Cyber Conflict, Chaos and Calamity

There have been several Congressional hearings on cyber-terrorism, yet for all the talk of emergency and threat, no solution is forthcoming.

From AEI: “America’s intelligence leaders have made clear the biggest threat today is cyber and counterintelligence. Who are the largest perpetrators of these types of attacks? The intelligence report singles out Russia and China as first examples. These nations have “highly sophisticated cyber programs” and are regularly conducting “politically motivated” attacks. What are they up to exactly? Countries such as China are “reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.” Back in 2013, Verizon released a report detailing Chinese hackers lurking around inside American industrial control systems—the cyber equivalent to casing a robbery target. In 2014 alone, the FBI investigated a likely Russian hacking campaign against American banking backbone JP Morgan, while two cybersecurity firms blamed Iran for a major campaign against US critical infrastructure like major airliners, medical universities, and energy companies. As the year ended, the US government publicly accused North Korea of a devastating cyberattack against Sony.”

When the Office of the Director of National Intelligence produced its annual threat assessment, the first chapter was on cyber threats.

“Risk. Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all ICT systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed. Moreover, the risk calculus employed by some private sector entities does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors.

Costs. During 2014, we saw an increase in the scale and scope of reporting on malevolent cyber activity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information (PII) compromised, or remediation costs incurred by US victims.”

The stakes are higher than anyone will admit, most of all the White House. The Office of Personnel Management hack of personnel files now appears to exceed 18 million individuals. “FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM’s own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.”

Just announced as a possible additional victim is the National Archives and Records Administration (NARA). What is chilling about this possibility is that by law all government reports, records and communications, classified material included, are to be maintained by NARA.

EXCLUSIVE: Signs of OPM Hack Turn Up at Another Federal Agency

The National Archives and Records Administration recently detected unauthorized activity on three desktops indicative of the same hack that extracted sensitive details on millions of current and former federal employees, government officials said Monday. The revelation suggests the breadth of one of the most damaging cyber assaults known is wider than officials have disclosed.

The National Archives’ own intrusion-prevention technology successfully spotted the so-called indicators of compromise during a scan this spring, said a source involved in the investigation, who was not authorized to speak publicly about the incident. The discovery was made soon after the Department of Homeland Security’s U.S. Computer Emergency Readiness Team published signs of the wider attack — which targeted the Office of Personnel Management — to look for at agencies, according to NARA.

It is unclear when NARA computers were breached. Suspected Chinese-sponsored cyberspies reportedly had been inside OPM’s networks for a year before the agency discovered what happened in April. Subsequently, the government uncovered a related attack against OPM that mined biographical information on individuals who have filed background investigation forms to access classified secrets.

The National Archives has found no evidence intruders obtained “administrative access,” or took control, of systems, but files were found in places they did not belong, the investigator said.

NARA “systems” and “applications” were not compromised, National Archives spokeswoman Laura Diachenko emphasized to Nextgov, “but we detected IOCs,” indicators of compromise, “on three workstations, which were cleaned and re-imaged,” or reinstalled.

“Other files found seemed to be legitimate,” such as those from a Microsoft website, she said. “We have requested further guidance from US-CERT on how to deal with these” and are still awaiting guidance on how to proceed.

It will take additional forensics assessments to determine whether attackers ever “owned” the National Archives computers, the investigator said.

Diachenko said, “Continued analysis with our monitoring and forensic tools has not detected any activity associated with a hack,” including alerts from the latest version of a governmentwide network-monitoring tool called EINSTEIN 3A.

EINSTEIN, like NARA’s own intrusion-prevention tool, is now configured to detect the tell-tale signs of the OPM attack.

“OPM isn’t the only agency getting probed by this group,” said John Prisco, president of security provider Triumfant, the company that developed the National Archives’ tool. “It could be happening in lots of other agencies.”

Prisco said he learned of the incident at a security industry conference June 9, from an agency official the company has worked with for years.

“They told us that they were really happy because we stopped the OPM attack in their agency,” Prisco said.

The malicious operation tries to open up ports to the Internet, so it can excise information, Prisco said.

“It’s doing exploration work laterally throughout the network and then it’s looking for a way to communicate what it finds back to its server,” he added.

Homeland Security officials on Monday would not confirm or deny the situation at the National Archives. DHS spokesman S.Y. Lee referred to the department’s earlier statement about the OPM hack: “DHS has shared information regarding the potential incident with all federal chief information officers to ensure that all agencies have the knowledge they need to defend against this cybersecurity incident.”

The assault on OPM represents the seventh raid on national security-sensitive or federal personnel information over the past year.

Well-funded hackers penetrated systems at the State Department, the White House, U.S. Postal Service and, previously in March 2014, OPM. Intruders also broke into networks twice at KeyPoint Government Solutions, an OPM background check provider, and once at USIS, which conducted most of OPM’s employee investigations until last summer.

On Wednesday, the House Oversight and Government Reform Committee is scheduled to hold a hearing on the OPM incident that, among other things, will examine the possibility that hackers got into the agency’s systems by using details taken from the contractors.
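Prisco describes the behaviour the indicators were tuned for: the implant explores laterally across the network and then looks for a way to talk back to its server. The following is an added example of how that two-stage pattern can be picked out of connection telemetry; it is not Triumfant’s product logic, not the US-CERT indicators, and not code from this article. The log format, the internal ranges, the fan-out threshold and window, and the sample records are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges count as "inside"; everything else is treated as the Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Tuning values are assumptions for the example, not published thresholds.
FANOUT_THRESHOLD = 8             # distinct internal peers contacted...
WINDOW = timedelta(minutes=10)   # ...within this sliding window


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(line: str):
    """Constructed record format: '<ISO timestamp> <src> <dst> <dst port>'."""
    ts, src, dst, port = line.split()[:4]
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect(lines, fanout=FANOUT_THRESHOLD, window=WINDOW, known_external=frozenset()):
    """Return alerts for internal hosts that first fan out laterally (at least
    `fanout` distinct internal peers inside `window`) and afterwards open a
    connection to an external address absent from the `known_external`
    baseline. Ordering matters: exploration first, then the call home."""
    events = sorted(parse(line) for line in lines)
    peers_by_src = defaultdict(list)   # src -> [(ts, internal dst), ...]
    fanout_seen_at = {}                # src -> first time the threshold was crossed
    alerts = []
    for ts, src, dst, port in events:
        if not is_internal(src):
            continue
        if is_internal(dst):
            peers = peers_by_src[src]
            peers.append((ts, dst))
            recent = {d for t, d in peers if ts - t <= window}
            if len(recent) >= fanout and src not in fanout_seen_at:
                fanout_seen_at[src] = ts
        elif src in fanout_seen_at and dst not in known_external:
            alerts.append({
                "host": src,
                "lateral_since": fanout_seen_at[src],
                "c2_candidate": dst,
                "port": port,
                "at": ts,
            })
    return alerts


# Constructed telemetry (not real logs). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for Internet addresses.
SAMPLE_LOG = [
    f"2015-04-10T09:{m:02d}:00 10.1.2.3 10.1.2.{10 + m} 445" for m in range(10)
] + [
    "2015-04-10T09:12:00 10.1.2.3 203.0.113.7 443",     # call home after the sweep
    "2015-04-10T09:13:00 10.1.2.99 198.51.100.5 443",   # ordinary outbound, no sweep
    "2015-04-10T09:14:00 10.1.2.99 10.1.2.50 445",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["host"]} swept the subnet from {a["lateral_since"]:%H:%M} '
              f'then contacted {a["c2_candidate"]}:{a["port"]} at {a["at"]:%H:%M}')
```

The point of keying the outbound check on a prior fan-out is precision: a single host talking to an unfamiliar Internet address is routine, and a single host touching many internal peers can be a vulnerability scanner, but the sequence of the two from one workstation is the pattern Prisco describes. A real deployment would feed `known_external` from a baseline of destinations seen during a quiet period and would whitelist scanners and domain controllers as sources.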

Yemen Cyber Army, Saudi and Wikileaks

Here it comes again: a major hack that took place earlier this month, with the documents now in a pipeline to be published. Some are out there already.

From www.securityaffairs.co, whom I interviewed for radio just last week:

“We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their diplomats in different missions around the world.” states the group.

The following image was left on the PCs of employees at the Saudi foreign ministry on Thursday morning.

Yemen Cyber Army vs Saudi Gov

More details here on the Yemen Cyber Army and the Saudi hack. The Yemen Cyber Army left behind these messages for file access as well:

OPERATION Name : “Syed Hussein Badreddin al-Houthi”
OPERATION Key  : b919117da9954bd82e65677cb240bbb3e4ddbd9ac93e10f0a399257ad54d851a

Saudi Arabia Ministry of Foreign Affairs Hacked By Yemen Cyber Army
All MOFA.GOV.SA Subdomains And Servers Hacked and HDD Encrypted
Allah is the enemy of those who oppress people

This is to convey a message to Saudi Dictators, if they’ve got a listening ear!

It’s us again, Yemen Cyber Army!

We are an Islamic Group who fights against you oppressors.

What you and your puppets commit in Yemen, Syria, Bahrain, Iraq and Lebanon, remind us of crimes your forefather Yazid-ibn-Muawiya committed in Karbala. And indeed you are good successors to him. You are ISIS and ISIS is you.

Never assume our calmness is due to weakness. We are oppressed! God will judge between you and us. As we never seek help from other than him.
You are pagan oppressors as you always fawn for US and Israel, that’s what you deserve.
So congratulations to those who achieve martyrdom in fight against pagan oppressors.

“And never think of those who have been killed in the cause of Allah as dead. Rather, they are alive with their Lord, receiving provision ”

Our cyber operation is just started and by the grace of God we are expecting the Saudi regime’s collapse by the “Labbaik Ya-Hossain” slogan.
This second operation is blessed by the name of martyred “Syed Hussein Badreddin al-Houthi” and is going to be a beginning to Saudi’s overthrow, Inshallah.

We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their diplomats in different missions around the world.

We publish only few portions of vital information we have, just to let them know that “truly the flimsiest of houses is the spider´s house”

Some portions of visa secret information, thousands of documents from the MOFA’s automation system and secret emails will be published gradually so as to keep Saudi puppets always in fear of their identity disclosure.

This way they might slightly come to know how it feels when our innocent women and children rush into havens crying and looking for their beloved once in dark.

And that’s not all! All your computers will be automatically wiped on Wednesday – 2015 20 May and at 12:00 to become a lesson for oppressors.

We have the same access to the Interior Ministry (MOI) and Defense Ministry (MOD) of which the details will be published in near future. Wish such shocking news make Saudi dictators to come to their senses and recapture those young wild dogs’ leash to avoid Muslims exploiting hate against Saudi family.
If you did not stop attacks on Muslims in Yemen, do not blame anyone but yourself and expect greater harms.
Files PASSWORD : [email protected]

Your Network Hacked By Yemen Cyber Army
We Are Cutting Sword of Justice
All Your Data is Encrypted and You Can’t Access Them without Key
Find Out the Decryption Key This Way :
Number of Yemeni Children Killed in Saudi Air Attacks   +
Number of Yemeni Homes Destroyed By Saudi-USA Bombs   –
Number of Saudis Killed By Yemenis   –
Number of Israeli Soldiers Killed by Saudi and Arab Union in 1984!!!!

#OPSAUDI
#YEMEN_UNDER_ATTACK
#OPKSA

We Are Anonymous
We Are Everywhere
We Are Legion
We do Not Forgive
We do Not Forget
Stop Attacking To Our Country!

****

Now enter the documents and Wikileaks.

WikiLeaks says it’s leaking over 500,000 Saudi documents

ISTANBUL (AP) — WikiLeaks is in the process of publishing more than 500,000 Saudi diplomatic documents to the Internet, the transparency website said Friday, a move that echoes its famous release of U.S. State Department cables in 2010.

WikiLeaks said in a statement that it has already posted roughly 60,000 files. Most of them appear to be in Arabic.

There was no immediate way to verify the authenticity of the documents, although WikiLeaks has a long track record of hosting large-scale leaks of government material. Many of the documents carried green letterhead marked “Kingdom of Saudi Arabia” or “Ministry of Foreign Affairs.” Some were marked “urgent” or “classified.” At least one appeared to be from the Saudi Embassy in Washington.

If genuine, the documents would offer a rare glimpse into the inner workings of the notoriously opaque kingdom. They might also shed light on Riyadh’s longstanding regional rivalry with Iran, its support for Syrian rebels and Egypt’s military-backed government, and its opposition to an emerging international agreement on Tehran’s nuclear program.

One of the documents, dated to 2012, appears to highlight Saudi Arabia’s well-known skepticism about the Iranian nuclear talks. A message from the Saudi Arabian Embassy in Tehran to the Foreign Ministry in Riyadh describes “flirting American messages” being carried to Iran via an unnamed Turkish mediator.

Another 2012 missive, this time sent from the Saudi Embassy in Abu Dhabi, said the United Arab Emirates was putting “heavy pressure” on the Egyptian government not to try former president Hosni Mubarak, who had been overthrown in a popular uprising the year before.

Some of the concerns appear specific to Saudi Arabia.

In an Aug. 14, 2008 message marked “classified and very urgent,” the Foreign Ministry wrote to the Saudi Embassy in Washington to warn that dozens of students from Saudi Arabia and other Gulf countries had visited the Israeli Embassy in the U.S. capital as part of an international leadership program.

“They listened to diplomats’ briefings from the embassy employees, they asked questions and then they took pictures,” the message said, asking the embassy for a speedy update on the situation.

Another eye-catching item was a document addressed to the interior and justice ministers notifying them that a son of Osama bin Laden had obtained a certificate from the American Embassy in Riyadh “showing (the) death of his father.”

Many more of the dozens of documents examined by The Associated Press appeared to be the product of mundane administrative work, such as emails about setting up a website or operating an office fax machine.

The AP was able to partially verify a handful of documents’ authenticity by calling the telephone numbers included in many of them. WikiLeaks spokesman Kristinn Hrafnsson told AP he was confident that the material was genuine.

It is not clear how WikiLeaks got the documents, although in its statement the website referred to a recent electronic attack on the Saudi Foreign Ministry by a group calling itself the Yemen Cyber Army. Hrafnsson declined to elaborate on the statement or say whether the hackers subsequently passed documents on to WikiLeaks.

“As a matter of policy we’re not going to discuss the source of the material,” he said.

The Saudi Embassy in Washington did not immediately return repeated messages seeking comment.

In its statement, WikiLeaks said the release coincided with the three-year anniversary of its founder, Julian Assange, seeking asylum in the Ecuadorian Embassy in London.

Assange took refuge in the embassy to avoid extradition to Sweden, where he is wanted for questioning about alleged sex crimes. Assange has denied any wrongdoing.

To access WikiLeaks’ Saudi Cables site: https://wikileaks.org/saudi-cables/

Chinese Intelligence at Center of OPM Hack

First came Anthem, one of the largest health insurers, which was hacked; some 80 million personal records were compromised. What is notable is that Anthem is part of the Blue Cross Blue Shield network, and more concerning still, BCBS provides coverage to more than half of the federal government workforce.

Take note of the following from ThreatConnect.com:

“Anthem Themed Infrastructure & Signed Malware:
In September 2014, the ThreatConnect Intelligence Research Team (TCIRT) observed a variant of the Derusbi APT malware family, MD5: 0A9545F9FC7A6D8596CF07A59F400FD3, which was signed by a valid digital signature from the Korean company DTOPTOOLZ Co. Derusbi is a family of malware used by multiple actor groups but associated exclusively with Chinese APT. TCIRT began tracking the DTOPTOOLZ signature for additional signed malware samples and memorialized them within our Threat Intelligence Platform over time.
Analyst Comment: The DTOPTOOLZ signature has also been observed in association with Korean Adware that is affiliated with the actual DTOPTOOLZ Co. This adware should not be confused with the APT malware that is abusing the same digital signature.
Later, in mid-November we discovered another implant that was digitally signed with the DTOPTOOLZ signature. This implant, MD5: 98721c78dfbf8a45d152a888c804427c, was from the “Sakula” (aka. Sakurel) family of malware, a known variant of the Derusbi backdoor, and was configured to communicate with the malicious command and control (C2) domains extcitrix.we11point[.]com and www.we11point[.]com. Through our Farsight Security passive DNS integration, we uncovered that this malicious infrastructure was likely named in such a way to impersonate the legitimate Wellpoint IT infrastructure.”

This brings us to the hack, or rather the simple sign-on as a root user, that exposed the 14 million personnel records of the Office of Personnel Management (OPM) located in Colorado.

From Reuters:

U.S. employee data breach tied to Chinese intelligence

The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees has a different mission and organizational structure than the military hackers who have been accused of other U.S. data breaches, according to people familiar with the matter.

While the Chinese People’s Liberation Army typically goes after defense and trade secrets, this hacking group has repeatedly accessed data that could be useful to Chinese counter-intelligence and internal stability, said two people close to the U.S. investigation.

Washington has not publicly accused Beijing of orchestrating the data breach at the U.S. Office of Personnel Management (OPM), and China has dismissed as “irresponsible and unscientific” any suggestion that it was behind the attack.

Sources told Reuters that the hackers employed a rare tool to take remote control of computers, dubbed Sakula, that was also used in the data breach at U.S. health insurer Anthem Inc last year.

The Anthem attack, in turn, has been tied to a group that security researchers said is affiliated with China’s Ministry of State Security, which is focused on government stability, counter-intelligence and dissidents. The ministry could not immediately be reached for comment.

In addition, U.S. investigators believe the hackers registered the deceptively named OPM-Learning.org website to try to capture employee names and passwords, in the same way that Anthem, formerly known as Wellpoint, was subverted with spurious websites such as We11point.com, which used the number “1” instead of the letter “l”.

Both the Anthem and OPM breaches used malicious software electronically signed as safe with a certificate stolen from DTOPTOOLZ Co, a Korean software company, the people close to the inquiry said. DTOPTOOLZ said it had no involvement in the data breaches.

The FBI did not respond to requests for comment. People familiar with its investigation said Sakula had only been seen in use by a small number of Chinese hacking teams.

“Chinese law prohibits hacking attacks and other such behaviors which damage Internet security,” China’s Foreign Ministry said in a statement. “The Chinese government takes resolute strong measures against any kind of hacking attack. We oppose baseless insinuations against China.”

MANY UNKNOWNS

Most of the biggest U.S. cyber attacks blamed on China have been attributed, with varying degrees of certitude, to elements of the Chinese army. In the most dramatic case two years ago, the U.S. Justice Department indicted five PLA officers for alleged economic espionage.

Far less is known about the OPM hackers, and security researchers have differing views about the size of the group and what other attacks it is responsible for.

People close to the OPM investigation said the same group was behind Anthem and other insurance breaches. But they are not yet sure which part of the Chinese government is responsible.

“We are seeing a group that is only targeting personal information,” said Laura Gigante, manager of threat intelligence at FireEye Inc, which has worked on a number of the high-profile network intrusions.

CrowdStrike and other security companies, however, say the Anthem hackers also engaged in stealing defense and industry trade secrets. CrowdStrike calls the group “Deep Panda,” EMC Corp’s RSA security division dubs it “Shell Crew,” and other firms have picked different names.

The OPM breach gave hackers access to U.S. government job applicants’ security clearance forms detailing past drug use, love affairs, and foreign contacts that officials fear could be used for blackmail or recruiting.

In contrast to hacking outfits associated with the Chinese army, “Deep Panda” appears to be affiliated with the Ministry of State Security, said CrowdStrike co-founder Dmitri Alperovitch.

Information about U.S. spies in China would logically be a top priority for the ministry, Alperovitch said, adding that “Deep Panda’s” tools and techniques have also been used to monitor democracy protesters in Hong Kong.

An executive at one of the first companies to connect the Anthem and OPM compromises, ThreatConnect, said the disagreements about the boundaries of “Deep Panda” could reflect a different structure than that in top-down military units.

“We think it’s likely a cohort of Chinese actors, a bunch of mini-groups that are handled by one main benefactor,” said Rich Barger, co-founder of ThreatConnect, adding that the group could get software tools and other resources from a common supplier.

“We think this series of activity over time is a little more distributed, and that is why there is not a broad consensus as to the beginning and end of this group.”
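Both the ThreatConnect excerpt above and the Reuters piece turn on two kinds of indicator: file hashes of the DTOPTOOLZ-signed implants, and domains built to impersonate a victim (we11point.com with a digit 1 for the letter l; OPM-Learning.org). The following is an added example, not ThreatConnect’s, Reuters’ or any agency’s code, of matching telemetry against those indicators and of catching a lookalike that is not yet on the list. The hash values and domains are the ones quoted on this page; the protected-brand list, the confusable table, the naive registrable-domain extraction and the sample events are assumptions made for the illustration.

```python
import hashlib

# Indicators quoted on this page (the two DTOPTOOLZ-signed implants and the
# impersonation domains). The descriptive labels are ours.
IOC_MD5 = {
    "0a9545f9fc7a6d8596cf07a59f400fd3": "Derusbi variant, DTOPTOOLZ-signed",
    "98721c78dfbf8a45d152a888c804427c": "Sakula/Sakurel, DTOPTOOLZ-signed",
}
IOC_DOMAINS = {
    "extcitrix.we11point.com",
    "www.we11point.com",
    "opm-learning.org",
}

# Brands to defend against typosquats: assumed list, not from the page.
# Maps the genuine registrable domain to the brand token used in lookalikes.
PROTECTED = {"wellpoint.com": "wellpoint", "opm.gov": "opm"}

# Digit-for-letter substitutions commonly used in lookalike hostnames.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def registrable(fqdn: str) -> str:
    """Naive registrable domain: the last two labels. Real code should use the
    Public Suffix List (co.uk and the like); this shortcut is an assumption."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(fqdn: str):
    """Return the protected domain a hostname impersonates, or None.

    Check 1: after undoing digit/letter confusables, the registrable domain
    equals a protected one although the raw string does not (we11point).
    Check 2: a hyphen-separated part of the second-level label is exactly a
    protected brand token (opm-learning.org)."""
    reg = registrable(fqdn)
    if reg in PROTECTED:
        return None                       # the genuine domain itself
    folded = reg.translate(CONFUSABLE)
    if folded in PROTECTED:
        return folded
    sld = reg.split(".")[0]
    for brand_domain, token in PROTECTED.items():
        if token in sld.split("-"):
            return brand_domain
    return None


def md5_hex(data: bytes) -> str:
    """Hex MD5 of file content, the form in which the page's hashes are given."""
    return hashlib.md5(data).hexdigest()


def scan(events):
    """Match host events against the indicator sets. Each event is a dict with
    'kind' of 'file' (carrying 'md5') or 'dns' (carrying 'query'). Returns
    (event index, reason, detail) tuples."""
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] == "file":
            name = IOC_MD5.get(ev["md5"].lower())
            if name:
                hits.append((i, "known implant hash", name))
        elif ev["kind"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if q in IOC_DOMAINS:
                hits.append((i, "known C2 domain", q))
            else:
                brand = lookalike_of(q)
                if brand:
                    hits.append((i, "lookalike of " + brand, q))
    return hits


# Constructed sample telemetry (not real logs): a known hash in upper case, an
# unrelated file, a listed C2 lookup, the genuine Wellpoint site, and a fresh
# lookalike that is not in IOC_DOMAINS.
SAMPLE_EVENTS = [
    {"kind": "file", "md5": "98721C78DFBF8A45D152A888C804427C"},
    {"kind": "file", "md5": md5_hex(b"harmless constructed file")},
    {"kind": "dns", "query": "extcitrix.we11point.com"},
    {"kind": "dns", "query": "www.wellpoint.com"},
    {"kind": "dns", "query": "vpn.we11p0int.com"},
]

if __name__ == "__main__":
    for idx, reason, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}: {detail}")
```

The exact-match sets are what the agencies were given by US-CERT; the `lookalike_of` check is what lets a defender notice the next registration in the same naming pattern before it reaches a published list. Registering the confusable variants of one’s own domains (we11point, wel1point and so on) is the cheaper complement to detecting them.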

China did Not Hack OPM, Operative Just Signed In

Per Ars Technica: not only were OPM’s database records unencrypted, it would not have mattered. At least 14 million personnel files have been compromised, and encrypting the Social Security numbers would not have helped.

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Even more chilling, a person or team just found a way to sign in as a root user.

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.

A future consequence of insecure data systems is blackmail

Reuters: The same hackers breached several health insurance companies last summer and made off with the medical records of 11 million people, including members of Blue Cross/Blue Shield’s District of Columbia affiliate CareFirst.

Media pundits spent all week talking about how Deep Panda could compile all this information to craft a potential blackmail database on U.S. operatives for its patron, presumably China. But that’s ridiculous. Beijing is smarter than that.

Espionage is a long game, not a race, and countries are patient. Blackmail is a quick, brutal method of acquiring information in the short term.

It typically begins when foreign agents play on a target’s existing weakness — a penchant for gambling, for example, or deviant sexual behavior — enticing the target to indulge in it and then threatening exposure.

That’s a lot of work for a short-term gain. Blackmail targets are almost always found out, or turn on their blackmailers or end their lives. No, a better use for that database is as a reference to create the background for the perfect mole. Many additional details found here.

An additional security concern of real proportions is that this intrusion has affected Hill and Congressional staff.

In part, from The Hill: Officials had initially said the breach only encompassed 4.2 million federal employees, all within the executive branch. But the discovery of a second breach that compromised security clearance data has many expecting the breach to eventually expose up to 14 million people.

According to an email sent to House staff members shortly before midnight Tuesday and obtained by The Hill, many of them are at risk.

“It now appears likely that the service records of current House employees employed previously by ANY federal government entity (including the House, if an individual left the House and later returned to a House position) may have been compromised,” the email said, sent by House Chief Administrative Officer Ed Cassidy.

When staffers leave Capitol Hill, or any federal agency, their retirement records are forwarded to the OPM.

“In addition, the background investigation files of individuals holding security clearances (whether currently active or not) may have been exposed,” the email added.

Senate staffers received a similar email from the Senate Sergeant at Arms several hours earlier on Tuesday, according to multiple reports.

Listen and Read How Wrong Obama is on Iran

Even the Russians did not lie as badly as the Iranians have, and Kerry, at the behest of the White House, is ignoring the historical lies.

Sen. Bob Corker (R-Tenn.) has sent a blistering letter to President Obama denouncing reported Iran concessions. It reads:

Dear Mr. President:

It is breathtaking to see how far from your original goals and statements the P5+1 have come during negotiations with Iran. Under your leadership, six of the world’s most important nations have allowed an isolated country with roguish policies to move from having its nuclear program dismantled to having its nuclear proliferation managed. Negotiators have moved from a 20-year agreement to what is in essence a 10-year agreement that allows Iran to simultaneously continue development of an advanced ballistic missile program and research and development of advanced centrifuges. This also will allow Iran’s economy to be restored with billions of dollars returned to its coffers, a development that administration officials concede will be used at some level to export terrorism in the region.

I am alarmed by recent reports that your team may be considering allowing the deal to erode even further. Only you and those at the table know whether there is any truth to these allegations, and I hope reports indicating potential concessions on inspections and on the full disclosure of Iran’s possible military dimensions (PMDs) are inaccurate.

Regarding inspections, surely your administration and those involved in the negotiations will adhere to an “anytime, anywhere” standard. No bureaucratic committees. No moving the ball. No sites off limits.

You have publicly acknowledged Iran’s long history of covert nuclear activity. We all are aware of the importance of having a full understanding of Iran’s nuclear program, including PMDs of those activities as part of any agreement. Yet, recently I have heard of a potential cumbersome process where the International Atomic Energy Agency (IAEA), with no confirmation from Iran, will make PMD determinations about Iran’s nuclear program in order to protect Iran’s national pride, meaning Iran will not have to publicly admit to these activities. Today, the IAEA cannot get access to information Iran agreed to share pursuant to a 2013 agreement. By not requiring Iran to explicitly disclose their previous weaponization efforts on the front end of any final agreement, we will likely never know, in a timely fashion, the full extent of Iranian capabilities.

I understand the dynamics that can develop when a group believes they are close to a deal and how your aides may view this as a major legacy accomplishment. However, as you know, the stakes here are incredibly high and the security implications of these negotiations are difficult to overstate. As your team continues their work, if Iran tries to cross these few remaining red lines, I would urge you to please pause and consider rethinking the entire approach. Walking away from a bad deal at this point would take courage, but it would be the best thing for the United States, the region and the world.

One hopes that Corker’s colleagues are paying attention and that they are ready to prevent a catastrophic deal.