U.S. is on the Offensive, Espionage and Cyber

In the last few weeks, there was the Aspen Security Forum, a 3 day event. Then there was a DNI report. Then came 2 separate nationwide conference calls hosted by CERT, the cyber division of DHS.

A remarkable White House press briefing included the heads of intelligence agencies explaining the condition of cyber/espionage and the countermeasures against Russia.

Then there is the military side, a division frankly not well known, the Defense Security Services.

 

See the whole 2 page release here.

 

 

 

 

 

 

 

 

 

 

And there is more:

FBI Releases Article on Securing the Internet of Things

The Federal Bureau of Investigation (FBI) has released an article on the risks associated with internet-connected devices, commonly referred to as the Internet of Things (IoT). FBI warns that cyber threat actors can use unsecured IoT devices as proxies to anonymously pursue malicious cyber activities.

As our reliance on IoT becomes an important part of everyday life, being aware of the associated risks is a key part of keeping your information and devices secure. NCCIC encourages users and administrators to review the FBI article for more information and refer to the NCCIC Tip Securing the Internet of Things.

*** IOT?

The internet of things, at its simplest level, is a network of smart devices – from refrigerators that warn you when you’re out of milk to industrial sensors – that are connected to the internet so they can share data, but IoT is far from a simple challenge for IT departments.

Related reading: Five IoT Predictions For 2019

For many companies, it represents a vast influx of new devices, many of which are difficult to secure and manage. It’s comparable to the advent of BYOD, except the new gizmos are potentially more difficult to secure, aren’t all running one of three or four basic operating systems, and there are already more of them.

A lot more, in fact – IDC research says that there are around 13 billion connected devices in use worldwide already, and that that number could expand to 30 billion within the next three years. (There were less than 4 billion smartphone subscriptions active around the world in Ericsson’s most recent Mobility Report.)

With a huge number of companies “doing IoT” – most big-name tech companies, including Google, Microsoft, Apple, Cisco, Intel, and IBM have various types of IoT play – all working to bring as many users as possible into their respective ecosystems, motivation to make sure IoT systems and devices from different companies all work with each other is sometimes lacking.

Internet of Things photo

The problem, of course, is that nobody’s willing to give up on the idea of their own ecosystem becoming a widely accepted standard – think of the benefits to the company whose system wins out! – and so the biggest players in the space focus on their own systems and development of more open technologies lags behind. More here.

Hey Jim Acosta, this Could be Why Media is an Enemy

Traveling over the CNN’s Jim Acosta’s Twitter account, this is his pinned tweet:

Then yesterday, he re-tweeted this:

And he retweeted this:

At the White House press briefing, Sarah Sanders called on @Acosta and he asked Sarah if she or the Trump White House would denounce that the media is an enemy of the people. She did not denounce that but went on to describe the media and progressive abuse the Trump administration endures, listing many nasty encounters.

What did @Acosta do?

He tweeted again:

As a conservative radio host, I watched that WH exchange between them and sent a tweet to @Acosta inviting him to an interview with me. ……crickets….

But there is more. It goes beyond CNN actually. Media and the left are simply branding all things law enforcement as racists including those in government, Republican voters and even some at Fox News. So we are in a posture war here that is undeniable. So….no sooner was all that over, here comes the New York Times.

***

Meet Sarah Jeong. She’s the newest member of the New York Times editorial board. She also has a history of saying pretty vile, racist things on Twitter.

Saved tweets from Sarah Jeong, the newest member of the New York Times editorial board. (source: Twitter)

Heck, just read more here, if you can stomach the vile branding of her and where the NYT’s is going in the future.

Night Wolves, Putin’s Hells Angels

The Slovak foreign ministry says it is “disturbing” that the Night Wolves – a Russian nationalist biker gang close to President Vladimir Putin – now have a base in Slovakia.

The base has old military vehicles and lies in Dolna Krupa, a village 70km (44 miles) from the capital Bratislava.

The Russian government calls it the Night Wolves’ “European headquarters”.

The bikers are under US sanctions, accused of providing military help for the pro-Russian rebels in Ukraine.

Russian Nationalist biker gang Night Wolves set up base in ...  story/photo

 

So close in fact, Putin rode with them and endorses the group.

Earlier this year, the Night Wolves did a 9 day tour. Bosnia? Yes.  Members of the Night Wolves motorcycle gang visiting a monastery in Serbia. The gang’s tour, funded with a grant from the Kremlin, was billed as a “pilgrimage” meant to showcase the shared Orthodox faith of Russia and the region.CreditLaura Boushnak for The New York Times

Heck, the rode through the Balkins.

The Night Wolves billed their tour, funded with a $41,000 grant from the Kremlin, as a “pilgrimage” meant to showcase the shared Orthodox faith of Russia and the region, at least the bits of it inhabited by ethnic Serbs like Republika Srpska, which is legally part of Bosnia and Herzegovina.

***

Performances organized by the Russian hyper-patriotic biker club Night Wolves stand as prime examples of the Kremlin’s new take on old propaganda efforts. Their spectacles tend to display the full gamut of the Kremlin’s imagery and messaging, from the evil of the United States and Ukrainians to the glorification of the Russian Orthodox Church and the Russian military.

An analysis of Night Wolves spectacles reveals how the Kremlin’s agent provocateurs make use of the fuzzy lines between patriotism, pro-Putinism, Russian Orthodoxy, civic/national duty, and militarism. The purposes of these anti-American scripts are many, not least of which is to garner psychological and physical support for the motherland one way or the other, especially during the Euromaidan era, but also to create a sense of Russian identity, which has been vacuous since the early 1990s. The alarming aspect is that these types of fantastical attractions can transform patriotic attendees into actual networks of gun-toting Russian combatants, which may be part of the government’s objective. Read more here, chilling operation concocted by the Kremlin.

Rock videos supporting the Night Wolves? Yes, glad you asked.

 

Did they have some role in Crimea and Ukraine? Yup. In 2014:

As night fell on Friday , there were signs that the Ukrainian peninsula of Crimea was slipping beyond Kiev’s reach. The parliament remained under siege by pro-Russian protesters, armed men of unknown allegiance were guarding the airports and the Night Wolves, a biker gang with close ties to the Kremlin, blockaded the roads.

Three hundred men in military uniforms with no identifying insignia had entered the Sevastopol airport compound on Thursday night, witnesses said, in what Ukraine’s new interior minister, Arsen Avakov, described as a “military invasion and occupation”.

***

In 2014, the U.S. Treasury added the Night Wolves to the sanctions list due to Crimea and in violation of the Minsk Agreement.

The Night Wolves biker group had its members serve in the Crimean self-defense forces as early as February 2014, which supported local Crimeans against the Government of Ukraine. In March 2014, the Night Wolves conducted intimidation and criminal activities within Ukraine and also abducted and subsequently assaulted a Ukrainian Border Guard official. This biker group also participated in the storming of the gas distribution station in Strikolkove and the storming of the Ukrainian Naval Forces Headquarters in Sevastopol. In early-April 2014, the Night Wolves helped smuggle a former senior Ukrainian official out of Ukraine and also helped obtain Russian passports for another larger group of senior Ukrainian officials that they helped get into Russia. The Night Wolves have been closely connected to the Russian special services, have helped to recruit separatist fighters for Donetsk and Luhansk, Ukraine, and were deployed to the cities of Luhansk and Kharkiv. The Night Wolves group is being designated because it is an entity that is responsible for or complicit in, or has engaged in, directly or indirectly, actions or policies that threaten the peace, security, stability, sovereignty, or territorial integrity of Ukraine.

Aleksandr Zaldostanov, also known as “the Surgeon,” is the leader of the Night Wolves. Zaldostanov chairs the overall Night Wolves organization, and some of his responsibilities include the punishing of chapter groups and members for disloyalty to the Night Wolves organization. During the late-March storming of the Ukrainian Naval Forces Headquarters in Sevastopol, he coordinated the confiscation of Ukrainian weapons with the Russian forces. Zaldostanov is being designated for being a leader of a group, the Night Wolves, that is engaging in, directly or indirectly, actions or policies that threaten the peace, security, stability, sovereignty, or territorial integrity of Ukraine.

 

 

Eligible Receiver 97, Red Team Being Applied Today for Cyber Hacks?

An early classified Defense Department cybersecurity exercise named “Eligible Receiver 97” (ER97) featured a previously unpublicized series of mock terror attacks, hostage seizures, and special operations raids that went well beyond pure cyber activities in order to demonstrate the potential scope of threats to U.S. national security posed by attacks in the cyber domain, according to recently declassified documents and a National Security Agency (NSA) video posted today by the nongovernmental National Security Archive at The George Washington University.

“Joint Exercise Eligible Receiver 97”, run during the Clinton presidency, is frequently pointed to as a critical event in the United States’ appreciation of threats in cyber space. The exercise led directly to the formation of what would eventually become United States Cyber Command (USCYBERCOM) and informed key studies such as the formative Marsh Report on critical infrastructure protection. Despite the significance of ER97, however, very little is publicly known about the exercise itself.

ER97 involved an NSA Red Team playing the role of North Korean, Iranian and Cuban hostile forces whose putative aim was to attack critical infrastructure as well as military command-and-control capabilities to pressure the U.S. government into changing its policies toward those states. An interagency Blue Team was required to provide recommendations to personnel enacting defensive responses. Until now, only two phases out of three (infrastructure and command-and-control) had been publicly known.  The video and documents posted today provide new details about the third phase involving kinetic attacks in the physical domain – i.e. more traditional terrorist assaults on civilian targets – which were built upon intelligence gathered through the Red Team’s successes. Read more here on the declassified files.

*** With all the cyber terror going on today in the United States, are we doing more ‘red team’ exercises? Perhaps some of those tactics are paying off many years later.

3 Carbanak (FIN7) Hackers Charged With Stealing 15 Million ...

Three Members of Notorious International Cybercrime Group “Fin7” in Custody for Role in Attacking Over 100 U.S. Companies

Victim Companies in 47 U.S. States; Used Front Company ‘Combi Security’ to Recruit Hackers to Criminal Enterprise

          SEATTLE – Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced U.S. Attorney Annette L. Hayes, Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division and Special Agent in Charge Jay S. Tabb Jr. of the FBI’s Seattle Field Office.

According to three federal indictments unsealed today, Ukrainian nationals Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, are members of a prolific hacking group widely known as FIN7 (also referred to as the Carbanak Group and the Navigator Group, among other names).  Since at least 2015, FIN7 members engaged in a highly sophisticated malware campaign to attack more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries.  As set forth in the indictments, FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers which were used or sold for profit.

In the United States alone, FIN7 successfully breached the computer networks of businesses in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.  Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France.  Companies that have publicly disclosed hacks attributable to FIN7 include such familiar chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.  Additionally here in Western Washington FIN7 targeted the Emerald Queen Casino (EQC) and other local businesses.  The Emerald Queen Casino was able to stop the intrusion and no customer data was stolen.

“Protecting consumers and companies who use the internet to conduct business – both large chains and small ‘mom and pop’ stores — is a top priority for all of us in the Department of Justice,” said U.S. Attorney Annette L. Hayes.  “Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong.  We will continue our longstanding work with partners around the world to ensure cyber criminals are identified and held to account for the harm that they do – both to our pocketbooks and our ability to rely on the cyber networks we use.”

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski.  “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”

“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said Special Agent in Charge Jay S. Tabb Jr., of the FBI’s Seattle Field Office.  “As the lead federal agency for cyber-attack investigations, the FBI will continue to work with its law enforcement partners worldwide to pursue the members of this devious group, and hold them accountable for stealing from American businesses and individuals.”

Each of the three FIN7 conspirators is charged with 26 felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

In January 2018, at the request of U.S. officials, foreign authorities separately arrested Ukrainian Fedir Hladyr and a second FIN7 member, Dmytro Fedorov.  Hladyr was arrested in Dresden, Germany, and is currently detained in Seattle pending trial.  Hladyr allegedly served as FIN7’s systems administrator who, among other things, maintained servers and communication channels used by the organization and held a managerial role by delegating tasks and by providing instruction to other members of the scheme.  Hladyr’s trial is currently scheduled for October 22, 2018.

Fedorov, a high-level hacker and manager who allegedly supervised other hackers tasked with breaching the security of victims’ computer systems, was arrested in Bielsko-Biala, Poland.  Fedorov remains detained in Poland pending his extradition to the United States.

In late June 2018, foreign authorities arrested a third FIN7 member, Ukrainian Andrii Kolpakov in Lepe, Spain.  Kolpakov, also is alleged to be a supervisor of a group of hackers, remains detained in Spain pending the United States’ request for extradition.

According to the indictments, FIN7, through its dozens of members, launched numerous waves of malicious cyberattacks on numerous businesses operating in the United States and abroad.  FIN7 carefully crafted email messages that would appear legitimate to a business’ employee, and accompanied emails with telephone calls intended to further legitimize the email. Once an attached file was opened and activated, FIN7 would use an adapted version of the notorious Carbanak malware in addition to an arsenal of other tools to ultimately access and steal payment card data for the business’ customers. Since 2015, many of the stolen payment card numbers have been offered for sale through online underground marketplaces. (Supplemental document “How FIN7 Attacked and Stole Data” explains the scheme in greater detail.)

FIN7 used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise.  Combi Security’s website indicated that it provided a number of security services such as penetration testing.  Ironically, the sham company’s website listed multiple U.S. victims among its purported clients.

 

The charges in the indictments are merely allegations, and the defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

The indictments are the result of an investigation conducted by the Seattle Cyber Task Force of the FBI and the U.S. Attorney’s Office for the Western District of Washington, with the assistance of the Justice Department’s Computer Crime and Intellectual Property Section and Office of International Affairs, the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, FBI offices across the nation and globe, as well as numerous international agencies. Arrests overseas were executed in Poland by the “Shadow Hunters” from CBŚP (Polish Central Bureau of Investigation); in Germany by LKA Sachsen – Dezernat 33, (German State Criminal Police Office) and the Polizeidirektion Dresden (Dresden Police); and in Spain by the Grupo de Seguridad Logica within the Unidad de Investigación Technologica of the Cuerpo Nacional de Policía (Spanish National Police).

This case is being prosecuted by Assistant U.S. Attorneys Francis Franze-Nakamura and Steven Masada of the Western District of Washington, and Trial Attorney Anthony Teelucksingh of the Justice Department’s Computer Crime and Intellectual Property Section.

how_fin7_attacked_and_stole_data.pdf

Fugitive Extradited in Border Patrol Agent Brian Terry Murder

border.jpg Heraclio Osorio-Arellanes, left, and Border Agent Brian Terry FBI/ATF

SAN DIEGO, CA – Heraclio Osorio-Arellanes, who is charged with the first-degree murder of U.nited S.tates Border Patrol Agent Brian Terry, was extradited from Mexico to the United States today, announced Attorney General Jeff Sessions and Southern District of California U.S. Attorney Adam Braverman for the Southern District of California.  He will be arraigned in U.nited S.tates District Court in, Tucson, Arizona, Wednesday tomorrow afternoon.  Osorio-Arellanes has been in custody awaiting extradition since his arrest by Mexican authorities on April 12, 2017.

Agent Terry was fatally shot on Dec.ember 14, 2010, when he and other U.S. Border Patrol agents encountered Osorio-Arellanes and four other members of a “rip crew” (a criminal gang that attempts to steal from drug and alien smugglers) operating in a rural area north of Nogales, Arizona.  Of the six defendants charged along with Osorio-Arellanes in the case, three have pleaded guilty, two were convicted following a jury trial, and one other defendant – Jesus Rosario Favela Astorga (arrested by Mexican authorities in October, 2017) – has not yet been tried. is pending extradition to the United States.

“The Department of Justice is pleased that the suspected killer of Border Patrol Agent Brian Terry has been successfully extradited to the United States and will now face justice for this terrible crime,” said Attorney General Jeff Sessions. “We are grateful for the efforts of the Federal Bureau of Investigation, U.S. Marshals Service and U.S. Customs and Border Protection as well as our law enforcement partners in Mexico. To anyone who would take the life of an American citizen, in particular an American law enforcement officer, this action sends a clear message: Working closely with our international partners, we will hunt you down, we will find you, and we will bring you to justice.”

“The arrest and extradition of Osorio-Arellanes reflects the steadfast commitment and tireless work of the United States and our law enforcement partners in Mexico, who shared the common goal of seeking justice for the murder of Agent Brian Terry,” said U.nited S.tates Attorney Adam Braverman.  “When an agent makes the ultimate sacrifice while serving his country, we must hold all the individuals who played a part in this tragic outcome accountable for their actions.  This extradition moves that important goal forward.”

The indictment charges the defendants with first-degree murder, second-degree murder, conspiracy to interfere with commerce by robbery, attempted interference with commerce by robbery, use and carrying a firearm during a crime of violence and assault on a federal officer.  In addition to the murder of Agent Terry, the indictment alleges that the defendants assaulted U.S. Border Patrol Agents William Castano, Gabriel Fragoza and Timothy Keller, who were with Agent Terry during the firefight with the “rip crew.”

This case is being prosecuted in federal court in Tucson by attorneys from the Southern District of California, Special Attorneys Todd W. Robinson and David D. Leshner.  The U.S. Attorney’s Office for the District of Arizona is recused.  The case is being investigated by the FBI.  The Government of Mexico assisted in the apprehension and extradition.  The Justice Department’s Office of International Affairs provided assistance with the extradition of defendant Osorio-Arellanes.

The public is reminded that an indictment is a formal charging document and defendants are presumed innocent until the government meets its burden in court of proving guilt beyond a reasonable doubt.

DEFENDANT                                                                        Case No. 11-CR-00150-TUC-DCB (BPV)     

Heraclio Osorio-Arellanes

AGENCIES

Federal Bureau of Investigation

U.S. Customs and Border Protection

United States Border Patrol

DOJ Office of International Affairs         

***

 Federal authorities said Tuesday that Heraclio Osorio-Arellanes will be arraigned in U.S. District Court in Tucson on Wednesday.               

 Osorio-Arellanes had been in custody awaiting extradition since being arrested by Mexican authorities on April 12, 2017. Osorio-Arellanes is charged in the death of Border Patrol Agent Brian Terry, who was shot and killed Dec. 14, 2010 when he and other agents encountered a gang preying on smugglers north of Nogales, Arizona.

Terry was part of a four-man team in an elite Border Patrol unit staking out the southern Arizona desert on a mission to find “rip-off” crew members who rob drug smugglers.

They encountered a five-man group of suspected marijuana bandits and identified themselves as police in trying to arrest them.

A jury in Tucson in October 2015 found two men, Jesus Leonel Sanchez-Meza and Ivan Soto-Barraza, guilty on murder and other charges. Another man, Manual Osorio-Arellanes, pleaded guilty to murder and was sentenced to 30 years in prison in 2014.

A fourth man, Rosario Rafael Burboa-Alvarez, pleaded guilty to murder. He was not present during the shooting but is accused of assembling the rip crew.

Authorities are still looking for Jesus Rosario Favela-Astorga, who’s wanted on murder, conspiracy, robbery, assault and firearm charges, reports CBS affiliate KOLD.