Cyberwarfare Report. PHOTO: Cybercrime Magazine.

Cyberwarfare Report: Russian Hackers, Iranian Cyber Spies, And Google’s $300M To Fight Fake News

John P. Mello, Jr.

Sausalito, Calif. – Apr. 2, 2018

Google’s battle against fake news, and international cybercriminal activity led by the Russian hacking group Fancy Bear and Iranian cyber spies topped the cyberwarfare news that we followed during the start of 2018. For a comprehensive view of international cyber conflict, these are the stories you should be following:

March

Mar. 28. Boeing, a defense contractor and airplane maker, announces computer systems at its North Charleston, S.C. facility infected with WannaCry virus. It says malware was limited to “a few machines,” and there was no interruption to any of its programs.

Mar. 27. Ella Pamfilova, head of Russia’s Central Election Commission, says on Moscow radio show she plans to introduce a blockchain-based voting system to protect Kremlin elections from tampering and rigging. She adds she hopes the new system will be in place in time for the next presidential election in 2024.

Mar. 26. Trump fundraiser Elliott Broidy and his wife, Robin Rosenzweig, file lawsuit against Qatar and lobbyists working for that Middle Eastern state, alleging they hacked into the couple’s email accounts and leaked information from them to journalists in an attempt to discredit the pair. Broidy is reportedly working on a campaign to brand Qatar as a state sponsor of terrorism.

Mar. 26. United States and United Kingdom issue statement on intentions to develop offensive and defensive cyberweapons.

Mar. 23. US Justice Department charges and the Treasury Department sanctions nine Iranian nationals and the Iran-based Mabna Institute for penetrating the computer systems of hundreds of universities and other organizations and stealing information for Tehran. The DOJ is charging the Iranians with seven crimes, including conspiracy, computer fraud, wire fraud, and identity theft.

Mar. 22. City of Atlanta announces ransomware attack has crippled some internal and customer facing applications, including bill-paying and court information apps.

Mar. 22. The Daily Beast reports Guccifer 2.0, the hacker who took credit for stealing a cache of email from the Democratic National Committee and giving it to WikiLeaks, was a Russian military intelligence (GRU) officer. It says the officer failed to cover his tracks on one occasion, which exposed the IP address where he entered the internet, an IP address at GRU headquarters on Grizodubovoy Street in Moscow.

Mar. 20. Election Chief Ella Pamfilova states Russia’s Central Election Commission’s website repelled a distributed denial of service attack on the eve of the country’s presidential election. Since Russia’s voting process takes place offline, the attack wouldn’t have affected it.

Mar. 20. The Telegraph reports British surgeon David Nott believes a hack of his computer led to the bombing of a hospital in Syria. He says the intrusion occurred after the BBC aired video of him advising physicians during an operation at the hospital via Skype and WhatsApp. He believes the timing of the attack, suspected to have been carried out by Russian warplanes, and its precise nature could only have been obtained from coordinates on his computer.

Mar. 20. Google pledges to spend $300 million over the next three years to fight false and unreliable information on the internet. Called the Google News Initiative, the effort’s goals include making it easier for users to subscribe to news publications and giving publishers new tools to create fast-loading mobile pages.

Mar. 15. Trump administration accuses Russia of mounting a concerted effort to hack the US energy grid and other critical infrastructure. It also imposes sanctions on 19 Russian officials for meddling with the 2016 US presidential election.

Mar. 13. Strava, maker of a fitness-tracking app, says it will restrict access to an online map that shows where people are exercising and remove some data from the app. The software gained notoriety in January when it was discovered it could be used to locate military posts and other sensitive sites.

Mar. 9. “Russian Roulette,” a book by Michael Isikoff and David Corn, says US plans to retaliate against Russia for meddling in the 2016 elections were shut down by President Barack Obama.

Mar. 9. Citizen Lab, an internet watchdog group, releases report finding network traffic in Turkey and Syria is being redirected to nation-state spyware when users attempt to download some Windows applications. It also finds Egyptian network traffic being redirected to revenue-generating content such as affiliate ads and cryptocurrency mining scripts. It says the redirects raise significant human rights concerns.

Mar. 9. Spiegel Online reports public prosecutors have opened investigation into cyberattack on the German Institute for International Security Affairs, which advises Berlin on foreign affairs, by Fancy Bear, a group of hackers linked to the Russian military.

Mar. 9. Forbes reports Kaspersky researcher Kurt Baumgartner found traces of spyware belonging to CIA and Fancy Bear, a group of hackers linked to the Russian military, on the server of a Chinese aerospace and military conglomerate.

Mar. 8. Japan forces two cryptocurrency exchanges, Bitstation and FSHO, to halt trading. Action is part of crackdown on exchanges following heist of $530 million from Coincheck, which South Korean intelligence suspects was pulled off by North Korea.

Mar. 7. Israel states cellular blackouts in the southern part of the country were caused by Egypt, which is engaged in electronic warfare with Islamic State forces on the Sinai Peninsula.

Mar. 6. Washington Post reports the United Nations panel enforcing trade sanctions against North Korea has been repeatedly hacked by a nation-state actor. It says email accounts of four current or former panel members were compromised. Citing a draft of a forthcoming report on the episode, it notes details on what the hackers stole was not revealed in the document, although the panel typically reviews secret assessments of smuggling operations used to prop up the government of Kim Jong Un.

Mar. 6. Hungarian research firms CrySyS Lab and Ukatemi discover in data dump of NSA hacking tools a collection of scripts and scanning apps used by the spy agency to detect other nation-state actors on machines its operatives infect. They say at least 45 nation-state APTs — Advanced Persistent Threats — were in the collection, some known to the security community, others known only to the agency.

Mar. 5. New Yorker reports Russia used “unspecified channels” to block the appointment of Mitt Romney as secretary of state for the Trump administration. Citing a memo written by former spy Christopher Steele, the magazine notes Russia asked Trump to appoint someone prepared to lift Ukraine-related sanctions on the Kremlin and cooperate with it on issues like the Syrian conflict.

Mar. 5. Priscilla Moriuchi, a former US National Security Agency officer who now works for Recorder Future, a threat intelligence company, estimates North Korean hackers purloined from $120 million to $220 million in cryptocurrency in 2017. She adds cash from virtual money sales could be used to offset international sanctions on Pyongyang.

Mar. 2. Motherboard reveals 2015 letter from the Israeli Ministry of Defense to American makers of “zero day” vulnerabilities soliciting them for Israel’s law enforcement and security agencies. Zero Day vulnerabilities are prized by hackers because, since they’ve never been seen before, they’re difficult to defend against.

February

Feb. 28. Germany confirms that its Federal Office for Information Security and intelligence services are investigating a breach of the private networks of its defense and interior ministries. The intrusion, which may have lasted as long as a year, is being widely blamed on Fancy Bear, a hacker group connected to the Russian military.

Feb. 28. NBC News reports the US intelligence community developed substantial evidence that seven states had their websites or voter registration systems compromised by Russian-backed covert operatives before the 2016 election and did not inform the states about the intrusions.

Feb. 28. Palo Alto Networks, a cybersecurity company, discovers phishing campaign by Fancy Bear, a hacker group connected to the Russian military, directed at a number of ministries of foreign affairs around the world. Campaign uses an email containing a Microsoft Excel document pretending to be from Jane’s, a well-known supplier of information about the military and defense industries.

Feb. 26. CrowdStrike, a cybersecurity company, reports hackers based in China repeatedly targeted UK think tanks specializing in defense and international security issues in 2017. It also says data was stolen from executives and research fellows specializing in nuclear policy and the South China Sea.

Feb. 24. Washington Post reports cyberattack on Winter Olympics’ opening ceremony was a “false flag” operation launched by Russian military spies who tried to make it appear North Korea was behind the intrusion.

Feb. 23. Motherboard reports dozens of employees from US federal law enforcement agencies and the armed services are buying malware for mobile devices produced by Mobistealth. Software can intercept Facebook messages, track GPS locations, and remotely activate microphones.

Feb. 20. US Attorney General Jeff Sessions announces cyber task force to evaluate and study efforts to interfere with elections. Group will evaluate how Justice Department is fighting cyberthreats and how it could do better.

Feb. 19. UN Secretary General Antonio Guterres, speaking at the University of Lisbon, calls for the creation of a regulatory body to fight electronic warfare campaigns that target civilians. He says global set of rules are needed to protect civilians from disinformation campaigns.

Feb. 15. UK Foreign Minister Tariq Ahmad says his government has determined that the Russian military was behind the NotPetya cyberattack in June 2017. It’s estimated that organizations suffered losses of $1.2 billion due to the malware.

Feb. 15. US Air Force pays out $104,000 to white hat hackers through its Hack the Air Force 2.0 program, which ended January 1.

Feb. 14. BuzzFeed sues the Democratic National Committee to obtain information on a controversial anti-Trump dossier compiled by former spy Christopher Steele. The DNC partially funded the research behind the document. BuzzFeed is being sued for libel by Russian businessman Aleksej Gubarev and for defamation by the president’s personal attorney Michael Cohen for publishing the dossier.

Feb. 14. NBC News publishes database of 200,000 tweets tied by Twitter to malicious activity from Russia-linked accounts during the 2016 presidential election but were deleted by the microblogging service.

Feb. 13. FBI Director Christopher Wray, CIA Director Mike Pompeo, and Director of National Intelligence Daniel Coats tell US Senate Intelligence committee Russia is continuing efforts to disrupt the US. political system and is targeting the 2018 midterm election.

Feb. 13. Dmitry Skobelkin, deputy governor of Russia’s central bank, speaking at an information security conference in Magnitogorsk, states $17 million was stolen from his country’s banks by cyber criminals in 2017.

Feb. 11. A compromised version of Browsealoud, a popular app for the visually impaired, infects more than 4,200 websites, including some operated by the US and UK governments, with crypto mining malware.

Feb. 11. Iranian government accuses hackers from US and UK of defacing 30 websites in that nation with fake news stories about the death of its supreme leader Ayatollah Ali Khamenei.

Feb. 11. International Olympic Committee confirms cyberattack February 9 on the Winter Games’ opening ceremonies but did not identify the source of the attack. It notes no critical part of their operations was compromised during the episode.

Feb. 10. Sacramento Bee states it accidently exposed the records of 19 million California voters when a contractor failed to restore a firewall after performing routine maintenance on the newspaper’s computer systems. It says hackers subsequently encrypted the data and asked for a ransom to decrypt it. The Bee refused to pay the ransom and deleted the database, which was a copy of information maintained by the state’s Secretary of State.

Feb. 8. Jeanette Manfra, head of cybersecurity at the US Department of Homeland Security, tells NBC News Russian hackers successfully penetrated the voter registration rolls of several states prior to the 2016 presidential election.

Feb. 7. Associated Press reports Fancy Bear, a hacker group linked to the Russian military, targeted 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms, or other sensitive activities. It says targets worked at small and large companies, such as Lockheed Martin, Raytheon, Boeing, and Airbus, as well as trade groups, contractors in US-allied countries, or on corporate boards.

Feb. 5. UK High Court of Justice denies extradition to United States of Lauri Love, 33, accused of hacking US government computers, including those of Federal Reserve, Army and NASA. It says extradition would pose a suicide risk to Love, who suffers from Asperger Syndrome.

Feb. 5. South Korea’s National Intelligence Service tells members of Seoul’s National Assembly it believes North Korea was behind theft of some $526 million in the NEM cryptocurrency from the Coincheck exchange in Japan on January 26.

Feb. 4. Conrad Prince, former deputy head and operations chief of UK spy agency GCHQ, reports Isis and other jihadist groups are seeking to recruit insiders and obtain cyber weapons from the criminal underground to mount attacks on the critical infrastructure of Western nations.

Feb. 4. China announces it will begin blocking all websites—including foreign ones—related to cryptocurrency trading and initial coin offerings, and admits closing down domestic exchanges failed to eradicate trading by its citizens.

Feb. 2. Turkey’s Anadolu Agency, a state-sponsored media outlet, announces its Twitter account was hacked and used to post inflammatory material about an opponent of the Egyptian government, Ayman Nour, living in Istanbul.

January

Jan. 31. Erel Margalit, a former member of Israel’s parliament, claims at a cybersecurity conference in Tel Aviv that the blueprints for a submarine being built for Israel by a German shipyard were stolen in a cyberattack in May 2016. ThyssenKrupp, which owns the shipyard, reported the incident when it occurred but did not mention the theft of the sub’s plans.

Jan 31. AlienVault reports most active threat actor groups in 2017 were Fancy Bear (Sofacy, APT28), which has been linked to the Russian military, and the Lazarus Group, which operates out of North Korea. Company based its findings on an analysis of data from its Open Threat Exchange threat intelligence sharing platform.

Jan. 30. Utah’s Chief Information Officer Michael Hussey tells legislators at a budget committee hearing that more than 300 million cyberattacks are launched on the state’s computer systems daily. He adds that two years ago, the average was 150 million per day.

Jan. 29. Security analysts say Strava, a fitness app that posts online a map of its users’ activity, has exposed the locations and habits of military personnel around the world, including American forces in Iraq and Syria.

Jan. 29. African Union officials accuse China of hacking its headquarters every night for five years and stealing confidential data. China funded the headquarters in Addis Ababa, Ethiopia, for $200 million and a Chinese state-owned company built it.

Jan. 28. Documents leaked to the website Axios from US National Security Council reveal plan by Trump administration to build a government-owned 5G mobile network to guard against cyberattacks by China and other threat actors.

Jan 25. Current affairs program Nieuwsuur and newspaper de Volkskrant report Dutch intelligence agency AIVD monitored between 2014 and 2016 the headquarters of the Russian hacking group linked to a theft of data from the US Democratic National Committee. They say the AIVD shared the intelligence garnered from the operation with the US CIA and NSA.

Jan. 25. Reuters reports SAP, Symantec, and McAfee have allowed Russian authorities to examine the source code of their software as a condition for selling into the Russian market. It says the practice could potentially jeopardize the security of at least a dozen federal agencies.

Jan. 25. Democratic National Committee appoints as its chief security officer Bob Lord. Before accepting the position, Lord detected two massive data breaches while head of information security at Yahoo.

Jan. 24. A hacker group believed to be connected to Russian intelligence and calling itself “Fancy Bears Hack Team” posts email and documents stolen from the International Luge Federation to its website that it claims demonstrate violations of Olympic doping rules.

Jan. 23. Metrolinx, the transit agency of Ontario province in Canada, confirms it was the target of a cyberattack originating in North Korea. It says the attack breached a firewall to one of its systems but did not reach any system containing employee or customer information.

Jan. 23. The Center for Strategic and Defense Studies, a Spanish Defense Ministry think tank, reports Russian hacking efforts in support of Catalonian independence are continuing and could intensify. It maintains Russia is using escalating tensions in Spain’s northeast region to destabilize Madrid.

Jan. 23. China National Space Administration announces first communication between Shijian 13, the country’s first high-throughput communication satellite, and its ground control center. Two-way test was conducted at 5Gbps.

Jan. 18. Schneider Electric announces flaw in its Triconex system exploited by hackers forced suspension of operations of an undisclosed industrial facility. Triconex is used in industrial plants to safely shut down industrial processes when hazardous conditions are detected.

Jan. 18. Electronic Frontier Foundation and mobile security company Lookout announce discovery of malware espionage campaign infecting thousands of people in 20 countries and resulting in hundreds of gigabytes of data being stolen. The campaign, which appears to originate in Lebanon, uses bogus versions of legitimate apps, including Signal and WhatsApp, to take photos, retrieve location information, capture audio, and perform other tasks without a phone owner’s permission.

Jan. 16. Turkish government sympathizers hack Twitter accounts of Fox News hosts Greta Van Susteren and Eric Bolling and begin posting to their news feed pro-Turkey messages and private direct messages from the accounts.

Jan. 14. Twitter account of Syed Akbaruddin, India’s representative to the United Nations, is hacked and images of Pakistan’s president, Mamnoon Hussain, and the country’s flag posted in its feed.

Jan. 14. Swedish Prime Minister Stefan Loefven announces his country will be launching a new government agency to protect its elections from Russian and other propaganda. The new agency is part of a broad initiative to protect the elections, which includes increased funding for the nation’s intelligence and cyber defense services.

Jan. 13. Iran lifts ban on Telegram. The country’s government blocked both Telegram, which has 40 million users in Iran, and Instagram in December in response to anti-government protests that were spreading throughout the country.

Jan. 12. Trend Micro reports Fancy Bear, the Russian hacking group believed to have stolen emails from the Democratic National Committee during the 2016 presidential election, has been trying to break into US Senate email accounts, as well as setting up websites mimicking the body’s email system.

Jan. 12. Washington Post reports the CIA is attributing Russian military hackers with the NotPetya attack in the Ukraine in June 2017 that wiped data from the computers of banks, energy firms, senior government officials, and an airport. From the Ukraine, the malware spread to thousands of computers in 150 countries.

Jan. 11. ThreatConnect reports it has discovered early signs that Russian hackers are planning attacks against anti-doping agencies in retaliation for excluding their country from the 2017 Winter Olympics. It explains three websites with domains mimicking those of the World Anti-Doping Agency have been registered by unknown people in the past month.

Jan. 10. A hacker group calling itself “Fancy Bears” releases confidential emails allegedly belonging to the International Olympic Committee. It’s believed the move is retaliation for the committee barring Russia from the Winter Olympics.

Jan. 9. Bloomberg reports President Donald J. Trump’s personal attorney Michael Cohen has filed lawsuits against BuzzFeed and Fusion GPS over a dossier claiming Trump and Cohen had suspicious connections to Russian figures. BuzzFeed published material from the dossier. Fusion was commissioned to put it together by Trump opponents.

Jan. 5. Cybersecurity company McAfee reports it has discovered a hacking campaign targeting organizations involved with the Winter Olympics to be held in South Korea in February. The campaign uses an infected Microsoft Word document to plant malicious code on a targeted machine and allow the attacker to execute commands to it.

Stay tuned for the Q2 2018 edition of Cyberwarfare Report.

Cyberwarfare Report Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.



Send this to a friend