A Look Back at the Last Decade

Sadly, many domestic and world events have affected our daily lives, while other events have carried into this new decade. This is hardly a complete look back, and readers are encouraged to leave comments with additional major events of the last decade. Congratulations on surviving and prevailing through the last decade.


2010: The Arab Spring

Deepwater Horizon Oil Spill

Apple introduces first iPad

President Obama signed the Affordable Care Act into law

7.0 Earthquake Strikes Haiti

Instagram Debuts


2011: Abbottabad Raid Killing Osama bin Laden

8.9 Earthquake Hits Japan

Prince William Marries Catherine Middleton

Casey Anthony Acquitted of Killing her Daughter

Syrian Civil War Began

2012: Baumgartner’s Stratosphere Jump

Benghazi attack

Super Hurricane Sandy

Aurora, Colorado Theater Shooting

Sandy Hook Elementary School Shooting

2013: IRS Targeting

Boston Marathon Bombing

Edward Snowden NSA leaks

Pope Benedict Resignation, First Ever

Black Lives Matter Activist Movement Originates

Failed Government Launch of Healthcare.gov


2014: Malaysia Flight #370 Goes Missing

Actor Robin Williams Dies by Suicide

Bowe Bergdahl Taliban Prisoner Swap

Ebola Virus Outbreak

Boko Haram Kidnaps 200 Schoolgirls

Uber Launches Rideshare

Obama Normalizes Relations with Cuba

Islamic State (ISIL-ISIS) Battle Begins in Mosul


2015: San Bernardino Terror Attack

Pope Francis Speech to Joint Session of Congress

Hillary Clinton Email Scandal

Charlie Hebdo Terror Attack

Paris Stade de France Bombing

Bataclan Terror Attack

Syrian European Refugee Crisis

2016: Rio Olympic Games, Ryan Lochte scandal

U.S. Supreme Court Legalizes Gay Marriage

Singer Prince Found Dead from Fentanyl Overdose

Colin Kaepernick Began Kneeling Protest

Brexit Vote for Withdrawal of the United Kingdom from the European Union

Russia Hacks U.S.; Obama Expels Russian Diplomats and Spies

2017: Rare Coast to Coast Full Solar Eclipse

#MeToo Movement Begins

Las Vegas Mandalay Bay Hotel Shooting Killing 58 Wounding 413

Ariana Grande Manchester Bombing

Robert Mueller Named Special Counsel to Investigate Donald Trump and Russian Collusion

Hurricane Harvey, Category 4 Hits Leaving $125 Billion in Damage

Hurricane Irma, Category 5

Hurricane Maria, Category 5

President Trump Launches #FakeNews

ANTIFA Launches National Activist Operations


2018: Thailand Soccer Team Rescued from Cave

North Korea Agrees with Trump to Denuclearize

Cambridge Analytica-Facebook Scandal

Christine Blasey Ford v. Brett Kavanaugh (Supreme Court Nominee)

Prince Harry Marries American Meghan Markle

Stoneman Douglas High School Shooting, Killing 17


2019: Robert Mueller Special Counsel Investigation Ends

U.S. House of Representatives Votes on Two Articles of Impeachment of President Trump

Trump Installs Sweeping Immigration Enforcement Measures

U.S.-China Trade Pact Finalizes First Agreement

Boeing Jets Grounded

Hong Kong Freedom Fighters Protest China for Freedom

Locked Shields Versus Iran

Since the deaths of several Iranian warlords, including Qassim Soleimani, the United States has dispatched more military personnel to the Middle East. The Patriot missile batteries scattered in the region, including in Bahrain, are now at the ready. Little is being discussed, however, about cyber operations originating inside Iran as a means of retribution against the United States. Iran does have cyber warfare capabilities and does use them.

It has been noted in recent days that President Trump has been quite measured in responding to Iran’s various attacks, including the strikes on Saudi oil fields, the attacks on oil tankers and the shooting down of a drone operated by the United States. In fact, the United States did respond directly after the downing of our drone with an effective cyber-attack against Iran’s weapons systems, targeting the controls of its missile systems.

Read details of APT33 phishing from Security Affairs.

Iran has an estimated 100,000 volunteer cyber-trained operatives, a force that has been expanding for the last ten years, led by the Basij, a paramilitary network. The cyber unit known for controlling the Iranian missile launchers, Sepehr 110, is a major target of the United States and Israel. Iran also mobilizes cyber criminals and proxy networks, including another group known as OilRig.

In 2018, the United States charged 9 Iranians (Mabna Hackers) for conducting massive cyber theft, wire fraud and identity theft that affected hundreds of universities, companies and other proprietary entities.

Because Iran’s cyber threat is increasingly global, and Iran is known to collaborate with North Korea, China and Russia, NATO has been quite aggressive in cyber defense operations via the Cooperative Cyber Defence Centre of Excellence and its Locked Shields exercise.

Not to be lost in the cyber threat conditions, Iran also uses its cyber team to blast out propaganda on social media platforms. If this sounds familiar, it is: the Russian propaganda operations manual is also being used by Iran. The bots and trolls are at work in Europe to keep France, Britain and Germany committed to the Iranian nuclear deal and to maintain trade and diplomatic relations with Iran. Fake Iranian and Russian accounts are still all over Twitter and Facebook today, and Europe is slow to respond, if it responds at all.

Meet APT33, the name the West uses for the Iranian hacking crew(s); another name for the group is Elfin. APT33 is not only hacking but also performing cyber-espionage. Many organizations outside government research and decode Iran’s cyber operations and cooperate with U.S. government cyber operations located across the globe, which in turn cooperate with NATO.

Recorded Future is one such non-government, proactive cyber operation working on Iran. Its work includes attributing cyber attacks by Iran against Saudi Arabia and the West by decoding phishing campaigns, relationships, malware, webshells and security breaches.

Recently published results include, in part:

Nasr Institute and Kavosh Redux

In our previous report, “Iran’s Hacker Hierarchy Exposed,” we concluded that the exposure of one APT33 contractor, the Nasr Institute, by FireEye in 2017, along with our intelligence on the composition and motivations of the Iranian hacker community, pointed to a tiered structure within Iran’s state-sponsored offensive cyber program. We assessed that many Iranian state-sponsored operations were directed by the Iranian Revolutionary Guard Corps (IRGC) or the Ministry of Intelligence and Security (MOIS).

According to a sensitive Insikt Group source who provided information for previous research, these organizations employed a mid-level tier of ideologically aligned task managers responsible for the compartmentalized tasking of over 50 contracting organizations, who conducted activities such as vulnerability research, exploit development, reconnaissance, and the conducting of network intrusions or attacks. Each of these discrete components, in developing an offensive cyber capability, was purposefully assigned to different contracting groups to protect the integrity of overarching operations and to ensure the IRGC and/or MOIS retained control of operations and mitigated the risk from rogue hackers. Read more here, in detail, from a summary published 6 months ago.

Lebanon Has Fallen, Anyone Care?

Lebanon was once known as the ‘Switzerland of the East’ because, after the Lebanese Civil War, the country enjoyed calm and prosperity, excelling in tourism, commerce, agriculture and banking. Lebanon was a major center of Christianity under Roman Empire rule.


Today, Christians in Lebanon are called Maronites. Christians, Muslims and Druze, including some Greek Orthodox, make up separate enclaves that co-exist. 40% of the country is Christian, 55% is Muslim and the rest is Druze or Greek Orthodox.


Since the war against Israel in 1948, Lebanon has hosted an estimated 500,000 Palestinians who fled the military conflict.

In 2000, Israel withdrew from Southern Lebanon, and the Syrian military occupied the country. In 2005, the former Prime Minister was assassinated by a car bomb. This triggered the Cedar Revolution, which demanded that Syria withdraw its troops, a withdrawal completed by mid-2005. Yet in 2006, Hezbollah launched a series of rocket attacks into Israel from Lebanon, and Israel responded in earnest.

In 2008, the Lebanese government declared Hezbollah illegal in the country; this was treated as an attempted coup, and the Doha Agreement was later signed, under which the Lebanese government was forced to cave to all opposition demands.

Sectarian violence continues, and opposing factions have caused more political unrest, while being forced to accept 1.5 million Syrian refugees has added to the debt and increased taxes.

The government of Lebanon is essentially ruled by Hezbollah, which is fully backed by Iran. Many within the political system, as well as the religious factions, are demanding an end to the sectarian system that Hezbollah relies on to leverage power. This chaos demands tactical decisions by the United States, the Arab leaders, Israel, Europe and the United Nations. There is no leader; al-Hariri resigned.


Today: The newspaper al-Joumhuria cited Berri, an ally of the Shi’ite group Hezbollah, as telling visitors that efforts to form a new government were “completely frozen” and awaiting developments at any moment.

Struggling with a massive public debt and economic stagnation, Lebanon has sunk into major political trouble since protests erupted against its ruling elite a month ago, leading Prime Minister Saad al-Hariri to quit on Oct. 29.

On Sunday, banks, which have mostly been closed since the protests began, announced temporary measures including a weekly cap of $1,000 on cash withdrawals and restricting transfers abroad to cover urgent personal spending only. Efforts to form a new government, needed to enact urgent reforms, hit a setback at the weekend when former finance minister Mohammad Safadi withdrew his candidacy for the post of prime minister, sparking bitter recriminations.

Berri said he still hoped Hariri would agree to form a new cabinet, al-Joumhuria reported.

“The country is like a ship that is sinking little by little,” the paper quoted him as saying. “If we don’t take the necessary steps, it will sink entirely.”

Trump’s Reelection Operation Targeted by Cyber Attacks

Hey Hillary, it is not Russia, but they are out there for sure. This time the most notable attributions are pointing to Iran.

When the Pentagon recently awarded Microsoft a $10 billion contract to transform and host the US military’s cloud computing systems, the mountain of money came with an implicit challenge: Can Microsoft keep the Pentagon’s systems secure against some of the most well-resourced, persistent, and sophisticated hackers on earth?

“They’re under assault every hour of the day,” says James Lewis, vice president at the Center for Strategic and International Studies. 

Microsoft’s latest win over cloud rival Amazon for the ultra-lucrative military contract means that an intelligence-gathering apparatus among the most important in the world is based in the woods outside Seattle. These kinds of national security responsibilities once sat almost exclusively in Washington, DC. Now in this corner of Washington state, dozens of engineers and intelligence analysts are dedicated to watching and stopping the government-sponsored hackers proliferating around the world.

Members of the so-called MSTIC (Microsoft Threat Intelligence Center) team are threat-focused: one group is responsible for Russian hackers code-named Strontium, another watches North Korean hackers code-named Zinc, and yet another tracks Iranian hackers code-named Holmium. MSTIC tracks over 70 code-named government-sponsored threat groups and many more that are unnamed.


What are the superpowers of Microsoft?

“Microsoft sees stuff that just nobody else does,” says Williams, who founded the cybersecurity firm Rendition Infosec. “We routinely find stuff, for instance, like flags for malicious IPs in Office 365 that Microsoft flags, but we don’t see it anywhere else for months.”

Connect the dots

Cyber threat intelligence is the discipline of tracking adversaries, following bread crumbs, and producing intelligence you can use to help your team and make the other side’s life harder. To achieve that, the five-year-old MSTIC team includes former spies and government intelligence operators whose experience at places like Fort Meade, home to the National Security Agency and US Cyber Command, translates immediately to their roles at Microsoft. 

MSTIC names dozens of threats, but the geopolitics are complicated: China and the United States, two of the most significant players in cyberspace and the two biggest economies on earth, are virtually never called out the way countries like Iran, Russia, and North Korea frequently are. 

“Our team uses the data, connects the dots, tells the story, tracks the actor and their behaviors,” says Jeremy Dallman, a director of strategic programs and partnerships at MSTIC. “They’re hunting the actors—where they’re moving, what they’re planning next, who they are targeting—and getting ahead of that.”

Microsoft, like other tech giants including Google and Facebook, regularly notifies people targeted by government hackers, which gives the targets the chance to defend themselves. In the last year, MSTIC has notified around 10,000 Microsoft customers that they’re being targeted by government hackers. 

New targets

Beginning in August, MSTIC spotted what’s known as a password spraying campaign. Hackers took around 2,700 educated guesses at passwords for accounts associated with an American presidential campaign, government officials, journalists, and high-profile Iranians living outside Iran. Four accounts were compromised in this attack.
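The spray described above has a recognisable shape in sign-in logs: a handful of guesses per account spread across many accounts from the same source, which is the opposite of a classic brute force that hammers one account. The detector below is an added example, not Microsoft's or MSTIC's code. The log line format, the field names, the thresholds (at least 10 distinct accounts failing from one source within 30 minutes, no more than 3 failures per account) and the sample events are all constructed for illustration; real thresholds should be tuned to a tenant's baseline.

```python
"""Password-spray detection over constructed sign-in log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Source 203.0.113.7 tries one or two
# passwords against twelve different accounts and eventually succeeds on one;
# 198.51.100.9 brute-forces a single account; 192.0.2.5 is a user mistyping once.
SAMPLE_LINES = (
    [f"2019-08-14T09:{i:02d}:00Z user=user{i:02d}@campaign.example src=203.0.113.7 result=fail"
     for i in range(12)]
    + [f"2019-08-14T09:12:00Z user=user{i:02d}@campaign.example src=203.0.113.7 result=fail"
       for i in range(12)]
    + ["2019-08-14T09:13:00Z user=user05@campaign.example src=203.0.113.7 result=success"]
    + [f"2019-08-14T09:{i:02d}:30Z user=alice@campaign.example src=198.51.100.9 result=fail"
       for i in range(20)]
    + ["2019-08-14T09:05:10Z user=bob@campaign.example src=192.0.2.5 result=fail"]
)


def parse_event(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": kv["user"],
        "src": kv["src"],
        "ok": kv["result"] == "success",
    }


def detect_password_spray(lines, window=timedelta(minutes=30), min_users=10, per_user_cap=3):
    """Return one alert per source that fails against many accounts with few tries each.

    A source is a spray candidate when, inside a sliding time window, it has failed
    against at least `min_users` distinct accounts and no single account has more
    than `per_user_cap` failures (more than that looks like brute force instead).
    Any later success from a flagged source is recorded as a likely compromise.
    """
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)  # src -> [(ts, user), ...] failures in time order
    alerts = {}
    for ev in events:
        src = ev["src"]
        if ev["ok"]:
            if src in alerts:  # success after spraying: triage this account first
                alerts[src]["compromised"].add(ev["user"])
            continue
        bucket = failures[src]
        bucket.append((ev["ts"], ev["user"]))
        cutoff = ev["ts"] - window
        while bucket and bucket[0][0] < cutoff:  # expire failures outside the window
            bucket.pop(0)
        per_user = defaultdict(int)
        for _, user in bucket:
            per_user[user] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= per_user_cap:
            alert = alerts.setdefault(src, {
                "src": src,
                "first_seen": bucket[0][0],
                "distinct_users": 0,
                "attempts": 0,
                "compromised": set(),
            })
            alert["distinct_users"] = len(per_user)
            alert["attempts"] = len(bucket)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LINES):
        print(f"spray from {alert['src']}: {alert['attempts']} failures across "
              f"{alert['distinct_users']} accounts since {alert['first_seen']:%H:%M}; "
              f"compromised: {sorted(alert['compromised']) or 'none'}")
```

Run as-is, it flags only 203.0.113.7 (24 failures across 12 accounts, user05 compromised); the brute-force source and the single mistyped password are not reported. A per-source rule like this is the simplest form of the check and is evaded when a spray is spread over many addresses, which is why production detectors also key on tenant-wide failure rates, user-agent strings and ASN, and why the account recovery and MFA-code phishing steps that follow a successful spray need their own monitoring.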

“Once we understand their infrastructure—we have an IP address we know is theirs that they use for malicious purposes—we can start looking at DNS records, domains created, platform traffic,” Dallman says. “When they turn around and start using that infrastructure in this kind of attack, we see it because we’re already tracking that as a known indicator of that actor’s behavior.” 

After doing considerable reconnaissance work, Phosphorus tried to exploit the account recovery process by using targets’ real phone numbers. MSTIC has spotted Phosphorus and other government-sponsored hackers, including Russia’s Fancy Bear, repeatedly using that tactic to try to phish two-factor authentication codes for high-value targets.

What raised Microsoft’s alarm above normal on this occasion was that Phosphorus varied its standard operating procedure of going after NGOs and sanctions organizations. The cross-hairs shifted, the tactics changed, and the scope grew.

Microsoft’s sleuthing ultimately pointed the finger at Iranian hackers for targeting presidential campaigns including, Reuters reported, Donald Trump’s 2020 reelection operation.

One consequence of the 2016 US election is a rise in the sheer number of players fighting to hack political parties, campaigns, and think tanks, not to mention government itself. Election-related hacking has typically been the province of the “big four”—Russia, China, Iran, and North Korea. But it’s spreading to other countries, although the Microsoft researchers declined to specify what they’ve seen.

“What is different is that you’re getting additional countries joining the fray that weren’t necessarily there before,” says Jason Norton, a principal project manager on MSTIC. “The big two [Russia and China]—now, we can say they’ve been historically going after this since well before the 2016 election. But now you’re getting to see additional countries do that—poking and prodding the soft underbelly in order to know the right pieces to have an influence or impact in the future.” 

“The field is getting crowded,” Dallman agrees. “Actors are learning from each other. As they learn tactics from the more prominent names, they turn that around and use them.” 

The upcoming election is different, too, in that no one is surprised to see this malicious activity. Leading into 2016, Russian cyber activity was greeted with a collective dumbfounded naïveté, contributing to paralysis and an unsure response. Not this time.

“You saw them in 2016, you saw what they did in Germany, you saw them in the French elections—all following the same MO. The 2018 midterms, too—to a lesser degree, but we still saw some of the same MO, the same actors, the same timing, the same techniques. Now we know, going into 2020, that this is the MO we’re looking for. And now we’ve started to see other countries come out and start doing other tactics.”

In 2016, it was CrowdStrike that first investigated and pointed the finger at Russian activity aiming to interfere with the American election. The US law enforcement and intelligence community later confirmed the company’s findings and eventually, after Robert Mueller’s investigation, indicted Russian hackers and detailed Moscow’s campaign.

MIT Technology Review visited Microsoft; the full summary is here.

Iran’s Underground Enrichment Facility

Under the Iran deal, Iran agreed to redesign, convert and limit its nuclear facilities.

Particular focus was put on Iran’s uranium-enrichment capabilities, placing serious limitations on the uranium-enrichment facilities in Iran, Natanz and Fordow. Among other provisions, Iran also agreed to allow inspection of all its nuclear facilities, and IAEA inspectors are able to request visits to military sites. However, this does not guarantee them access to military sites.

Fordow is Iran’s second fuel enrichment facility, buried under a mountain in the Great Salt Desert near the holy city of Qom. Before the Iran deal, the bunker was filled with 2,710 centrifuges that could enrich uranium to weapons-grade material.

Under the nuclear agreement, Iran agreed to stop any uranium enrichment and uranium enrichment R&D at Fordow and turn the plant into a nuclear physics and technology center that will produce radioisotopes for use in medicine, agriculture, industry and science.

Reported in part by Free Beacon:

U.S. State Department officials described Iran’s blocking of an international nuclear inspector from accessing key nuclear sites last week as an “outrageous and unwarranted act of intimidation” amid growing concerns Iran is hiding undeclared nuclear materials.

The administration suspects that Iran is trying to prevent international inspectors from confirming its work with prohibited nuclear materials.

“The United States is deeply concerned about the two issues the IAEA acting director general described in today’s special session of the IAEA Board of Directors,” the official said. “First, that the IAEA has detected evidence of potential undeclared nuclear material in Iran, and second, the detention of an IAEA inspector. Along with Iran’s expansion of proliferation-sensitive nuclear activity, this pattern of deception and intimidation is unacceptable. All nations should be concerned that Iran is not fully cooperating with the IAEA and should demand Iran immediately redress these serious problems.”

The diplomatic escalation comes as Iran breaches limits on the amount of enriched uranium it produces and the enrichment methods it uses. It escalated installations of advanced centrifuges in the past week and has vowed to continue doing so.

Nuclear experts told the Free Beacon that Iran’s behavior raises multiple questions and concerns about the nature of its ongoing work.

“Assuming the IAEA version of events is correct and she did not have explosive contamination on her person, then Iran may be testing what the reaction is to denying inspectors access to safeguarded sites,” David Albright, a former weapons inspector and president of the Institute for Science and International Security, told the Free Beacon.

“How long does it take for this episode to be reported to the board and media?” he asked. “Does the IAEA send a replacement quickly? How many countries and which ones believe the Iranian rationale? Is there outrage or are there divisions that delay a coordinated response?”

Andrea Stricker, a nonproliferation analyst and research fellow at the Foundation for Defense of Democracies, described Iran’s actions as “highly provocative.”

It “gives the impression that Iran could be considering curtailing inspection authorities as a future step to draw down its JCPOA commitments,” Stricker said. “It’s a hostile sign for sure.”