13 Apr Cyberwarfare Report, Vol. 5, No. 1: China’s Role In The Experian Breach, Iranian Hacking Soars
Northport, N.Y. – Apr. 6, 2020
North Korean and Chinese hackers were prime targets of the U.S. government during the first quarter of the year as indictments were handed down against Chinese military members for the massive data breach at Experian resulting in the theft of personal data of 148 million Americans and a lawsuit was filed to seize control of some cryptocurrency accounts used to stash $250 million in stolen digital money. Meanwhile, Iranian cyberattacks on the world reach 500 million a day in the wake of the death of Iranian military leader Qasem Soleimani in a U.S. airstrike.
Our diary of Cyberwarfare activity over the past three months makes clear that our nation cannot be distracted by the Coronavirus pandemic while the global cybercrime epidemic persists.
Mar. 26. Researchers at Google’s Threat Analysis Group reveal an unnamed hacker gang used no fewer than five Zero-day vulnerabilities to target North Koreans and North Korean-focused professionals. Malware exploiting the flaws in Internet Explorer, Chrome, and Windows was delivered via emails with malicious attachments or links to bad websites, as well as poisoned “watering holes.” Google notes that finding so many Zero-day exploits from the same actor in a relatively short time frame is rare. Cybersecurity firm Kaspersky says it has linked Google’s findings to South Korean group called DarkHotel.
Mar. 26. Google’s Threat Analysis Group reports it sent its account holders almost 40,000 warnings in 2019 that they were targets of government-backed hackers. Among the most targeted people were government officials, journalists, dissidents, and geopolitical rivals. The group adds that the number of warnings dropped 25 percent year-over-year, primarily due to new protections designed to curb cyberattacks on Google properties.
Mar. 19. Trend Micro, a developer of cloud, server, and small business cybersecurity solutions, reports that the state-affiliated group of hackers known as Fancy Bear has been using hacked email accounts belonging to high-profile people working at defense firms in the Middle East to launch credential phishing campaigns. It says the campaigns include spam waves against webmail providers in the United States, Russia, and Iran.
Mar. 17. G Data CyberDefense, a German cybersecurity software company, reveals it purchased a laptop on eBay containing a confidential user manual and schematics for a surface-to-air missile system used by the German air force. It notes the hard drive containing the data was not protected by a password or encryption. A spokesperson for the defense ministry says that how the computer ended up on eBay is unclear.
Mar. 17. Inspector General’s Office of U.S. Defense Department releases report finding that the DOD’s red team hacking units lack proper training and are failing to reveal vulnerabilities that they find to the military units that they hack. It notes that even when flaws are reported, there is little oversight of the process to determine if vulnerabilities are patched or remediated.
Mar. 13. NBC News reports Russia, China, and North Korea are crafting coronavirus phishing attacks on neighboring states. It says Russia has launched such campaigns against Ukraine, China against Southeast Asia, and North Korea against South Korea. It cites one campaign aimed at Vietnamese targets that used emails pretending to be from the prime minister of the county that contained links to malware.
Mar. 12. Chelsea Manning, the former Army intelligence officer who in 2010 leaked a trove of military and diplomatic documents to WikiLeaks, is released from federal prison where she was being held for refusing to testify before a grand jury investigating the website and its founder, Julian Assange. After dismissing that grand jury, Federal District Court Judge Anthony J. Trenga released Manning, saying her appearance before the grand jury was no longer needed. The release came one day after Manning was hospitalized following a suicide attempt on herself.
Mar. 11. The Cyberspace Solarium Commission, a bipartisan panel made up of U.S. senators and representatives, releases a report calling for a broad range of cybersecurity changes. “A major cyberattack on the nation’s critical infrastructure and economic system would create chaos and lasting damage exceeding that wreaked by fires in California, floods in the Midwest, and hurricanes in the Southeast,” the commission’s co-chairmen, Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R.-Wisc., write in a letter accompanying the report. To rebound from a major cyberattack, the pair’s letter notes, the nation needs to build up its resilience — the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain, or otherwise shape U.S. behavior.
Mar. 10. Dutch prosecutor Thijs Berger accuses Russia of undermining investigation of three of its citizens and a Ukrainian charged with the murder of 298 passengers and crew of Malaysia Flight 17 when the plane was shot down by a missile in July 2014. He told judges at the trial of the four men that there is evidence that Russian intelligence agents attempted to hack into the computers of Malaysian and Dutch investigations into the downing of the plane.
Mar. 8. Hackers compromise Twitter account of Israel’s Defense Minister Naftali Bennett and post tweets of the Turkish flag accompanied by the name of Ottoman-born Turkish poet Mehmet Akif Ersoy and a picture of the Palestinian flag accompanied by the words “freedom for Palestine.” Ran Bar-Zik, a senior developer at Verizon Media who discovered the attack, says the posts were taken down within minutes of his reporting the attack to Twitter.
Mar. 5. Positive Technologies, a cybersecurity company, reports discovery of flaw in Intel hardware that could lead to hardware IDs being forged, digital content being extracted, and data from encrypted hard disks being decrypted. It says the issue isn’t too bad for the time being because of the difficulty in compromising the root cryptographic key at the center of Intel’s security scheme. Extracting that key, though, is only a matter of time, it adds.
Mar. 5. McAfee Mobile Threat Report identifies family of Korean language apps available on Google Play for more than five years that install MalBus malware on mobile phones. The malware indexes a phone’s directory structure and then looks for keywords relevant to military and political subjects, such as national defense, national intelligence service, military operations and many more. The apps have been removed from Google Play, but McAfee notes the programs demonstrate how mobile platforms can be used for espionage campaigns.
Mar. 3. Chinese cybersecurity company Qihoo 360 releases report claiming the CIA has hacked Chinese companies for more than 11 years. It says targets include China’s aviation industry, scientific research institutions, petroleum industry, Internet companies, and government agencies. It says CIA operations took place between September 2008 and June 2019, and most of the targets were located in Beijing, Guangdong, and Zhejiang, Qihoo.
Mar. 3. The Australian Broadcasting Corporation reports that a highly sensitive military database containing the personal details of tens of thousands of Australian Defense Force members was taken down for 10 days due to a security breach. Although acknowledging a “potential security concern,” the Defense Department says an investigation of the incident found no evidence that data had been exfiltrated.
Mar. 2. The Cyber Crime Center in the U.S. Defense Department releases results of the agency’s Vulnerability Disclosure Program. It reports 4,013 vulnerabilities were found by white hat hackers hired by the department to test its networks for weaknesses, and that 2,836 of them led to mitigation activities.
Mar. 2. U.S. Treasury Department’s Office of Assets Control sanctions two Chinese hackers, Tian Yinyin and Li Jiadong, for laundering cryptocurrency for a North Korean cybercriminal group known as Lazarus. According to Treasury, the Chinese pair laundered $250 million stolen from cryptocurrency exchanges in 2018 and received $91 million for their efforts, as well as $9.5 million for another North Korean hack. Under the sanctions, all U.S. property of the duo will be blocked and anyone dealing with them may be subject to sanctions, too.
Mar. 2. United States files lawsuit in federal court in Washington, D.C. to seize control of the cryptocurrency accounts North Korea allegedly used to steal more than $250 million from two cryptocurrency exchanges in 2018. The U.S. says it began looking at the theft in 2019 after the United Nations Security Council found North Korea was using cryptocurrency hacks to finance its military and skirt sanctions against it.
Feb. 26. Clearview AI, a facial recognition software maker, confirms data breach resulting in theft of its list of customers, number of searches they made, and number of accounts they set up. The company, whose customers are primarily law enforcement agencies, says its database of three billion photos was not compromised.
Feb. 26. Dmitri Alperovitch, co-founder of CloudStrike, a cloud infrastructure management company, in keynote speech at RSA conference in San Francisco, says the infrastructure used by Chinese military hackers indicted by the U.S. government in 2014, 2017, and 2018 disappeared after the charges against them were made public. He says that the specific groups named in the indictments “vanished” in a way that was “remarkable.” He speculates that some of the hackers may have been reassigned to other units that remain secret.
Feb. 21. New York Times reports that Russia has been trying to intervene in the Democratic presidential primaries to aid Sen. Bernie Sanders. Sanders says his campaign was briefed by the intelligence community about Russian interference in the 2020 election. According to the Times, Russia’s interference in the election on behalf of Trump and Sanders “underscores its efforts to sow chaos across the political spectrum.”
Feb. 20. The UK’s National Cyber Security Centre finds that Russian military intelligence was behind a massive cyberattack in 2019 that knocked out more than 2,000 websites in the country of Georgia, including its president’s website and that of the nation’s national TV broadcaster. The Centre says Russia’s goal was to “sow discord and disrupt the lives of ordinary Georgian people.”
Feb. 20. Former Republican Congressman Dana Rohrabacher denies reports he represented Donald J. Trump when offering WikiLeaks founder Julian Assange a presidential pardon in exchange for denying Russian involvement in leaking National Democratic emails during the 2016 U.S. presidential election campaign. “At no time did I talk to President Trump about Julian Assange. Likewise, I was not directed by Trump or anyone else connected with him to meet with Julian Assange,” he said in a statement.
Feb. 17. Reality Winner, the National Security Agency employee who leaked classified information on Russia’s interference with the 2016 U.S. presidential election, petitions President Donald J. Trump for clemency. Her petition was filed with the federal office of the pardon attorney, who advises presidents on pardons. Winner was sentenced to five years and three months in prison for her misdeeds. Her petition maintains her imprisonment is “costly, unnecessary to protect the public, burdensome to her health and wellbeing, and not commensurate with the severity of her offense.”
Feb. 16. ClearSky Cybersecurity releases report revealing a global cyber offensive campaign by Iran that’s succeeded in gaining a foothold in the networks of numerous companies and organizations in the IT, telecommunications, oil and gas, aviation, government, and security sectors. It says the campaign, called Fox Kitten by ClearSky, has been used largely for reconnaissance, but the infrastructure could be used as a platform for spreading and activating destructive malware.
Feb. 14. U.S. Cyber National Mission Force warns of six new malware families being used in current phishing campaigns by North Korean hackers. U.S. Cyber Command believes the malware will be used to give the online bandits remote access to infected systems in order to steal funds that can be transferred to Pyongyang as a way to avoid economic sanctions.
Feb. 10. U.S. Justice Department makes public indictments against four members of China’s military for hacking the Equifax credit service, which resulted in theft of sensitive personal data of some 148 million Americans. The four charged in the indictment are Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei, all alleged members of the 54th Research Institute, a component of China’s People’s Liberation Army.
Feb. 11. Reuters reports German Chancellor Angela Merkel’s ruling conservatives approve position paper recommending tougher rules governing foreign vendors working on the country’s 5G network, but doesn’t ban Chinese telecommunications giant Huawei from the process. It says the move is a rebuff to the United States, which has called on its allies to bar Huawei from working on 5G networks over security concerns.
Jan. 30. Reuters reports that the FBI is investigating the NSO Group, an Israeli spyware vendor, over possible hacks of American residents and companies, as well as intelligence gathering on governments. NSO says it’s not aware of any investigation. In the past it has said it sells its software only to governments and that it’s used only to fight terrorists and criminals.
Jan. 29. The New Humanitarian, a non-profit news agency, makes public for the first time a report revealing dozens of UN servers in Europe were compromised in July 2019. It says some 400GB of data was downloaded by the intruders, putting at risk the personal information of 4,000 UN staffers.
Jan. 22. The Guardian reports that mobile phone of Jeff Bezos, owner of Amazon and The Washington Post, was hacked in 2018 after receiving a WhatsApp message from the crown prince of Saudi Arabia. It says the infection originated from a poisoned video file and that large amounts of data were exfiltrated from Bezos’ phone within hours.
Jan. 21. National Security Archive, a not-for-profit research organization, releases heavily-redacted documents about U.S. Cyber Command’s cyberwar campaign against ISIS. Documents show that although campaign was successful, command faced some unforeseen challenges, including data storage requirements for the operation.
Jan. 16. Ukrainian Interior Ministry announces it has launched an investigation into the possible illegal surveillance of former U.S. Ambassador to Ukraine Marie Yovanovitch and a suspected cyberattack on Burisma, a Ukrainian energy company, in an attempt to find information damaging to Hunter Biden, son of presidential hopeful Joe Biden.
Jan. 8. CloudFlare, a cybersecurity company, reports Iranian cyberattacks on U.S. state, federal and government websites jumped 50 percent and continued to accelerate following death of Iranian military leader Qasem Soleimani in a U.S. airstrike. It finds that within 48 hours attacks traced to Iranian IP addresses tripled against targets around the world, peaking at half a billion attempts per day.
Jan. 2. Former head of international relations for Google, Ross LaJeunesse, tells the Washington Post he was forced out of the company after requesting it adopt formal human rights policies while expanding into China. In a blog published by Medium, he adds, “Each time I recommended a Human Rights Program, senior executives came up with an excuse to say no.”
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.