Tag Archives: cyberespionage military

Invisible CyberAttack: Volt Typhoon

Leave a reply

Cybersecurity agencies in the U.S., the U.K., Canada, Australia and New Zealand—an intelligence-sharing group of countries known as the Five Eyes—said a Chinese state-sponsored actor is employing a tactic known as “living off the land,” which involves using built-in network administration tools to gain access to systems. The activity blends in with normal Windows system activities, allowing the actor to evade detection. The campaign is impacting communications, manufacturing, transportation, maritime and other sectors in parts of the U.S. and Guam, the American territory that hosts major military installations in the Pacific, according to a blog post from Microsoft, publisher of the Windows operating system. The tech giant said the Chinese actor, known as Volt Typhoon, is pursuing capabilities that could disrupt communication infrastructure between the U.S. and Asia in a future crisis.

China has consistently denied carrying out cyberattacks and has accused the U.S. of being the biggest culprit of such efforts…By gaining access to a system through the “living off the land” approach—and maintaining that access while remaining undetected—hackers can glean intelligence about how the system operates. It could also give them the ability to disrupt the system later with no warning—though the intent could just be information gathering…

Excerpts from Mike Cherney and Austin Ramzy, Hack Hurts Bid for Beijing Reset, WSJ, May 26, 2023

Perpetual Attack: 25-Year Cyberattack, Russia v. US

Leave a reply

They US Federal Bureau of Investigation (FBI)  disabled a piece of malware Russia’s intelligence agency has allegedly used for two decades (!) to steal documents from NATO-allied governments and others, in an operation that highlights the FBI’s increasing efforts to go beyond arresting hackers and find new ways to disrupt cyberattacks.

In an affidavit filed in federal court in Brooklyn, a Federal Bureau of Investigation agent said the bureau had identified a long-running cyber-espionage campaign by officers in a unit of Russia’s Federal Security Service, or FSB, to take documents from other governments’ defense and foreign ministries, journalists and others, and route them through infected computers in the U.S. to cover their tracks. Security researchers have sometimes referred to the group of hackers as “Turla,” who are known to use a malware called “Snake.”

FBI agents identified U.S. computers infiltrated with the Snake malware, including in Oregon, South Carolina and Connecticut, and obtained court approval to issue commands to the malware to permanently disable it on those computers, officials said. The operation is the latest example of the FBI using an obscure legal authority to proactively disrupt Russian or Chinese cyberattacks by essentially infiltrating their systems. Investigators tracked the group’s daily activities to an FSB facility in Ryazan, outside Moscow.

Cybersecurity experts and U.S. officials said that Turla’s espionage activities can be traced back more than 25 years, though with rare exception the group’s hackers are adept at infiltrating systems without being noticed. For example, the group was linked to a major breach of U.S. classified systems in the late 1990s that compromised the Pentagon, other government agencies and defense contractors and was considered a watershed cyberattack that demonstrated the national security threat posed by Russian government hackers. In that case, it took years before the U.S. discovered the campaign (!).

Aruna Viswanatha and Dustin Volz, FBI Disables Malware Russia Allegedly Used to Steal Documents from NATO Allies, WSJ, May 9, 2023

Late Paranoia Better than None: US v. Chinese Cranes

Leave a reply

In recent years, U.S. national-security officials have pointed to a range of equipment manufactured in China that could facilitate either surveillance or disruptions in the U.S., including baggage-screening systems and electrical transformers, as well as broader concerns about China’s growing control of ports around the world through strategic investments. China makes almost all of the world’s new shipping containers and controls a shipping-data service. In that context, the giant ship-to-shore cranes have drawn new attention. The $850 billion defense policy bill lawmakers passed in December requires the Transportation Department’s maritime administrator, in consultation with the defense secretary and others, to produce an unclassified study by the end of this year on whether foreign-manufactured cranes pose cybersecurity or national-security threats at American ports.

ZPMC cranes entered the U.S. market around two decades ago, offering what industry executives described as good-quality cranes that were significantly cheaper than Western suppliers. In recent years, ZPMC has grown into a major player in the global automated-ports industry, working with Microsoft Corp. and others to connect equipment and analyze data in real time…Today, ZPMC says it controls around 70% of the global market for cranes and has sold its equipment in more than 100 countries. A U.S. official said the company makes nearly 80% of the ship-to-shore cranes in use at U.S. ports…

The huge cranes are generally delivered to U.S. ports fully assembled on ships and are operated through Chinese-made software. In some cases, U.S. officials said, they are supported by Chinese nationals working on two-year U.S. visas, factors they described as potential avenues through which intelligence could be collected…Early in the Trump administration, officials in the National Security Council’s strategic planning office came to consider cranes as a unique point of interest, said Sean Plankey, a former cybersecurity official who was involved in those discussions. “Where would someone attack first and how would they do it?” he asked, characterizing the discussion. He said the officials determined that if Beijing’s military could access the cranes, they could potentially shut down U.S. ports without drawing on their navy.

A National Maritime Cybersecurity Plan, released in December 2020, found that no single U.S. agency had responsibility for maritime network security, leaving port directors without enforceable standards on cybersecurity and generally free to buy equipment from any vendor.

Excerpts from Aruna Viswanatha, Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools, WSJ, Mar. 6, 2023.

The Repressive Digital Technologies of the West

Leave a reply

A growing, multi-billion-dollar industry exports “intrusion software” designed to snoop on smartphones, desktop computers and servers. There is compelling evidence that such software is being used by oppressive regimes to spy on and harass their critics. The same tools could also proliferate and be turned back against the West. Governments need to ensure that this new kind of arms export does not slip through the net.

A recent lawsuit brought by WhatsApp, for instance, alleges that more than 1,400 users of its messaging app were targeted using software made by NSO Group, an Israeli firm. Many of the alleged victims were lawyers, journalists and campaigners. (NSO denies the allegations and says its technology is not designed or licensed for use against human-rights activists and journalists.) Other firms’ hacking tools were used by the blood-soaked regime of Omar al-Bashir in Sudan. These technologies can be used across borders. Some victims of oppressive governments have been dissidents or lawyers living as exiles in rich countries.

Western governments should tighten the rules for moral, economic and strategic reasons. The moral case is obvious. It makes no sense for rich democracies to complain about China’s export of repressive digital technologies if Western tools can be used to the same ends. The economic case is clear, too: unlike conventional arms sales, a reduction in spyware exports would not lead to big manufacturing-job losses at home.

The strategic case revolves around the risk of proliferation. Software can be reverse-engineered, copied indefinitely and—potentially—used to attack anyone in the world…. There is a risk that oppressive regimes acquire capabilities that can then be used against not just their own citizens, but Western citizens, firms and allies, too. It would be in the West’s collective self-interest to limit the spread of such technology.

A starting-point would be to enforce existing export-licensing more tightly… Rich countries should make it harder for ex-spooks to pursue second careers as digital mercenaries in the service of autocrats. The arms trade used to be about rifles, explosives and jets. Now it is about software and information, too. Time for the regime governing the export of weapons to catch up

The spying business: Western firms should not sell spyware to tyrants, Economist, Dec. 14, 2019

Cyber-Attacking Nuclear Plants: the 3 000 cyber bugs

Leave a reply

In the first half of 2019 , no country endured more cyber-attacks on its Internet of Things—the web of internet-connected devices and infrastructure—than India did. So asserts Subex, an Indian telecommunications firm, which produces regular reports on cyber-security. Between April and June of 2019, it said, recorded cyber-attacks jumped by 22%, with 2,550 unique samples of malware discovered. Some of that malicious code is turning up in hair-raising places.

On October 28, 2019 reports indicated that malware had been found on the computer systems of Kudankulam Nuclear Power Plant in Tamil Nadu, the newest and largest such power station in India. Pukhraj Singh, a cybersecurity researcher who formerly worked for the National Technical Research Organisation (NTRO), India’s signals-intelligence agency, says he was informed of the malware by an undisclosed third party in September, and notified the government.The attackers, he said, had acquired high-level access and struck “extremely mission-critical targets”…. On October 30, 2019 the body that operates nuclear power plants acknowledged, sheepishly, that a computer had indeed been infected, but it was only an “administrative” one.

Sensitive sites such as power plants typically isolate the industrial-control systems (those that control the workings of a plant) from those connected to the wider internet. They do so using air-gaps (which involve disconnecting the system from the wider world), firewalls (which monitor data-flows for suspicious traffic) or data diodes (which allow information to flow out but not in).

But breaching a computer on the outside of these digital moats is nevertheless troubling. It could have given the attackers access to sensitive emails, personnel records and other details which would, in turn, make it easier to gain access to the more isolated operational part of the plant. America and Israel are thought to have sneaked the devastating Stuxnet virus into Iran’s air-gapped uranium-enrichment plant at Natanz around 2007 by planting a USB stick on a worker, who carried it inside and plugged it in.

The culprit behind the Kudankulam attack is unknown, but left some clues. The malware in question is from a family known as DTrack, which gives attackers an intimate look at what victims are doing—down to their keystrokes. It is typically used to monitor a target, making it easier to deliver further malware. DTrack was originally developed by a group of hackers known as the Lazarus Group, who are widely assumed to be controlled or directed by North Korea.

Excerpts from On the DTrack: A cyber-attack on an Indian nuclear plant raises worrying questions, Economist, Nov. 1, 2019

The Right Way to Steal

Leave a reply

Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.   The breaches occurred in January and February  2018, the officials said… The hackers targeted a contractor who works for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I., that conducts research and development for submarines and underwater weaponry.

Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library…This fact raises concerns about the Navy’s ability to oversee contractors tasked with developing ­cutting-edge weapons.

For years, Chinese government hackers have siphoned information on the U.S. military, underscoring the challenge the Pentagon faces in safeguarding details of its technological advances. Over the years, the Chinese have snatched designs for the F-35 Joint Strike Fighter; the advanced Patriot PAC-3 missile system; the Army system for shooting down ballistic missiles known as Terminal High Altitude Area Defense; and the Navy’s new Littoral Combat Ship, a small surface vessel designed for near-shore operations, according to previous reports prepared for the Pentagon.  In some cases, suspected Chinese breaches appear to have resulted in copycat technologies…

Investigators say the hack was carried out by the Chinese Ministry of State Security, a civilian spy agency responsible for counterintelligence, foreign intelligence and domestic political security. The hackers operated out of an MSS division in the province of Guangdong, which houses a major foreign hacking department….

In September 2015, in a bid to avert economic sanctions, Chinese President Xi Jinping pledged to President Barack Obama that China would refrain from conducting commercial cyberespionage against the United States. …Both China and the United States consider spying on military technology to fall outside the pact.

Excerpts from Ellen Nakashima and Paul Sonne, China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare, Washington Post, June 8, 2018