Russia’s Other War, Cyber


Finding weaknesses and exploiting them in the cyber realm is a hidden form of warfare that few speak about. For the West, Russia tops the list of threats; China, Iran and North Korea are also on the short list. Among Russia’s other targets, the Baltic States feature prominently.

CBS: The U.S. has elevated its appraisal of the cyber threat from Russia, the U.S. intelligence chief said Thursday, as he delivered the annual assessment by intelligence agencies of the top dangers facing the country.

“While I can’t go into detail here, the Russian cyber threat is more severe than we had previously assessed,” James Clapper, the director of national intelligence, told the Senate Armed Services Committee, as he presented the annual worldwide threats assessment.

As they have in recent years, U.S. intelligence agencies once again listed cyber attacks as the top danger to U.S. national security, ahead of terrorism. Saboteurs, spies and thieves are expanding their computer attacks against a vulnerable American internet infrastructure, chipping away at U.S. wealth and security over time, Clapper said.

Russia ‘was behind German parliament hack’

BBC: Germany’s domestic intelligence agency has accused Russia of being behind a series of cyber attacks on German state computer systems.

The BfV said a hacker group thought to work for the Russian state had attacked Germany’s parliament in 2015.

This week it emerged that hackers linked to the same group had also targeted the Christian Democratic Union party of Chancellor Angela Merkel.

Russia has yet to respond publicly to the accusations made by the BfV.

Sabotage threat

BfV head Hans-Georg Maassen said Germany was a perennial target of a hacker gang known as Sofacy/APT 28 that some other experts also believe has close links with the Russian state. This group is believed by security experts to be affiliated with the Pawn Storm group that has been accused of targeting the CDU party.

The Russian Cyber Threat: Views from Estonia

Tensions between Russia and its adversaries in the West are escalating. In recent years, Russia has undermined the security of its neighbors by violating their land borders, crossing into their airspace unannounced and harassing them above and below sea level. Less noticed or understood, however, are Moscow’s aggressive actions in cyberspace. The small Baltic country of Estonia—a global leader in digital affairs—is well-placed to shed light on the tactical and strategic aspects of Russia’s offensive computer network operations.

In fact, three civilian and intelligence agencies responsible for cyber security—the Estonian Information System Authority, Internal Security Service and Information Board—recently issued reports that help put together different pieces of the puzzle. The conclusion is that “in cyberspace, Russia is the source of the greatest threat to Estonia, the European Union and NATO.” Now policymakers on both sides of the Atlantic must decide what to do about it.

Russia has been developing and employing offensive cyber capabilities for years. Russian cyber threat groups consist of professional, highly skilled practitioners whose daily jobs are to prepare and carry out attacks. And they don’t go after low-hanging fruit; instead, they receive specific orders on which institutions to target and what kind of information is needed. Criminals, hacktivists, spies and others linked to Russian strategic interests are usually well-financed, persistent and technologically advanced. They have a wide range of tools and resources, including the ability to carry out denial-of-service attacks, develop sophisticated malware and exploit previously unknown software vulnerabilities. Russian threat actors cloak their identities by using remote servers and anonymizing services. They target everything from the mobile devices of individuals to the IT infrastructure of entire government agencies.

Often, Russian threat actors map target networks for vulnerabilities and conduct test attacks on those systems. After carrying out reconnaissance, they conduct denial-of-service attacks or try to gain user access. Common techniques include sending emails with malicious attachments, modifying websites to infect visitors with malware and spreading malware via removable media devices like USB drives. Once inside, they continue to remotely map networks, attempt to gain administrator-level access to the entire network and extract as much sensitive data as possible. Such access also lets them change or delete data if that’s what the mission requires. They’ll often go after the same targets for years to get what they need. They have the confidence that comes from perceived anonymity and impunity; if they make a mistake or fail, they’ll simply try again.

These tactical activities are carried out in pursuit of strategic objectives. In the long term, this includes undermining and, if possible, helping to dissolve the EU and NATO. Moscow also aims to foster politically divided, strategically vulnerable and economically weak societies on its periphery in order to boost its own ability to project power and influence on those countries’ decisions. Russian cyber threat actors help by stealing military, political or economic data that gives Russia advantages in what it sees as the zero-sum game of foreign relations. The exfiltrated data can be used to recruit intelligence agents or provide economic benefits to its companies. Cyber capabilities can also be used to carry out influence operations that undermine trust between the citizens and the state. Telling examples of that strategy include its multi-week distributed-denial-of-service (DDoS) attacks against Estonia in 2007, its coordinated attacks against Ukraine’s 2014 presidential elections and the false-flag operation against a French telecommunication provider in 2015.

Most worryingly, today’s intelligence operations can enable tomorrow’s military actions. Influence operations, including the use of propaganda and social media, can create confusion and dissatisfaction among the population. Denial-of-service attacks can inhibit domestic and international communication. Coordinated, plausibly deniable attacks on multiple critical national infrastructure sectors can disrupt the provision of vital services such as energy, water, or transportation. This can provide a context for the emergence of “little green men”. Malicious code can be weaponized to hinder military and law enforcement responses. Clearly, cyber capabilities have the potential to be a powerful new tool in the Kremlin’s not-so-new “hybrid warfare” toolbox. With enough resources and preparation, they can be used in attempts to cause physical destruction, loss of life and even to destabilize entire countries and alliances. Such operations could be but a decision or two away in terms of planning, and perhaps several months or years before implementation. What can be done about it?

Preventive measures and countermeasures exist at the personal, organizational, national and international levels. Individuals should take “cyber hygiene” seriously, since Russian threat actors target both personal and work devices. This includes employing basic security technologies, backing up data, not visiting dubious websites and not opening suspicious emails. Organizations that handle sensitive information should adopt stricter security policies, including for the handling of work-related data on personal devices. Information systems managers must be especially vigilant since they are primary targets, and weak personal security on their part may compromise national security. For their part, governments must enact the basics: computer security laws, national cyber strategies, a police focus on cybercrime, national CERTs, public-private partnerships and capable intelligence agencies. They also need continuous training and exercises to keep relevant agencies prepared for their missions. Finally, global cooperation and expeditious exchange of information among cyber security firms, national computer security incident response teams (CSIRTs) and security services are key to identifying Russian attack campaigns and taking defensive countermeasures.

All such countermeasures comprise elements of a deterrence-by-denial strategy that aims to raise the cost of carrying out malicious operations. States have also undertaken diplomatic initiatives to manage the potential instability that could result from the use of weaponized code—namely confidence-building measures, norms of responsible state behavior and attempts to agree on international law. While laudable, none of these have curbed Russian cyber aggression in the short term. For example, Russia’s coordinated December 2015 attack on the Ukrainian electrical grid—highlighted in all three agencies’ reports—was clearly an attack on critical national infrastructure that violated tentative international norms signed by Russia, possibly even while the campaign was being prepared. Defensive and diplomatic countermeasures must be complemented by a cohesive strategy of deterrence-by-punishment by individual countries as well as like-minded allies.

Cyber threat actors with links to Russia (APT28/Sofacy/Pawn Storm, the Dukes/APT29, Red October/Cloud Atlas, Snake/Turla/Uroburos, Energetic Bear/DragonFly, Sandworm Team and others) target NATO members on a daily basis—mainly for espionage and influence operations. But a recent SCMagazineUK article claims that the FSB plans to spend up to $250 million per year on offensive cyber capabilities. “Particular attention is to be paid to the development and delivery of malicious programs which have the ability to destroy the command and control systems of enemy armed forces, as well as elements of critical infrastructure, including the banking system, power supply and airports of an opponent.” Clearly, we had better be prepared.

9/11 Saudi Supported Memo Released

Memos on Alleged Saudi-Affiliated Support of the 9/11 Attacks

Clinton Cash, Coming to a Theater Near You

‘Clinton Cash’ doc set to stir up controversy as it debuts at Cannes

MSNBC: CANNES, France — A massive police force will be guarding the Cannes Film Festival this year. But the only scuffle on the horizon may come in response to the right-wing producers of a devastating new documentary about Bill and Hillary Clinton’s alleged influence peddling and favor-trading. That film, “Clinton Cash,” screens here May 16 and opens in the U.S. on July 24 — just before the Democratic National Convention.

The allegations are as brazen as they are controversial: What other film at Cannes would come up with a plot that involves Russian President Vladimir Putin wrangling a deal with the alleged help of both Clintons, a Canadian billionaire, Kazakhstan mining officials and the Russian atomic energy agency — all of which resulted in Putin gaining control of 20 percent of all the uranium in the U.S.?

MSNBC got an exclusive first look at “Clinton Cash,” the flashy, hour-long film version of conservative author Peter Schweizer’s surprise 2015 bestseller, which The New York Times called “the most anticipated and feared book of a presidential cycle.” The Washington Post said that “on any fair reading, the pattern of behavior that Schweizer has charged is corruption.” Meanwhile, Hillary Clinton’s campaign manager John Podesta denounced the book as a bunch of “outlandish claims” with “zero evidence.”

The film portrays the Clintons as a greedy tag team who used the family’s controversial Clinton Foundation and her position as secretary of state to help billionaires make shady deals around the world with corrupt dictators, all while enriching themselves to the tune of millions.

The movie alleges that Bill Clinton cut a wide swathe through some of the most impoverished and corrupt areas of the world — the South Sudan, the Democratic Republic of Congo, Colombia, India and Haiti among others — riding in on private jets with billionaires who called themselves philanthropists but were actually bent on plundering the countries and lining their own pockets.

In return, billionaire pals like Frank Giustra and Gilbert Chagoury, or high-tech companies like Swedish telecom giant Ericsson or Indian nuclear energy officials — to name just a few mentioned in the film — hired Clinton to speak at often $750,000 a pop, according to “Clinton Cash.” When a favor was needed at the higher levels of the Obama administration to facilitate some of the deals, Hillary Clinton was only willing to sign off on them, the movie reports.

As a film, it powerfully connects the dots — whether you believe them or not — in a narrative that lacks the wonkiness of the book, which bore a full title of “The Untold Story of How and Why Foreign Governments and Businesses Helped Make Bill and Hillary Rich.”

It packs the kind of Trump-esque mainstream punch that may have the presumptive GOP nominee salivating. He recently declared, “We’ll whip out that book because that book will become very pertinent.”

The hour-long documentary is intercut with “Homeland”-style clips of the Clintons juxtaposed against shots of blood-drenched money, radical madrassas, villainous dictators and private jets, all set to sinister music.

Produced by Stephen K. Bannon, the executive chairman of Breitbart News, with Schweizer as the film’s talking head, the documentary might be easy to dismiss as just another example of the “vast right-wing conspiracy” the former secretary of state referenced so many years ago.

But what complicates matters for Hillary Clinton’s campaign is that the book resulted in a series of investigations last year into Schweizer’s allegations by mainstream media organizations from The New York Times and CNN to The Washington Post and The Wall Street Journal, many of which did not dispute his findings — and in some cases gathered more material that the producers used in the film. More recently, some information uncovered in the Panama Papers has echoed some of Schweizer’s allegations in the movie and book.

The Clinton campaign loudly denounced the book as a “smear project” last year and Schweizer’s publisher, the Murdoch-owned Harper Collins, had to make some corrections to the Kindle version. But the changes, in the end, involved seven or eight inaccuracies, some of which were fairly minor in the context of the larger allegations, Politico reported.

Neither the Clinton campaign nor the Clinton Foundation responded to calls and emails requesting comment about the film Tuesday.

One of the most damning follow-ups to Schweizer’s most startling accusation — that Vladimir Putin wound up controlling 20 percent of American uranium after a complex series of deals involving cash flowing to the Clinton Foundation and the help of Secretary of State Clinton — was printed in The New York Times.

Like Schweizer, the Times found no hard evidence in the form of an email or any document proving a quid pro quo between the Clintons, Clinton Foundation donors or Russian officials. (Schweizer has maintained that it’s next to impossible to find a smoking gun but said there is a troubling “pattern of behavior” that merits a closer examination.)

But the Times concluded that the deal that brought Putin closer to his goal of controlling all of the world’s uranium supply is an “untold story … that involves not just the Russian president, but also a former American president and a woman who would like to be the next one.”

“Other news outlets built on what I uncovered and some of that is in the film,” Schweizer, a former speechwriter for President George W. Bush, told NBC News Tuesday. “To me the key message is that while U.S. politics has long been thought to be a dirty game, it was always played by Americans. What the Clinton Foundation has done is open an avenue by which foreign investors can influence a chief U.S. diplomat. The film may spell all this out to people in a way the book did not and it may reach a whole new audience.”


China, Unfettered Espionage Against U.S.

Did China Just Steal $360 Billion From America?

The principal group in question is believed to be the one codenamed APT6. The three letters stand for Advanced Persistent Threat, and this group appears to be among the first tagged as an “APT.”

Kurt Baumgartner of Russian firm Kaspersky Lab suggests APT6 is state-sponsored. That sounds correct because, as Craig Williams at Talos, a part of Cisco, notes, it is “an advanced, well-funded actor.”

Baumgartner declined to identify APT6’s nationality, but others have. Vice Media’s Motherboard reports that experts think the group is Chinese. As the FireEye security firm notes, APT6 is “likely a nation-state sponsored group based in China.”

In any event, APT6 has caught the attention of the FBI. The group also appears to be the subject of the Bureau’s February 12 alert.

Related reading from the FBI

The February 12 alert says the group in question was attacking U.S. networks “since at least 2011,” but Baumgartner thinks it was active as early as 2008.

In September of last year during Xi Jinping’s state visit, President Obama said the U.S. and China had reached “a common understanding on the way forward” on cybertheft. Washington and Beijing, he said, had affirmed the principle that neither government would use cyber means for commercial purposes.

China indeed affirmed that principle, and the agreement was, as Adam Segal and Tang Lan write, “a significant symbolic step forward.” The pair correctly note that “trust will be built and sustained through implementation.”

As might be expected, there was little implementation on the Chinese side at first. CrowdStrike, the cyber security firm, for instance, in October reported no letup in China’s cyber intrusions into the networks of American corporates.

Related: Economic Terrorism

Beijing, according to the Financial Times, has since reduced its cyber spying against American companies. As Justin Harvey of Fidelis Cybersecurity told the paper, “What we are seeing can only be characterized as a material downtick in what can be considered cyber espionage.”

And FireEye noted that all 22 Chinese hacking units identified by the firm as attacking American networks discontinued operations.

Nonetheless, the Obama administration is not declaring victory quite yet, and for good reason. “The days of widespread Chinese smash-and-grab activity, get in, get out, don’t care if you’re caught, seem to be over,” says Rob Knake, who once directed cyber security policy at the National Security Council and is now at the Council on Foreign Relations. “There’s a consensus that activity is still ongoing, but narrower in scope and with better tradecraft.”

Whether espionage is overt or not, the damage to American business is still large. According to the May 2013 report of the Blair-Huntsman Commission on the Theft of American Intellectual Property, “The scale of international theft of American intellectual property is unprecedented—hundreds of billions of dollars per year, on the order of the size of U.S. exports to Asia.”

William Evanina, America’s chief counterintelligence official, told reporters in November that hacking espionage costs U.S. companies $400 billion each year and that China is responsible for about 90% of the attacks. Beijing’s haul, therefore, looks like something on the order of $360 billion.

And how do we know the Chinese are culprits? For one thing, bold Chinese cyber thieves like to show their victims the information they have stolen.

Moreover, the U.S. government has gotten better at attribution, going from being able to attribute one-third of the attacks to more than two-thirds. The improvement is largely due to the government’s partnership with the private sector. Microsoft, Google, and Twitter, for example, will share information if they detect attacks on their customers.

And their customers are still getting attacked. “We continue to see them engage in activity directed against U.S. companies,” said Admiral Mike Rogers, the head of U.S. Cyber Command, in early April in testimony before the Senate Armed Services Committee. “The questions I think that we still need to ask is, is that activity then, in turn, shared with the Chinese private industry?”

It’s right for Rogers to be cautious, but it would be strange for Chinese hackers not to share as they have done in the past. At the moment, there is little reason for Beijing to stop hacking, because Washington is not willing to impose costs on China for its “21st century burglary.”

There was the May 2014 indictment of five officers of the People’s Liberation Army for cyberattacking American businesses, like Alcoa and U.S. Steel, and the United Steelworkers union. That move, while welcome, was overdue and only symbolic. The Blair-Huntsman Commission suggested an across-the-board tariff on Chinese goods, but the imposition of a penalty of that sort is unlikely without a radical change of thinking in Washington.

Therefore, the FBI, even after all these years, is just playing catch-up. The February alert is a tacit admission that the U.S. government is not in control of its own networks, said Michael Adams, who served in U.S. Special Operations Command. “It’s just flabbergasting,” Adams told Motherboard. “How many times can this keep happening before we finally realize we’re screwed?”

The People’s Republic of China is still committing monumental thefts in large part because successive American governments cannot get beyond half-measures.

Beijing may be an intruder, but Washington somehow finds it unseemly to lock the door and punish the thief.


Today: National Change Your Password Day, Why?

Russian Hackers Have 270 Million Email Logins, Including Gmail and Yahoo Accounts

Gizmodo: A report from Reuters suggests that over 270 million hacked email credentials—including those from Gmail, Hotmail and Yahoo—are circulating among Russian digital crime rings.

Reuters reports that an investigation by Hold Security revealed the huge stash of login details, which are said to be traded among criminals. Many of the credentials relate to the Russian email service Mail.ru, but the team has also identified details from Google, Yahoo and Microsoft.

Update: There may, however, not be too much cause for concern, as Motherboard points out that the data may in fact be taken from a series of older hacks, which means the credentials are likely useless.

The team from Hold Security was offered a tranche of 1.17 billion email user records in an online forum, and asked to pay just $1 for a copy of the data. The team refused to pay for stolen data, but was given the information anyway when it offered to post positive comments about the hacker online.

The team has since sifted through the data set to remove duplicates, revealing that it contains 270 million unique records. Alex Holden, the founder of Hold Security, told Reuters that the data was “potent,” adding that the “credentials can be abused multiple times.”

Hold Security has apparently alerted all of the affected email providers. Mail.ru, Google, Yahoo and Microsoft are all now investigating the situation.

A Microsoft spokesperson told Gizmodo that “unfortunately, there are places on the internet where leaked and stolen credentials are posted,” adding that it “has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”

It may be that the stash is out of date and doesn’t present too much of a security threat—though, of course, it could be a new pool of data, in which case the accounts included in the tranche could be at risk. Initial reports to the BBC from Mail.ru suggest that, from a sample of the records, there may not be many live email-password combinations in the data.

But it may be a good time to refresh your password anyway.

****

In a Wednesday statement, Mail.ru said its early analysis suggests many username/password combinations contain the same username paired with different passwords.

“We are now checking whether any username/password combinations match valid login information for our email service, and as soon as we have enough information we will warn the users that might have been affected,” the Russian service said.

The cache reportedly included tens of millions of certificates for Google Gmail, Microsoft Hotmail, and Yahoo Mail, as well as German and Chinese email providers.

“Unfortunately, there are places on the Internet where leaked and stolen credentials are posted, and when we come across these or someone sends them to us, we act to protect customers,” a Microsoft spokeswoman told PCMag. “Microsoft has security measures in place to detect account compromise and requires additional information to verify the account owner and help them regain sole access to their account.”

Google declined to comment, while Yahoo did not immediately respond to PCMag’s request.

The junior hacker—either inexperienced in the art of haggling, or just too rich to care—asked for only 50 rubles in exchange for the “incredibly large set of data.” Equivalent to about 75 cents, the payment request did little to boost Hold Security’s confidence in the data’s credibility and value. The move was “similar to an expensive sports car being sold for pennies at auction,” the firm said.

Hold refused to pay and convinced the hacker to trade the data for likes/votes on his social media page.

“At the end, this kid from a small town in Russia collected an incredible 1.17 billion stolen credentials from numerous breaches that we are still working on identifying,” Hold Security said. More from PC Magazine.

*****

In a shocking report from FireEye Inc., a California security firm with top government connections, as well as three other reports, the existence of a Russian-based hacker group, which appears to be a joint effort by the Russian government and the Russian Mafia, has been revealed, The Wall Street Journal reports.

Terming the hacker attack “Sofacy” or “APT28,” the computer anti-hacking firm’s report, called “A Window Into Russia’s Cyber Espionage Operations,” notes, “We assess that APT28’s work is sponsored by the Russian government” and is more technically sophisticated than Chinese-hacking efforts earlier detected and exposed by FireEye, the report states.

“I worry a lot more about the Russians” than about China, James Clapper, director of national intelligence, said at a University of Texas forum, the Journal reports. More from NewsMax.