15 Oct Cyberwarfare Report, Vol. 4, No. 3: Election Insecurity, Offensive Cyber, And Mobile Spyware
Northport, N.Y. – Oct. 1, 2019
From July to September, various moves were made to strengthen election security in the United States and Russia, Uncle Sam flexed his cyber muscles, and hackers targeted mobile phones, military contractors, a U.S. fighter jet, and FBI communications.
September
Sep. 30. Rolling Stone, citing exclusive data from Microsoft, reports that in 2019 political campaigns, parties, and pro-democracy groups around the world have faced more than 800 cyberattacks. It notes the Microsoft data suggest that, when it comes to the threat of cyberattacks, the 2020 elections are shaping up to be as bad or worse than 2016.
Sep. 27. Washington Post reports President Donald J. Trump told two senior Russian officials in a 2017 Oval Office meeting that he was unconcerned about Moscow’s interference in the 2016 U.S. presidential election because the United States did the same in other countries. The comments were made at a meeting with Russian Foreign Minister Sergei Lavrov and Russian Ambassador Sergey Kislyak, in which the president revealed highly classified information that exposed a source of intelligence on the Islamic State.
Sep. 27. U.S. Navy appoints Aaron Weis as chief information officer, a new position in that military branch. Weis, who was serving as senior adviser to the Pentagon’s chief information officer, will lead a new 25-person office dedicated to improving the Navy’s cybersecurity, data, information management, digital strategy, and business systems. The appointment comes in the wake of two reports critical of the Navy’s cyber capabilities and ability to compete with countries like Russia and China.
Sep. 26. Agence France-Presse reports that there have been four major attacks by hackers on Airbus, a large European aerospace company, in the last 12 months. AFP notes that Airbus suppliers were targeted in the attacks aimed at stealing commercial secrets from the company, which is one of the largest makers of commercial aircraft in the world and a strategic military supplier. It adds that sources have linked the attacks to China. Suppliers targeted in the attacks include British engine-maker Rolls-Royce and the French technology consultancy and supplier Expleo.
Sep. 26. Rheinmetall Group, of Dusseldorf, Germany, a major supplier of military equipment and systems, announces a malware attack has disrupted operations at its automotive plants in Brazil, Mexico, and the United States. It estimates disruption could last two to four weeks at a cost of €3 million to €4 million per week, beginning with week two.
Sep. 25. Washington Post reports Trump Administration has refused for more than a year to allow Congress to audit a secret hacking policy that’s already been used to justify cyberattacks on Russia and Iran. It says lawmakers from both parties are concerned the policy could plunge the country into a cyberwar without congressional approval or oversight, or provoke retaliation that causes serious damage at home.
Sep. 24. Cisco’s Talos security unit exposes website catering to U.S. military veterans looking for jobs that is being used to infect visitors’ computers with malicious software. The site, operated by a group called Tortoiseshell, prompts victims to download an app which is a downloader for deploying spying tools and other nasty programs on infected systems.
Sep. 24. Eset identifies new phishing campaign launched by Fancy Bear, a hacker group tied to Russian military intelligence, and aimed at embassies and ministries of foreign affairs in Eastern European and Central Asian countries. It says the campaign starts with a phishing email containing a malicious attachment that launches a long chain of downloaders, ending with a backdoor.
Sep. 24. Checkpoint and Intezer release interactive map analyzing malicious software and tools used by Russian hacker groups. Their analysis of the data used to create the map finds in most cases, the Russian actors do not share code with one another, and that by avoiding re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations.
Sep. 23. Twenty-seven countries sign a joint agreement on what is fair and foul play in cyberspace. Countries agree to follow international law and that it’s okay to spy and hack intelligence and military targets but not civilian infrastructure. Although neither China nor Russia was named in the agreement, the nations did condemn behavior designed to “undermine democracies and international institutions and organizations, and undercut fair competition in our global economy by stealing ideas when they cannot create them.”
Sep. 22. Taiwan Vice Premier Chen Chi-mai reveals his nation and the United States would be holding their first joint cyber offensive and defensive exercises for five days in November. He adds the upcoming exercises will be similar to the Cyber Storm exercises, which are the U.S. Department of Homeland Security’s biennial exercises to strengthen cyber preparedness in the public and private sectors.
Sep. 23. Proofpoint reports it has discovered what appears to be a state-sponsored campaign targeting at least 17 entities in the U.S. utilities sector with malware from April to August 2019. It notes that “The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset.”
Sep. 17. U.S. Air Force announces it will give hackers at Def Con 2020, a cybersecurity conference annually held in Las Vegas, an opportunity to discover vulnerabilities in an orbiting satellite and its base station. During Defcon 2019, the Air Force allowed conference goers to hack the data system of an F-15 fighter jet and was pleased with the results. “We have to get over our fear of embracing external experts to help us be secure. We are still carrying cybersecurity procedures from the 1990s,” Air Force Assistant Secretary for Acquisition Will Roper told Wired magazine.
Sep. 16. Yahoo News breaks story about Russian intelligence operation from 2012 to 2016 that compromised the encryption used to secure communications of elite FBI surveillance teams and may have hacked U.S. intelligence computers not connected to the Internet. Yahoo says the operation stretched from San Francisco to Washington, D.C. and hampered the FBI’s ability to track Russian spies, forced it and the CIA to cease contact with some of their Russian assets, and required tighter security controls be imposed at national security facilities in the Washington area and elsewhere.
Sep. 15. Reuters reports Australian Signals Directorate, the country’s cyber intelligence agency, concluded in March that China’s Ministry of State Security was responsible for a cyberattack on member’s of the Australian federal parliament but kept the findings secret at the request of the Foreign Affairs Department, which did not want to upset trade relations with China. The news service says Australian authorities felt there was a very real prospect of damaging the country’s economy if it publicly accused China of the attack.
Sep. 13. U.S. Treasury Department places on a sanctions list three North Korean hacker groups. It says the groups — Lazarus Group, Bluenoroff, and Andarie — are controlled by the North Korean government. The U.N. has reported that North Korean hacker groups use cyberattacks to raise money for that nation’s weapons of mass destruction programs. The U.S. government’s action makes it easier to seize any assets the hacking groups may have within the jurisdiction of American financial institutions, although such assets are likely to be minima,l if they exist at all.
Sep. 12. Estonia’s government endorses creation of a new cyber diplomacy department in its foreign ministry. It also instructed the ministry to develop cooperation in the cybersecurity field. According to Estonia, cyber diplomacy mainly concerns state behavior in cyberspace and their compliance with cyber norms, trust-building measures, and existing international law.
Sep. 12. Polish Defense Minister Mariusz Blaszczak announces his nation will launch a cyberspace defense force by 2024 made up of about 2,000 soldiers trained in cybersecurity. Poland expects to have enough IT graduates by 2024 to meet the agency’s manpower needs.
Sep. 11. Security researchers at MalwareHunter Team announce discovery of some malware linked to the Ryuk family of ransomware that’s designed to steal confidential financial, military, and law enforcement files. Ryuk typically scrambles the files on a victim’s computer and demands a ransom, but doesn’t steal files. BeepingComputer reported that it’s not known if the new malware originated with the Ryuk group or someone with access to Ryuk’s code who incorporated it into their own software.
Sep. 11. Philippine military agrees to allow a native company substantially financed by China Telcom to install communications equipment on its army bases despite concerns by some lawmakers that the hardware could be used by China to steal state secrets. The company that won the deal, Mislatel, is a consortium controlled by Philippine tycoon Dennis Uy, a close associate of President Rodrigo Duterte. The holding companies in the consortium, which have no telecommunications experience, are partnering with China Telecom, which has a 40 percent stake in the consortium. In a statement, the Philippines military said Mislatel “guarantees that the devices, equipment, and/or structures installed at the site provided by [the military] shall not be used to obtain classified information.”
Sep. 6. Eugene Kaspersky, CEO of Kaspersky Lab, of Moscow, Russia, reveals his company is developing a secure election system for the Kremlin. “We are developing a system, called Polis, that ensures a secure, transparent, and anonymous election,” he says. “And we are guaranteeing that it will be very hard to hack.”
Sep. 3. Huawei, a Chinese technology company, accuses the United States of launching cyberattacks to infiltrate Huawei’s intranet and internal information systems, menacing its employees “to turn against the company,” urging other companies to bring unsubstantiated claims of wrongdoing against it, and denying visas to Huawei employees. The United States has placed Huawei on the “Entry List,” a blacklist for companies the U.S. Commerce Department sees as “engaged in activities that are contrary to U.S. national security or foreign policy interests.”
Sep. 2. Yahoo News reveals that an Iranian engineer recruited by the Dutch intelligence agency AIVD provided critical data that helped U.S. developers tailor the malware that damaged Iran’s nuclear enrichment program at Natanz, Iran. It adds that the engineer also provided inside access to the facility so its systems could be infected with the malware, known as Stuxnet, via USB stick.
August
Aug. 31. TechCrunch reports that a number of malicious websites used to hack into iPhones over a two-year period were targeting the Uyghur Muslim minority in China’s Xinjiang state. It explains the websites were part of a campaign to target the group by infecting iPhones with malicious code simply by visiting a booby-trapped web page and gain access to a victim’s messages and passwords, and track their location in near-real time.
Aug. 30. NPR reports President Donald J. Trump has posted to Twitter an image of an accident at an Iranian space facility that experts say was almost certainly taken by a classified satellite or drone. Ankit Panda, an adjunct senior fellow at the Federation of American Scientists, tells NPR that the photo in the tweet discloses “some pretty amazing capabilities that the public simply wasn’t privy to before this.”
Aug. 29. Benny Gantz, leader of the Blue and White Party in Israel, rejects reports of a massive hack of phones and computers belonging to himself and top campaign officials. Yaakov Peri, president of the CGI Group, which discovered the hack, calls Gantz’s remarks a “crude slander” and says four or five phones belonging to the party were infected, probably by an East European actor.
Aug. 28. New York Times reports that a secret cyberattack against Iran in June wiped out a critical database used by its paramilitary arm to plot attacks against oil tankers and degraded Tehran’s ability to covertly target shipping traffic in the Persian Gulf, at least temporarily, It adds Iran is still trying to recover information destroyed in the attack and restart some of its computer systems, including military communications networks.
Aug. 28. University of Lorraine and France’s CNRS research institute announce Pierrick Gaudry, a cryptology researcher, has discovered a security breach in Russia’s electronic voting system. It says it took Gaudry 20 minutes to break the encryption key used to secure voters’ identities and choices.
Aug. 26. The Cybersecurity Infrastructure Security Agency, a division of the U.S. Homeland Security Department, announces program to protect voter registration databases from ransomware attacks.
Aug. 20. U.S. Eighth Army announces American troops may have been among the one million victims of hackers who stole credit card information and posted it on the Dark Web. It says at least 38,000 U.S.-issued credit cards were compromised in thefts from businesses and financial entities in South Korea, including a credit union providing financial services to U.S. Air Force bases in the country.
Aug. 15. Wall Street Journal reports employees of Huawei, the world’s largest telecommunications company, have helped African governments spy on political opponents by using cell data to track their location and intercepting encrypted communications and social media. The Journal could find no evidence that Huawei executives in China approved or were aware of activities in Africa.
Aug. 14. Republican Sens. Chuck Grassley of Iowa and Ron Johnson of Wisconsin release memo revealing that multiple investigations by the Senate, intelligence community, FBI, and Justice Department could find no evidence that former Secretary of State Hillary Clinton’s private email server was breached by Chinese hackers.
Aug. 14. U.S. Cyber Command uploads to VirusTotal, a public database for malware and security research, a set of malware samples linked to North Korean hackers. Electric Fish, the malware uploaded by the agency, is a tunneling tool designed to exfiltrate data from one system to another over the Internet after installation of a “backdoor” on a system.
Aug. 14. Washington Post reports a team of highly-vetted hackers were given access to software for the F-15 fighter jet at Def Con 27, a computer conference for hackers held annually in Las Vegas, and discovered “a mother lode of vulnerabilities.” The Post says this was the first time outside researchers were allowed physical access to the critical F-15 system to search for weaknesses.
Aug. 7. Wall Street Journal reports suspected Iranian hackers have infiltrated critical infrastructure and government computers in Bahrain. It adds that the attacks have risen above normal cyber activity in the region.
Aug. 7. FireEye, a cybersecurity company based in Milipitas, Calif. reveals at the Black Hat hacker convention in Las Vegas that members of APT41, a state-sponsored group of Chinese hackers, have been supplementing their espionage activities with financially motivated side operations. It says the group has penetrated and spied on global tech, communications. and health care providers for the Chinese government while using ransomware against game companies and attacking cryptocurrency providers for personal profit.
Aug. 6. Politico reports U.S. CyberDome has begun offering free or discounted election security services to presidential campaigns. The group is the second to offer such services following an opinion of the Federal Election Commission allowing non-profits to provide such services. The first organization to offer such services was Harvard’s Defending Digital Campaigns.
Aug. 6. Bugcrowd, which manages bug bounty programs, reports U.S. Air Force bug bounty program identified 53 flaws in the military branch’s Common Computing Environment, a branch-wide cloud platform that serves up online applications, and awarded $123,000 in prizes to the team of 50 vetted-hackers in the program.
Aug. 5. Microsoft reports discovery of Fancy Bear, a group of hackers connected to Russian military intelligence, has been compromising IoT devices to gain initial access to corporate networks. It says it has not been able to conclusively determine what the group’s ultimate objectives are. It adds, “While much of the industry focuses on the threats of hardware implants, we can see in this example that adversaries are happy to exploit simpler configuration and security issues to achieve their objectives.”
July
Jul. 30. Crowdstrike, a Sunnyvale, Calif. cybersecurity technology company, releases report on attack trends on mobile phones and the rise of nation-state campaigns targeting mobile devices. It notes the maturity level of mobile security solutions lags behind traditional platforms and because of that, malicious actors are increasingly targeting mobile devices.
Jul. 30. A declassified audit by the Inspector General of the U.S. Defense Department finds that DOD employees are using more than 9,000 printers, cameras, and computers bought in 2018 containing vulnerabilities that could be used to spy or hack military personnel and facilities. It also notes that the department’s list of approved commercial products still includes some that can pose cyber risks, including computers made by Lenovo Group, China’s largest computer manufacturer, whose products, according to U.S. authorities, contain cyberespionage hardware and software.
Jul. 30. U.S. District Judge John Koeltl rejects lawsuit by the Democratic National Committee against Trump campaign, the Russian government, WikiLeaks, and various Trump campaign officials over alleged involvement in the hacking of Democratic Party email accounts during the 2016 presidential campaign.
Jul. 26. U.S. Senate Intelligence Committee releases report revealing all 50 states were probably targeted by Russia for attempted vote manipulation. It says the Russian government conducted various intelligence-related activities against U.S. election infrastructure at both state and local level, which began as early as 2014 and continued until at least 2017.
Jul. 24. German public broadcasters BR and NDR report that Winnti, a hacker group believed to be connected to China, is targeting high-tech, chemical, and pharmaceutical companies in Japan, France, the U.S., and Germany for industrial espionage. It also notes the group has attacked video game companies, including Valve, which owns the Steam gaming platform.
Jul. 24. Former Special Counsel Robert Mueller, testifying before Congress, warns lawmakers that Russia and other nations are likely to attempt to interfere with the 2020 elections.
Jul. 23. FBI Director Christopher Wray tells graduating class of FBI National Academy at Quantico, Va. that China is a bigger espionage threat than any other country. He notes that the FBI has more than 1,000 active investigations into intellectual property theft linked to the Beijing government.
Jul. 20. The Mirror, a UK newspaper, reports intelligence agencies GCHQ and MI6 are investigating reports that Iran lured a British oil tanker into its waters by spoofing GPS coordinates using Russian technology. The Stena Impero was seized by the Iranians July 19 in retaliation for the UK detaining an Iranian tanker in Gibraltar early in the month.
Jul. 19. Wall Street Journal reports U.S. downs Iranian drone using MADIS — Marine Air Defense Integrated System — which jams a drone’s communications, forcing it to crash. It’s also believed that MADIS also has the capability to shoot down drones.
Jul. 17. Microsoft reports that in the past year, it has notified nearly 10,000 customers they’ve been targeted or compromised by nation-state attacks. It says about 84 percent of these attacks targeted enterprise customers, and about 16 percent targeted consumer personal email accounts. It adds that while many of the attacks were unrelated to the democratic process, the data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives.
Jul. 16. Washington Post reports National Republican Congressional Committee will be offering GOP candidates cybersecurity assistance to protect them from foreign hacking operations. Services include staff training, software patching, and a free suite of anti-hacking tools.
Jul. 15. CNN reports that WikiLeaks founder Julian Assange received in-person deliveries, potentially of hacked materials related to the 2016 U.S. election, during a series of suspicious meetings at the Ecuadorian embassy in London. It says that despite being confined to the embassy while seeking safe passage to Ecuador, Assange met with Russians and world-class hackers at critical moments, frequently for hours at a time, and acquired powerful new computing and network hardware to facilitate data transfers just weeks before WikiLeaks received hacked materials from Russian operatives.
Jul. 14. Israeli Defense Forces reveals that Hamas terrorists have been attempting to use WhatsApp to collect secret information from Israeli soldiers. It says a number of IDF paratroopers reported such online encounters, noting that they were requested to share information on their unit’s training schedules and troop movements.
Jul. 13. Hacking group 0v1ru$ breaches information systems of SyTech, a contractor for Russia’s national intelligence service, the FSB, and steals 7.5TB of data, as well as defacing the company’s site. Data included information on projects to collect data on social media users, to remove anonymity from Tor traffic, to penetrate P2P networks like those used for torrents, and to create a closed internet for storing highly sensitive information.
Jul. 11. U.K. Foreign Minister Sir Alan Duncan tells members of House of Commons no evidence has been found that emails of Sir Kim Darroch, former ambassador to the United States were hacked. Darroch resigned his post after his emails critical of President Donald J. Trump were leaked to the public.
Jul. 10. Indian Army issues directive to its officers to avoid being part of any social media group with non-serving persons as members. It instructs all officers to exit WhatsApp and other social media, save for those with serving officers whose identity can be verified. It also restricts family members from posting information about serving officers to social media platforms.
Jul. 9. Yahoo News reports that a conspiracy theory centered on the death of Seth Rich, a Democratic National Committee staffer, stemmed from a fake report by Russian intelligence agents. It says the agents circulated a phony “bulletin” on the Internet about Rich being gunned down by a squad of assassins hired by Hilliary Clinton just three days after the staffer was killed by what police believe was a botched robbery.
Jul. 8. U.S. Coast Guard issues marine safety alert following “cyber incident” on a deep draft vessel bound for the port of New York and New Jersey. It says while computer system performance was degraded by the incident, the vessel’s control systems were unaffected.
Jul. 5. Researchers at Finite State and ReFirm Labs reveal firmware scans of 558 Huawei products discovered an average of 102 vulnerabilities per product, at least a quarter of the flaws severe enough to let a hacker gain full access to the device. “These are some of the worst devices we’ve ever tested,” Finite State founder Matt Wyckhouse told Breaking Defense.
Jul. 3. Alistair Cunningham of Wiltshire Council in the U.K. tells committee of Parliament that massive Denial of Service attacks were launched by Russia and rogue states on police and council computers following an assassination attempt on former Russian spy Sergei Skripal and his daughter Yulia in Salisbury. Cunningham says traffic at the sites went up tenfold, crippling use of the systems.
Jul. 2. The Guardian reports Chinese border police are secretly installing surveillance apps on the phones of travelers entering the Xinjiang region, where Beijing has restricted the freedoms of the local Muslim population. It says the software extracts emails, texts, and contacts, as well as information about the handset itself.
Jul. 2. U.S. Cyber Command posts tweet revealing it has found malicious use of an Outlook vulnerability patched by Microsoft in 2017 and recommends immediate patching, if not already done so. ZDNet notes that the flaw, which allows an attacker to escape from the Outlook sandbox and run malicious code on an underlying operating system, has been weaponized by Iranian hackers to infect systems.
– John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security.