Cyberwarfare Report. PHOTO: Cybercrime Magazine.

Cyberwarfare Report, Vol. 5, No. 3: U.S. Election Security Threats And Warnings

Sponsored by Intrusion

John P. Mello, Jr.

Northport, N.Y. – Oct. 1, 2020

Concern over the undermining of the integrity of U.S. elections dominated cyberwar news during the third quarter. Intelligence and law enforcement agencies issued periodic warnings about disruptive behavior by leading adversaries Russia, China and Iran. Meanwhile, information started to appear about Western nation’s offensive cyber operations against nations they see as threat actors.

September

Sep. 30. U.S. District Court Judge Reggie Walton rules Justice Department improperly redacted 15 pages of the Mueller report on Russian interference with the 2016 presidential election. The pages deal with potential criminal charges and the Trump campaign’s interest in Russia’s hacking of the Democratic National Committee. The redacted material must be made public by November 2, one day before election day.

Sep. 29. Microsoft releases data showing Russia is behind a majority of attacks on its customers over the last two years. During that period, it says, of 13,000 alerts about nation-state attacks on its customers, 52 percent were related to Russian hackers and 12 percent related to Chinese threat actors. It notes Russian hackers have targeted elections and political organizations in multiple countries, as well as nonprofit groups, professional services, and higher education.

Sep. 29. Politico reports a declassified Russian intelligence assessment released by Director of National Security John Ratcliffe claiming Hillary Clinton personally approved a campaign to discredit Donald Trump by tying him to Vladimir Putin and the Russian hacking of the Democratic National Committee was previously rejected by Democrats and Republicans on the Senate Intelligence Committee as having no factual basis. It adds that several former intelligence officials were critical of the move, which releases unverified information originating with a foreign adversary.

Sep. 25. Russian President Vladimir Putin proposes his country and the United States create an agreement to prevent incidents in cyberspace, including meddling in each other’s elections. “One of the main strategic challenges of our time is the risk of a large-scale confrontation in the digital sphere,” he says in a statement. “We would like to once again appeal to the United States with a proposal to approve a comprehensive program of practical measures to reset our relations in the use of information and communication technologies.”

Sep. 25. Gen. Sir Patrick Sanders, the U.K.’s most senior cyber military officer, acknowledges his nation has the capacity to “degrade, disrupt, and destroy” its enemies’ critical infrastructure in any cyber conflict. According to The Guardian, public declarations about the country’s offensive cyber capabilities are rare.


Cybercrime TV: Jack Blount, CEO at Intrusion

The enemy is cyberwarfare


Sep. 24. Public service announcement released by FBI and the Cybersecurity and Infrastructure Agency stating the agencies are not aware of any cyber threats that could change vote tallies or “manipulate votes at scale” in the November 3 presidential election.

Sep. 24. Cybersecurity and Infrastructure Security Agency announces a federal agency was targeted in a cyberattack. It says an intruder, using compromised credentials, penetrated the agency, which it didn’t identify by name, and was able to browse directories, copy at least one file, and exfiltrate data.

Sep. 23. Facebook announces removal of a number of fake accounts linked to China pushing information about American and Philippine politics. It says accounts were removed for violating the company’s “inauthentic behavior” policy.

Sep. 18. At a congressional hearing, FBI Director Christopher Wray says China is engaged in a massive data mining campaign against the United States. He adds Beijing has likely stolen personal data on nearly half the U.S. population and most American adults.

Sep. 17. U.S. Justice Department indicts three Iranian hackers on charges of breaking into computer systems of a number of American aerospace and satellite companies and stealing information and intellectual property. The alleged data thieves — Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati — are accused of orchestrating their attacks on behalf of the Iranian government.

Sep. 15. The Telegraph reveals a Chinese government database containing information on millions of people from the U.S., U.K., Australia, Canada, India, and Japan has been turned over to the U.K.’s intelligence agencies. It reports the database was stolen by an anti-China activist from Zhenhua Data, a Chinese government contractor. The activist turned the data over to a cybersecurity company, Internet 2.0, which gave it to the intelligence agencies of the “Five Eyes” —the U.S., U.K., Canada, Australia, and New Zealand. The database includes both public and private information about its subjects.

Sep. 15. U.S. Justice Department indicts two men for defacing more than 50 websites hosted in the United States in retaliation for the military airstrike that killed Iranian General Qasem Soleimani. If found guilty of all charges, the defendants — Iranian national Behzad Mohammadzadeh and Palestinian national Marwan Abusrour — face jail time of 15 years in prison and a $500,000 fine.

Sep. 14 Cybersecurity and Infrastructure Security Agency, of U.S. Department of Homeland Security, issues alert to federal agencies that groups affiliated with the Chinese Ministery of State Security are using known vulnerabilities, tactics, and techniques to target those agencies. Those tactics include use of open-source information to plan and conduct cyber operations, as well as use of readily available exploits and exploit kits to attack targeted networks. It says a rigorous patching program is the best defense against such attacks.

Sep. 10. Microsoft releases report warning that Russian, Chinese, and Iranian hackers have launched cyberattacks on hundreds of organizations and people involved in the 2020 presidential and U.S.-European policy debates. It says Russian threat actors have attacked more than 200 organizations including political campaigns, advocacy groups, parties, and political consultants. Chinese hackers, it continues, have targeted high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community, while Iranian adversaries have been attacking the personal accounts of people associated with the Donald J. Trump campaign.

Sep. 7. U.K. District Judge Vanessa Baraitser rejects motion by defense team of WikiLeaks founder Julian Assange to delay, for one year, proceedings to extradite him to the United States to stand trial on charges he conspired with hackers to obtain classified information. Charges carry a maximum sentence of 175 years in prison.

Sep. 1. Marianne Andreassen, the non-elected chief administrator for Norway’s parliament, announces the legislative body was attacked by hackers. She says a limited number of members and employees were affected by the incident. She adds the perpetrators of the attack are unknown, as well as what data was extracted.

Sep. 1. Michigan Secretary of State’s office denies report in Russian news outlet that the state’s voter systems had been hacked and information on 7.6 million voters posted to the dark web. A spokesperson for Secretary of State Tracy Wimmer explains that public voter information can be obtained by anyone who files a Freedom of Information Act request.

Sep. 1. Reuters reports threat actors have stepped up efforts to knock Trump campaign and business websites offline as election day approaches. Citing internal emails sent to senior managers at Cloudflare, a cybersecurity contractor hired to protect the websites, Reuters notes attacks increased in number and severity during May and June. It adds that some attacks have been successful in disrupting access to some of the websites for short periods of time.


Cybercrime Radio: Discussion with Jack Blount, CEO at Intrusion

Cyberwarfare insights for C-suite executives and CISOs


August

Aug. 27. South Korean court dismisses lawsuit brought by the military against two contractors involved in a 2016 data breach that resulted in the theft by North Korean hackers of sensitive information, including diagrams for the F-15K fighter jet and drones. The court found the government did not produce sufficient evidence of wrongdoing and that the contractors fulfilled their obligations under their contract with the military.

Aug. 27. U.S. Justice Department files civil forfeiture complaint to seize 280 cryptocurrency accounts it alleges were used by North Korean hackers who stole millions of dollars in cryptocurrency from two virtual exchanges. Complaint also notes that the hackers laundered their ill-gotten gains through Chinese Over-the-Counter cryptocurrency traders.

Aug. 26. NZX, New Zealand’s stock exchange, confirms trading was disrupted for two days, following a DDoS attack. It states it experienced a volumetric distributed denial of service attack from offshore through its network service provider. It adds that the attack has been mitigated and connectivity restored to the exchange.

Aug. 25. In an editorial in Foreign Affairs magazine, commander of U.S. Cyber Command Paul M. Nakasone reveals the Department of Defense has deployed personnel to foreign countries to hunt for malicious software that may be used against America’s voting infrastructure prior to election day. Nakasone, in the article penned with senior adviser Michael Sulmeyer, writes: “We learned that we cannot afford to wait for cyberattacks to affect our military networks. We learned that defending our military networks requires executing operations outside our military networks.”

Aug. 25. Human rights attorney Eitay Mack files petition in Israeli court seeking to halt the export to Hong Kong of phone hacking technology by Cellebrite. Previous court filings revealed that the company’s tech was used to break into 4,000 Hong Kong citizens, including Joshua Wong, a prominent politician and activist.

Aug. 18. U.S. Senate Intelligence Committee releases report finding former Trump for President campaign chairman Paul Manafort passed internal campaign information to a Russian intelligence officer in 2016. The report notes that Manafort’s connection with the Russian was a “grave counterintelligence threat.”

Aug. 18. ZDNet reports the U.S. Army has released a 332-page report on North Korean tactics, including its electronic warfare tactics. According to the report, the country has 6,000 hackers and electronic warfare specialists, many operating in other countries such as Belarus, China, India, Malaysia, and Russia.

Aug. 18. Royal Malaysian Navy states documents recently found on the dark web leaked from the military arm’s system are obsolete. It says security of its systems is solid. According to reports, the documents contain information on the troop strength at several Malaysian navy and army bases during a holiday last year; details of senior and junior navy officers charged with corruption, drug consumption and being absent without leave; and naval exam requirements.

Aug. 13. National Security Agency and FBI issue alert about a malware program targeting Linux systems. They say the sinister software was created by Fancy Bear, a hacker group affiliated with Russian military intelligence and credited with the theft of emails from the Democratic National Committee prior to the 2016 U.S. presidential election. Called Drovorub, the malware gives an attacker root access to an infected system.

Aug. 12. Israeli Defense Ministry announces it mitigated a cyberattack on its classified defense industry by the North Korean hacker group known as Lazerus. It says the attack was foiled in real time and without any harm or disruption to its computer systems. The security researchers that first exposed the attack, however, say the Israeli systems were penetrated and a large amount of classified data stolen.

Aug. 10. Wired magazine reports internet and cellular service is out in Belarus, following a controversial national election. It says the blackout, which is also affecting landlines, appears to be imposed by the government in the face of social unrest caused by the reelection of Aleksandr Lukashenko to a sixth term as president of the country.

Aug. 10. ZDNet reports FBI is warning the public that an elite group of hackers affiliated with the Iranian government has been detected attacking the U.S. private and government sectors. Although the FBI did not identify the hacker group by name, ZDNet says it’s Fox Kitten or Parisite, which is known for establishing beachheads at its targets for other Iranian threat actors.

Aug. 8. iYouPort, the University of Maryland, and the Great Firewall Report issue joint report revealing the Chinese government has modified its “Great Firewall” censorship tool to block HTTPS traffic that uses new technologies like TLS 1.3 and ESNI. Those technologies make it difficult for censors to identify domains users are trying to access.

Aug. 7. The NSA and U.S. Cyber Command election threat leads reveal Russia is changing its playbook for the 2020 elections. Speaking at the virtual DEF CON conference, NSA lead David Imbordino says Russia is using proxies and intermediaries to post information about divisive issues online.

Aug. 7. Social news website Reddit hit by massive hack with nearly 100 channels defaced to show messages in support of Donald Trump’s reelection campaign. ZDNet reports the attackers compromised the accounts of subreddit moderators to work their mischief. Earlier in the summer Reddit banned r/The _Donald, a channel for Trump supporters, for breaking the community’s rules on harassment, bullying, and threats of violence.

Aug. 6. Australia’s Prime Minister Scott Morrison announces his country will spend AU$1.66 billion (US$1.19 billion) over the next 10 years to strengthen the cyber defenses of companies and households. He says cyberattacks on businesses and households are costing his country about AU$29 billion (US$20.83 billion) or 1.5 percent of its gross domestic product.

Aug. 5. U.S. State Department announces $10 million reward for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through illegal cyber activities.

Aug. 5. U.S. State Department releases report detailing how Russia uses a network of proxy websites to spread disinformation and propaganda in the United States and elsewhere. According to the New York Times, while the report explains how Russia disseminates information, it scrupulously avoids discussing how the Kremlin is trying to influence the current elections.

Aug. 5. Google announces that it has banned almost 2,600 Chinese channels on YouTube during this year’s second quarter as part of its investigations into “coordinated influence operations.” It says most of the channels posted spam or nonpolitical content in Chinese, but some postings were about racial justice protests in the United States.

Aug. 4. U.S. Defense Department, the Cybersecurity and Infrastructure Security Agency, and the FBI announce they have “high confidence” that China is behind cyberattacks using a malware program called Taidoor. The remote access trojan (RAT) has been around since 2008 and used largely in operations aimed at government agencies and organizations with a connection to Taiwan.

Aug. 3. U.K.’s National Crime Agency confirms it’s investigating a 2019 cyberattack on the email account of Conservative MP Liam Fox. Attack resulted in the leak of confidential documents on U.S.-U.K. trade talks. The documents were leaked online and used by Britain’s Labour party to claim that the country’s national health care system would be at risk with a Conservative election win. Since the documents were released, the U.K. government has said the move was almost certainly a ploy by Russia to interfere with the 2019 British elections.

July

July 30. European Union imposes sanctions on China, Russia, and North Korea for cyberattacks against European citizens and businesses. The sanctions include a travel ban, asset freeze, and a ban on doing business with a half dozen individuals and three companies. China was sanctioned for a series of intrusions into cloud providers called “Operation Cloud Hopper.” Russia is being punished for NotPetya and an attack on the Organization for the Prohibition of Chemical Weapons. And North Korea is being sanctioned for the WannaCry malware.

July 30. Two Catalan separatist politicians file lawsuit against the former head of Spain’s intelligence agency and NSO, an Israeli maker of spyware, for trying to hack their cellphones. The move by Roger Torrent, the speaker of Catalonia’s regional parliament, and Ernest Maragall, a member of Barcelona’s town council, comes on the heels of reports El Pais and The Guardian that Torrent was targeted by NSO’s spyware.

July 28. Recorded Future, a cybersecurity firm based in Somerville, Mass., reports that Chinese hackers have infiltrated the Vatican’s computer networks in an apparent espionage effort prior to scheduled meetings this fall between the Roman Catholic Church and Beijing over the status of the religion in China. It says the suspected intrusion could give China insights into the Vatican’s negotiating positions going into those meetings.

July 27. Tom Tugendhat, chairman of the Commons Foreign Affairs Select Committee, tells Times of London he’s been subjected to concerted efforts to access his email account and discredit him professionally and personally. It reports the National Cyber Security Centre is investigating the situation. It adds that Google’s security team found in its probe of the spoofed email accounts that their users originated in China.

July 24. India bans 47 Chinese apps that were clones of apps banned in June, including Tik Tok Light. The move comes on the heels of India tightening its financial rules that make it more difficult for Chinese companies to obtain government contracts.

July 24. Wired magazine reports a notorious group of Russian hackers targeted a wide range of U.S.-based organizations, state and federal agencies, and educational institutions from December 2018 to at least May of this year. Citing an FBI notification sent to victims of the attacks and obtained by the magazine, it says the intrusions by Fancy Bear — a hacking group affiliated with Russian military intelligence — were previously unreported.

July 24. William R. Evanina, director of the National Counterintelligence and Security Center, issues statement saying the U.S. intelligence community is concerned with China, Russia, and Iran — as well as other nation-states and nonstate actors — doing harm to the country’s electoral process. He adds that China is trying to use its influence to shape the policy environment in the United States and that Russia is continuing to spread disinformation designed to undermine confidence in the democratic process.

July 21. U.S. Justice Department unseals indictment of two Chinese hackers accused of perpetrating a global cyber theft campaign that targeted a number of industries, including defense, high-end manufacturing, and solar energy. It says the pair — Li Xiaoyu and Dong Jiazhi — also targeted COVID-19 vaccine development on behalf of the country’s intelligence service.

July 16. Israel’s Water Authority confirms cyberattack on its water infrastructure. It says no damage was caused to the two facilities targeted by the attackers and there were no service disruption. Earlier this year, an attack by Iran on the systems controlling distribution to rural areas of the country also failed.

July 16. IBM X-Force reveals it has obtained a cache of training videos for Iranian hackers. It says it was able to download the videos from a virtual private server with misconfigured security settings used by the hackers and which IBM had been monitoring. It adds the videos show junior members of the group how to handle hacked accounts.

July 16. The United States, United Kingdom, and Canada issue advisory warning that Cozy Bear, a hacking group believed to be connected to Russian intelligence services, has been targeting organizations involved in developing a vaccine for COVID-19. They say it is highly likely the group intends to steal information and intellectual property related to development and testing of the vaccine.

July 15. Yahoo News reports that the CIA has been using secret authorization from President Trump to conduct a series of covert cyber operations against Iran and others. It says the authorization, called a presidential finding, allows the agency to authorize its own covert cyber operations without White House approval.

July 11. President Trump confirms he authorized a clandestine military cyberstrike against Russian trolls in 2018 to upend their efforts to disrupt the midterm elections in the United States. It’s the first time the operation, which is classified, has been confirmed publicly.

July 8. Indian Army orders its members to delete their accounts for 89 apps that it considers security risks. The accounts range from those for social media to dating to e-commerce sites. They include Facebook, Instagram, Snapchat, songs.pk, WeChat, Hike, TikTok, Likee, Shareit, True Caller, PUBG, Tinder.

July 4. Iran claims a fire and possible explosion at its Natanz nuclear plant could have been caused by a cyberattack. The site has been targeted by cyberattacks in the past. In 2010, it was hit with Stuxnet, an advanced cyberweapon developed by the United States and Israel.

Cyberwarfare Report Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.


Sponsored by Intrusion

Intrusion Inc. is a global provider of entity identification, high speed data mining, cybercrime and advanced persistent threat detection products.

Intrusion’s products help protect critical information assets by quickly detecting, protecting, analyzing and reporting attacks or misuse of classified, private and regulated information for government and enterprise networks.

We believe that the Internet should be a safe place to work! Free from cyber crime, ransomware, theft of trade secrets, harvesting corporate knowledge, insider threats, and IoT extraction of data.