01 Jul Cyberwarfare Report, Vol. 5, No. 2: Intrusions Intensify During The COVID-19 Pandemic
Sponsored by Intrusion
Northport, N.Y. – Jun. 30, 2020
The coronavirus not only dominated the news cycle during the second quarter of the year, but it became a source for exploitation by cyber warriors.
Universities and companies engaged in COVID-19 research became targets of nation-state hackers, and cyberattacks increased globally as workers confined to their homes were perceived as ripe targets for hackers searching for easy ways to crack corporate networks. Meanwhile, cyber skirmishes broke out between India, China, and Pakistan, as well as between Israel and Iran.
Organizations in the U.S. continue to suffer intrusions at the hands of adversaries. “The simple fact is that most if not all businesses in America have been breached,” says Jack B. Blount, president and CEO at Intrusion, Inc. “They undoubtedly have cyberwarfare agents living in their network today… stealing information, or waiting to be attacked,” adds Blount, an expert on cyberwarfare, and a former federal government CIO.
Our diary of Cyberwarfare activity over the past three months makes clear that our nation cannot be distracted by the coronavirus pandemic while the global cybercrime epidemic persists.
Cybercrime Radio: Discussion with Jack Blount, CEO at Intrusion
Cyberwarfare insights for C-suite executives and CISOs
Jun. 30. Washington Free Beacon reports lawsuit filed by Republican financier Elliott Broidy alleges Qatar, through a consultancy composed of former CIA and other military officials with experience in cyber espionage, conspired to steal confidential materials from Broidy and make them public in order to discredit him. It adds that the country is believed to be behind a series of similar attacks against GOP and Jewish community activists who have been pressuring the Trump administration to cut ties with Qatar.
Jun. 29. India bans nearly 60 Chinese mobile apps, including TikTok, because they pose a national security risk. Earlier in the month, the two nations engaged in a military clash that left 20 Indian soldiers dead and an unknown number of Chinese casualties.
Jun. 29. Australian Prime Minister Scott Morrison announces $1.35 billion in existing defense funding will be used to boost his nation’s cybersecurity capabilities. Money will be used to create 500 new cybersecurity jobs, improve the Australian Signals Directorate ability to disrupt cybercrime, and expand data science and intelligence capabilities.
Jun. 28. Theodore Karasik, a senior adviser at Gulf State Analytics, claims a huge explosion at the Khojir military site east of Tehran was the result of an Israeli cyberattack. He adds that the attack on the site, which has been used for weapons manufacturing and as a nuclear weapons research facility in the past, is a continuation of the Stuxnet virus which disrupted Iran’s nuclear development program 10 years ago.
Jun. 24. Cyfirma, a threat intelligence company based in Singapore, reports cyberattacks on India have increased 200 percent from May to June. It notes it has reason to believe that two Chinese hacking groups affiliated with the People’s Liberation Army, Gothic Panda and Stone Panda, are behind the attacks, which could affect as many as two million Indians.
Jun. 17. Eset, a cybersecurity company, reports hackers posing on LinkedIn as recruiters for Collins Aerospace and General Dynamics were able to compromise the systems of at least two defense contractors in Central Europe. The bogus recruiters sent job candidates documents which, when opened, released malicious code into the systems of the targeted organizations. Eset could not determine if any data was stolen from the targets or who is behind the attacks, although they contained links to the Lazarus Group, a North Korean outfit accused by U.S. prosecutors of data robberies at Sony Pictures and the Central Bank of Bangladesh.
Jun. 15. Chinese researchers in an article published in Nature explain how they successfully shared, through Quantum Key Distribution, secret encryption keys between two ground stations 1,120 kilometres apart at 0.12 bits per second, without the need for relays. The distribution took place through bidirectional downlinks from the Micius satellite. QKD technology has the potential to create “hacker proof” encryption, but its low range — about 100 kilometres without relays — has been one of the obstacles to adoption.
Jun. 14. The National Intelligence Service of Greece hires 80 hackers to bolster its cyberwar capabilities. Greece’s action was prompted by an attack by Turkey on the website of the municipality of Chalkidona. In retaliation for that action, the Greek chapter of Anonymous took down the websites of the Turkish Foreign Affairs and Defense Ministries, as well as its cybersecurity site. Anonymous also stole data from Turkey’s medical system.
Jun. 4. Google reveals that Chinese and Iranian government hackers have been targeting Gmail accounts of staffers working on the presidential campaigns of Joe Biden and Donald Trump. It added that there were no signs that any of the accounts had been compromised.
Jun. 4. The U.K. Ministry of Defence announces creation of the 13th Signals Regiment, the British Army’s first dedicated cyber regiment. The unit is being built around 250 specialists who combat threats both overseas and domestically, and provide technical support for a hub that’s in the making for testing next-generation information capabilities.
Jun. 3. Sky News reports cybercriminals staged a ransomware attack on Westech International, a defense contractor that provides support for the U.S. Minuteman III nuclear deterrent program, and have stolen confidential documents from the company. The news outlet noted it is unclear if any of the documents contain classified military information.
May 28. National Security Agency releases advisory about Sandworm Team, a hacker group affiliated with Russian military intelligence, exploiting a vulnerability in the Exim mail transfer agent. Although the vulnerability was patched nearly a year ago, the NSA noted Sandworm is attacking unpatched systems and exploiting the flaw to add privileged users, disable network security settings, and execute additional scripts for further network exploitation.
May 28. Germany tells Russia it is asking the European Union to impose a travel ban and an asset freeze on the head of the Kremlin’s military intelligence agency for a cyberattack on the lower house of Germany’s parliament in 2015. The sanctions would be imposed under a measure adopted by the EU last year which allows member states to ask that restrictions be placed on individuals involved in cyberattacks.
May 27. Google releases the first bulletin from its Threat Analysis Group, a division in the company’s security department that focuses on nation-state and high-end cybercrime groups. It notes that during the first three months of 2020, there was an increase in “hack-for-hire” operations in India and a rise in political influence operations by governments around the world.
May 26. Channel 12, a news outlet in Israel, reports cyber assaults on hundreds of websites based in that country were aimed at disrupting development of a vaccine for the coronavirus. The report notes that the attacks were not initiated by Iran, but they may have included Iranian hackers.
May 26. The Red Cross and others warn cyberattacks are making the Covid-19 pandemic worse by preventing critical healthcare from providing life-saving services. The warning is made in an open letter signed by President of the International Committee of the Red Cross Peter Mauer, Microsoft President Brad Smith, Kaspersky Lab President Eugene Kaspersky, and former presidents of Mexico, Uruguay, Liberia, Slovenia, Brazil and Poland. The letter says: “Cyber operations that disrupt hospital computers, medical supply chains, or medical devices, risk interrupting the provision of health care and pose great risk to those seeking medical care. If hospitals are no longer functioning, life-saving treatment will not be available.”
May 23. The Times of London reports Instagram, which is owned by Facebook, is being accused of breaking international human rights law by hosting fake accounts created by Iran to identify opponents of its government. It explains that agents believed to be working for the Islamic Revolutionary Guard Corps have been setting up accounts that mimic those of Iran International, a UK-based news outlet whose reporters Tehran has denounced as “enemies of the state.” The bogus websites are intended to attract supporters of Iran International so they can be identified by the Iranian government.
May 19. Reuters reports Chinese hackers are suspected in the computer intrusion at easyJet that exposed emails and travel details of some nine million customers. It says hacking tools and techniques used in the attack implicate a group of Chinese threat actors that have targeted multiple airlines in recent months.
May 19. Asahi Shimbun, a Japanese newspaper, reports the country’s defense ministry is investigating the possible theft of information on a new state-of-the-art missile system following a cyberattack on Mitsubishi Electric. It says the ministry suspects intruders obtained the performance requirements for the system, which were given to several contractors as part of the bidding process.
May 19. New York Times reports Israel was behind cyberattack on May 9 on the computer systems at the Iranian port of Shahid Rajaee in the Strait of Hormuz. It says the attack, which created traffic jams of delivery trucks and some shipping delays, was meant to discourage Iran from targeting Israeli infrastructure and is a direct response to an earlier failed Iranian cyberattack on an Israeli water facility.
May 14. European Council extends for one year the restrictive measures framework against cyberattacks that threaten the EU or its member states. It noted restrictive measures include a ban on persons traveling to the EU, and an asset freeze on persons and entities, as well as a prohibition on EU persons and entities making funds available to those listed.
May 14. Elexon, a power manager in the U.K.’s power grid, reveals a cyberattack has disabled its internal IT systems. Although employees lost access to their email accounts, the nation’s electricity supply was not affected. Elexon did not release details about the attack, but it’s believed it’s related to an unpatched Pulse Secure VPN server.
May 13. Chancellor Angela Merkel confirms before German parliament that she was targeted by Russian hackers as part of a wider attack on the country’s legislators. On May 8, Der Spiegel reported that German experts were able to partially reconstruct the attack and found two email inboxes from Merkel’s office breached.
May 13. U.S. Air Force announces its “Hack A Satellite” event originally scheduled for Def Con 28 has been rescheduled as an entirely virtual event due to the coronavirus. During the final stage of the contest in August, participants will be challenged to reverse-engineer representative ground-based and on-orbit satellite system components to overcome planted “flags” or software code. The top three teams to overcome the most flags will win prize money for their contribution to the research community.
May 13. The Federal Bureau of Investigation and U.S. Department of Homeland Security announce they’re investigating digital break-ins by China-linked hackers at organizations carrying out research on COVID-19. No information is released about the hackers or their targets.
May 12. The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and the Department of Defense release three reports on North Korean malware. The reports reveal details about CopperHedge, a remote access trojan, and two beacon and command packages, TaintedScribe and PebbleDash.
May 12. Trend Micro reports Tropic Trooper, a hacker group that targets government, military, healthcare, transportation, and high-tech industries in Asia, is focusing its latest activities on air-gapped military installations in Taiwan and the Philippines. It says the group is using USBferry, malicious software that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.
May 8. Reuters reports hackers linked to Iran have targeted staff at Gilead Sciences, which is working on a treatment for COVID-19. It says it could not determine if any of the attacks were successful, but the activity shows how cyber spies around the world are focusing their intelligence-gathering efforts on COVID-19, the disease caused by the new coronavirus.
May 8. U.S. House Intelligence Committee releases transcripts of closed-door testimony from its investigation into Russian interference in the 2016 presidential election. Transcripts include testimony of Donald Trump Jr., Jared Kushner, Steve Bannon, Roger Stone, former acting FBI Deputy Director Andrew McCabe, former Attorney General Jeff Sessions, and Obama era officials Susan Rice and Ben Rhodes.
May 8. Asahi Shimbun, a Japanese newspaper, reports that a VPN router appears to be the starting point for a data breach at Mitsubishi Electric that compromised defense secrets and private information. Citing unnamed sources, it says it found traces of illegal access to a VPN router at a Mitsubishi data center in China where a computer virus was planted that eventually infected the company’s headquarters in Japan.
May 7. Check Point, a cybersecurity company, reports Naikon, a Chinese-based hacking group, has been carrying out a five-year cyber espionage campaign against governments in the Asia Pacific region. It says the group is using a new backdoor called Aria-body to take control of targeted networks.
May 5. Sueddeutsche Zeitung, a German newspaper, reports an arrest warrant has been issued for Sergeyevich Badin, 29, a hacker working for Russian military intelligence believed to be behind the hacking of the German parliament in 2015. Badin is also wanted in the United States, where he and other members of his hacker group, known as APT28, are charged with attacks on the Democratic National Committee in 2018 and the World Anti-Doping Agency in 2016 and 2018.
May 4. The Associated Press reveals contents of memo by Federal Bureau of Investigation and U.S. Department of Homeland Security warning states that Russia may try to interfere in the 2020 election by covertly advising political candidates. The AP adds that because the memo was prepared before the coronavirus outbreak, it does not indicate how the pandemic may affect Russian tactics to interfere with the election.
May 3. The Daily Mail reports Iran and Russia have launched cyberattacks on British universities attempting to produce vaccines and testing kits for COVID-19, as well as scientists and physicians studying the virus. The newspaper adds that none of the attacks have been successful.
Apr. 30. The Indian Army issues warning to its personnel to beware of a malicious mobile application pretending to be contact tracing software for the coronavirus. It says Pakistani intelligence operatives have been sending the malicious app to WhatsApp groups frequented by Army members. The malware’s filename, Aarogya Setu.apk, is very similar to that of the legitimate program, AarogyaSetu, which is being used by almost all government employees.
Apr. 28. Documents unsealed from Mueller investigation of Russian interference with the 2016 U.S. presidential election reveal Trump political adviser Roger Stone managed hundreds of Facebook accounts and bloggers in a political influence scheme on social media in 2016. The U.S. Justice Department released the information after a number of news organizations sued for access to the files.
Apr. 24. In documents filed in a U.S. court, Facebook says it has linked a series of cyberattacks on WhatsApp users to a Los Angeles-based data center. The discovery is important in keeping alive the social network’s lawsuit against NSO, an Israeli security firm that Facebook alleges developed a “Zero Day” exploit of the WhatsApp program and sold it to clients who used it to hack WhatsApp users, which included attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials. NSO has been trying to get the case dismissed for a number of reasons, including lack of jurisdiction in California where the lawsuit is filed.
Apr. 24. SITE Intelligence Group, which monitors right-wing extremism, reports information leaked from organizations linked to coronavirus research — including the Wuhan Institute of Virology in China, World Health Organization, Bill and Melinda Gates Foundation, U.S. Centers for Disease Control and Prevention, World Bank, and the National Institutes of Health — is being used online by right-wing groups to spread conspiracy theories about COVID-19.
Apr. 23. ZecOps, a cybersecurity company, reveals a security flaw in Apple’s built-in mail program that allows attackers to access iPhones. Apple responds that the email flaw alone isn’t enough to bypass built-in security measures on its devices running iOS and that it hasn’t found any evidence that the vulnerability has been exploited by bad actors.
Apr. 21. U.S. Senate Intelligence Committee releases report finding that U.S. intelligence community’s conclusion that Russia interfered in the 2016 election to help elect Donald Trump was accurate and based on strongly sourced information and sound analytical judgment.
Apr. 15. U.S. State Department, Department of Homeland Security, Treasury Department, and FBI release report accusing North Korea of using an array of old and new forms of cyberattack to steal and launder money, extort companies, and use digital currencies to produce cash for its nuclear weapons program.
Apr. 14. Eset, a cybersecurity company, in a series of tweets says a group of hackers operating on behalf of the Russian government were behind the breach of two websites operated by the San Francisco International Airport in March. The firm adds that the targeted information in the attack was visitors’ Windows credentials.
Apr. 8. U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the U.K.’s National Cyber Security Centre issue warning about coronavirus-themed phishing attacks. It notes that the surge in telework has increased the use of potentially vulnerable services, such as Virtual Private Networks, which is amplifying the threat to individuals and organizations.
Apr. 3. Citizen Lab at the University of Toronto reports Zoom, a video and teleconferencing company, handles user data, including encryption keys, in China, even for users not based in China. It says the practice could be problematic, especially for countries using Zoom for sensitive meetings.
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.
Sponsored by Intrusion
Intrusion Inc. is a global provider of entity identification, high speed data mining, cybercrime and advanced persistent threat detection products.
Intrusion’s products help protect critical information assets by quickly detecting, protecting, analyzing and reporting attacks or misuse of classified, private and regulated information for government and enterprise networks.
We believe that the Internet should be a safe place to work! Free from cyber crime, ransomware, theft of trade secrets, harvesting corporate knowledge, insider threats, and IoT extraction of data.