13 Jan Cyberwarfare Report, Vol. 3, No. 4: Indictments, Sanctions, And Supply Chain Poisoning
Northport, N.Y. – Jan. 2, 2019
The United States was busy during the last three months of 2018 leveling indictments and sanctions against Russian and Chinese officials and hackers, while Bloomberg publishes a disturbing report about motherboard tampering by overseas contractors.
December
Dec. 29. A computer virus disrupts delivery of major newspapers in the United States, including the Los Angeles Times, Chicago Tribune, Baltimore Sun, and West Coast editions of the New York Times and Wall Street Journal. The malicious software affected backend systems at the newspapers and customer information was unaffected, according to news reports.
Dec. 20. U.S. Justice Department unseals indictment of Zhu Hua and Zhang Shillong, both Chinese nationals, which alleges the men carried out an extensive hacking campaign to steal corporate data and commercial secrets from 45 entities in 12 countries. Indictment maintains the men’s victims were in a variety of industries—including aviation, telecommunications, pharmaceuticals, and natural resources—and involved NASA and the personal information of more than 100,000 U.S. Navy personnel.
Dec. 20. Reuters reports that threat actors working for China’s Ministry of State Security penetrated the networks of Hewlett Packard Enterprise and IBM and then used that access to compromise those companies’ clients. It explains attacks were part of a campaign called Cloudhopper in which Chinese hackers infected technology service providers in order to steal intellectual property.
Dec. 20. U.S. Air Force releases results of its “Hack the Air Force” bug bounty program. It says 120 vulnerabilities were found in the military branch’s public-facing websites and services, and $130,000 in bug bounties was awarded White Hat hackers.
Dec. 19. U.S. Treasury Department announces sanctioning of 15 Russian military intelligence operatives for interfering with the 2016 presidential election and the assassination of a former double agent in the UK. Sanctions also target persons involved in a Russian intrusion into the systems of the World Anti-Doping Agency and an intelligence officer accused of working for oligarch Oleg Deripaska.
Dec. 19. U.S. District Court Judge Ursula Ungaro dismisses libel lawsuit against BuzzFeed arising from its publication of a dossier on President Donald J. Trump’s ties to Russia. The lawsuit was filed by Russian businessman Aleksej Gubarev, who the document connects to Kremlin-ordered hacking of Democratic Party officials in 2016.
Dec. 18. Area 1, a cybersecurity firm, reveals hackers penetrated the European Union’s diplomatic communications networks for years and downloaded thousands of cables revealing the concerns of diplomats about the Trump administration, how to deal with Russia and China, and the possibility Iran would revive its nuclear weapons program.
Dec. 17. U.S. Senate releases two reports that find Russia engaged in an all out social media campaign on Donald Trump’s behalf during the 2016 election and continued to support him after he took office.
Dec. 14. Wall Street Journal reports that Chinese hackers have breached U.S. Navy contractors and stolen massive amounts of information, including missile plans. It notes that the attacks over the last 18 months have been used to gather intelligence, sabotage American systems, and steal intellectual property.
Dec. 13. Associated Press reports an Iranian hacking group known as Charming Kitten has been trying to break into the private emails of more than a dozen U.S. Treasury officials and others to obtain inside information on sanctions against the Middle Eastern nation.
Dec. 12. Palo Alto Networks reports that Fancy Bear, or APT28, has launched a campaign to install backdoor software on targets in NATO-aligned nations and some former USSR states.
Dec. 11. New York Times reports that cyberattack on Marriott hotel chain that stole personal information on some 500 million guests was part of a Chinese intelligence-gathering campaign that also hacked health insurers and security clearance files of millions of Americans. It notes the Marriott hackers are suspected of working for the Ministry of State Security, the country’s Communist-controlled civilian spy agency.
Dec. 4. Politico reports that the National Republican Congressional Committee suffered a major cyberattack during the 2018 midterm campaigns, exposing thousands of emails to an intruder. It notes the group was occupied for several months until a vendor detected the system breach in April.
Dec. 4. The Secret Service of Ukraine reveals it stopped an attempt by Russian special services to launch a large-scale cyberattack on the information and telecommunications systems of its country’s judiciary system. It notes that the attackers tried to get their targets to download counterfeit accounting documents infected with a computer virus.
Dec. 3. The Czech Security Intelligence Service issues report revealing country’s government networks were penetrated in 2016 and 2017 by two cyber espionage groups linked to Russia, Turla and Fancy Bear, or APT28. It notes the attackers focused on email accounts of top ministry representatives and accessed the mailboxes in a repeated, long-term, and irregular manner.
Dec. 3. Financial Review reports that the Lowry Institute, Australia’s leading foreign affairs think tank, has been targeted at least twice by Chinese hackers in an apparent attempt to view the organization’s online dealings with the federal government and visiting foreign dignitaries. It notes the attacks—one in 2018, the other in 2012—are similar to those mounted against think tanks in the United States.
Dec. 1. UK military issues alert to all bases in Britain to report any sightings of Timur Siraziev, a Russian TV reporter, and his cameraman, Dmitry Volkov. Military initiates action after Siraziev, who works for Channel One in the Kremlin, was spotted filming close to the perimeter of the 77th Brigade, a top secret electronic and psychological warfare Army unit that works with MI5, MI6, and the SAS.
November
Nov. 30. U.S. Department of Homeland Security reports that the elections systems of Maryland hosted by a vendor with financial ties to Russia have not been compromised. It finds no unauthorized access or statistical anomalies in network activity that suggest malicious behavior by the host, ByteGridLLC, which was purchased in 2015 by Vladimir Potanin, the sixth wealthiest person in Russia.
Nov. 29. German news magazine Der Spiegel reports Snake, a Russian hacking group, has compromised the email accounts of several German officials. It notes intrusion was discovered by German security officials nearly a year after it happened.
Nov. 28. U.S. Department of Justice indicts Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, both of Iran, for a 34-month computer crime spree targeting computers of the City of Newark, N.J. and dozens of hospitals, municipalities, and public institutions. The pair’s ransomware scheme raked in $6 million in extortion payments and caused $30 million in losses to their victims.
Nov. 21. Col. Gen. Igor V. Korobov, 63, head of GRU, Russia’s military intelligence branch, dies after a long illness. Korobov oversaw the hacking of the Democratic National Committee’s computers during the 2016 presidential elections and was sanctioned by the U.S. Treasury Department for releasing those emails to the public.
Nov. 20. Researchers at Tel Aviv University and U.S. Naval War College report that for six months in 2017, Internet traffic from Europe and North America headed to Australia was diverted as it traveled through mainland China. China Telecom, a state-owned company, attributed the diversion to a “routing error,” although one of the Israeli researchers believes the action was part of a targeted data theft.
Nov. 19. UK Parliament’s National Security Select Committee recommends adding a cybersecurity minister to the cabinet and prioritizing information sharing and collaboration on cybersecurity with EU during Brexit talks.
Nov. 16. A number of cybersecurity firms report a resurgence of activity by Cozy Bear, or APT29, after a one-year hiatus. The group has launched a large-scale, spear-phishing campaign aimed at both the U.S. government and the private sector.
Nov. 14. Norwegian Defense Ministry accuses Russia of jamming GPS location signals during NATO war games held in the Scandinavian nation between Oct. 16 and Nov. 7.
Nov. 12. Fifty nations and 150 tech companies sign “Paris Call for Trust and Security in Cyberspace,” an agreement to fight criminal activity on the Internet, including interference with elections and hate speech, as well as prevent malicious activities, like online censorship and theft of trade secrets. United States and Russia do not sign agreement.
Nov. 12. The Australian Cyber Security Centre reveals Iranian hackers were behind a data breach at Austral, of Perth, the country’s biggest defense exporter. The intruders robbed the company’s computers of staff email addresses and phone numbers, as well as ship drawings and designs, and later offered some of the information for sale on the Dark Web.
Nov. 9. U.S. Cyber Command begins releasing unclassified samples of adversaries’ malware. It says move is intended to improve information sharing among members of the cybersecurity community.
Nov. 5. Iranian Telecommunications Minister Mohammad Javad Azari-Jahromi blames Israel for Stuxnet-like cyberattack on his country’s communications infrastructure. He claims Iran was able to foil the attack.
Nov. 3. The Australian reports a secret report given to Australian officials outlines a case in which Chinese intelligence services used staff at telecommunications giant Huawei to get access codes and break into a foreign network. Security concerns have induced some countries, including Australia, to ban Huawei from working on large telecommunication infrastructure projects.
Nov. 2. Daily Beast reports U.S. intelligence community and the Pentagon have agreed on the outlines of a cyber offensive against Russia should the Kremlin try to interfere with the midterm elections. It says American military hackers have been given the green light to access Russian systems needed to launch the plan quickly.
Nov. 2. Yahoo News reports that from 2009 to 2013 the secret Internet-based communication system used by the U.S. intelligence community experienced crippling failures that resulted in the death of more than two dozen sources in China in 2011 and 2012.
October
Oct. 31. Hadashot TV in Israel reports that Iranian infrastructure and strategic networks have been attacked by malware similar to Stuxnet but “more violent, more advanced and more sophisticated.”
Oct. 30. U.S. Justice Department unseals indictment of 10 people, including Chinese intelligence officers, hackers, and company insiders, alleged to have conspired to break into the computer systems of private companies and steal information on a turbo fan engine used in commercial jetliners. The indictment notes that at the time of the cyber espionage, China was working on a compatible engine for use in China and other countries.
Oct. 29. Associated Press reports that a year before Marila Butina was accused of being a spy for the Russian government, she worked as a graduate student at American University gathering information on the cyberdefenses of U.S. non-profit organizations that champion media freedom and human rights.
Oct. 26. Facebook announces it has removed 82 pages, groups, and accounts originating in Iran for coordinated inauthentic behavior. It says the removal targets were registered by Iranians posing as U.S. or UK citizens and posted material about hot-button issues, such as race relations, opposition to President Trump, and immigration.
Oct. 24. New York Times reports Russian and Chinese spies routinely eavesdrop on conversations of President Donald J. Trump made on his insecure iPhones. It says American spy agencies learned of the eavesdropping from human sources inside foreign governments and intercepting communications between foreign officials.
Oct. 23. New York Times reports U.S. Cyber Command is targeting individual Russian operatives to deter them from spreading disinformation to interfere with the midterm elections. It says the agents are being told America knows who you are and it is watching you.
Oct. 23. FireEye, a cybersecurity company, reports with “high confidence” that a Russian-linked research institute helped develop malware used by hackers to force the shutdown of a Saudi petrochemical plant in 2017.
Oct. 22. Hackers deface home page of high-profile Saudi “Davos in the Desert” investment conference scheduled to begin Oct. 23. Site content was replaced with message calling for Saudi Arabia to be held “responsible for its barbaric and inhuman action, such as killing its own citizen Jamal Khashoggi and thousands of innocent people in Yemen.” Khashoggi is a journalist murdered by agents of the Saudi state.
Oct. 19. U.S. Justice Department unseals criminal complaint against Elena Alekseevna Khusyaynova, 44, of St. Petersburg, Russia, for her alleged role in a Russian conspiracy to interfere with the U.S. political system, including the 2018 midterm elections. According to the complaint, Khusyaynova allegedly managed the financing of Project Lakhta, an umbrella organization funded by Russian oligarch Yevgeniy Viktorovich Prigozhin and two companies he controls. Lakhta was used to hire activists, buy advertisements on social media platforms, register domain names, and purchase of proxy servers for a campaign to sow discord in the U.S. political system and undermine faith in democratic institutions.
Oct. 18. European Union calls for “restrictive measures” to respond to and deter cyberattacks against its member states. The initiative was proposed by Britain, the Netherlands, Lithuania, Estonia, Latvia, Denmark, Finland, and Romania.
Oct. 17. Cybersecurity researchers at Eset say they’ve discovered a new espionage group called GreyEnergy which has infected with malware three energy and transportation companies in the Ukraine and Poland. Eset warns the activity could be an early indicator that the hacking group is preparing to launch more damaging attacks in the future.
Oct. 17. Slovakia’s Prime Minister Peter Pellegrini announces investigation of a cyberattack on its foreign ministry by a “supranational and sophisticated spy organization.” He says attack involved harmful code that transferred data to foreign servers.
Oct. 16. Ciaran Martin, head of the UK’s National Cyber Security Centre, says in a newspaper interview that the Kremlin is accessing his nation’s computer systems in attempts to spy or as a first step towards unleashing attacks on the country’s critical infrastructure.
Oct. 15. U.S. Department of Homeland Security says in an intelligence assessment obtained by NBC news that it’s seeing an increase in the number of cyber attacks on U.S. election databases. It adds it doesn’t know who is behind the attacks but all of them either failed or were mitigated.
Oct. 15. Anomali Labs and Intel 471, two cybersecurity firms, report voter registration databases for 19 states are being sold on the Dark Web for $150 to $12,500. It estimates databases contain more than 35 million records.
Oct. 15. British foreign minister Jeremy Hunt urges Europe to impose sanctions on Russia over its cyberwar activities.
Oct. 15. Nigerian Chief of Army Staff, Lt. Gen. Tukur Buratai, announces the Nigerian Army Cyber Warfare Command, a new corps to protect the army’s data and networks against cyber attacks and to curb terrorism. In addition, a new app is unveiled to enable Nigerian citizens to pass information to the military.
Oct. 13. Facebook removes 66 accounts, pages, and apps of SocialDataHub and Fubutech, both based in Moscow, for violating the social network’s rules by scraping data about its members.
Oct. 12. Pentagon reveals data breach of U.S. Department of Defense’s travel records compromising personal information and payment card data of as many as 30,000 military and civilian personnel.
Oct. 10. Google turns on as default for administrators of its G Suite software an alert that their users have been targeted by a government-backed attack.
Oct. 10. Symantec, a cybersecurity company, reports it has discovered a new threat actor it’s calling Gallmaker carrying out target attacks against embassies in an Eastern European country, as well as military and defense targets in the Middle East. It says the actor is likely state-sponsored, but did not speculate on what state may be sponsoring the group.
Oct. 9. U.S. Government Accountability Office releases report finding nearly all weapon systems currently under development at the Department of Defense contain mission critical cyber vulnerabilities.
Oct. 9. CrowdStrike, a cybersecurity company, releases report finding that, after a brief hiatus during the end of the Obama administration, China has begun to ramp up its efforts to steal U.S. intellectual property.
Oct. 9. Bloomberg reports a major U.S. telecommunications company discovered manipulated hardware by Supermicro Computer on its network and removed it in August. Supermicro was named in a Bloomberg report on how China’s intelligence services ordered subcontractors to plant spy chips on motherboards used in the company’s servers. Yossi Appleboum, who provided Bloomberg with documentation about the incident at the telecom, says he’s seen similar manipulations in hardware from different vendors made by contractors in China, not just in products from Supermicro.
Oct. 6. U.S. Department of Homeland Security says it has no reason to doubt denials by Apple and Amazon that their networks contain hardware with malicious chips planted by Chinese intelligence, as reported by Bloomberg earlier in the week.
Oct. 5. UK’s National Cyber Security Centre states it has no reason to doubt findings by Apple and Amazon discrediting Bloomberg report that those companies’ networks contain hardware with malicious computer chips planted by Chinese intelligence services.
Oct. 4. Bloomberg reports Chinese spy chip found on motherboard of servers widely used in U.S. Defense Department data centers, CIA drone operations, onboard Navy warships, and nearly 30 U.S. companies, including Apple and Amazon. It says chips created a backdoor to any network connected to the servers and were inserted on the motherboards at factories run by manufacturing subcontractors in China.
Oct. 4. Grand Jury in Pennsylvania indicts seven officers in Russian military intelligence for computer hacking, wire fraud, aggravated identity theft, and money laundering. The indictment alleges the officers were part of a conspiracy that used sophisticated computer intrusions to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize the efforts of international anti-doping organizations and officials who had publicly exposed a Russian state-sponsored athlete doping program and to damage the reputations of athletes around the world by falsely claiming that such athletes were using banned or performance-enhancing drugs.
Oct. 4. Dutch Major General Onno Eichelsheim, at a news conference, says four men believed to be connected to Russian military intelligence tried, but failed, to hack into the Organization for the Prohibition of Chemical Weapons while the agency was investigating the nerve agent used to poison former Russian spy Sergei Skripal in England and in a chemical attack in Syria.
Oct. 4. UK accuses Russian military intelligence of directing a host of cyberattacks aimed at undermining Western democracies. It casts GRU as pernicious cyber aggressor that used a network of hackers to sow discord globally.
Oct. 3. Australian Prime Minister Scott Morrison states advice from Australian intelligence agencies in consultation with the nation’s allies has led him to believe Russian military has been responsible for a “pattern of malicious cyber activity” for years.
Oct. 3. Cybersecurity firm FireEye releases report on the North Korean hacking groups APT38, TEMP.Hermit, and Lazarus. It says two of the groups, TEMP.Hermit and Lazarus, are focused on espionage, while the third specializes in cyber heists at banks and financial institutions.
Oct. 2. U.S. Homeland Security Secretary Kirstjen Nielsen tells audience at Washington Post cybersecurity summit that there is no indication that a foreign adversary intends to disrupt the nation’s election infrastructure during the midterm elections.
Oct. 2. Billy Ribeiro Anderson, 41, pleads guilty to defacing websites at the U.S. Military Academy at West Point and the New York City Comptroller’s office. Anderson, convicted of two counts of computer fraud for causing damage to a protected computer, faces up to 10 years in jail for each count.
Oct. 1. Twitter announces rules changes to improve the health of public conversation on its platform and to protect the integrity of elections. Changes add criteria for defining fake accounts, allow accounts related to suspended accounts to be suspended, and suspend accounts claiming responsibility for a hack, as well as those that include threats and public incentives to hack specific people and accounts.
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.