Cyberwarfare Report. PHOTO: Cybercrime Magazine.

Cyberwarfare Report, Vol. 3, No. 2: Sanctions Against Russians, Theft Of Submarine Secrets, And Router Infections

John P. Mello, Jr.

Sausalito, Calif. – Jul. 2, 2018

In Q2 2018, the U.S. Joint Chiefs of Staff released a report [PDF] finding that “permanent global cyberspace superiority is not possible.” It says even local superiority may not be practical “due to the way IT is implemented; the fact U.S. and other national governments do not directly control large, privately owned portions of cyberspace; the broad array of state and non-state actors; the low cost of entry; and the rapid and unpredictable proliferation of technology.”

For a comprehensive view of international cyber conflict, these are the stories that we’re following, and you should too:


Jun. 29. Izvestia reports Russian Federation defense ministry is setting up a research laboratory to develop blockchain technologies to enhance cybersecurity and fight cyber assaults on critical information infrastructure. It says the technology can help the Army track the origin of hack attacks and improve the security of its databases.

Jun. 28. Joshua Adam Schulte, 29, asks federal judge to grant him bail in case involving sending classified information to a group that released it March 7, 2017. That’s the same date WikiLeaks published thousands of sensitive US government documents designated “Vault 7.”

Jun. 21. Kari A. Bingen, deputy undersecretary of defense for intelligence, tells US House Armed Services Committee the Pentagon wants to establish cybersecurity as “a fourth pillar in defense acquisition.” She adds that incentives must be created “for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for US  government business.”

Jun. 20. Kaspersky Lab warns all European biochemical threat-prevention organizations that the malware used to disrupt the IT system at the PyeongChang Winter Olympics is now being aimed at European organizations. The malware steals credentials from browsers and Windows systems, which are then used to automatically spread across networks and destroy infected PCs. It says the malware is targeting financial organizations in Russia and chemical and biological threat-prevention labs in Europe and Ukraine.

Jun. 20. Hans-Georg Maassen, head of Germany’s domestic intelligence agency, tells the RND newspaper chain that Russia was probably behind a widespread attack on his country’s energy providers earlier this month. He says there were multiple indicators that Russia was behind the campaign.

Jun. 19. Symantec reveals a sophisticated hacking campaign launched from computers in China penetrated the computer systems of satellite operators, defense contractors, and telecoms in the US and Southeast Asia. It says the effort — which has been mitigated — appears to be driven by national espionage goals, such as the interception of military communication.

Jun. 17. New York Times reports the Pentagon has empowered the US Cyber Command to take a more aggressive approach to defending the nation against cyberattacks. Citing a “vision statement” issued by the command, it says the objective of the new policy is to “contest dangerous adversary activity before it impairs our national power.”

Jun. 14. Kaspersky Lab suspends collaboration with Europol and NoMoreRansom Initiative after European Parliament passes resolution describing the company’s  software as malicious. The company’s software is not trusted by some governments who believed the firm has ties to Russian intelligence.

Jun. 13. Clarifai CEO Matthew Zeiler denies in a blog that his company’s computer systems were compromised by one or more people in Russia, potentially exposing technology used by the US military to an adversary. He explains an untargeted bot was identified on an isolated research server and quickly contained. He adds that the bot did not access any data, algorithms, or code.

Jun. 13. Kaspersky Lab reports LuckyMouse, a group of Chinese-speaking hackers, has compromised a national data center in a Central Asian nation and is using it to poison the country’s government websites, making them sources for “waterhole” attacks.

Jun. 11. US Treasury Secretary Steven Mnuchin announces sanctions on five Russian companies and three Russian individuals for malicious actions designed to increase Russia’s offensive cyber capabilities. The sanctions prohibit the companies and individuals from performing any transactions involving the US financial system. In addition, American citizens and companies cannot do business with the sanctioned targets.

Jun. 9. Marine Corps Commandant General Robert Neller tells defense leaders attending a conference in San Diego that the corps is considering offering bonuses and other perks to entice older Marines to reenlist to beef up its cyber operations.

Jun. 8. Washington Post reports Chinese government hackers compromised the computers of a contractor working for the Naval Undersea Warfare Center in Newport, R.I. and stole  614 gigabytes of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on US submarines.

Jun. 8. Recorded Future, a threat intelligence company, releases report finding that export bans and restrictions can be effective in keeping North Korea from acquiring technology for its nuclear weapons program, but fail when it comes to regulating computer products used for destructive cyberattacks from entering the Hermit Nation.

Jun. 8. The US Joint Chiefs of Staff releases reports [PDF] finding that “permanent global cyberspace superiority is not possible.” It says even local superiority may not be practical “due to the way IT is implemented; the fact US  and other national governments do not directly control large, privately owned portions of cyberspace; the broad array of state and non-state actors; the low cost of entry; and the rapid and unpredictable proliferation of technology.”

Jun. 6. Cisco’s Talos intelligence unit reveals VPNFilter is targeting more makes and models of routers than originally identified and has additional malicious capabilities. Those capabilities include extending the threat beyond the device itself and into the network supported by the device.

Jun. 6. Security firm FireEye reports South Korea hit with significant cyberattacks from Russia and China in recent weeks. It says attacks will escalate in the days leading up to the US – North Korea summit later in the month.

Jun. 6. Motherboard reports documents it obtained through the Freedom of Information Act reveal that US government researchers believe it’s only a matter of time before a cybersecurity breach on a commercial aircraft occurs.

Jun. 6. IRNA, Iran’s official news agency, reports hackers disrupted arrival and departure monitors at the country’s Tabriz International Airport. An airport spokesman says the monitors were turned off when the hack was discovered, but service was quickly restored. Messages on the monitors were in support of Iranian truck drivers who are on strike.

Jun. 6. Trillium President and CEO David Uze embarks on six-month road trip to publicize the reality of automotive cyberattacks. Uze says Trillium is committed to educating the public about protecting all types of vehicles from cars to trucks to military tanks.

Jun. 5. Izvestia reports Russian military is spending $6 million to build data centers with all-Russian hardware and software to act as an alternative cloud should the country’s connection to the global internet be lost, severed, or hacked.

Jun. 5. Reuters reports Chinese telecommunications equipment maker ZTE Corp. has agreed in principle to pay $1.7 billion penalty in exchange for the US Commerce Department lifting its sanctions against the company for illegally shipping goods to Iran and North Korea.


May 30. US Office of Management and Budget releases assessment of cybersecurity at 96 federal agencies finding 74 percent were either “at risk” or “high risk” of succumbing to a cyberattack. It also notes that only one in four agencies could confirm that they have the capability to detect and investigate signs of a data breach.

May. 29. Karim Baratov, a Canadian hacker accused of helping Russian intelligence agents break into millions of Yahoo email accounts in 2014, is sentenced to five years in prison and ordered to pay a $250,000 fine by US District Judge Vince Chhabria in San Francisco.

May. 29. Frost & Sullivan releases forecast predicting the US defense satellite market will reach $30.30 billion by 2023 driven by the US Department of Defense’s desire to harden its satellite infrastructure against cyberattacks.

May 28. Two of Canada’s largest banks, Bank of Montreal and Canadian Imperial Bank of Commerce, reveal they’ve been contacted by hackers who say they’ve stolen data for nearly 90,000 of the banks’ customers.

May 24. In an amended lawsuit filed in federal court in Los Angeles, Elliott Broidy, a top fundraiser for President Donald Trump,  claims that a US-based security firm, Global Risk Advisors, introduced Qatar to “cyber mercenaries” who hacked Broidy’s emails. Those emails formed the basis of media reports about how Broidy tried to profit from his proximity to Trump, seeking to benefit his defense contracting firm as well as Qatar’s gulf rival, the United Arab Emirates.

May 24. Hackers defaced electronic messaging boards at the airport in Mashad, Iran, with a statement protesting against that country’s military presence in the Middle East.

May 24. Pakistani Major General Asif Ghafoor, the director general of inter-services public relations, warns social media users of phishing scheme using emails pretending to be from his agency to get the users to fill out forms and steal their credentials.

May 23. US Justice Department announces seizure of an Internet domain used to direct malware infecting more than half a million routers in 54 countries. The move is seen as a first step in dismantling the botnet created by the malware called VPNFilter, which was discovered by Cisco’s Talos intelligence unit. The DOJ says the botnet was set up by Fancy Bear, a group of hackers affiliated with Russian military intelligence.

May 23. Cisco’s Talos intelligence unit announces discovery of VPNFilter, which it estimates has infected more than half a million routers in 54 countries. It says the malware can be used to steal website credentials, monitor SCADA protocols, and totally disable any device it has infected.

May 23. US Department of Defense bans the use of commercial off-the-shelf unmanned aerial systems, better known as drones, until the cybersecurity of the devices can be adequately assessed.

May 22. The Daily Beast reports the Pentagon has plans to disable nuclear missiles before they’re fired, which includes the use of cyberattacks. It says an internal policy document obtained by the publication and outlining the plans appears to be the first official confirmation that the US reserves the right to infect adversary missile networks with disabling malware.

May 21. Politico reports President Donald Trump is using a White House cellphone that isn’t equipped with sophisticated security features designed to protect it from cyberattacks. It says the president has gone as long as five months without having the phone checked for malware infections by security experts.

May 17. Ron Delbert, the head of the University of Toronto’s Citizen Lab, speaking at the RightsCon conference in Toronto, calls for universities to form a global network of researchers dedicated to attributing nation-state attacks. He says the association of attribution would be independent of states and companies but would cooperate with them.

May 15. Lookout Security Intelligence announces discovery of surveillance software tools for Android and iOS that are being used by the Pakistani military against government officials, diplomats, military personnel, and activists in Pakistan, Afghanistan, India, Iraq, and the UAE. Data has also been stolen from officials and members of the military in the United States, Australia, and Germany.

May 11. New York Times reports government and private sector cybersecurity experts in the United States and Israel are worried that the US’s decision to pull out of Iran nuclear deal will lead to a surge in retaliatory cyberattacks from Iran.

May 10. Billy Ribeiro Anderson, 41, of Torrance, Calif., arrested by federal authorities for defacing more than 11,000 websites globally, including West Point’s Combating Terrorism Center and the New York City Comptroller’s Office. Anderson faces three counts of computer fraud and could serve up to 21 years in prison.

May 10. Anonymous defaces official website of Russia’s Federal Agency for International Cooperation in protest of Kremlin’s ban on Telegram, an app that protects its messages with encryption.

May 8. US Senate Intelligence Committee releases report on Russian cyberattacks on digital US voting systems  prior to the 2016 presidential election. Report finds Moscow conducted “an unprecedented, coordinated cyber campaign” against the nation’s voting infrastructure.

May 8. Associated Press reports Russian hackers posing as Islamic State militants sent electronic death threats to the wives of five members of the US military. It says the “false flag ” operation was launched by Fancy Bear, a group of hackers affiliated with the Russian military and believed to have stolen a cache of emails from the Democratic National Committee during the 2016 presidential election.

May 8. Georgia Gov. Nathan Deal vetoes cybersecurity bill that would make accessing a computer network without permission a crime punishable by up to one year in jail and a $5,000 fine. Measure was opposed by Microsoft and Google because it contained “hack back” provisions, which the companies believe could be abused.

May 6. Izvestiya reports Russian authorities are planning to convert the country’s money transfer system to blockchain technology in 2019. The move is calculated to make Russia’s system, SPFS, more competitive to SWIFT, which is the dominant international system.

May 5. The Observer reports aides to President Donald Trump orchestrated a “dirty ops” campaign against key individuals from the Obama Administration who helped negotiate the Iran nuclear deal. It says people in the Trump camp contacted private investigators in May 2017 to “get dirt” on Ben Rhodes, who had been one of Barack Obama’s top national security advisors, and Colin Kahl, deputy assistant to Obama, as part of an elaborate attempt to discredit the deal.

May 4. US Office of the Director of National Intelligence releases report finding that the NSA collected 534 million records of phone calls and text messages of Americans in 2017 — three times more than 2016.

May. 4. Department of Defense elevates US Cyber Command to a unified combatant command. The DoD says the move recognizes the significance the cyber domain will play in the next century of warfare.

May 3. Russia’s media and communication regulatory authority Roskomnadzor blocks more than 50 VPN networks, Web proxies, and anonymizers, which it says can be used to access Telegram, a messaging app banned by the Kremlin after its makers refused to turn over the encryption keys of its users to state security authorities “for investigation purposes.”

May 3. Kaspersky Lab reveals its findings about ZooPark, a cyber espionage operation deploying sophisticated Android malware and focusing on targets in the Middle East since June 2015.

May 3. 401TRG, the threat research and analysis team at ProtectWise, releases report on previously unreported links existing between a number of Chinese state intelligence operations.

May 2. Tenable, a cyber exposure company, announces discovery of a critical vulnerability in two  Schneider Electric applications used in manufacturing, oil and gas, water, automation, and wind and solar power facilities. It says vulnerability, if exploited, could give an attacker complete control of an underlying system, as well as move laterally through a network, exposing additional systems to attack.

May 1. Netscout’s Arbor Networks’ Security Engineering and Response Team announces discovery of malware infecting LoJack software used to prevent computer theft. It says it found infected LoJack programs communicating with servers to be linked to Russian military intelligence.


Apr. 29. Brigadier General Seyed Kamal Hadianfar, head of Iran’s Cyber Police, reports 296 serious cyberattacks were carried out against Iran’s infrastructure from March 2017 to March 2018. He says 50 percent of those attacks originated from either the United States or China.

Apr. 28. Campaign for Human Rights in Iran reports Iranian hackers have attacked a number of user accounts of charity workers, academics, dual nationals living abroad, and political and civil activists. Some of the people targeted by the hackers were in communication with individuals arrested in Iran or professional acquaintances currently in custody in the country.

Apr. 26. The undergraduate council’s website at Harvard is vandalized by the “Iran Cyber Security Group.” The hackers placed  a cartoon on the site that showed President Donald Trump being punched in the chin by a figure wearing a wristband striped with the colors of the Iranian flag.

Apr. 26. NATO’s Cooperative Cyber Defense Center of Excellence announces completion of Locked Shields, a complex international live-fire cyber defense exercise involving 1,000 cyber experts from 30 nations.

Apr. 26. US Senate confirms Major General Stephen Fogarty as commander of US Army Cyber Command. Fogarty replaces Lieutenant General Paul Nakasone who recently became director of the National Security Agency and head of US Cyber Command.

Apr. 25. US Defense Department orders retail stores on military bases to stop selling products made by Chinese telecom firms Huawei and ZTE. it says devices from those companies pose unacceptable risk to the DOD’s personnel, information, and mission.

Apr. 25. US Air Force awards five small business contracts worth $950 million for the rapid development of cyber capabilities. Work under the contracts include areas such as cyber threat avoidance and cyber defense; full spectrum cyber operations; cyber network exploitation; cyber situation and mission awareness; cyber command and control; cyber infrastructure; cyber mission assurance; and cyber modeling, simulation, and wargaming.

Apr. 24. McAfee reports it has uncovered a global reconnaissance campaign assaulting a wide number of industries, including critical infrastructure, entertainment, finance, healthcare, and telecommunications. Called Operation GhostSecret, the campaign uses tools and malware associated with Hidden Cobra, a hacker group connected to North Korea.

Apr. 24. US Department of Homeland Security cyber lead Jeanette Manfra tells Senate Homeland Security Committee her agency has seen no evidence so far this year that Russian intelligence agencies are trying to hack into the nation’s voting systems to undermine the 2018 midterm elections.

Apr. 24. Senate confirms Army Lieutenant General Paul Nakasone to lead the US Cyber Command and National Security Agency. Nakasone replaces Admiral Mike Rogers who is retiring after four years in those posts.

Apr. 23. Portugal and Australia announce they’re joining the Cooperative Cyber Defense Center of Excellence based in Tallinn, Estonia. The organization is a think tank for the development of global cyber norms, establishing cybersecurity training requirements, and communication of goals shared among the countries.

Apr. 21. Campaign of Kendall Scudder, who is running against Republican incumbent Bob Hall for a state senate seat in Texas, took its website offline after discovering coding in Russian and digital trails leading to Russian websites embedded on its server.

Apr. 20. The Democratic National Committee files a multimillion dollar lawsuit in federal court in Manhattan alleging the Trump campaign, the Russian government, and WikiLeaks conspired to interfere in the 2016 presidential campaign to tilt the election in favor of Donald Trump.

Apr. 20. Kane Gamble, 18, sentenced by UK court to two years in prison for computer crimes, including hacking email accounts of former CIA Director John Brennan and former Director of Intelligence James Clapper.

Apr. 19. Microsoft, Facebook, LinkedIn, and 31 Auto technology companies sign “Cyber Security Tech Accord” for cyberspace. Under the accord, signers agree to protect users and customers from cyberattacks and to build more secure products; oppose attacks on “innocent citizens and enterprises from anywhere,” which includes refusing to help any government planning such attacks; empower users and developers with the tools they need to strengthen cybersecurity on their own; and work with each other and with other organizations dedicated to improving cybersecurity in the developed and developing world.

Apr. 19. The Sun reports that UK government social media experts have documented more than 45,000 posts spreading false stories about the chemical weapons attack that killed at least 75 people in the Syrian town of Douma. It says the stories are being circulated by Russian bots that reach around 20 million social media users.

Apr. 19. Trump Administration sends to Congress report on US policy for deterring and responding to attacks in cyberspace. Details of the report were classified.

Apr. 19. Website of the Supreme Court of India vandalized. Vandals left message in Portuguese on the site that translated to “Hacked by HighTech Brazil HackTeam.”

Apr. 18. Iran’s supreme leader, Ayatollah Ali Khamenei, announces he’s leaving the popular messaging app Telegram to safeguard his country’s national interest and to end the app’s monopoly on social media in the country. It’s estimated 40 million Iranians use the app.

Apr. 17. UK’s House of Commons Public Accounts Committee reports that Britain’s National Health System is still unprepared for a major cyberattack nearly one year after operations were impaired by the global WannaCry virus. It notes the government has yet to identify the full financial cost of the infection, the extent of vulnerabilities in the system, and the challenges in upgrading out-of-date equipment.

Apr. 16. Britain’s  National Cyber Security Centre, US Department of Homeland Security, and the US Federal Bureau of Investigation issue warning that Russian government-sponsored hackers are compromising key hardware of government and business computer networks, like routers and firewalls, “to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations.”

Apr. 14. Former CIA Director John Brennan reveals at the Logan Symposium on Investigative Reporting at the University of California Berkeley that President Barack Obama rejected a plan to conduct retaliatory cyber action against Russia for its campaign to interfere with the US elections in 2016. He says Obama was afraid that any US action against the Russians might be perceived as an ongoing Democratic president working to influence the election’s outcome.

Apr. 12. Jeremy Fleming, director of the UK’s GCHQ intelligence agency, says in a speech at the Cyber UK conference in Manchester that Britain conducted a major offensive cyber campaign against the Islamic State. He says the campaign disrupted online propaganda channels, as well as destroyed networks and equipment.

Apr. 12. The UK’s National Cyber Security Center announces new guidelines for classifying cyberattacks. Six categories of attack range from Category 1 — an attack causing sustained disruption of UK essential services or affects national security, leading to severe economic or social consequences or to loss of life — to Category 6, a cyberattack on an individual.

Apr. 12. Acting Director of the US Consumer Financial Protection Bureau Mick Mulvaney tells Senate Committee on Banking, Housing, and Urban Affairs his agency has suffered some 240 lapses in data security over an unspecified amount of time in addition to a suspected 800 other such incidents.

Apr. 12. Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, warns that cyber-espionage groups are using hacked routers more and more for their attacks. He says that leveraging routers to launch Advanced Persistent Threat attacks has grown steadily in the past year and the tactic is becoming widespread this year.

Apr. 10. SonicWall reports cyberattacks on the UK have risen 300 percent this year compared to 151 percent worldwide. It says that while it’s too early to identify the sources of the attacks this year, in 2017 more than half of all 9.3 billion cyberattacks worldwide were carried out by state-sponsored hackers.

Apr. 10. Bastille, an enterprise threat detection company, reports the discovery of a vulnerability it calls Siren Jack. The flaw in emergency alert systems made by ATI Systems can be exploited remotely by radio frequencies to activate all sirens in a system at will and trigger false alarms, which can cause widespread panic and endanger lives.

Apr. 10. Facebook CEO Mark Zuckerberg tells US Senate Judiciary and Commerce committees that his company detected Russian government hackers targeting the accounts of campaign officials before the 2016 presidential election and warned the national committees of the nation’s political parties about the activity.

Apr. 6. US imposes sanctions on seven Russian oligarchs “for attacks to subvert Western democracies.” Among those sanctioned were Oleg Deripaska, 50, a metals magnate who has business ties with Paul Manafort, who served as President Trump’s campaign chairman for several months in 2016; and Kirill Shamalov, 36, the husband of Vladimir Putin’s daughter, Katarina.

Apr. 6. Iran’s IT minister, Mohammad Javad Azari-Jahromi, reveals some data centers in his country have come under cyberattack, forcing them to reset a number of routers. Attackers vandalized the sites with a graphic of an American flag and the warning: “Don’t mess with our elections.” He says the core of Iran’s National Information Network was not affected.

Apr. 5. US Department of the Interior’s Inspector General releases report finding little has been done to improve security of servers breached by Chinese hackers three years ago, which resulted in the theft of security clearance files and other sensitive personal information of 22 million federal employees.

Apr. 5. BuzzFeed publishes direct messages from Twitter between WikiLeaks founder Julian Assange and journalists Emma Best indicating Assange knew source of stolen emails from the Democratic National Committee posted to the Internet by WikiLeaks was connected to Russian military intelligence. Assange has continually denied Russia had anything to do with the stolen emails.

Apr. 4. Director of National Intelligence Dan Coats tells reporters at a press breakfast that the US government is seriously considering offensive cyber warfare. He says, “I’m publicly on board with the idea that you can’t just play defense, you have to play offense.”

Apr. 3. Four Singapore universities report to that nation’s Cyber Security Agency and Ministry of Education that 52 staff accounts were compromised by Iranian hackers. The hackers have been accused of stealing more than 31 terabytes of academic data and intellectual property from institutions around the world.

Apr. 2. Times of London obtains emails leaked from Kremlin revealing details of Russia’s plans to sow chaos and dissent in the Ukraine, which it invaded in 2014.

Apr. 2. Energy Transfer Partners notifies oil and gas shippers that data system for its pipeline network was hacked by cyber criminals. It says attack targeted Latitude Technologies, which manages the system, and the event was limited to the electronic data interchange system that facilitates transactions over oil and gas moving through its pipelines.

Apr. 2. CyberScoop reports US Department of Defense has hired HackerOne to run a bug bounty program on its Defense Travel System, which the department’s personnel use to book airline and hotel reservations when they travel on DoD business.

Cyberwarfare Report Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.