Report: VP Biden was Well Aware of Hunter’s Illicit Foreign Actions

Senate report

DW: A bombshell report from the Senate Committee on Homeland Security and Governmental Affairs (HSGAC) and the Committee on Finance makes a series of damning new allegations against Hunter Biden, the son of the Democrat presidential nominee, Joe Biden.

The investigation launched after Finance Committee Chairman Charles Grassley (R-IA) publicly raised conflict-of-interest concerns about the sale of a U.S. company to a Chinese firm with ties to Hunter Biden a month before Congress was notified about a whistleblower complaint that was the catalyst for Democrats’ impeachment of President Donald Trump. The Senate’s investigation relied on records from the U.S. government, Democrat lobbying groups, and interviews of numerous current and former officials.


The report outlined the following key findings from the investigation:

  • In early 2015 the former Acting Deputy Chief of Mission at the U.S. Embassy in Kyiv, Ukraine, George Kent, raised concerns to officials in Vice President Joe Biden’s office about the perception of a conflict of interest with respect to Hunter Biden’s role on Burisma’s board. Kent’s concerns went unaddressed, and in September 2016, he emphasized in an email to his colleagues, “Furthermore, the presence of Hunter Biden on the Burisma board was very awkward for all U.S. officials pushing an anticorruption agenda in Ukraine.”
  • In October 2015, senior State Department official Amos Hochstein raised concerns with Vice President Biden, as well as with Hunter Biden, that Hunter Biden’s position on Burisma’s board enabled Russian disinformation efforts and risked undermining U.S. policy in Ukraine.
  • Although Kent believed that Hunter Biden’s role on Burisma’s board was awkward for all U.S. officials pushing an anti-corruption agenda in Ukraine, the Committees are only aware of two individuals — Kent and former U.S. Special Envoy and Coordinator for International Energy Affairs Amos Hochstein — who raised concerns to Vice President Joe Biden (Hochstein) or his staff (Kent).
  • The awkwardness for Obama administration officials continued well past his presidency. Former Secretary of State John Kerry had knowledge of Hunter Biden’s role on Burisma’s board, but when asked about it at a town hall event in Nashua, N.H. on Dec. 8, 2019, Kerry falsely said, “I had no knowledge about any of that. None. No.” Evidence to the contrary is detailed in Section V.
  • Former Assistant Secretary of State for European and Eurasian Affairs Victoria Nuland testified that confronting oligarchs would send an anticorruption message in Ukraine. Kent told the Committees that Zlochevsky was an “odious oligarch.” However, in December 2015, instead of following U.S. objectives of confronting oligarchs, Vice President Biden’s staff advised him to avoid commenting on Zlochevsky and recommended he say, “I’m not going to get into naming names or accusing individuals.”
  • Hunter Biden was serving on Burisma’s board (supposedly consulting on corporate governance and transparency) when Zlochevsky allegedly paid a $7 million bribe to officials serving under Ukraine’s prosecutor general, Vitaly Yarema, to “shut the case against Zlochevsky.” Kent testified that this bribe occurred in December 2014 (seven months after Hunter joined Burisma’s board), and, after learning about it, he and the Resident Legal Advisor reported this allegation to the FBI.
  • Hunter Biden was a U.S. Secret Service protectee from Jan. 29, 2009 to July 8, 2014. A day before his last trip as a protectee, Time published an article describing Burisma’s ramped up lobbying efforts to U.S. officials and Hunter’s involvement in Burisma’s board. Before ending his protective detail, Hunter Biden received Secret Service protection on trips to multiple foreign locations, including Moscow, Beijing, Doha, Paris, Seoul, Manila, Tokyo, Mexico City, Milan, Florence, Shanghai, Geneva, London, Dublin, Munich, Berlin, Bogota, Abu Dhabi, Nairobi, Hong Kong, Taipei, Buenos Aires, Copenhagen, Johannesburg, Brussels, Madrid, Mumbai and Lake Como.
  • Andrii Telizhenko, the Democrats’ personification of Russian disinformation, met with Obama administration officials, including Elisabeth Zentos, a member of Obama’s National Security Council, at least 10 times. A Democrat lobbying firm, Blue Star Strategies, contracted with Telizhenko from 2016 to 2017 and continued to request his assistance as recent as the summer of 2019. A recent news article detailed other extensive contacts between Telizhenko and Obama administration officials.
  • In addition to the over $4 million paid by Burisma for Hunter Biden’s and Archer’s board memberships, Hunter Biden, his family, and Archer received millions of dollars from foreign nationals with questionable backgrounds.
  • Archer received $142,300 from Kenges Rakishev of Kazakhstan, purportedly for a car, the same day Vice President Joe Biden appeared with Ukrainian Prime Minister Arseniy Yatsenyuk and addressed Ukrainian legislators in Kyiv regarding Russia’s actions in Crimea.
  • Hunter Biden received a $3.5 million wire transfer from Elena Baturina, the wife of the former mayor of Moscow.
  • Hunter Biden opened a bank account with Gongwen Dong to fund a $100,000 global spending spree with James Biden and Sara Biden.
  • Hunter Biden had business associations with Ye Jianming, Gongwen Dong, and other Chinese nationals linked to the Communist government and the People’s Liberation Army. Those associations resulted in millions of dollars in cash flow.
  • Hunter Biden paid nonresident women who were nationals of Russia or other Eastern European countries and who appear to be linked to an “Eastern European prostitution or human trafficking ring.”

The report also stated that the investigation found that the Obama administration “knew that Hunter Biden’s position on Burisma’s board was problematic and did interfere in the efficient execution of policy with respect to Ukraine.”

FinCen Flagged Hunter Biden for Money-Laundering

Adam Schiff is way too quiet on this… and not only is Hunter not returning phone calls, but the Biden presidential campaign won’t respond either.


JTN: A Treasury Department agency that polices financial threats such as money laundering flagged several foreign transactions to Hunter Biden-connected businesses as “suspicious” during the end of the Obama administration and the beginning of the Trump administration.

The concerns from the Financial Crimes Enforcement Network (FinCEN) were highlighted in Suspicious Activity Reports turned over to Senate committees over the last year in conjunction with investigations into the Russia and Ukraine scandals, according to several officials familiar with the evidence.

As those Senate investigations wind toward the issuance of their first official report later this month, an essential question has emerged: Did U.S. law enforcement or intelligence agencies do anything to determine if the money flowing to Vice President Joe Biden’s son posed any criminal or intelligence threats? Officials at Treasury, FBI and the Office of Director of National Intelligence declined comment.

Senate Democrats first called attention to the existence of the SARs in a little-noticed letter late last year and are now bracing for the flagged financial transactions to be a major revelation in a joint report they expect to be published by the GOP-led Senate Homeland Security and Governmental Affairs and the Senate Finance Committees as early as next week.

“The Republicans have had this in their back pocket for some time to make headlines as the election drew closer,” one Democratic source told Just the News.

A lawyer for Hunter Biden did not return a call requesting comment. Spokesmen for the two Senate committees declined comment.

The SAR reports were requested as Senate investigators dug into a labyrinth of global businesses that Hunter Biden and his business partners became involved with in Russia, China, Ukraine and elsewhere while his father Joe Biden served as the vice president and Obama administration foreign policy point person. That includes Hunter Biden’s controversial addition in spring 2014 to the board of Burisma Holdings, a Ukrainian gas firm with a long record of corruption allegations.

SARs are one of the law enforcement community’s most powerful and secretive tools in the war against money laundering, drug cartels and terrorist threats, providing real-time warnings from financial institutions to FinCEN that certain transactions have characteristics that make them suspicious. The origin, size and routing channels are just some of the components that can lead a transaction to be flagged.

Treasury typically receives or generates one million to two million Suspicious Activity Reports a year. So a SAR report in and of itself is not evidence of wrongdoing, but it is usually a starting point for investigation, experts say. The question that remains is whether FBI or ODNI did anything to investigate these suspicious reports after they were alerted by FinCEN.
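The two paragraphs above describe what makes a transaction SAR-worthy (origin, size, routing) and why a single flag is only a starting point. The following is an added illustration, not FinCEN's rules or any bank's actual monitoring system: a small rule engine run over constructed transactions that flags high-risk origin, unusually large amounts, layered routing through several jurisdictions, and structuring (several just-under-threshold transfers between the same parties inside a short window). The jurisdiction list, window and hop limit are assumptions chosen for the example; the $10,000 figure mirrors the U.S. currency transaction reporting threshold.

```python
"""Illustrative transaction-monitoring rules of the kind that lead to a SAR.
Constructed example: the watch list, thresholds and sample transfers are made up."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters for the example (not regulatory values, except the $10,000 CTR line)
HIGH_RISK_JURISDICTIONS = {"BZ", "KY"}   # example country codes only
LARGE_AMOUNT_USD = 1_000_000
CTR_THRESHOLD_USD = 10_000
STRUCTURING_WINDOW = timedelta(days=7)
MAX_ROUTE_HOPS = 2                       # more intermediaries than this looks like layering


def flag_transaction(tx):
    """Return the names of the single-transaction rules this transfer trips."""
    reasons = []
    if tx["origin"] in HIGH_RISK_JURISDICTIONS:
        reasons.append("high_risk_origin")
    if tx["amount"] >= LARGE_AMOUNT_USD:
        reasons.append("large_amount")
    if len(tx["route"]) > MAX_ROUTE_HOPS:
        reasons.append("layered_routing")
    return reasons


def find_structuring(txs, threshold=CTR_THRESHOLD_USD, window=STRUCTURING_WINDOW):
    """Return (counterparty, beneficiary) pairs whose transfers each sit just under
    the reporting threshold but together exceed it within the window."""
    by_pair = defaultdict(list)
    for tx in txs:
        if 0.8 * threshold <= tx["amount"] < threshold:
            by_pair[(tx["counterparty"], tx["beneficiary"])].append(tx)
    hits = set()
    for pair, group in by_pair.items():
        group.sort(key=lambda t: t["date"])
        for i, first in enumerate(group):
            run = [t for t in group[i:] if t["date"] - first["date"] <= window]
            if len(run) >= 2 and sum(t["amount"] for t in run) >= threshold:
                hits.add(pair)
    return hits


def review(txs):
    """Map transaction id -> list of rule names; transactions with no hits are omitted."""
    flagged = {}
    for tx in txs:
        reasons = flag_transaction(tx)
        if reasons:
            flagged[tx["id"]] = reasons
    structured = find_structuring(txs)
    for tx in txs:
        if (tx["counterparty"], tx["beneficiary"]) in structured:
            flagged.setdefault(tx["id"], []).append("structuring")
    return flagged


def _tx(id_, date, origin, route, amount, counterparty, beneficiary):
    return {"id": id_, "date": datetime.fromisoformat(date), "origin": origin,
            "route": route, "amount": amount, "counterparty": counterparty,
            "beneficiary": beneficiary}


# Constructed sample ledger (all names and amounts invented for the example)
SAMPLE = [
    _tx("T1", "2020-01-02", "GB", ["GB", "US"], 3_500_000, "Firm-A", "ACCT-1"),
    _tx("T2", "2020-01-04", "BZ", ["BZ", "GB", "UA", "US"], 250_000, "Firm-B", "ACCT-1"),
    _tx("T3", "2020-01-01", "US", ["US"], 9_500, "Person-C", "ACCT-2"),
    _tx("T4", "2020-01-03", "US", ["US"], 9_000, "Person-C", "ACCT-2"),
    _tx("T5", "2020-01-05", "US", ["US"], 9_800, "Person-C", "ACCT-2"),
    _tx("T6", "2020-01-06", "DE", ["DE", "US"], 5_000, "Firm-D", "ACCT-3"),
]

if __name__ == "__main__":
    for tx_id, reasons in review(SAMPLE).items():
        print(tx_id, ", ".join(reasons))
```

T6 produces no output, which is the point of the second paragraph: most transfers trip nothing, and those that do are leads for an analyst rather than findings in themselves.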

The American suspicious transaction reports turned over to the Senate committees are the second known instance of red flags raised about foreign money flowing into business firms associated with Hunter Biden.

In February 2016, the Latvian government sent a warning to Ukrainian prosecutors that several payments from Burisma to an account in New York controlled by Hunter Biden’s Rosemont Seneca Bohai firm appeared suspicious, according to a copy of the letter obtained by Just the News and Latvian authorities.

“The Office for Prevention of Laundering of Proceeds Derived from Criminal Activity … is currently investigating suspicious activity of Burisma Holdings Limited,” the Latvian agency, also known as the FIU, wrote to Ukraine’s financial authorities.

The letter was confirmed earlier this year by the Latvian embassy to the United States.

The Latvian law enforcement letter identified a series of loan payments totaling about $16.6 million that were routed from companies in Belize and the United Kingdom to Burisma through Ukraine’s PrivatBank between 2012 and 2015.

The flagged funds were “partially transferred” to Hunter Biden, a board member at Burisma since May 2014, and three other officials working for the Ukrainian natural gas company, according to the Latvian letter.

The letter asked Ukrainian officials for any evidence about whether the funds were involved in corruption and whether Ukrainian officials were investigating Burisma and the recipients of the money.

“On the grounds of possible legalization of proceeds derived from criminal activity and corruption, please grant us permission to share the information included in the reply to this request with Latvian law enforcement entities for intelligence purposes only,” the letter said.

Latvian authorities said they did not get any incriminating information back from Ukraine to warrant further investigation and did not take additional action in 2016.

Hunter Biden’s globe-trotting business activities have long generated controversy because they often occurred in the shadows of his father’s foreign policy portfolio. Hunter Biden, for instance, traveled aboard Air Force Two in December 2013 with the vice president to Beijing, walking away soon after with a stake in an investment fund that received funding from the state-owned Bank of China. As his father’s administration took several actions favorable to Beijing, such as opening U.S. capital markets to Chinese companies, Hunter Biden closed deals in China.

One of those involved the sale of an iconic American auto parts manufacturer called Henniges in Michigan, in which Hunter Biden’s firm helped a Chinese military aircraft maker acquire a controlling stake in 2015. The transaction was approved by the Obama administration despite the facts that the Chinese firm had been sanctioned five prior times by the U.S. government for nefarious activity and that less than 15 months prior one of the Chinese firm’s subsidiaries was placed on a black list by the U.S. government for ties to the Chinese military.

Similarly, Hunter Biden was added to the Burisma board in May 2014 just weeks after his father implored Ukraine to expand its natural gas production. Burisma faced multiple corruption investigations, and State Department memos show the U.S. government reported just months after Hunter Biden joined the firm’s board that Burisma allegedly paid a $7 million bribe to Ukrainian prosecutors designed to make the corruption allegations go away.

State officials also testified during last year’s impeachment proceedings that the Bidens created the appearance of a conflict of interest that undercut Joe Biden’s efforts to stamp out corruption in Ukraine.

FBI officials obtained records in an unrelated investigation showing Burisma paid more than $3 million from foreign accounts to a New York investment account tied to Hunter Biden.

Senate investigators have also spent some time investigating real estate investments that Hunter Biden and his business partner Devon Archer were involved in. The investigators’ interest was piqued by evidence that some of the investments received large support from a Russian oligarch and philanthropist based in London named Yelena Baturina, Russia’s only female billionaire and the wife of the late Moscow Mayor Yury Luzhkov.

Board minutes obtained by the FBI in an unrelated 2017-18 investigation of Archer state that Archer told investors during a 2014 meeting that he had secured upwards of $200 million from Baturina’s real estate businesses in London.

“Mr. Archer further discussed the possible sale of his company and the revenues that might be realized, which he said would be a big liquidity event for him, as well as his connections with Bohai, which he said was sponsored by major banks and institutional investors in China,” according to the minutes. “He also discussed his client relationship with Yelena Baturina, who he said had invested over $200 million dollars in his various investment funds. Mr. Archer emphasized that he had ample funding, but that the investors wanted to be efficient,” the memo read.


Baturina’s office in London did not respond to an email request for comment, nor did lawyers for Hunter Biden or Archer.

NK Hackers are Robbing Banks Around the World

Primer:

North Korea’s Foreign Ministry on Saturday called the United States a “mastermind of cybercrime” as it responded to a report detailing Pyongyang’s efforts to hack banks.

In an English-language statement posted on the ministry’s website, a spokesperson for the country’s “National Coordination Committee for Anti-Money Laundering and Countering the Financing of Terrorism” denied the regime’s link to any online criminal activities, claiming there was no truth to the “preposterous rumors” circulated by the United States.

The U.S. Treasury Department and three federal agencies including the FBI said in an alert issued Wednesday that hackers attempted to initiate fraudulent money transfers and ATM “cash-outs” from multiple countries that appeared to be part of the North’s “extensive, global cyber-enabled bank robbery scheme.” More here.

Source article: “US govt warns of North Korean hackers targeting banks ...”

The BeagleBoyz have made off with nearly $2 billion since 2015, and they’re back to attacking financial institutions after a short lull in activity.

The BeagleBoyz, part of the North Korean government’s hacking apparatus, are back to targeting banks around the world after a brief pause in activity.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert with details of how the BeagleBoyz have made off with an estimated $2 billion in fiat and cryptocurrency since 2015, along with details on how financial institutions can protect themselves against their known patterns of attack.

Along with the theft of massive amounts of money that the United Nations believes is used for North Korea’s nuclear weapons and ballistic missile programs, the robberies also pose a serious risk to financial institutions’ reputations, their operations, and public confidence in banking, CISA said.

The BeagleBoyz aren’t typical cybercriminals either: They conduct “well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities,” CISA warns. “Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.”

The group has used a variety of approaches to gaining initial access: Spear phishing, watering holes, social engineering, malicious files, and even contracted third-party hacking groups have been used for initial penetration.

Once inside a network, the BeagleBoyz have again used a wide variety of approaches to meet their objectives, establish a persistent presence, evade defense, and harvest credentials of privileged users.

CISA said that the BeagleBoyz appear to seek out two particular systems in a financial institution’s network: its SWIFT terminal and the server hosting the bank’s payment switch application. They map networks using locally available administrative tools, deploy a constantly evolving list of command and control software, and ultimately try to make off with any money they can reach via fraudulent ATM cash-outs.

“After gaining access to either one or both of these operationally critical systems, the BeagleBoyz monitor the systems to learn about their configurations and legitimate use patterns, and then they deploy bespoke tools to facilitate illicit monetization,” CISA said.

It isn’t known if the BeagleBoyz have successfully targeted a US-based financial institution, and CISA’s report suggests they’ve been active primarily in other parts of the world. That doesn’t mean they won’t attempt to break into a US-based bank: Everyone in the cybersecurity arm of the financial industry should be alert.

Protecting against the BeagleBoyz

CISA makes the following mitigation suggestions based on particular industry:

All financial institutions:

Institutions with retail payment systems:

  • Require chip and PIN for all transactions
  • Isolate payment system infrastructure behind multiple authentication factors
  • Segment networks into separate, secure enclaves
  • Encrypt all data in transit
  • Monitor networks for anomalous behavior

Institutions with ATMs or point-of-sale devices:

  • Validate issuer responses to financial request messages
  • Implement chip and PIN for debit transactions
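“Validate issuer responses to financial request messages” is the mitigation aimed at the payment-switch compromise described above: an attacker who controls the switch can answer an ATM’s authorization request with a fabricated approval. The following is an added example, not CISA’s guidance text or any vendor’s code. It models a simplified ISO 8583-style request/response pair (the field names, the HMAC-SHA256 MAC scheme and the response codes are assumptions for the example) and shows the acquirer-side check that refuses any approval not cryptographically bound to the outstanding request.

```python
"""Acquirer-side validation of an issuer authorization response.
Simplified model of an ISO 8583-style exchange; field names and the HMAC
scheme are assumptions for this example, not any network's actual spec."""
import hashlib
import hmac
import json

MAC_FIELDS = ("mti", "stan", "amount", "terminal", "response_code")


def _mac(key: bytes, fields: dict) -> str:
    """Deterministic MAC over the canonical JSON form of the covered fields."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def build_request(stan: str, amount_cents: int, terminal_id: str, pan_token: str) -> dict:
    """0200 authorization request as the ATM/acquirer would send it."""
    return {"mti": "0200", "stan": stan, "amount": amount_cents,
            "terminal": terminal_id, "pan_token": pan_token}


def issuer_respond(key: bytes, request: dict, available_cents: int) -> dict:
    """What a genuine issuer does: decide on the real balance, then MAC the
    response bound to the request's STAN, amount and terminal."""
    code = "00" if available_cents >= request["amount"] else "51"   # 51 = insufficient funds
    body = {"mti": "0210", "stan": request["stan"], "amount": request["amount"],
            "terminal": request["terminal"], "response_code": code}
    body["mac"] = _mac(key, body)
    return body


def validate_issuer_response(key: bytes, request: dict, response: dict) -> dict:
    """Return {'verified', 'approved', 'reason'}. Cash is dispensed only when
    verified and approved are both True."""
    mac = response.get("mac")
    if not isinstance(mac, str):
        return {"verified": False, "approved": False, "reason": "missing_mac"}
    covered = {k: response.get(k) for k in MAC_FIELDS}
    if not hmac.compare_digest(_mac(key, covered), mac):
        return {"verified": False, "approved": False, "reason": "bad_mac"}
    # MAC is genuine; now make sure it is the answer to *this* request
    if response["stan"] != request["stan"] or response["terminal"] != request["terminal"]:
        return {"verified": False, "approved": False, "reason": "stan_or_terminal_mismatch"}
    if response["amount"] != request["amount"]:
        return {"verified": False, "approved": False, "reason": "amount_mismatch"}
    if response["mti"] != "0210":
        return {"verified": False, "approved": False, "reason": "wrong_mti"}
    approved = response["response_code"] == "00"
    return {"verified": True, "approved": approved, "reason": "approved" if approved else "declined"}


# Constructed demo: a $200.00 withdrawal against a $50.00 balance
ISSUER_KEY = b"constructed-issuer-key-for-example"
REQUEST = build_request("000123", 20_000, "ATM-01", "tok-abc")
GENUINE = issuer_respond(ISSUER_KEY, REQUEST, 5_000)         # honest decline

# A compromised switch flips the decline to an approval but cannot re-MAC it
FORGED = dict(GENUINE, response_code="00")
# Replay of a real approval issued for a different request (different STAN)
OTHER_REQUEST = build_request("000122", 20_000, "ATM-01", "tok-abc")
REPLAYED = issuer_respond(ISSUER_KEY, OTHER_REQUEST, 100_000)

if __name__ == "__main__":
    for name, resp in (("genuine", GENUINE), ("forged", FORGED), ("replayed", REPLAYED)):
        print(name, validate_issuer_response(ISSUER_KEY, REQUEST, resp))
```

The ordering matters: the MAC is checked first so that nothing in an unauthenticated message is trusted, and the STAN/terminal/amount comparison afterwards stops a genuinely signed approval from being replayed against a different request.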

These suggestions come along with general good security habits such as enforcing strong password policies, keeping all systems up to date, disabling all unnecessary services on workstations, scanning documents and emails for potential malicious code, and staying up to date on the latest threats.


SecState Pompeo to UNSC to Invoke Iran Snapback Sanctions

President Trump confirmed on Wednesday that he had asked Secretary of State Mike Pompeo to notify the UN Security Council that the U.S. intends to initiate “snapback” sanctions on Iran. The formal request is expected on Thursday, Israeli officials told Axios.

The backdrop: This move could create a diplomatic and legal crisis unlike any seen before at the Security Council. It comes days after the U.S. failed to mobilize support at the council to extend an international arms embargo on Iran.

The big picture: Despite having withdrawn from the 2015 Iran nuclear deal, the U.S. is invoking its terms in an attempt to force sanctions lifted under the pact to snap back into place.

  • The deal says any of the signatories — the U.S., Russia, China, France, Germany and the U.K. — can demand sanctions be reimposed automatically if they believe Iran has committed substantial violations. No country can veto such a move.
  • Russia and China contend that the U.S. gave up its right to reimpose the sanctions when it withdrew from the deal. That view is shared by others on the council, and even by John Bolton, the hawkish former national security adviser.
  • The U.S., on the other hand, claims it has the right to initiate the snapback mechanism because it is a party to the Security Council resolution that endorsed the nuclear deal and included the snapback mechanism.
  • The European signatories, who have tried desperately to save the nuclear deal, also oppose the U.S. move.

How it works: Pompeo is expected to arrive in New York on Thursday and present formal letters to the UN secretary-general and the UN ambassador from Indonesia, who holds the Security Council’s rotating presidency.

  • The letter will then be circulated to other members, beginning a 30-day consultation period.

What to watch: Israeli officials and Western diplomats both say they expect a major diplomatic crisis over those 30 days.

  • If any member of the Security Council submits a resolution to stop the snapback move, the U.S. will be able to veto it.
  • U.S. officials believe that the renewal of international sanctions will lead Iran to withdraw from the nuclear deal — and likely make it impossible for Democratic nominee Joe Biden to put the deal back together if he wins in November.
  • Israeli officials were notified on Monday that the Trump administration intended to submit the official complaint on Thursday.

The latest: “When the United States entered into the Iran deal, it was clear that the United States would always have the right to restore the UN sanctions that would prevent Iran from developing a nuclear weapon,” Trump claimed in a press conference on Wednesday.

Source article: “UN crisis looms as US readies demand for Iran sanctions ...”

For background and context:

In May of 2020 –

State Dept: The 13-year-old arms embargo on the Iranian regime will expire in October. The embargo was created by the United Nations Security Council but is scheduled to end because of the 2015 Iran nuclear deal, leaving the world’s foremost state sponsor of terrorism and anti-Semitism free to import and export combat aircraft, warships, submarines and guided missiles. To prevent this, the Security Council must pass a resolution to extend the arms embargo. If this effort is defeated by a veto, the Trump administration is prepared to exercise all legally available options to extend the embargo.

We face this circumstance because the Obama administration acceded to Iran’s demand that the U.N. embargo end in the fifth year of the deal. It is only one of many restrictions on Iran scheduled to expire over time. President Obama hoped concessions would moderate the regime’s behavior. “Ideally,” he said in 2015, “we would see a situation in which Iran, seeing sanctions reduced, would start . . . re-entering the world community [and] lessening its provocative activities.”

Instead, Iranian provocations accelerated under the nuclear deal. Emboldened by repeated diplomatic wins and flush with cash, the Iranian regime increased its ballistic-missile testing and missile proliferation to terrorist proxies. Iran built out a “Shiite crescent” in Syria, Iraq, Lebanon, Bahrain and Yemen, arming its proxies to the teeth.

The U.S. and partners have used the arms embargo to disrupt Iran’s sending advanced weaponry to terrorists and militants. This diplomatic tool has rallied the international community to interdict and inspect weapons shipments, building global condemnation of Iranian violations.

Among many examples, on Feb. 9, a U.S. Navy ship interdicted a ship attempting to smuggle Iranian weapons to Houthi rebels in Yemen. American sailors found 150 antitank guided missiles, three surface-to-air missiles, and component parts for unmanned explosive boats.

Iran’s President Hassan Rouhani sees a bright future when the embargo lapses. In November 2019, he said: “When the embargo . . . is lifted next year, we can easily buy and sell weapons.” He went on to hail the provision as a “huge political success” for Iran.


The regime plans to upgrade Iran’s aging air force, improve the accuracy of its missiles, and strengthen its ability to strike ships and shoot down aircraft. Iran’s Islamic Revolutionary Guard Corps—a terrorist group with a long history of targeting and killing Americans—could then reverse-engineer technologies in these systems for domestic weapons production and export.

Iranian weapons already put American and allied troops in the region under threat and endanger Israel. Letting the arms embargo expire would make it considerably easier for Iran to ship weapons to its allies in Syria, Hamas in Gaza, and Shiite militias in Iraq.

Mr. Rouhani understands the stakes. Last week he appeared on Iranian television to declare that “Iran will give a crushing response if the arms embargo on Tehran is extended.” This threat is designed to intimidate nations into accepting Iran’s usual violent behavior for fear of something worse.

The Security Council must reject Mr. Rouhani’s extortion. The U.S. will press ahead with diplomacy and build support to extend the embargo. We have drafted a resolution and hope it will pass. Russia’s and China’s interests would be served by a “yes” vote—they have more to gain from Mideast stability than from selling weapons to Iran for its sectarian wars.

If American diplomacy is frustrated by a veto, however, the U.S. retains the right to renew the arms embargo by other means. Security Council Resolution 2231 (2015) lifted most U.N. sanctions but also created a legal mechanism for exclusive use by certain nations to snap sanctions back. The arms embargo is one of these sanctions.

Mr. Obama explained how “snapback” works in 2015: “If Iran violates the agreement over the next decade, all of the sanctions can snap back into place. We won’t need the support of other members of the U.N. Security Council; America can trigger snapback on our own.” As of today, Iran has violated the nuclear deal at least five times.

The Trump administration’s preferred strategy is for the Security Council to extend the arms embargo while the U.S. continues to apply maximum economic pressure and maintains deterrence against Iranian aggression. Nearly 400 House members, an overwhelming bipartisan majority, have signed a letter backing Secretary of State Mike Pompeo’s diplomacy to extend the arms embargo. Iran certainly hasn’t earned the right to have it lifted. One way or another, the U.S. will ensure it remains in place against the violent and revolutionary regime in Tehran.

Hat tip to NSA FBI for Cracking Drovorub

The National Security Agency and the FBI are jointly exposing malware that they say Russian military hackers use in cyber-espionage operations.

Hackers working for Russia’s General Staff Main Intelligence Directorate’s 85th Main Special Service Center, military unit 26165, use the malware, which the Russians themselves call “Drovorub,” to target Linux systems, the NSA and FBI said Thursday in a detailed report.

The hackers, also known as APT28 or Fancy Bear, allegedly hacked the Democratic National Committee in 2016 and frequently target defense, government, and aerospace entities. The Russian military agency is also known as the GRU.

FBI and NSA discover new Linux malware called Drovorub ...

While the alert does not include specific details about Drovorub victims, U.S. officials did say they published the alert Thursday to raise awareness about state-sponsored Russian hacking and possible defense sector vulnerabilities. The disclosure comes just months before American voters will conduct a presidential election.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. Presidential Election,” the NSA and FBI said in the report.

The U.S. intelligence community has assessed that multiple foreign governments may “seek to compromise our election infrastructure.” It was not clear if the Russian hackers were using Drovorub malware in any ongoing interference efforts related to the 2020 presidential elections.

The NSA and FBI urged national security personnel, including the U.S. Department of Defense, to be on the alert for Drovorub attacks.

“The malware represents a threat because Linux systems are used pervasively throughout National Security Systems, Department of Defense, and the Defense Industrial Base,” the statement said. “All stakeholders should take action as appropriate.”

The announcement comes nearly one year after the NSA stood up a new cybersecurity directorate aimed at sharing more adversary threat intelligence with the public, and in recent weeks the NSA has worked to expose a spate of Russian campaigns, including Russian hackers’ efforts to target coronavirus research.

Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, told CyberScoop the release shows these hackers are not easily deterred.

“Most importantly it demonstrates that FANCY BEAR has more tools and capabilities that are still being identified. This actor didn’t pack up and go home, they still have tricks up their sleeve,” Meyers told CyberScoop, adding that the news should raise alarm bells about Linux security. “Another important take away is that Linux is an area that organizations need to keep in mind from a malware perspective, many have not invested in similar security tools for this platform as they have for user platforms.”

Attacks employing Drovorub may be linked with previous Russian military efforts against connected devices, according to the NSA and the FBI. An APT28 attack that Microsoft security researchers identified last year against devices such as an office printer or a VOIP phone, for instance, was linked with an IP address that has also been used to access the Drovorub command and control IP address, the NSA and FBI said.

In such attacks, the hackers appeared interested in exploiting so-called internet of things devices in order to gain access to broader networks, other insecure accounts, and sensitive data, according to Microsoft.

The joint NSA and FBI release also has the effect of alerting the Russian government that U.S. officials are capable of tracking some of their work. The 780th Military Intelligence Brigade, which currently works with the Pentagon’s offensive cyber arm, Cyber Command, tweeted information out about the malware, and tagged a state-funded media outlet, RT, to flag the news for them.

The Drovorub malware consists of several components, the NSA and the FBI said, including an implant, a kernel module rootkit, a file transfer tool, and an attacker-controlled command and control server.

“When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network,” the NSA and FBI said.

More detail from ZDNet:

“Technical details released today by the NSA and FBI on APT28’s Drovorub toolset are highly valuable to cyber defenders across the United States.”

To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.

The joint security alert [PDF] contains guidance for running Volatility, probing for file hiding behavior, Snort rules, and Yara rules — all helpful for deploying proper detection measures.
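The two paragraphs above give the concrete hardening advice: a kernel of 3.7 or later so that module signature enforcement is available, with that enforcement actually switched on, since Drovorub’s rootkit is an unsigned kernel module. As an added example (not the advisory’s own tooling, and not the Volatility, Snort or Yara material it ships), the script below checks a Linux host for exactly those conditions: kernel version, the `sig_enforce` parameter exposed under `/sys/module/module/parameters/`, and the kernel taint flags that record whether an out-of-tree or unsigned module has already been loaded (bits 12 and 13 of `/proc/sys/kernel/tainted`, as documented for the mainline kernel). The decision logic takes those values as arguments so it can be exercised with constructed inputs on any platform.

```python
"""Host check for the Drovorub-related hardening the NSA/FBI advisory points to:
kernel >= 3.7, module signature enforcement on, no unsigned/out-of-tree modules.
Added example, not the advisory's own tooling."""
import platform
import re

MIN_KERNEL = (3, 7)                      # module signing enforcement arrived in 3.7
SIG_ENFORCE_PATH = "/sys/module/module/parameters/sig_enforce"
TAINTED_PATH = "/proc/sys/kernel/tainted"
# Mainline kernel taint bits: 12 = out-of-tree module, 13 = unsigned module loaded
TAINT_BITS = {12: "out_of_tree_module_loaded", 13: "unsigned_module_loaded"}


def kernel_tuple(release: str) -> tuple:
    """'5.4.0-42-generic' -> (5, 4, 0); missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def supports_sig_enforcement(release: str) -> bool:
    return kernel_tuple(release)[:2] >= MIN_KERNEL


def taint_findings(tainted: int) -> list:
    return [name for bit, name in TAINT_BITS.items() if tainted & (1 << bit)]


def assess(release: str, sig_enforce: str, tainted: int) -> list:
    """Return the list of findings; an empty list means the three controls hold."""
    findings = []
    if not supports_sig_enforcement(release):
        findings.append("kernel_older_than_3.7")
    elif sig_enforce != "Y":
        findings.append("module_sig_enforce_off")
    findings.extend(taint_findings(tainted))
    return findings


def read_host_state() -> tuple:
    """Collect the live values; degrades gracefully off Linux or without the files."""
    release = platform.release()
    try:
        with open(SIG_ENFORCE_PATH) as fh:
            sig_enforce = fh.read().strip()
    except OSError:
        sig_enforce = "unknown"           # older kernel or sysfs not mounted
    try:
        with open(TAINTED_PATH) as fh:
            tainted = int(fh.read().strip())
    except (OSError, ValueError):
        tainted = 0
    return release, sig_enforce, tainted


if __name__ == "__main__":
    release, sig_enforce, tainted = read_host_state()
    print(f"kernel={release} sig_enforce={sig_enforce} tainted={tainted}")
    findings = assess(release, sig_enforce, tainted)
    print("findings:", ", ".join(findings) if findings else "none")
```

A `Y` in `sig_enforce` means the running kernel refuses unsigned modules outright; an `N` on a 3.7+ kernel means signing is supported but not enforced, which is the gap the advisory’s recommendation closes. A taint finding on a host that should be enforcing is worth a closer look with the advisory’s Volatility and Yara material.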

Some interesting details we gathered from the 45-page-long security alert:

  • The name Drovorub is the name that APT28 uses for the malware, and not one assigned by the NSA or FBI.
  • The name comes from drovo [дрово], which translates to “firewood”, or “wood” and rub [руб], which translates to “to fell”, or “to chop.”
  • The FBI and NSA said they were able to link Drovorub to APT28 after the Russian hackers reused servers across different operations. For example, the two agencies say Drovorub connected to a C&C server that had previously been used for APT28 operations targeting IoT devices in the spring of 2019, an IP address that Microsoft had already documented.