
Cyberwarfare Report, Vol. 3, No. 3: Offensive Cyber, Rise Of Iran, Hacking Elections, And Tech Crackdown On Fake News

John P. Mello, Jr.

Northport, N.Y. – Oct. 2, 2018

Nations — including the US, UK and Nigeria — began thinking about offense, not just defense, when it comes to cyber; Iran’s cyber star continued to rise; politicians, political parties and voting machines became hacker targets; and Microsoft, Google, Twitter and Facebook all launched forays against distributors of fake news and disinformation. Those were the topline cyberwar stories of the third quarter of 2018. For a comprehensive view of international cyber conflict, these are the stories you should be following:

September

Sep. 27. A report summarizing the findings of security researchers who organized the “Voting Village” at DEF CON, an annual hacking conference held in Las Vegas, reveals that an 11-year-old security flaw leaves a vote-counting machine currently used in 23 states vulnerable. It says Election Systems & Software, which makes the M650 high-speed ballot scanner, was informed of the defect 11 years ago but has yet to fix it.

Sep. 26. At a United Nations Security Council meeting in New York City, President Donald J. Trump accuses China of meddling in the US midterm elections in retaliation for his trade policies. He offers no evidence to support his allegation.

Sep. 21. Sky News reports the UK plans to create a new offensive cyber force of up to 2,000 people. The new force would be four times bigger than the nation’s current manpower allocation for offensive cyber operations.

Sep. 20. Trump administration releases National Cyber Strategy, promising to be more aggressive in deploying offensive operations against nation-states and criminal groups in cyberspace.

Sep. 19. Cyber Threat Alliance, a consortium of cybersecurity firms formed to share threat intelligence, reports a year-over-year increase in illicit cryptomining of 459 percent, an increase it links to the leak of EternalBlue, an NSA tool that exploits vulnerabilities in Microsoft Windows.

Sep. 18. U.S. State Department confirms one of its unclassified email systems was compromised and the personal information of some of its employees may have been exposed to the intruders. It adds no classified data was accessed during the breach.

Sep. 15. U.S. Naval War College in Newport, R.I. announces establishment of the Adm. James R. Hogg Cyber and Innovation Policy Institute, which will replace and build upon the previous work of the college’s Center for Cyber Conflict Studies.

Sep. 13. U.S. Treasury Department blacklists China Silver Star, its CEO Jong Song, and Volasys Silver Star, its Russian sister company. It says the action is intended to stop the flow of illicit revenue to North Korea from overseas IT workers hiding behind front companies and aliases. The move blocks any property the targets may have in the US and prohibits Americans from doing business with them.

Sep. 12. President Donald J. Trump signs executive order allowing punitive sanctions to be imposed on foreigners who interfere with US elections. The order sets up a process for imposing financial penalties and blocks actors trying to hack voting systems and those spreading disinformation.

Sep. 10. Alba Iulia Court of Appeal in Romania approves extradition to the United States of Marcel Lehel Lazar, 46, better known by his online handle Guccifer and for discovering Hillary Clinton’s private email server. After serving a seven-year prison sentence in Romania for going on a hacking spree there, he will serve a 52-month US sentence for aggravated identity theft and unauthorized access to a computer.

Sep. 7. Check Point, a cybersecurity company, reveals a spyware campaign it believes is sponsored by Iran and aimed at ISIS, Kurdish, and Turkish targets. The malware is hidden in mobile apps, such as wallpaper apps. After it’s installed on an Android phone, it collects contact lists, phone call records, SMS messages, browser history and bookmarks, geolocation data, photos, voice recordings and much more.

Sep. 6. U.S. Justice Department charges Park Jin Hyok, a North Korean national, with computer and wire fraud in connection with the 2014 cyberattack on Sony Pictures Entertainment. The department says Hyok is tied to North Korea’s Reconnaissance General Bureau, a state-sponsored intelligence agency that oversees the country’s cyber capabilities. It also accuses him of participating in the 2016 Bangladesh Bank cyber heist, in which $1 billion was stolen, and the 2017 WannaCry ransomware attack that penetrated more than 230,000 computers in 150 countries.

Sep. 6. ClearSky, a cybersecurity firm, finds three Iran-run, fake news sites aimed at Israelis. It says one of the sites is the Hebrew-language Tel Aviv Times, which engages in “distorting news,” and the other two are Arabic language news outlets that promote the Islamic Republic.

August

Aug. 29. Lt. General Tukur Yusuf Buratai, chief of staff for the Nigerian army, approves creation of the Cyber Warfare Command. The command will be initially composed of 150 specially trained personnel from all the corps and services of the military branch. It’s charged with monitoring, defending and attacking subversive elements in cyberspace.

Aug. 27. Associated Press reports Fancy Bear, the Russian hacking group believed to have stolen emails from the Democratic National Committee during the 2016 presidential election, is trying to snatch the private correspondence of some of the world’s most senior Orthodox Christian figures. AP notes that the Kremlin is trying to help Moscow’s Patriarch Kirill retain control over the Orthodox church in Ukraine, which wants to sever ties with Russia.

Aug. 24. Secureworks, a cybersecurity company, exposes a global campaign originating in Iran to steal unpublished research and intellectual property from 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.

Aug. 23. U.S. District Court in Augusta, Ga. sentences Reality Winner, 26, a former NSA contractor, to five years, three months in prison, three years of supervised release, and a $100 special assessment for leaking classified information about Russia’s meddling with the 2016 presidential election. Sentence is longest ever for a federal crime involving leaks to the news media.

Aug. 23. American Journal of Public Health publishes a study finding that Russian bots and trolls disseminated online messages both for and against vaccines between 2014 and 2017. Researchers explain that by posting tweets that were for, against, and neutral on vaccines, the trolls and bots tried to legitimize the vaccine debate. They add that troll accounts linked to the campaign were tied to the Internet Research Agency, a company backed by the Russian government.

Aug. 23. Google terminates 39 YouTube channels, six Blogger accounts and 13 Google+ accounts connected to an influence campaign run by the Islamic Republic of Iran Broadcasting. It says actors engaged in this type of influence operation violate its policies.

Aug. 22. Facebook and Twitter announce they’ve removed hundreds of pages, accounts, and groups linked to Iran’s state media from their services. Facebook maintains the 652 pages, accounts and groups covertly spread political content to people on four continents in violation of the social network’s terms of service by engaging in “coordinated inauthentic behavior.” Twitter says it removed 284 accounts for “coordinated manipulation.”

Aug. 22. Mark Kneidinger, director of the Federal Network Resilience division of the Office of Cybersecurity and Communications in the U.S. Department of Homeland Security, reveals at a cybersecurity event sponsored by Splunk that DHS is working on a software tool that will allow federal agencies to contextualize cybersecurity risk and clarify where they need to apply focus and resources. He explains the “Risk Radar” tool will alert top brass at agencies about the actual consequences of everyday cyber activity and make sense of threat information above the operational level.

Aug. 20. Microsoft announces it has shut down six malicious websites created by the group of hackers affiliated with the Russian military who are believed to have stolen a cache of email from the Democratic National Committee during the 2016 presidential campaign. It says the sites were crafted to spoof the domains of legitimate websites, including the Hudson Institute and the International Republican Institute, both well-known GOP think tanks.

Aug. 20. Website of Sweden’s Social Democrats party, one of the two coalition parties running the country, suffers a DDoS attack that disrupts access to the site for six minutes. The party’s IP provider links the attack to Russia and North Korea.

Aug. 17. Labor Party of Western Australia announces it’s resetting the passwords to its email systems after discovering hackers, possibly from China and Russia, have tried to gain unauthorized access to party documents and data. It says the attacks have been going on for several months but increased significantly a week before elections held in July.

Aug. 16. Marsh, an international insurance and risk management company, releases position paper maintaining NotPetya, the most costly cyberattack in world history, was not an act of cyberwar. As such, it argues, damages suffered from the event are not subject to cyberwar exceptions found in many cybersecurity insurance policies.

Aug. 16. Recorded Future, a cybersecurity firm, reports hackers using computers at Tsinghua University, China’s equivalent of MIT, targeted US energy and communications companies, as well as Alaska’s state government, before and after a US trade delegation led by Alaskan Gov. Bill Walker spent a week in China in May. RF says the hackers were searching for security flaws that could be used to break into confidential systems.

Aug. 15. President Donald J. Trump signs order scuttling restrictions on offensive cyber operations established by the Obama administration. Details of the order are classified and not made public.

Aug. 15. Rolling Stone reports FBI agents in California and Washington, D.C. have investigated a series of cyberattacks on the Congressional campaign of Dr. Hans Keirstead, who ran against Rep. Dana Rohrabacher, R-Calif., one of the biggest boosters in Congress of Russia and its president Vladimir Putin. Keirstead, a stem-cell scientist and the CEO of a biomedical research company, finished third in California’s nonpartisan “top-two” primary in June, falling 125 votes short of advancing to the general election.

Aug. 12. Emmett Brewer, 11, demonstrates at DEF CON 26, an annual hacking convention held in Las Vegas, Nev., how to compromise a state’s election website and change voting results.

Aug. 12. Turkish hackers crack NBC national correspondent Peter Alexander’s Twitter account and post pro-Turkey tweets and pictures.

Aug. 12. HackerOne and the U.S. Defense Department launch “Hack the Marine Corps,” a bug-bounty program designed to harden the Corps’ public-facing websites and enterprise network.

Aug. 10. A U.S. State Department cable obtained by BuzzFeed News through the Freedom of Information Act reveals Russian hackers were targeting Swedish news sites in the fall of 2016 in an attempt to discourage the country from cooperating with NATO. The attacks knocked several of the nation’s largest sites offline temporarily.

Aug. 10. U.S. Democratic National Committee’s lawyers serve WikiLeaks, via Twitter, with notice of lawsuit against it for working with the Trump campaign and Russia to swing the 2016 election in Trump’s favor. The attorneys reportedly resorted to Twitter after their attempts to serve the papers via email were ignored by the information transparency advocates.

Aug. 9. Clearsky, an Israeli cybersecurity firm, discovers bogus early warning app designed to spread spyware on smartphones. It says Hamas, a Palestinian Islamist political organization and militant group, is behind the malware. It adds the bad app is being promoted through a website that looks like the one used by Israel to distribute the legitimate app to warn people of Hamas rocket attacks.

Aug. 7. Accenture releases its mid-year Threatscape Report, which predicts an escalation of Iran-based cyber-threat activity, broadening attacks on global supply chains, increased targeting of critical infrastructure, as well as new and growing avenues of financially motivated cybercrime.

Aug. 7. U.S. Navy Secretary Richard V. Spencer tells reporters at Pentagon press conference that cyber officers need to be recruited at ranks higher than ensign and second lieutenant to attract the “brain power” the service needs for its technical fields. He adds that cyber officers also need to move more fluidly between military and civilian careers.

Aug. 4. Tabitha Isner, a Democratic candidate for a congressional seat in Alabama, claims there have been more than 1,400 attempts to break into her campaign’s website, about 1,100 of them from Russia.

Aug. 3. Taiwan Semiconductor Manufacturing Co., which makes the chips for Apple’s iPhones, shuts down several factories after a number of its fabrication tools became infected with a software virus. The company says it has been attacked by viruses before but this is the first time an attack has affected production.

Aug. 2. Director of National Intelligence Dan Coats says at White House press briefing that the US intelligence community knows Russia has tried to hack into and steal information from candidates and public officials. He adds that those efforts are not exclusive to the upcoming midterm elections, but part of a “pervasive messaging campaign by Russia to try to weaken and divide the United States.”

Aug. 2. Zimbabwe Electoral Commission announces its website was hacked and had to be taken offline. It says it noticed the hack after finding images on the site not posted there by the commission.

Aug. 1. The Intercept reports Google plans to launch a censored version of its search engine in China that will blacklist websites and search terms about human rights, democracy, religion, and peaceful protest. It notes the project, called Dragonfly, has been underway since the spring of 2016. Most internet users in China can’t access Google’s search engine because it’s blocked by the country’s “Great Firewall.”

Aug. 1. Security and social media experts appearing at a public hearing tell U.S. Senate Intelligence Committee that the Internet Research Agency, a “troll farm” linked to the Kremlin, is just the “tip of the iceberg” when it comes to Russia’s hacking and disinformation efforts.

July

Jul. 31. Facebook removes 32 pages and fake accounts it says were designed to potentially disrupt midterm elections in the United States. It adds it could not identify who was behind the campaign, but some of the tools and techniques used by the accounts were similar to those used by the Internet Research Agency, a group linked to Russia at the center of an indictment this year alleging interference in the 2016 presidential election.

Jul. 31. ComputerWeekly reports Tim Leonard, 39, a British IT manager, was behind a disinformation campaign claiming the theft of emails from the US Democratic National Committee in 2016 was an “inside job” and not orchestrated by the Kremlin. It notes Leonard, who ran the campaign from the UK under the false name Adam Carter, worked with right-wing activists to spread the fake news to discredit reports Russia meddled in the 2016 US elections.

Jul. 30. Swiss newspaper SonntagsBlick reports Spiez Laboratory in Bern canton has been the target of a phishing attack by Sandworm, a hacker group affiliated with Russia’s secret service. The lab has been analyzing the nerve agent used to poison former Russian double agent Sergei Skripal and his daughter in the UK. Blick notes the attack caused limited damage to the lab and no outflow of data has been detected.

Jul. 28. U.S. Undersecretary of Defense for Acquisition and Sustainment Ellen Lord tells reporters the Pentagon is working on a software “do not buy” list to block vendors who use software code originating from Russia and China.

Jul. 27. Lt. Gen. Jiri Baloun, first deputy of the Army of the Czech Republic’s general staff, tells reporters the service aims to add 5,000 more people to technical branch specialties such as cyber warfare and robotics by 2026.

Jul. 26. Daily Beast reports the staff of Sen. Claire McCaskill, a Missouri Democrat, has been targeted by the Russian intelligence agency that meddled in the 2016 US elections. McCaskill later said the attacks were unsuccessful.

Jul. 24. German Interior Ministry and state security agency release report finding Russian online interference in the country declined during run-up to last year’s federal elections.

Jul. 24. Washington, D.C. fends off large-scale multinational attempt to breach its cyberdefenses. City Chief Technology Officer Barney Krucoff tells Government Tech that the attack was widespread and did not target any single individual or department.

Jul. 23. Wall Street Journal reports Russian hackers penetrated hundreds of US utilities in 2017 and could have disrupted the nation’s power grid. It notes the attacks were launched by a group known as Dragonfly or Energetic Bear, which is sponsored by the Russian government.

Jul. 22. In response to a lawsuit, FBI releases documents related to surveillance of Carter Page, an advisor to the 2016 Trump presidential campaign. Among the documents are surveillance requests filed and approved by the Foreign Intelligence Surveillance Court noting “the FBI believes that the Russian Government’s efforts are being coordinated with Page and perhaps other individuals associated with” Trump’s campaign.

Jul. 20. Eric Hoh, Asia Pacific president of FireEye, says a well-resourced, well-funded and highly sophisticated nation-state actor is likely behind the theft of healthcare information of 1.5 million citizens of Singapore.

Jul. 19. Tom Burt, Microsoft’s vice president for customer security, tells the Aspen Security Forum that the staff of three candidates running for office this year have been targeted by hackers using techniques similar to those that compromised servers at the Democratic National Committee in 2016.

Jul. 18. Former NSA Director Keith Alexander tells Fox Business that Chinese cyberattacks have resulted in the “greatest transfer of wealth in history” and likely cost the United States as much as $400 billion a year.

Jul. 17. Motherboard reports Election Systems & Software, the nation’s top voting machine maker, has acknowledged it installed remote-access software on some of its voting systems over a period of six years. It had previously denied the use of that kind of software. Such programs can make voting machines more vulnerable to hackers.

Jul. 14. Twitter shuts down accounts of DCLeaks and Guccifer 2.0, both connected with the release of stolen emails and documents during the run-up to 2016 elections. Both accounts were reportedly dormant for at least 18 months before they were shut down.

Jul. 13. U.S. Department of Justice charges 12 Russian intelligence officers with hacking Democratic officials in the 2016 elections and stealing data of half a million voters from a state election board website. It says officers used fictitious online personas, including “DCLeaks” and “Guccifer 2.0,” to release thousands of stolen emails beginning in June 2016.

Jul. 13. United Nations sets up a digital cooperation panel to deal with the dark side of digital innovation, such as cyberwar and the proliferation of hate speech. Jack Ma, co-founder of Alibaba, and Melinda Gates, co-chair of the Bill and Melinda Gates Foundation, will co-chair the 20-member panel.

Jul. 11. Christopher Krebs, head of the U.S. Department of Homeland Security’s cybersecurity unit, tells the House Homeland Security Committee that intelligence officials have seen no evidence of Russian meddling in the midterm elections that “rises to the level of 2016.”

Jul. 11. Security Service of Ukraine claims Russian hackers used VPNFilter malware to target an overflow station that cleans the country’s water supply. The agency says the attack was mitigated before a man-made disaster occurred.

Jul. 11. ISIS advises followers to follow only its Telegram channel in the wake of spoofs and cyberattacks on the terrorist group’s online information outlets by international intelligence agencies. ISIS warns that Nashir News Agency, the group’s official information arm, has no accounts on Twitter, Instagram, WhatsApp or any site other than Telegram.

Jul. 10. FireEye reports TEMP.Periscope, a Chinese espionage group, has compromised multiple entities related to Cambodia’s upcoming elections on July 29. Government bodies penetrated by the group include entities overseeing the elections and opposition candidates.

Jul. 10. Recorded Future, a threat intelligence company, reports a hacker is trying to sell sensitive information about US military drones on the dark web. It says unclassified documents on the program were stolen from an Air Force captain’s computer. They include a list of airmen working in the MQ-9A drone program, as well as maintenance and course material on the aircraft used for surveillance and air strikes around the world.

Jul. 10. Blogger and developer Patrick Wardle reveals Apple’s attempt to censor references to Taiwan on iPhones in China created a bug that crashes the devices. Apple subsequently fixed the bug.

Jul. 9. Bellingcat and De Correspondent report the fitness app Polar is exposing online the locations of people exercising at sensitive locations such as military bases and airfields, nuclear weapons storage sites, and embassies, as well as at their homes.

Jul. 6. Sydney Morning Herald reports hackers based in China successfully breached the IT systems at the Australian National University, potentially compromising the country’s leading national security college and key defense research projects.

Jul. 3. U.S. Senate Intelligence Committee releases report finding January 2017 assessment of Russia’s election meddling by intelligence community was a “sound intelligence product” and that the conclusions were “reached in a professional and transparent manner.”

Jul. 3. U.S. District Court Judge Ellen Huvelle dismisses lawsuit alleging President Donald Trump’s campaign and former Trump adviser Roger Stone conspired with Russia and WikiLeaks to publish hacked Democratic National Committee emails during the 2016 presidential race. She determined the case was too flimsy to proceed.

Jul. 3. Daily Mail reports the Pentagon is developing an advanced cyber weapon system to launch online attacks against hackers from hostile governments. Dubbed the “cyber carrier,” it’s expected to become an integral part of all US online operations and provide services as critical as jets are to pilots or aircraft carriers are to sailors.

Jul. 3. Israeli army accuses Hamas, an Islamist militant group, of attempting to hack into its soldiers’ phones through a World Cup app as well as two dating apps. The apps let Hamas access the troops’ location, secretly take and send photographs, turn the phone into a listening device, and copy files and photos.

Jul. 3. Izvestia reports Russian Ministry of Defense is constructing a research laboratory that will explore how blockchain technology can be used to bolster national security by preventing hacks on military infrastructure. ERA, the military’s technology accelerator, is overseeing the project.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.