Experts link Shadow Brokers and Russia – Yahoo Finance


‘The perfect cyberespionage attack’

The precise sources of the classified material leaked by Shadow Brokers — as well as the specific individuals behind the group — are not clear. 

In December, a developer working in the NSA’s elite Tailored Access Operations (TAO) hacking unit pleaded guilty to taking home classified tools that are believed to have been stolen by hackers working for Russian intelligence. The employee, Nghia Hoang Pho, 67, had been using Kaspersky software on his home computer, where he stored the NSA files. Kaspersky said that it had retrieved classified NSA tools through its antivirus software — but claimed to have deleted the information.

In any case, a recent technical analysis by security researcher Patrick Wardle clearly demonstrated how signatures sent by antivirus software like Kaspersky’s could be used to surreptitiously detect and exfiltrate classified documents.

Wardle, chief research officer at Digita Security, told Yahoo Finance that he based the experiment on the question: “Could I create a signature that would seamlessly integrate into [Kaspersky’s] existing antivirus engine that would, instead of looking for malware, look for classified documents?”

The former NSA hacker said that he found “the answer is resoundingly yes, and this is just by nature of what antivirus tools do: They scan for stuff.”

After Wardle explained the process to the New York Times, Kaspersky stated that “it is not possible for Kaspersky Lab products to secretly deliver a specific signature or update to a single user.”

Wardle, who reverse-engineered Kaspersky’s product and tweaked one of the signatures as part of his experiment, doesn’t believe the company’s claim. “It was interesting that Kaspersky didn’t say, ‘We don’t do that.’ They said, ‘It would be impossible to do that,’” Wardle told Yahoo Finance. “[But] they control the update server. You could just filter on IP address, and when that IP address comes in, you could hand it a different set of signatures. So the fact that they said it was impossible to do is very interesting because this is software they control. It’s not impossible — that’s ridiculous.”

In the conclusion of his analysis, Wardle asserted that “a malicious or willing insider within any antivirus company who could tactically deploy such a signature would likely remain undetected.” Furthermore, “any antivirus company that is coerced to, or is willing to, work with a larger entity (such as a government) would equally be able to stealthily leverage their product to detect and exfiltrate any files of interest.”

These circumstances, according to Wardle, make using antivirus software in this way “the perfect cyberespionage attack.”

Kennedy, citing Wardle’s research, noted that Pho and others like him — NSA employees or contractors running Kaspersky software on home computers containing classified information — would be the targets of this particular Russian espionage operation.

Shadow Brokers leaks ‘like throwing a grenade in the room’

What is particularly striking about the Shadow Brokers leaks is that they became public.


“If you look at what [Russia] burned with the Shadow Brokers dump, those were very good capabilities,” Kennedy said. “You’re talking an exploit that can essentially open any Windows machine that you want to, as well as a number of arsenals around Linux, as well as operations regarding what the U.S. was conducting with the Equation Group. There was a lot of actionable intelligence for Russia,” Kennedy said. “What’s interesting is that they dumped it. And so why did they dump something so valuable?”

The Equation Group, a code name related to the NSA’s TAO hacking, was first publicly detailed by Kaspersky in February 2015. In October 2016, after the Shadow Brokers began leaking NSA tools, the enigmatic group announced that it was holding an auction for Equation Group tools and then canceled the auction.

The latest Shadow Brokers leak of NSA tools occurred in April 2017 and was followed by cyberattacks that leveraged some of the published code. (The CIA reportedly attributed one of those attacks, which primarily targeted Ukraine and erased data from target computers, to a specialized division of Russia’s GRU military intelligence agency.)

Kennedy, a former U.S. Marines hacker, said that his “purely hypothetical speculation would be that Russia was severely at a disadvantage when it came to our cyber-capabilities and how we were conducting our operations. And they used this method [of stealing U.S. classified tools and leaking them through Shadow Brokers] as a way to weaken and remove a lot of our capabilities to establish some level of dominance again.”

Leaking the Shadow Brokers material, according to the former senior U.S. official who spoke with Yahoo Finance, “is like throwing a grenade in the room. Who cares who you kill? You’re just creating mayhem. You’re disturbing the natural order.”

The former official added: “You throw that stuff out there and our heads are exploding over it. And it serves two purposes: It ties up our resources in trying to address it, to counter it, to shut it down. At the same time, it’s tying up our resources in one place, and what are they doing in another place? What are they doing with the quiet tools? What are they doing while we’re distracted?”

Kennedy noted that the Shadow Brokers situation is just one part of the much larger intelligence game between the U.S. and Russia.

“Why this is so fascinating is that we are now seeing 1/100th of what’s really going on,” Kennedy said. “And that’s what’s unique. This information warfare game that we’re seeing right now is nothing new. We’ve been doing it forever, they’ve been doing it forever — it’s the way that the world works and how we conduct and gain intelligence. … How did we win World War II? Through signals intelligence.”

Kennedy explained that different countries use different techniques and tactics when it comes to modern cyber-operations. The U.S., for example, tends to leverage adversary information by bolstering vulnerable systems or planting false data. Russia, meanwhile, has increasingly exposed U.S. operations in an attempt to neutralize them.

“We have exploit code from Russia. We have capabilities that Russia has used,” Kennedy noted. “The difference is that instead of using [stolen NSA code] for intelligence purposes, Russia used it to destroy our intelligence purposes, which is really one of the first times that we’ve seen that.”

Follow Michael on Twitter @MichaelBKelley.

Russian hackers are heavily targeting the US Senate, says Trend Micro


The same Russian hackers that broke into the Democratic National Convention in 2016 are also responsible for numerous cyberattacks against the U.S. Senate and other government groups, according to a new report released today by cybersecurity firm Trend Micro Inc.

Trend Micro attributed multiple attacks to Russian hacker group Pawn Storm, including a phishing site that mimicked the Active Directory Federation Services of the U.S. Senate, which manages access to internal secure systems. Trend Micro researcher Rik Ferguson told the Associated Press the company is “100 percent sure that [the attacks] can [be] attributed to the Pawn Storm group.”

The report did not confirm if any of the phishing attempts have been successful, and Trend Micro noted that the Senate’s ADFS is normally not reachable on the open internet, so Pawn Storm would not be able to directly access the system using stolen credentials. However, the firm also said the compromised login information could still be used by any bad actors, such as Russian spies, who may have gained physical access to the Senate’s network.

Trend Micro expects politically motivated cyberattacks from groups such as Pawn Storm to continue to be a serious problem in 2018, especially during the upcoming Winter Olympics. “Rogue political influence campaigns are not likely to go away in the near future,” Feike Hacquebord, a senior threat researcher at Trend Micro, wrote in the report. “Political organizations have to be able to communicate openly with their voters, the press and the general public. This makes them vulnerable to hacking and spear phishing.”

Hacquebord added that secure government networks are not the only target, as social media has also become a key focus for state-sponsored hackers. “Social media platforms continue to form a substantial part of users’ online experience, and they let advertisers reach consumers with their message,” said Hacquebord. “This makes social media algorithms susceptible to abuse by various actors with bad intentions. Publishing stolen data together with spreading fake news and rumors on social media gives malicious actors powerful tools.”

Photo: Geoff Livingston, “The Dark Capitol,” via photopin (license)
