Cyberwarfare Report. PHOTO: Cybercrime Magazine.

Cyberwarfare Report, Vol. 4, No. 1: Phone Hacks, Unprotected Databases, Microsoft’s Moves

John P. Mello, Jr.

Northport, N.Y. – April. 8, 2019

Phone hacking became prominent during the first three months of the year as reports emerged of the mobiles of prominent people—such as Amazon CEO Jeff Bezos, as well as a prominent candidate for Prime Minister of Israel, and a former PM of the country—being compromised. A broad campaign of phone hacking by the United Arab Emirates also emerged during the period.

Once again security researchers were busy finding unprotected servers exposing millions of records online. A particularly disturbing find was an unprotected server in China containing facial recognition and location data on 2.5 million Uyghur Muslims, a population persecuted in that country.

Meanwhile, Microsoft continued its campaign against bad seeds on the Internet seizing control, with judicial permission, of websites operated by Fancy Bear, a group of hackers tied to Russian military intelligence, and 99 sites used by Iranian hackers to steal data from targets in the United States.

March

Mar. 31. Gavin de Becker, a security consultant hired by Amazon CEO Jeff Bezos to investigate a leak of sensitive photos about the executive to the National Enquirer, concludes that Bezos’s phone was hacked by Saudi Arabia and the pictures released in retaliation for the Washington Post’s coverage of the state-sponsored murder of Saudi journalist Jamal Khashoggi. Bezos owns the Post.

Mar. 28. Former NSA contractor Harold Thomas Martin III, 54, pleads guilty in federal court to stealing classified material for 20 years in what may be the largest breach of classified information in U.S. history. Sentencing is scheduled for July.

Mar. 27. Unsealed court documents show Microsoft took control of 99 websites that it says were being used by Iranian hackers to steal sensitive information from targets in the United States. In the documents, Microsoft says seizure of the sites enable it to stop future cyberattacks and monitor how infected computers were compromised.

Mar. 27. Facebook announces it is taking steps to reduce the spread of false information on its platforms ahead of the April elections in India. Measures include blocking fake accounts and hiring third-party fact checkers.

Mar. 22. Special Counsel Robert Mueller files final report with U.S. Attorney General of investigation into coordination between Trump campaign and Russia during the 2016 presidential election.

Mar. 18. Israeli TV outlet Channel 12 reports the mobile phone and personal computer of the country’s former prime minister Ehud Barak was hacked and the information sold to Iran. It adds that Barak was informed of the breach about six months ago by the Israel Security Agency.

Mar. 14. Israel’s Channel 12 reports the country’s Shin Bet security service suspects Iran hacked into the phone of Benny Gantz, Prime Minister Benjamin Netanyahu’s chief rival in the nation’s upcoming elections. It adds that the agency believes the hackers accessed the former general’s personal information and correspondence on the phone.

Mar. 12. Wall Street Journal reports an internal U.S. Navy report finds that service branch and its industry partners “under cyber siege” by Chinese hackers and others who have stolen national security secrets in recent years. It adds those thefts threaten the nation’s standing as the world’s top military power.

Mar. 12. FBI arrests Kim Anh Vo, 20, in Georgia and charges her in federal court with recruiting supporters for the Cyber Caliphate, an online group that, among other things, published “kill lists” on behalf of the Islamic State.

Mar. 8. Nikkei Asian Review reports Taiwanese makers of server power cords and plugs have begun moving production of those items out of China over concerns by U.S. technology companies that the hardware may be used for Chinese espionage.

Mar. 8. Cybersecurity firm Resecurity reveals Iranian hackers have stolen from six to 10 terabytes of data from Citrix Systems, which handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI, and many American corporations.

Mar. 7. Volexity, a cybersecurity company, reveals at RSA Conference in San Francisco that it has gathered enough evidence to say definitively that the hacker group known as OceanLotus is behind a fake news campaign aimed at Vietnamese dissidents. 

Mar. 6. Microsoft reveals it has detected cyberattacks linked to Iranian hackers that have targeted thousands of people at more than 200 companies over the past two years. It adds the hacking campaign has stolen corporate secrets and wiped data from some computers.

Mar. 5. Security researchers at iDefense report Chinese hackers have targeted more than two dozen universities in the United States and around the world in attacks aimed at stealing maritime military research. It adds forays focused on schools that either studied underwater tech or had faculty with backgrounds in that tech.

February

Feb. 28. Resecurity, a cybersecurity firm in Los Angeles, reports the Iranian hacker group Iridium was responsible for cyberattacks on the Australian parliament in February and the British Parliament in 2017. It notes the attacks were part of a multi-year cyber espionage campaign aimed at sensitive government, diplomatic, and military resources in Australia, Canada, New Zealand, the UK, and the United States.

Feb. 28. The Federal News Agency, a Russian news site associated with the notorious “troll factory” the Internet Research Agency, confirms the U.S. Cyber Command disrupted operations at the IRA the day before the 2018 midterm elections in the United States. It notes the U.S. intruders were able to destroy a RAID controller and wipe two of four hard drives attached to it.

Feb. 21. 360 Enterprise Security Group in Beijing, China, reports a hacking group called Blind Eagle has been active over the last year launching targeted attacks against Colombian government agencies, financial companies, and corporations. It notes that the group has been posing as Colombian institutions like the National Cyber Police and the Office of the Attorney General to steal intellectual property. The researchers could not identify who is behind the group, but they say a number of factors indicate the attacks are originating in South America. 

Feb. 19. Microsoft reveals Fancy Bear, a hacker group linked to Russian military intelligence, targeted the Aspen Institute, the German Marshall Fund of the United States, and the German Council on Foreign Relations between September and December 2018. Fancy Bear is believed to be behind the hacking of the Democratic National Committee during the 2016 U.S. presidential election.

Feb. 18. New York Times reports dozens of corporations and multiple government agencies have been targeted in aggressive attacks by Iranian and Chinese hackers. It adds Boeing, General Electric Aviation and T-Mobile were among the companies targeted by Chinese hackers.

Feb. 18. Australia’s Prime Minister Scott Morrison announces in statement to parliament that the country’s major political parties have been targeted in a cyberattack by “sophisticated state actor.” He adds that there is no evidence of electoral interference and measures have been taken to ensure the integrity of the country’s voting system.

Feb. 18. Times of India reports a hacker group called Team I Crew has defaced more than a dozen Pakistani websites in retaliation for a terrorist attack that killed some 40 Indian police officers in Pulwama, Kashmir. The hackers posted the message “We will never forget #14/02/2019,” a reference to the date of the terrorist attack.

Feb. 16. Pakistan’s Ministry of Foreign Affairs announces its website has become inaccessible from visitors outside the country. Some sources in the ministry blame India for the disruption, which comes three days after some 40 Indian police officers were killed in a suicide terrorist attack in Pulwama, Kashmir, by a group called Jaish-e-Mohammed. 

Feb. 14. Security researcher Victor Gevers discovers unprotected database online containing the facial recognition data the Chinese government is using to track Uyghur Muslim population. He notes the database contained personal information on more than 2.5 million people, as well as GPS data documenting where individuals had been seen.

Feb. 13. Kaspersky Lab reports a website to provide humanitarian aid to Venezuela has been targeted in a DNS manipulation attack aimed at gathering the personal information of the site’s visitors. 

Feb. 11. Russia announces it’s planning to disconnect the country from the Internet to collect information and feedback for a law passed in December. That law requires Russian Internet service providers to ensure operation of the country’s Internet space in the event of a foreign attack on it. It also calls for the nation’s telecom companies to create ways to re-route all Russian Internet traffic to exchange points approved or managed by Roskomnazor, Russia’s telecom watchdog.

Feb. 7. Kevin Peesker, president of Microsoft Canada, announces AccountGuard, a free security add-on to Office 365 aimed at giving highly targeted users an additional measure of protection from cybersecurity threats, will be offered north of the border. Those highly targeted users include candidates for federal or provincial office and their campaigns; all registered federal and provincial political parties; think tanks and democracy advocacy organizations; and technology vendors who primarily serve political campaigns.

Feb. 7. Venezuelan dissidents compromise websites of nine of the country’s embassies and post messages calling for a period of transition that leads to dialogue, the re-establishment of democracy, and the delivery of humanitarian aid to the country. They also announce their support of interim President Juan Guaidó, who has been prevented from taking power by Nicolás Maduro, who controls the military and refuses to vacate the presidential palace. 

Feb. 1. Foreign Policy reports that a growing number of hackers have begun selling credentials on the dark web that can be used to post articles and plant malware on media websites. It explains that penetrating the content management systems of a media organization would give an intruder the ability to use newspapers, wire services, and magazines to disseminate disinformation and fake news.

Feb. 1. The Daily Caller reports that a hacking campaign sponsored by Qatar from 2014 to 2018 affected 1,400 people, including James Devon Lamond, who was leading an initiative at the Center for American Progress looking into alleged collusion between Russia and the Trump presidential campaign. Others targeted by Qatar’s spies included former Republican National Committee finance chairman Elliott Broidy; Kristin Wood, whose 20-year CIA career included leading the analytic team in the Office of the Director of Central Intelligence; Shmuley Boteach, a celebrity rabbi and confidante of Republican mega-donor Sheldon Adelson; and Ronald Sandee, co-founder of Blue Water Intelligence and a former senior analyst with Dutch military intelligence.

January

Jan. 30. Reuters reports that a team of former U.S. government operatives working for the United Arab Emirates has been used to hack into the iPhones of activists, diplomats, and foreign leaders. It notes the team is using a sophisticated spy tool called Karma, which has allowed the UAE to monitor hundreds of targets since 2016.

Jan. 30. Court filing by Office of Special Prosecutor Robert Mueller reveals more than 1,000 confidential files it shared with attorneys for indicted Russian hackers were posted online and promoted by a Twitter account. According to a tweet, the documents were stolen from a Russian server, but FBI investigators say they could not find any evidence that the server where the documents were stored was hacked, which suggests the documents were leaked.

Jan. 30. Federal court in Virginia allows Microsoft to take over a group of websites it says are tied to Fancy Bear, a hacking group tied to Russian military intelligence, and were being used to mimic the website of the Center for Strategic and International Studies, a Washington, D.C. think tank. Microsoft has used the technique 13 times in the past two years to take down 89 fake websites.

Jan. 29. U.S. Director of National Intelligence Dan Coats tells Senate Select Committee on Intelligence that the nation’s intelligence agencies expect foreign actors to attempt to interfere with 2020 presidential election.

Jan. 29. Annual Worldwide Threat Assessment of the U.S. Intelligence Community warns that both China and Russia have the capability to launch cyberattacks against the nation that could at least temporarily disrupt its critical infrastructure, such as gas pipelines and power networks.

Jan. 25. Distributed Denial of Secrets, a transparency group, posts online 175 gigabytes of hacked and leaked document from inside Russia. Material includes hundreds of thousands of messages and files from Russian politicians, journalists, oligarchs, religious figures, and nationalists/terrorists in Ukraine.

Jan. 25.  Japan approves law allowing its National Institute of Information and Communications Technology to hack into consumers’ IoT devices to test their security. Information gathered by the hacking will be used to create a list of devices that use default or easy-to-guess passwords that can be used to advise the owners of the devices to change their passwords.

Jan. 24. U.S. Army announces  Intelligence, Information, Cyber, Electronic Warfare, & Space detachment in Fort Lewis, Wash. Unit combines long-range targeting, hacking, jamming, and space under one command and will focus on countering Chinese efforts in those areas. Army adds a corresponding detachment will be created for Europe to counter Russian efforts there.

Jan. 23. BuzzFeed reports the Integrity Institute, a UK think tank known for exposing Russian influence operations, was hacked from November 2018 to January and four batches of stolen data posted to the Internet. It adds that RT and Sputnik, news sites controlled by the Russian government, claim the leaked material shows the British government, not the Kremlin, is trying to poison Internet discourse with propaganda.

Jan. 18. French Defense Minister Florence Parly announces his country will invest €1.6 billion to bolster domestic cyber defenses and hire an additional 1,000 cyber fighters by 2025.

Jan. 17. Facebook deletes nearly 500 pages and accounts it says are connected to two disinformation campaigns originating from Russia. Many of the pages were linked to employees of Sputnik, a news agency controlled by the Russian government, who used independent news pages on topics like weather, travel, and sports to mask their activities.

Jan. 17. Democratic National Committee amends complaint in lawsuit against Russia and Trump reelection campaign alleging a coordinated phishing attack was launched against the committee by Russian intelligence a few days after the U.S. midterm elections in 2018.

Jan. 16. South Korean press reports reveal hackers gained administrative access to the systems of the Defense Acquisition Program Administration, which is part of the Ministry of Defense, and stole documents about arms procurement for the country’s next-generation fighter aircraft.

Jan. 12. Shalev Hulio, a co-founder of the NSO Group, maker of the mobile phone spyware called Pegasus, denies to the Times of Israel that the application was involved in the torture and murder of journalist Jamal Khashoggi by agents of the Saudi Arabian government. In October, Citizens Lab, a Canadian watchdog group, reported Pegasus was used to exfiltrate data from the phone of  Omar Abdulaziz, a dissident living in Canada who was communicating with Khashoggi, to the Saudis.

Jan. 11. New York Times reports FBI opened investigation into President Trump working on behalf of Russia against American interests following firing of the bureau’s director James Comey.

Jan. 9. FireEye reports it has discovered a massive DNS hijacking campaign that it believes is being mounted by Iran. “This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success,” it notes, and has affected dozens of domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East, North Africa, Europe, and North America. 

Jan. 9. Israel’s Prime Minister Benjamin Netanyahu vows there would be no online meddling with his country’s elections in April. “Israel is braced to foil cyber interference. We are ready for any scenario. There is no country better prepared than us,” he tells Reuters. His comments came two days after Shin Bet chief Nadav Argaman, who heads the country’s domestic intelligence efforts, accused a foreign power of planning to hack the vote.

Jan. 9. Politico reports Kaspersky Lab played a key role in the apprehension of Harold T. Martin III, an NSA contractor behind what’s believed to be the largest breach of classified information in U.S. history. It says Kaspersky, which has been barred from government contracts for alleged ties with Russian intelligence, blew the whistle on Martin after receiving strange Twitter messages from an account linked to him. Martin exfiltrated 50 terabytes of data and apps from the NSA and other agencies over a 20-year period, including some of the agency’s most sophisticated hacking tools.

Jan. 8. Prosecutors in Frankfurt, Germany, identify 20-year-old youth living with his parents as hacker behind one of the largest data leaks in the country’s history. The youth, whose name was not revealed due to legal restrictions, exposed online in December the private information of some 900 politicians, including German Chancellor Angela Merkel.

Jan. 8. Newspapers Okaz and Saudi Gazette release statement claiming an Iranian-backed militia attempted to hack the publication’s websites. They state the attackers attempted to publish a vulgar message and destroy the credibility of the two publications. They add they were targeted because of their coverage of Iran and the war in Yemen.

Jan. 7. U.S. National Counterintelligence and Security Center starts distributing to businesses detailed advisories to show them how to guard against cyber intrusions. “We’re arming U.S. companies with information they need to better understand and defend against these threats,” NCSC Director William Evanina said in a statement.

Jan. 7. Australia’s Early Warning Network announces in a Facebook posting that a bad actor using compromised credentials sent a message over its system to some of its subscribers that EWN had been breached and their personal information had been compromised. It assures subscribers no personal information was compromised in the event.

Jan. 3. Hiscox, a British insurance company, confirms some documents related to the September 11, 2001 terrorist attacks on the United States were stolen in a cyberattack on a law firm the insurer employs. A hacker group called Dark Overlord says it has the files and will release them to the public unless paid a ransom in cryptocurrency. 

Jan. 2. The Taipei branch of the Investigation Bureau, an agency within the Taiwan Ministry of Justice, after months of investigation, reports cyberattack on 70 computer systems of the nation’s Department of Health that resulted in the theft of personal information of 2.98 million residents of the capital city originated in Shanghai, China. It concludes that the Taiwan attacks were part of a worldwide campaign that compromised 1,509 websites in 38 countries, including government agencies in the United States and Europe.

Cyberwarfare Report Archives

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.