Cyberwarfare Report. PHOTO: Cybercrime Magazine.

Cyberwarfare Report, Vol. 2, No. 4: Election Meddling, Rise Of Iranian Hackers And Kaspersky Saga Headline Year-End Cyberwar Stories

John P. Mello, Jr.

Sausalito, Calif. – Jan. 3, 2018

As the last quarter of 2017 closed, more evidence appeared that the presidential campaign of Donald J. Trump had an inside knowledge on Russia’s meddling with the 2016 US elections.

The New York Times reported just days before the year ended that George Papadopoulos, a foreign policy adviser to the campaign, after a night of heavy drinking at a London bar, told Australia’s top diplomat in Britain that the Russians had “dirt” on Hillary Clinton. Two months later, when stolen emails from the Democratic National Committee were leaked online, that diplomat, Alexander Downer, let his US counterparts know about the conversation which, the Times says, contributed to the FBI’s decision to open a probe of Russian interference in the elections.

Earlier during the quarter, Papadopoulos pleaded guilty to lying to FBI agents investigating Russia’s meddling in the elections. At the time, Papadopoulos was one of three former campaign members targeted by Special Counsel Robert Mueller. Paul Manafort and Richard Gates III, were indicted by the Special Counsel for money laundering and tax evasion.

Another connection between Russia and the elections occurred in a Moscow courtroom where Konstantin Kozlovsky, 29, a hacker on trial for cybercrimes, claimed the FSB, Russia’s secret service, directed him to steal data from the DNC, Clinton and the US military.

The role American social media played in Russia’s election interference also became more apparent during the quarter. Google, for example, revealed that a Russian “troll farm” bought $4,700 in ads on the search service. Facebook reported that inflammatory messages from Russian outlets reached 126 million Facebook users and Twitter revealed they appeared in 131,000 tweets. In addition, Russian agents uploaded more than 1,000 videos to YouTube.

Despite the news of voter manipulation, election information continued to be endangered during the period. Security research firm Kromtech reported voter registration records for 19.3 million California voters was stolen from an unprotected MongoDB database and ransomed. Meanwhile, Gizmodo reported that a server used by a presidential commission on election integrity had been compromised.

Another development during the quarter was Iran’s rise as a cybewar player. Tehran was fingered as the perpetrator of an attack on some 9,000 UK parliamentary email accounts. An Iranian hacker was also charged during period with the HBO hack that resulted in a number of unaired shows being stolen and posted to the Internet. Campaigns by Iranian hackers were also revealed to steal information about financial, government, energy, chemical and telecommunications entities, as well as plant malware on the computers of academic researchers, human rights activists, media outlets and political advisors focusing on Iran.

Meanwhile, Moscow-based Kaspersky Lab rode a roller coaster during the quarter. The company’s troubles began when it was reported that Russian hackers exploited Kaspersky’s antivirus software to steal a collection of NSA hacking tools from the personal computer of one of the agency’s contractors. The contractor, Nghia Hoang Pho, 67, later pled guilty to willful retention of national defense information.

Concerns over Kaspersky’s connection to Russian spy agencies resulted in the US Homeland Security Department banning the use of the software. Similar concerns were voiced by British intelligence. Meanwhile, WikiLeaks claimed the CIA was forging digital certificates attributed to Kaspersky to avoid detection when stealing data from national security targets. In addition, an assistant secretary at DHS told a congressional committee that her agency had no conclusive evidence the company’s software had been exploited to breach federal government information systems. Kaspersky finally decided to the let the US courts settle the matter. It filed a lawsuit to flip the DHS ban because the action denied the Russian company of due process.

December

Dec. 30. New York Times reports two months before emails stolen from the Democratic National Committee began appearing online George Papadopoulos, a foreign policy adviser to the Trump presidential campaign, after a night of heavy drinking in a London bar, told Australia’s top diplomat in Britain that Russia had political dirt on Hillary Clinton. It says the diplomat, Alexander Downer, later told the US about the Papadopoulos conversation, which contributed to the FBI opening an investigation into Russian meddling in the 2016 presidential election.

Dec. 29. Mihai Alexandru Isvanca, 25, and Eveline Cismaru, 28, are charged by the U.S. Justice Department of hacking District of Columbia police computers linked to the city’s surveillance cameras days before the inauguration of Donald J. Trump. The pair intended to use the cameras to send ransomware demands to nearly 180,000 email addresses.

Dec. 26. US federal court in Miami denies motion by Russian tech executive and entrepreneur Aleksej Gubarev that Buzzfeed reveal the source of a dossier connected to the Trump-Russia controversy. Court ruled Gubarev, who is suing Buzzfeed for defamation, did not adequately prove the dossier was unavailable from other sources.

Dec. 26. Reuters reports Vietnam has a 10,000 person military cyber warfare unit to counter “wrong views” on the Internet. It says the unit, Force 47, is in operation in several sectors and appears to be focused on domestic Internet users.

Dec. 22. the Associated Press reports that journalists were the third largest group of targets on a “hit list” belonging to Fancy Bear , a Russian hacker group believed to be connected to the Kremlin’s military. The two largest groups on the list were diplomats and Democrats.

Dec. 21. Malaysia’s largest political party, Umno, announces it’s requiring all its branches to have information technology and social media committees by the end of January in preparation for  cyberwar during the country’s 2018 elections.

Dec. 19. US and UK officially attribute WannaCry attack that affected more than 300,000 computers in 150 countries to North Korea. Australia, Canada and New Zealand joined US and UK in pinning attack on Pyongyang.

Dec. 19. Youbit, a South Korean bitcoin exchange, files for bankruptcy after hackers siphoned off 17 percent of the entity’s reserves. An earlier attack on the exchange was attributed to North Korea, and it’s suspected that Pyongyang is behind the latest robbery, too.

Dec. 18. Kaspersky Lab asks a US federal court to lift a ban on the use of the company’s products in government networks because the move deprived the Moscow-based business of due process. The US Department of Homeland Security ordered civilian government agencies to remove Kaspersky software from their networks over concern it enabled Russian espionage and endangered national security.

Dec. 15. Information security research firm Kromtech reports voter registration records for 19.3 million California voters was stolen from an unprotected MongoDB database and ransomed.

Dec. 14. Information security company FireEye reveals it’s discovered Triton, a family of malware specifically designed to damage or destroy industrial equipment. The malicious software attacks safety systems in industrial settings creating the potential for loss of human life.

Dec. 13. Times of London reports Konstantin Kozlovsky, 29, told a Moscow court that he hacked the US Democratic National Committee, Hillary Clinton’s email and the US Military under the direction of the FSB, the Kremlin’s secret service.

Dec. 10. Germany’s intelligence agency BfV (Bundesamt für Verfassungsschutz) accuses China of using fake LinkedIn accounts to target at least 10,000 politicians and officials in an attempt to recruit them as informants.

Dec. 9. Alastair MacGibbon, the cybersecurity adviser to Australian Prime Minister Malcolm Turnbull, reveals that Vietnamese hacker Le Duc Hoang Hai, 31, broke into the computer systems at Perth Airport and stole “a significant amount of data” relating to the airport, including building schematics and details of physical security at airport buildings.

Dec. 9. US Air Force stages Hack the Air Force Day in New York City in which 25 civilian hackers and seven Air Force members discovered 55 flaws at the military branch’s more than 300 public websites in nine hours. Civilian hackers earned $26,883 in bug bounties from the event.

Dec. 7. Reuters reports WikiLeaks is being investigated by three U.S. congressional committees for its role in influencing the 2016 presidential election.

Dec. 7. Information security company FireEye reports a hacker group it’s calling APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance to benefit the Iranian government.It says the group has  targeted a number of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East.

Dec. 5. ClearSky Cyber Security reveals campaign by Iranian cyber espionage group “Charming Kitten” to infect with malicious software computers of academic researchers, human rights activists, media outlets and political advisors focusing on Iran.

Dec. 3. Nghia Hoang Pho, 67, pleads guilty in a Maryland federal court of willful retention of national defense information for taking home classified information on his personal computer. It’s believed that computer contained an NSA spy tool, Equation, which was captured by Kaspersky Lab’as antivirus software. Kaspersky says it destroyed the code when it realized it was classified material.

November

Nov. 29. The Intelligence Bureau of India advises the country’s troops stationed on its border with China to delete 42 Chinese apps from their phones over concern the programs could be used to collect data on India’s security installations.

Nov. 28. Karim Baratov, 22, pleads guilty in a California federal court for computer hacking and other criminal offenses in connection with the massive data breach at Yahoo.

Nov. 28. Three Chinese nationals are charged in a Pittsburgh federal court of hacking into Siemens, Trimble and Moody’s to steal business secrets. The three men are affiliated with the Guangzhou Bo Yu Information Technology Company, which the US government says is affiliated with China’s People’s Liberation Army Unit 61398, and that most, if not all its hacking operations, are state-sponsored and directed.

Nov. 26. The Associated Press reports the FBI failed to notify scores of US officials that Russian hackers were trying to break into their personal Gmail accounts, even though the agency knew for at least a year the officials were Kremlin targets.

Nov. 21. Behzad Mesri, a member of the Turk Black Hat Security hacking team and who has worked for the Iranian military on computer attacks against Israel, is charged in a New York federal court with hacking into HBO’s computer system, stealing unaired episodes of hit shows and demanding millions in Bitcoin as ransom.

Nov. 18. Security research firm UpGuard discovers three misconfigured  AWS S3 buckets containing data belonging to the US military exposed to the public on the Internet. The several terabytes of data includes social media posts and similar pages from around the world.

Nov. 16. Hacktivist collective Anonymous takes down more than a dozen neo-Nazi websites as part of its campaign against domestic terrorism in the United States.

Nov. 15. ReFirm, a cybersecurity startup, reports flaws in some IoT devices sold by TRENDnet, Belkin and Dahua allow them to be easily hacked and their video feeds exposed online. It also notes that cameras made by Dahua, a Chinese company, contain a backdoor that allows access to their feeds.

Nov. 14. Jeanette Manfra, U.S. Department of Homeland Security assistant secretary for cybersecurity and communications, tells the House Science, Space and Technology Oversight Subcommittee her agency has seen no conclusive evidence the antivirus software of Kaspersky Lab has been exploited to breach federal government information systems.

Nov. 13. BBC reports flaw in popular office collaboration program Huddle put at risk of unauthorized access to sensitive information several UK government agencies, as well as anyone else using the software. Huddle told the BBC it has fixed the flaw.

Nov. 12. Wall Street Journal reports surveillance cameras made by Hangzhou Hikvision Digital Technology, which is partially owned by the Chinese government, could pose security risk at U.S. Army bases, embassies and other locations where they’re used.

Nov. 12. The Financial Times reports Britain’s digital surveillance agency, GCHQ, has concerns over Barclays bank offering Kaspersky Lab’s antivirus software to its customers. It says the agency is worried the software may be being used by the Russian government to gather information from the computers it’s installed on.

Nov. 12. Pro-Saudi Arabian Hackers vandalize Lebanon’s Ministry of Foreign Affairs and 20 of the country’s embassy websites. As part of their mischief, the “Bad Dream” hackers posted a message predicting war between Lebanon and the Saudis, who have been accused of interfering with Lebanon’s internal politics.

Nov. 9. Gizmodo reports Interstate Crosscheck System deployed by a national election integrity commission created by President Donald J. Trump is placing the personal data of millions of American voters at risk. Both the server where the voter information resides and multiple sets of login credentials have been compromised, it reported.

Nov. 9. ZDNet reports NATO will be creating a new Cyber Operations Centre as part of its strategy to add the cyberwarfare capabilities of it member states to the range of options available to the organization.

Nov. 9. WikiLeaks publishes documents claiming the CIA forged digital certificates for Kaspersky Lab to more easily exfiltrate data from entities targeted by the agency.

Nov. 8. The Daily Beast reports the FBI broke into thousands of computers around the world–including some in Russia, china and Iran–during a child pornography investigation. Experts note indiscriminate “kicking down of digital doors” could have future geopolitical consequences.

Nov. 8. At the 2017 CyberSat Summit in Virginia, Robert Hickey, aviation program manager in the U.S. Department of Homeland Security, explains how to remotely hack a Boeing 757.

Nov. 7. U.S. Commerce Secretary Wilbur Ross says he will “probably” not keep his holdings in Navigator Holdings, a shipping company with business ties to Russian President Vladimir Putin. One of Navigator’s clients is Sibur, a Russian gas and petrochemical company whose owners include Putin’s son-in-law Kirill Shamalov and Gennady Timchenko, a Putin associate who is subject to U.S. Treasury sanctions.

Nov. 7. Information security software maker McAfee reveals Fancy Bear, a hacking group believed to be connected to the Russian military, has launched new phishing campaign that exploits an ISIS terror attack in New York City and a US Army exercise in Eastern Europe to plant malware on computers.

Nov. 7. Hackers redirect visitors to four school websites in the United States to a pro-ISIS YouTube video. Some 800 school and district web pages in Arizona, Connecticut, Virginia and New Jersey were affected by the attack.

Nov. 3. Turkish hackers take down websites of the Times of Israel and Asia Times and post pro-Palestinian messages in them.

Nov. 3. ZDNet reports Chinese hacking group known as KeyBoy has expanded its operations from the Asia-Pacific region to the West. It says hackers have begun infecting Western organization with malware that can take screenshots, key-log, browse and download files, and gather extended system information about a machine, as well as shut it down.

October

Oct. 31. Google reveals a Russian “troll farm,” the Internet Research Agency, bought $4,700 in Google ads during the 2016 election cycle.

Oct. 31. Kyeong Dae-soo, a South Korean lawmaker, reveals hackers have stolen 60 classified documents, including blueprints and technical data for submarines and vessels equipped with Aegis weapon systems, from the systems of Daewoo Shipbuilding & Marine Engineering.

Oct. 30. New York Times reports Russian agents attempting to create discord among Americans in the the run up to the 2016 presidential elections posted inflammatory messages that reached 126 million Facebook users, published more than 131,000 tweets on Twitter and uploaded over 1,000 videos to YouTube.

Oct. 30. George Papadopoulos, a former foreign policy aide to the Donald J. Trump presidential campaign, pleads guilty in federal court to lying to FBI agents investigating Russian interference with 2016 U.S. presidential election. Two other campaign officials, Paul Manafort and Richard Gates III, indicted by Special Counsel Robert Mueller for money laundering and tax evasion.

Oct. 27. Associated Press reports Center for Elections Systems at Kennesaw State University wiped server hosting information crucial to a lawsuit against the state of Georgia’s election officials. Litigation seeks to retire state’s election technology, which security experts say is vulnerable to hackers.

Oct. 26. Twitter announces ban on advertising from RT and Sputnik, two information outlets associated with the Russian government.

Oct. 24. Reuters reports a wave of cyber attacks using the “BadRabbit” malware has hit Russia and other nations. The malicious software disrupted operations at Russia’s Interfax news agency and caused flight delays at the Odessa airport in the Ukraine.

Oct. 23. The Telegraph reports the UK’s Royal Air Force is recruiting cyber security experts to examine its aircraft for system flaws that could be exploited by hackers.

Oct. 22. Cisco Talos reveals phishing campaign by hackers connected to the Russian military to infect with malware the computers of potential attendees to CyCon U.S., a conference sponsored by Army Cyber Institute at the United States Military Academy, NATO Cooperative Cyber Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence.

Oct. 19. Verisk Analytics estimates losses to Merk & Co. due to “NotPetya” attack in June could cost insurers $275 million.

Oct. 16. Kaspersky Lab reports cyber espionage groups previously preoccupied with stealing data have expanded their activities to include stealing money from financial institutions in the Asia Pacific region. Financial institutions in financial institutions in Malaysia, South Korea, Indonesia, Philippines, Hong Kong, Bangladesh and Vietnam have all been successfully breached, the security software company notes.

Oct. 16. Adobe patches flaw in its Flash player being exploited in the wild by the BlackOasis APT group to plant FinSpy malware on computers running the Windows, Mac, Linux and Chrome OS systems. FinSpy is highly sophisticated software used by nation-states to monitor people, such as criminals, activists and journalsts.

Oct. 14. The Times of London reports Iran was behind cyber attack in June on members of the British parliament. Some 9,000 accounts were attacked, including Prime Minister Theresa May’s and other cabinet ministers, but only 90 were compromised.

Oct. 13. Microsoft President Brad Smith says in interview with ITV News that WannaCry cyber attack that affected 200,000 computers in 150 countries was launched by North Korea using tools or weapons stolen from the NSA.

Oct. 10. BBC reports North Korean hackers snatched 235 gigabytes of military documents from South Korea’s Defense Integrated Data Center, including US-South Korean wartime contingency plans and a plan to assassinate North Korea’s leader Kim Jong-un.

Oct. 10. Microsoft confirms it’s investigating the sale of advertising to Russians through its Bing search engine prior to the 2016 US presidential election.

Oct. 9. The Independent reports North Korean cyber gangs are launching almost daily attacks on Irish companies, banks and utilities as Pyongyang turns to international online robbery to offset losses caused by UN and US sanctions against it.

Oct. 5. Politico reports White House Chief of Staff John Kelly’s personal cellphone was compromised while he was secretary of Homeland Security. The compromise was discovered by White House tech staff after he turned the device over to them complaining it hadn’t been working properly for months.

Oct. 5. Wall Street Journal reports Russian state hackers exploited Kaspersky antivirus software to steal a collection of NSA hacking tools and documents from the home computer of a contractor to the agency.

Oct. 5. Hans-Georg Maassen, head of Germany’s domestic intelligence agency, urges lawmakers to give the country’s spy organizations authority to conduct offensive cyber operations against foreign powers.

Oct. 4. Wall Street Journal reports Russia hacked the smartphones of a group of at least 4,000 NATO troops in Eastern Europe in a campaign to obtain sensitive military information such as troop numbers.

Oct. 4. Dyn Research reports North Korea has opened a second Internet connection provided by Russia. Experts say the move could increase Pyongyang’s ability to launch cyber attacks around the world.

Oct. 2. Reuters reports Hewlett Packard Enterprise allowed a Russian defense agency to review the source code of HPE’s ArcSight software, which serves a central role in the cybersecurity of much of the U.S. military.

Cyberwarfare Report Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.