Tag Archives: computer virus

Perpetual Attack: 25-Year Cyberattack, Russia v. US

Leave a reply

They US Federal Bureau of Investigation (FBI)  disabled a piece of malware Russia’s intelligence agency has allegedly used for two decades (!) to steal documents from NATO-allied governments and others, in an operation that highlights the FBI’s increasing efforts to go beyond arresting hackers and find new ways to disrupt cyberattacks.

In an affidavit filed in federal court in Brooklyn, a Federal Bureau of Investigation agent said the bureau had identified a long-running cyber-espionage campaign by officers in a unit of Russia’s Federal Security Service, or FSB, to take documents from other governments’ defense and foreign ministries, journalists and others, and route them through infected computers in the U.S. to cover their tracks. Security researchers have sometimes referred to the group of hackers as “Turla,” who are known to use a malware called “Snake.”

FBI agents identified U.S. computers infiltrated with the Snake malware, including in Oregon, South Carolina and Connecticut, and obtained court approval to issue commands to the malware to permanently disable it on those computers, officials said. The operation is the latest example of the FBI using an obscure legal authority to proactively disrupt Russian or Chinese cyberattacks by essentially infiltrating their systems. Investigators tracked the group’s daily activities to an FSB facility in Ryazan, outside Moscow.

Cybersecurity experts and U.S. officials said that Turla’s espionage activities can be traced back more than 25 years, though with rare exception the group’s hackers are adept at infiltrating systems without being noticed. For example, the group was linked to a major breach of U.S. classified systems in the late 1990s that compromised the Pentagon, other government agencies and defense contractors and was considered a watershed cyberattack that demonstrated the national security threat posed by Russian government hackers. In that case, it took years before the U.S. discovered the campaign (!).

Aruna Viswanatha and Dustin Volz, FBI Disables Malware Russia Allegedly Used to Steal Documents from NATO Allies, WSJ, May 9, 2023

From Pegasus to Pariah: Israeli Spying is Not Sexy

Leave a reply

When international news organizations revealed that at least ten governments had used Pegasus, a powerful software tool created by Israel’s NSO Group, to hack into the smartphones of thousands of people around the world, including politicians, human-rights activists and journalists, the Israeli government shrugged. None of its ministers has publicly commented….Israeli defence exporters privately expressed ridicule. “Arms companies can’t keep track of every rifle and bullet they sell to legitimate customers,” said one. “Why should we have higher expectations when it comes to software?…Israeli spying is a sexy subject and these reports are the price for doing business.”

Countries that have received Pegasus software include Brazil, Hungary and India, along with Sunni Arab regimes with whom Israel recently established diplomatic relations: Bahrain, Morocco and the United Arab Emirates. Saudi Arabia, a fellow enemy of Iran, is listed, too. “Deals on cyber-surveillance are the kind of sweetener you can throw into a diplomatic package with a foreign leader,” says a former NSO consultant.

Excerpts from Let Pegasus fly: Israel is loth to regulate its spyware exports, Economist, July 31, 2021

Who is the Boss? Cyber-War

Leave a reply

A new National Cyber Power Index by the Belfer Centre at Harvard University ranks 30 countries on their level of ambition and capability…That America stands at the top of the list is not surprising. Its cyber-security budget for fiscal year 2020 stood at over $17bn and the National Security Agency (NSA) probably gets well over $10bn. The awesome scale of America’s digital espionage was laid bare in leaks by Edward Snowden, a former NSA contractor, in 2013, which showed the agency hoovering up vast amounts of the world’s internet traffic and trying to weaken encryption standards.

China, in second place, has demonstrated a voracious appetite for commercial cyber-espionage abroad and an iron grip on the internet at home. Britain, whose National Cyber Security Centre has parried over 1,800 cyber-attacks since its creation in 2016, is third. Russia, whose spies interfered with America’s last election, is in fourth place. The big surprise is the Netherlands in fifth place, ahead of France, Germany and Canada. Dutch expertise in analyzing malware is particularly sharp…

Many countries outsource the dirtiest work to deniable proxies, like “hacktivists” and criminals….But while stealing things and disrupting networks is important, what matters most over the longer term is control of digital infrastructure, such as the hardware that runs mobile telecommunications and key apps. Dominance there will be crucial to economic strength and national security.

Excerpt from Digital dominance: A new global ranking of cyber-power throws up some surprises, Economist, Sept. 19, 2020

Cyber-Attacking Nuclear Plants: the 3 000 cyber bugs

Leave a reply

In the first half of 2019 , no country endured more cyber-attacks on its Internet of Things—the web of internet-connected devices and infrastructure—than India did. So asserts Subex, an Indian telecommunications firm, which produces regular reports on cyber-security. Between April and June of 2019, it said, recorded cyber-attacks jumped by 22%, with 2,550 unique samples of malware discovered. Some of that malicious code is turning up in hair-raising places.

On October 28, 2019 reports indicated that malware had been found on the computer systems of Kudankulam Nuclear Power Plant in Tamil Nadu, the newest and largest such power station in India. Pukhraj Singh, a cybersecurity researcher who formerly worked for the National Technical Research Organisation (NTRO), India’s signals-intelligence agency, says he was informed of the malware by an undisclosed third party in September, and notified the government.The attackers, he said, had acquired high-level access and struck “extremely mission-critical targets”…. On October 30, 2019 the body that operates nuclear power plants acknowledged, sheepishly, that a computer had indeed been infected, but it was only an “administrative” one.

Sensitive sites such as power plants typically isolate the industrial-control systems (those that control the workings of a plant) from those connected to the wider internet. They do so using air-gaps (which involve disconnecting the system from the wider world), firewalls (which monitor data-flows for suspicious traffic) or data diodes (which allow information to flow out but not in).

But breaching a computer on the outside of these digital moats is nevertheless troubling. It could have given the attackers access to sensitive emails, personnel records and other details which would, in turn, make it easier to gain access to the more isolated operational part of the plant. America and Israel are thought to have sneaked the devastating Stuxnet virus into Iran’s air-gapped uranium-enrichment plant at Natanz around 2007 by planting a USB stick on a worker, who carried it inside and plugged it in.

The culprit behind the Kudankulam attack is unknown, but left some clues. The malware in question is from a family known as DTrack, which gives attackers an intimate look at what victims are doing—down to their keystrokes. It is typically used to monitor a target, making it easier to deliver further malware. DTrack was originally developed by a group of hackers known as the Lazarus Group, who are widely assumed to be controlled or directed by North Korea.

Excerpts from On the DTrack: A cyber-attack on an Indian nuclear plant raises worrying questions, Economist, Nov. 1, 2019

Who is Afraid of Shamoon? How to Wipe a Country Off the Face of the Earth

Leave a reply

Suspected Iranian hackers infiltrated critical infrastructure and government computers in the Persian Gulf nation of Bahrain in July-August  2019, raising fears among leaders in the region that Tehran is stepping up its cyberattacks amid growing tensions…Hackers broke into the systems of Bahrain’s National Security Agency—the country’s main criminal investigative authority—as well as the Ministry of Interior and the first deputy prime minister’s office, according to one of the people familiar with the matter.

On July 25, 2019 Bahrain authorities identified intrusions into its Electricity and Water Authority. The hackers shut down several systems in what the authorities believed was a test run of Iran’s capability to disrupt the country, the person said. “They had command and control of some of the systems,” the person said.  The breaches appeared broadly similar to two hacks in 2012 that knocked Qatar’s natural-gas firm RasGas offline and wiped data from computer hard drives belonging to Saudi Arabia’s Aramco national oil company, a devastating attack that relied on a powerful virus known as Shamoon.  Bahrain is the smallest country in the Persian Gulf, but it is strategically important because it’s the permanent home of the U.S. Navy’s Fifth Fleet and Navy Central Command. It is closely allied with its much larger neighbor, Saudi Arabia, a regional rival of Iran.

The Bahrain authorities haven’t definitively attributed the attack to Iran, but they have been provided intelligence by the U.S. and others suggesting Iran is behind it, the people familiar with the matter said….“In the first half of 2019, the Information & eGovernment Authority successfully intercepted over 6 million attacks and over 830,000 malicious emails. The attempted attacks did not result in downtime or disruption of government services,” 

Excerpt from High-Level Cyber Intrusions Hit Bahrain Amid Tensions With Iran, WSJ, Aug. 7, 2019

Hacked to be Framed: N. Korea – Wapomi Worm

Leave a reply

Foreign hackers could have broken into North Korean computers and used them to make the country look responsible for hacking Sony, experts have said.  Any attempt to blame North Korea for the attack because hackers used a North Korean IP address “must be treated as suspect”, security firm Cloudmark said. That is one of the reasons that the FBI has given for suspecting the country for the attack, which took down Sony Pictures’ systems for weeks.  Security experts have continued to be dubious of the claim, but FBI officials have continued to blame North Korea.

The country has a very small connection to the internet, run by its national telecom ministry and a Thai firm. As a demonstration of how few connections North Korea has to the internet, Cloudmark said that it has the same amount of IP addresses allocated to it as the entire country.  Cloudmark said that the North Korean addresses it traces tend to send out spam, which is usually the sign of an infected machine. It identified the Wapomi worm, which is transmitted by USB drives and file server shares, as the code that is allowing outside people to control the machine.

While there is no guarantee that the same worm is present on the computers that have carried out the attack, the prevalence of infected computers in the country shows how easy it could have been for Sony’s hackers to give the impression they were based on North Korea.  Cloud mark said that “unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct”.

ANDREW GRIFFIN ,North Korea might have been hacked to frame it for Sony cyberattack, say experts, Independent, January 12, 2015

Hacking Nuclear Plants – South Korea

Leave a reply

Korea Hydro & Nuclear Power Co Ltd said it would beef up cybersecurity by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters.  The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors.

The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul’s energy ministry and nuclear watchdog said in a joint statement, adding the systems were inaccessible from external networks.  Energy Minister Yoon Sang-jick told a parliamentary session that evidence of the presence and removal of a “worm” — which the ministry said was probably inadvertently introduced by workers using unauthorized USB devices — was unrelated to the recent hacking incidents, drawing scepticism from some lawmakers.  “I doubt control systems are perfectly safe as said,” Lee Jung-hyun, a lawmaker in the ruling Saenuri party, told the committee hearing.

Worries about nuclear safety in South Korea, which relies on nuclear reactors for a third of its power and is the world’s fifth-largest nuclear power user, have mounted since the 2011 Fukushima disaster in Japan and a domestic scandal in 2012 over the supply of reactor parts with fake security certificates…Korea Hydro and Nuclear Power President and CEO Cho Seok told the hearing that all control systems of the country’s 23 nuclear reactors were safe against malignant codes. Recently, he said that cyberattacks on non-critical operations at the company’s headquarters were continuing, although he did not elaborate for security reasons.

Excerpt from South Korea nuclear operator finds computer ‘worm’ in control system, Reuters, Jan, 1, 2015