Архив рубрики: Spy

Russian Military Spy Software is on Hundreds of Thousands of Home Routers

In May, the Justice Department told Americans to reboot their routers. But there’s more to do — and NSA says it’s up to device makers and the public.

LAS VEGAS — The Russian military is inside hundreds of thousands of routers owned by Americans and others around the world, a top U.S. cybersecurity official said on Friday. The presence of Russian malware on the routers, first revealed in May, could enable the Kremlin to steal individuals’ data or enlist their devices in a massive attack intended to disrupt global economic activity or target institutions.

On May 27, Justice Department officials asked Americans to reboot their routers to stop the attack. Afterwards, the world largely forgot about it. That’s a mistake, said Rob Joyce, senior advisor to the director of the National Security Agency and the former White House cybersecurity coordinator.

“The Russian malware is still there,” said Joyce.

On May 8, cybersecurity company Talos observed a spike in mostly Ukrainian victims of a new malware attack. Dubbed VPNFilter, the malware used code similar to the BlackEnergy tool that Russian forces have used (in modified form) to attack Ukrainian infrastructure. The U.S. intelligence community believes the culprits are the hackers known as APT 28 or Fancy Bear, Russian military operatives who were behind information attacks against the Democratic National Committee, State Department, and others. The new malware, if activated, could allow the Russian military to peer into the online activities of hundreds of thousands of people.

“The Cisco-Talos reports on the incident estimated hundreds of thousands of devices affected worldwide,” Joyce said.

Specifically, the May 23 report said, at least 500,000 victims in up to 54 countries.

The malware executes in three stages, according to the Talos report. The first stage is akin to a tick burrowing into a victim’s skin, to “dig in” with its teeth by changing the infected devices’ non-volatile persistent memory, the portion of the memory that persists even after the machine is turned off. During this phase, the malware also establishes links to any servers it finds.

Stages two and three are about receiving and executing the orders. These could include: stealing traffic data from the victim (via port 80), launching “man in the middle” attacks, using the router as a platform to attack other computers as part of a botnet, or overwriting the memory on the router to render it unusable.

The U.S. government effort to stop the attack “was effective at knocking down their command and control. But — and this is a ‘but’ we haven’t seen talked about that much — there was a persistent ‘stage one’ on all of those routers,” said Joyce. “If it was at a stage-two or stage-three implant, it knocked it back to one, which was power- and reboot-persistent. At that point, we couldn’t call back out via those two methods to re-establish command and control,” he told the crowd.

Bottom line: “It’s still on those routers and if you know the wake-up knock you can go in, control those routers, and put a stage two or three back on them… What do you think the odds are that the actors in Russia who put those down have the addresses of the places where the put the malware? I think it’s pretty high,” he said.

What’s needed now, Joyce said, is for government, industry, and cybersecurity professionals to find a way to straightforwardly tell individuals how to detect the presence of the malware on their routers and then to restore the device to its trustworthy state. The government won’t be able to do that for them “because, again, these are consumer devices…That’s the sort of thing we’re up against.”

Joyce served as the head of the NSA’s elite tailored access operations division. In effect, he was the official who presided over the NSA’s most sophisticated hacking research before joining the White House as cybersecurity coordinator. In April, the White House announced that Joyce would leave that job to return to the NSA, where he currently serves as an advisor to the director, Army Gen. Paul Nakasone, who also heads the military’s U.S.Cyber Command.

He used the majority of his Friday talk at DEFCON to focus on China, Russia, Iran, and North Korea and their malicious behavior online.

Like other cybersecurity professionals, he said that North Korea’s malicious targeting of financial institutions, particularly South Korean e-currency exchanges, was likely to continue. He also said that he expected to see probing of newly deployed missile defense radars and batteries in the region, such as Terminal High Altitude Area Defense, or THAAD, in South Korea.

Iranian hackers also pose a threat, Joyce said, saying that the demise of the Iran nuclear deal hinted at more attacks to come.

“When bilateral relations between Iran and Saudi Arabia decreased, we think that was a major factor in that January 2017 data deletion attacks in Saudi,” he said, referring to an incident where Iran state-backed hackers attacked 15 Saudi government and media targets with malware that was strikingly similar to the 2012 ‘Shamoon’ malware that Iran deployed against Saudi oil interests. “As we move to a point where the U.S. has just re-imposed sanctions on Iran, there’s a lot of focus on, ‘How are they going to respond?’”

Source

Israel Hacked Kaspersky, Caught Russian Spies Hacking American Spies

kaspersky-hacking-news

The cold cyber war has just turned hot.

According to a story published today by the New York Times, Israeli government hackers hacked into Kaspersky’s network in 2015 and caught Russian government hackers red-handed hacking US government hackers with the help of Kaspersky.

In other words — Russia spying on America, Israel spying on Russia and America spying on everyone.

What the F^#% is going around?

It is like one is blaming another for doing exactly the same thing it is doing against someone else. Wow!

Well, the fact that everyone is spying on everyone is neither new nor any secret. However, somehow now Kaspersky Labs is at the centre of this international espionage tale for its alleged devil role.

Just last week, the Wall Street Journal, an American media agency, published a story against the Kaspersky, a Russian antivirus provider, claiming that the Russian government hackers stole highly classified NSA documents and hacking tools in 2015 from a staffer’s home PC with the help of Kaspersky Antivirus.

Even if the incident is real, quoting multiple anonymous sources from US intelligence community, Wall Street Journal article failed to provide any substantial evidence to prove if Kaspersky was intentionally involved with the Russian spies or some hackers simply exploited any zero-day vulnerability in the Antivirus product.

Now, the latest NYT story, again quoting an anonymous source from Israeli Intelligence Agency, seems another attempt to justify the claims made by WSJ article about Russians hacking NSA secrets.

«The role of Israeli intelligence in uncovering [the Kaspersky Labs] breach and the Russian hackers’ use of Kaspersky software in the broader search for American secrets have not previously been disclosed,» the NYT reported.

According to the report, United States officials began an immediate investigation in 2015 after Israel officials notified the U.S. National Security Agency (NSA) about the possible breach.

Indeed, in mid-2015, Moscow-based Kaspersky Lab detected sophisticated cyber-espionage backdoor within its corporate network and released a detailed report about the intrusion, although the company did not blame Israel for the attack.

At the time, Kaspersky said that some of the attack code the company detected shared digital fingerprints first found in the infamous Stuxnet worm, same malware which was developed by America and Israel to sabotage Iran’s nuclear program in 2010.

This suspicion of malicious Kaspersky’s behaviour eventually leads the U.S. Department of Homeland Security (DHS) to ban and remove Kaspersky antivirus software from all of its government computers.

Moreover, just last month, the U.S. National Intelligence Council shared a classified report with NATO allies concluding that the Russian FSB intelligence agency had access to Kaspersky’s databases and as well as the source code.

However, Kaspersky Lab has always denied any knowledge of, or involvement in, any cyber espionage operations.

«Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,» Kaspersky’s founder Eugene Kaspersky said in a statement.

Eugene today also announced that he has just launched an internal investigation to cross-check if United States LEA has relevant facts.

Eugene previously admitted there’s a possibility that NSA hacking tools could have been picked up as malware by their Anti-malware scanner because antivirus products are designed to work in that way.

«We absolutely and aggressively detect and clean malware infections no matter the source,» the antivirus company said.

Until now it is quite tough to judge if Kaspersky was involved in any wrongdoing, but the ball is in America’s court, who has to provide the actual evidence to the world about the highly classified Israeli counter-intelligence operation.

Межправительственный шпионаж будет главным мотивом кибератак в 2013 году

Эксперты наблюдают серьезный рост целевых атак, использующих не универсальные способы взлома.

ЛабораторияКасперского,один из лидеров рынка защитного ПО, опубликовала краткий перечень угроз, потрясших ИБ сферу в уходящем 2012 году, а также список проблем, на которые, возможно, придется реагировать в наступающем 2013 году. По мнению исследователей, в ближайшее время нас ожидают первые серьезные инциденты безопасности в облачных сетях, новые угрозы дляMac-систем,а также развитие рынка эксплоитов для мобильных платформ.

По мнению сотрудников ЛК, при всей разнокалиберности угроз 2013 года, наибольшее масштабные и сложные кибератаки в этот период будут проводится в целях промышленного шпионажа. Компьютерные системы окончательно утвердятся как одно из «холодных» полей сражений, наряду с экономическим и политическим противостояниями.

Последние два года эксперты ЛК наблюдают рост целевых атак, направленных на конкретные сети. При этом нецелевые атаки, в ходе которых вирусописатель использует универсальные техникивзломаи, например, размещает свой инструмент на популярныхсайтах,также сохраняют свою популярность, в частности, при сборе данных с серверов определенных государственных организаций.

«Мы вступаем в век холодной «кибервойны», в который нации имеют возможность противостоять одна другой, не сдерживая себя ограничениями, принятыми во время войны в реальном мире. Заглядывая вперед, мы можем ожидать развития кибероружия со стороны многих стран, разработанного для кражи данных и нарушения работы систем, не в последнюю очередь потому, что кибероружие создать дешевле, чем настоящее оружие», — отмечают исследователи.

С публикацией Лаборатории Касперского можно ознакомитьсяздесь.

Подробнее:http://www.securitylab.ru/news/433371.php