Proactive Computing | Optimizing IT for usability, performance and reliability since 1997

Category: #Russia


US government strikes back at Kremlin for SolarWinds hack campaign


(Image credit: Matt Anderson Photography/Getty Images)

US officials on Thursday formally blamed Russia for backing one of the worst espionage hacks in recent US history and imposed sanctions designed to mete out punishments for that and other recent actions.

In a joint advisory, the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency said that Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply-chain attack on customers of the network management software from Austin, Texas-based SolarWinds.

The operation infected SolarWinds’ software build and distribution system and used it to push backdoored updates to about 18,000 customers. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations. Besides the SolarWinds supply-chain attack, the hackers also used password guessing and other techniques to breach networks.



Source: https://arstechnica.com/tech-policy/2021/04/us-government-strikes-back-at-kremlin-for-solarwinds-hack-campaign/
Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Dan Goodin

FBI charges woman with stealing Pelosi laptop and trying to send it to Russian intelligence

Riley Williams, a 22-year-old woman who allegedly participated in the attack on the U.S. Capitol, has been charged by the FBI over her role in the riot. NBC News’s Tom Winter reports that she “told a former partner that she intended to take a laptop / hard drive stolen from Pelosi’s office, ship it to Russia, where a friend would turn it over to the SVR.”

Source: https://boingboing.net/2021/01/18/fbi-charges-woman-with-stealing-pelosi-laptop-and-trying-to-send-it-to-russian-intelligence.html
The Article Was Written/Published By: Rob Beschizza

Nuclear weapons agency updates Congress on hacking attempt


The Department of Energy and the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile, told congressional staffers in several briefings this week that there is currently no known impact to its classified systems from a massive hack that targeted its networks, according to an official with direct knowledge of the briefings.

The officials told staffers, however, that the incident has proven how difficult it is to monitor the Energy Department’s unclassified systems, and acknowledged that an issue with a network extension within the Office of Secure Transportation — which specializes in the secure transportation of nuclear weapons and materials — had been discovered.

Energy Secretary Dan Brouillette, DOE’s Chief Information Officer Rocky Campione, and NNSA CIO Wayne Jones all participated in the briefings to the relevant congressional oversight bodies.

The officials told congressional staffers that there was an attempt to breach Los Alamos National Laboratory and the nuclear administration’s field office in Nevada through the vulnerability in software developed by SolarWinds — a company whose IT management tools are used across the government. The supply-chain attack has affected dozens of federal and private sector entities, which were exploited by suspected Russian hackers as early as March of this year.

The officials said they do not consider either the lab or the field office to have been compromised, and noted that all national labs have been instructed to shut down and fully remove SolarWinds products from their systems.

Still, the department’s investigation is ongoing, the officials said, and neither DOE nor NNSA has a full picture of the impact of the hack — or what it will cost to fix it. The officials said it will probably be expensive to mitigate the damage and prevent it from happening again, but that they are still determining what kind of extra funding and resources the department will need.

The internal investigation has been complex and time-consuming because the compromised SolarWinds software was used widely throughout the nuclear security administration, officials told the staffers — including at the Los Alamos, Lawrence Livermore, and Sandia national labs; NNSA headquarters; NNSA’s Emergency Communication Network; NNSA’s Mixed Oxide Fuel Fabrication Facility, where fuel is made for reactors; the Nevada National Security Site, a disposal site; and Naval Reactors, which provides propulsion plants for nuclear-powered ships.

DOE first found evidence of the hack last Monday, officials familiar with the matter said, and began coordinating notifications about the breach to their congressional oversight bodies on Thursday after being briefed by Campione, who oversees DOE’s cybersecurity. Campione told DOE officials last week that, in addition to the labs and the Office of Secure Transportation, suspicious activity had also been found in networks belonging to the Federal Energy Regulatory Commission (FERC), which stores sensitive data on the nation’s bulk electric grid.

Shaylyn Hynes, a DOE spokesperson, said in a statement last week that an ongoing investigation into the hack had found that the perpetrators did not get into critical defense systems.

“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration,” Hynes said. “When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”

Source: https://www.politico.com/news/2020/12/22/nuclear-weapons-agency-congress-hacking-450184
The Article Was Written/Published By: Natasha Bertrand

Microsoft says hackers backed by Russia and North Korea targeted COVID-19 vaccine makers


Microsoft has revealed that hackers backed by Russia and North Korea have targeted pharmaceutical companies involved in the COVID-19 vaccine development efforts.

The technology giant said Friday that the attacks targeted seven companies in the U.S., Canada, France, India, and South Korea. But while it blocked the “majority” of the attacks, Microsoft acknowledged that some were successful.

Microsoft said it had notified the affected companies, but declined to name them.

“We think these attacks are unconscionable and should be condemned by all civilized society,” said Tom Burt, Microsoft’s customer security and trust chief, in a blog post.

The technology giant blamed the attacks on three distinct hacker groups. The Russian group, which Microsoft calls Strontium but is better known as APT28 or Fancy Bear, used password-spraying attacks against its victims; such attacks typically rely on commonly recycled or reused passwords. Fancy Bear may be best known for its disinformation and hacking operations in the run-up to the 2016 presidential election, but the group has also been blamed for a string of other high-profile attacks against media outlets and businesses.

The other two groups are backed by the North Korean regime, one of which Microsoft calls Zinc but is better known as the Lazarus Group, which used targeted spearphishing emails disguised as recruiters in an effort to steal passwords from their victims. Lazarus was blamed for the Sony hack in 2016 and the WannaCry ransomware attack in 2017, as well as other malware-driven attacks.

But little is known about the other North Korea-backed hacker group, which Microsoft calls Cerium. Microsoft said the group also used targeted spearphishing emails masquerading as representatives from the World Health Organization, charged with coordinating the effort to combat the COVID-19 pandemic.

A Microsoft spokesperson acknowledged it was the first time the company had referenced Cerium, but the company did not offer more.

This is the latest effort by hackers trying to exploit the COVID-19 pandemic for their own goals. Earlier this year, the FBI and Homeland Security warned that hackers would try to steal coronavirus vaccine research.

Today’s news coincides with the Paris Peace Forum, where Microsoft president Brad Smith will urge governments to do more to combat cyberattacks against the healthcare sector, particularly during the pandemic.

“Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law,” Burt said. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate — or even facilitate — within their borders.”


Source: https://techcrunch.com/2020/11/13/microsoft-russia-north-korea-hackers-coronavirus-vaccine/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
The Article Was Written/Published By: Zack Whittaker

Russia’s Fancy Bear hackers likely penetrated a federal agency

(Image credit: Boris SV | Getty Images)

A warning that unidentified hackers broke into an agency of the US federal government and stole its data is troubling enough. But it becomes all the more disturbing when those unidentified intruders are identified—and appear likely to be part of a notorious team of cyberspies working in the service of Russia’s military intelligence agency, the GRU.

Last week the Cybersecurity and Infrastructure Security Agency published an advisory that hackers had penetrated a US federal agency. It identified neither the attackers nor the agency, but it did detail the hackers’ methods and their use of a new and unique form of malware in an operation that successfully stole target data. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest a likely answer to the mystery of who was behind the intrusion: They appear to be Fancy Bear, a team of hackers working for Russia’s GRU. Also known as APT28, the group has been responsible for everything from hack-and-leak operations targeting the 2016 US presidential election to a broad campaign of attempted intrusions targeting political parties, consultancies, and campaigns this year.


Source: https://arstechnica.com/?p=1711453
The Article Was Written/Published By: WIRED

Russia, China and Iran trying to hack presidential race, Microsoft says


Russian, Chinese and Iranian hackers have mounted cyberattacks against hundreds of organizations and people involved in the 2020 presidential race and U.S.-European policy debates, with targets including the campaigns of both Donald Trump and Joe Biden, Microsoft said Thursday.

The report is the most expansive public warning to date about the rapid spread of foreign governments’ efforts to wield hackers to undermine U.S. democracy.

The perpetrators include the same Kremlin-aligned Russian hacking group whose thefts and leaks of confidential Democratic Party documents helped torpedo Hillary Clinton’s presidential hopes in 2016, said Microsoft, which offers products designed to detect such attacks.

Targets this time include the Trump and Biden campaigns, administration officials and an array of national and state parties, political consultants and think tanks, as well as groups such as the German Marshall Fund and Stimson Center that promote international cooperation.

“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated,” Microsoft said in a blog post. It added that its security tools detected and blocked “the majority of these attacks.”

The company did not answer numerous questions from POLITICO seeking more details about the attacks.

The revelations come amid a feud between congressional Democrats and the administration over what it knows about foreign threats against the election, in particular the Democrats’ accusations that Trump’s intelligence leaders are failing to alert the public about the Kremlin’s activities. Trump and his supporters have pushed a message that the Chinese are trying to help Biden — a claim not supported by intelligence officials, who have told POLITICO that Russia’s efforts pose the most active and acute danger.

An official intelligence community statement last month said China prefers that Trump not be reelected, that Russia is denigrating Biden and that Iran is undermining the president.

Some of the hackers’ targets confirmed Microsoft’s reporting, though none said the cyberattacks had succeeded.

“As President Trump’s re-election campaign, we are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff,” said Thea McDonald, deputy press secretary for the president’s campaign team. “We work closely with our partners, Microsoft and others, to mitigate these threats. We take cybersecurity very seriously and do not publicly comment on our efforts.”

Likewise, the Republican National Committee has “been informed that foreign actors have made unsuccessful attempts to penetrate the technology of our staff members,” an RNC spokesperson said.

Biden’s campaign did not immediately respond to a request for comment.

Microsoft has also alerted SKDKnickerbocker, one of Biden’s chief communications and strategy firms, that Russian hackers had unsuccessfully targeted its networks, Reuters said early Thursday ahead of the report’s release. Those attempts also failed, Reuters reported. The firm did not respond to later requests for comment.

The attacks on the Stimson Center were first observed in May, spokesperson David Solimini said, and Microsoft notified the think tank about the nature and source in late July. He and German Marshall Fund spokesperson Sydney Simon both said they’d seen no evidence that the attacks succeeded.

Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Microsoft’s findings are “consistent with earlier statements by the Intelligence Community on a range of malicious cyber activities targeting the 2020 campaign.”

“It is important to highlight that none [of the targets] are involved in maintaining or operating voting infrastructure and there was no identified impact on election systems,” Krebs said in a statement. He added, “Everyone involved in the political process should stay alert against these sorts of attacks.”

The Treasury Department announced its own steps to combat Kremlin interference Thursday, saying it had designated the pro-Russian Ukrainian lawmaker Andriy Derkach for sanctions for promoting discredited allegations against Biden.

Graham Brookie, director of the Atlantic Council’s Digital Forensic Research Lab, confirmed that his group had been the target of apparently unsuccessful attacks from Chinese hackers, but cautioned that those did not appear election-related.

“It is not surprising that we would be targeted by China, based on the substance of our work,” Brookie said. “This appeared to be about information gathering and espionage as opposed to election interference of any kind.”

Among other details, Microsoft reported that:

— The hacking group popularly known as Fancy Bear, which is linked to Russian military intelligence and played a major role in the 2016 attacks on Democrats, has gone after more than 200 organizations in recent months. The targets include political campaigns, national and state party organizations, consultants for both parties and think tanks. (The group is also known as APT28, and Microsoft refers to it as Strontium.)

— A Chinese hacking group called Zirconium or APT31 has attacked high-profile people in Biden’s campaign and at least one prominent person in Trump’s campaign, the tech giant said.

— Phosphorus, an Iranian hacker group often called Charming Kitten, has gone after Trump campaign staffers and administration officials.

Microsoft’s blog post said that it had blocked the majority of the attacks.

The company’s analysis offered some new details on the hackers’ methods.

For instance, in 2016 the Russian group primarily relied on so-called spearphishing, which tricks victims into clicking on malicious email links to gain access to documents that it later released through outlets like WikiLeaks. But in recent months, Russia has shifted toward more crude “brute force” attacks and a technique called password spray, in which hackers input many passwords in a bid to guess their way into a system.

“Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service,” wrote Tom Burt, corporate vice president for customer security and trust. “Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
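The two paragraphs above describe the technique from the defender's side: a password spray tries a few common passwords against many accounts, and rotating the source IPs keeps any single address below the thresholds a simple per-IP rule would trip. The script below is an added example written for this page, not code from Microsoft or from the article; it runs a detection over a constructed authentication log (the timestamps, usernames and IP addresses are made up, and the thresholds are assumptions a real deployment would tune). It flags both the classic single-source spray and the distributed, low-per-IP pattern, while leaving a repeated-failure brute force against one account to a separate rule.

```python
"""Password-spray detection over a constructed auth log (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

# Constructed sample log, format: "timestamp result user source_ip".
# Lines 1-6: one IP tries one password against six accounts (single-source spray).
# Lines 7-12: six different IPs each try one account once (distributed spray).
# Lines 13-16: one account fails repeatedly from one IP (brute force, not a spray).
# Line 17: an ordinary successful login.
SAMPLE_LOG = """\
2020-09-10T08:00:01Z FAIL alice 203.0.113.5
2020-09-10T08:00:03Z FAIL bob 203.0.113.5
2020-09-10T08:00:05Z FAIL carol 203.0.113.5
2020-09-10T08:00:07Z FAIL dave 203.0.113.5
2020-09-10T08:00:09Z FAIL erin 203.0.113.5
2020-09-10T08:00:11Z FAIL frank 203.0.113.5
2020-09-10T09:10:00Z FAIL grace 198.51.100.10
2020-09-10T09:11:00Z FAIL heidi 198.51.100.11
2020-09-10T09:12:00Z FAIL ivan 198.51.100.12
2020-09-10T09:13:00Z FAIL judy 198.51.100.13
2020-09-10T09:14:00Z FAIL mallory 198.51.100.14
2020-09-10T09:15:00Z FAIL oscar 198.51.100.15
2020-09-10T10:00:00Z FAIL peggy 192.0.2.7
2020-09-10T10:00:01Z FAIL peggy 192.0.2.7
2020-09-10T10:00:02Z FAIL peggy 192.0.2.7
2020-09-10T10:00:03Z FAIL peggy 192.0.2.7
2020-09-10T11:00:00Z OK alice 203.0.113.77
"""


def parse_log(text):
    """Parse log lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events


def bucket_failures(events, window):
    """Group failed logins into fixed-size time buckets keyed by bucket index."""
    buckets = defaultdict(list)
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue
        buckets[(ts - EPOCH) // window].append((user, ip))
    return buckets


def detect_spray(events, window=timedelta(hours=1), min_users=5, min_ips=5, max_per_user=2):
    """Return spray findings per window. Thresholds are assumed values, not from the article."""
    findings = []
    for key, fails in bucket_failures(events, window).items():
        start = EPOCH + key * window
        users_by_ip = defaultdict(set)
        fails_by_user = defaultdict(int)
        for user, ip in fails:
            users_by_ip[ip].add(user)
            fails_by_user[user] += 1

        # Single-source spray: one address touches many distinct accounts.
        for ip, users in users_by_ip.items():
            if len(users) >= min_users:
                findings.append({"kind": "single_source_spray", "window_start": start,
                                 "source_ip": ip, "users": sorted(users)})

        # Distributed spray: many accounts each fail only a few times, from many
        # addresses that individually stay under the single-source threshold
        # (the rotating-IP pattern). A single account failing many times from one
        # address is a brute force and is deliberately excluded here.
        quiet_ips = {ip for ip, users in users_by_ip.items() if len(users) < min_users}
        sprayed_users = {u for u, ip in fails
                         if ip in quiet_ips and fails_by_user[u] <= max_per_user}
        if len(sprayed_users) >= min_users and len(quiet_ips) >= min_ips:
            findings.append({"kind": "distributed_spray", "window_start": start,
                             "source_ips": sorted(quiet_ips), "users": sorted(sprayed_users)})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the script reports exactly two findings: a single-source spray from 203.0.113.5 in the 08:00 window and a distributed spray across six addresses in the 09:00 window; the repeated failures for one account at 10:00 are not reported as a spray. In production the same aggregation would be fed by the identity provider's sign-in logs, and the thresholds would be set from the organisation's own baseline of distinct accounts per source per hour.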

This is far from the first time that a company in the cybersecurity business, not the federal government, has been the first to go public with details about major attacks against their customers by nation-states. Previous examples include a landmark 2013 report by the cyber firm Mandiant on Chinese Army-connected hackers conducting cyber espionage against U.S. critical infrastructure like the electrical power grid.

Meridith McGraw and Natasha Bertrand contributed to this report.

Source: https://www.politico.com/news/2020/09/10/russia-china-iran-cyberhack-2020-election-411853
The Article Was Written/Published By: Tim Starks