
Nation-States and International Threats - 2021

A round-up of global and international cybersecurity news.

December

Pegasus spyware used to hack U.S. diplomats working abroad 

PUBLISHED: Dec. 3, 2021 

Apple has alerted 11 U.S. Embassy employees that their iPhones have been hacked in recent months with Pegasus spyware from NSO Group, an Israel-based company that licenses software to government clients in dozens of countries that allows them to secretly steal files, eavesdrop on conversations and track the movements of its targets, according to people familiar with the notifications. 

The revelation, the first confirmed cases of Pegasus being used to target American officials, comes a month after U.S. officials blacklisted the NSO Group amid allegations that its foreign government clients had enabled hacking against unspecified embassy employees, political activists, human rights workers and others. 

Pegasus can be delivered remotely without any action by the target, such as clicking on a link or notification. Once Pegasus penetrates a device, it essentially turns a smartphone into a spying device, allowing the operator — typically an intelligence or law enforcement official — to do anything the user can. That includes turning on the microphone, examining photos, emailing documents and tracking locations over time. The target's social media activity and contact lists can also be used to map their relationships with others. 

Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, said Friday, “Companies that enable their customers to hack U.S. government employees are a threat to America’s national security and should be treated as such by the government. I want to be sure the State Department and the rest of the federal government has the tools to detect hacks and respond to them quickly. Federal agencies shouldn’t have to rely on the generosity of private companies to know when their phones and devices are hacked.” 


November

Israel restricts cyberweapons export list by two-thirds, from 102 to 37 countries 

PUBLISHED: Nov. 28, 2021 

The Israeli government has restricted the list of countries to which local security firms are allowed to sell surveillance and offensive hacking tools by almost two-thirds, cutting the official cyber export list from 102 to 37 entries. The new list, obtained by Israeli business newspaper Calcalist earlier today, only includes countries with established democracies, such as those in Europe and the Five Eyes coalition. 

For sales to entities in countries not on this list, vendors must apply for a special license with the Israeli government. The list noticeably removes autocratic regimes, to which Israeli companies have often supplied surveillance tools. 

Calcalist reporters said the government did not issue any statement on the list’s update, and it is not yet clear why it was narrowed down earlier this month. However, the timing suggests the Israeli government might have been forced into this decision by its allies. 

The list’s update comes a week after Israeli and French officials held a secret meeting to discuss allegations that spyware made by the NSO Group might have been used against French president Emmanuel Macron. The update also came around the same time that the US sanctioned four surveillance vendors, including Israel’s Candiru and NSO Group. 


Organizations in multiple critical sectors breached by foreign hackers 

PUBLISHED: November 8, 2021 

Suspected foreign hackers have breached nine organizations in the defense, energy, health care, technology and education sectors -- and at least one of those organizations is in the US, according to findings from security firm Palo Alto Networks. 

Officials from the NSA and the US Cybersecurity and Infrastructure Security Agency (CISA) are tracking the threat. A division of the NSA responsible for mitigating foreign cyber threats to the US defense industrial base contributed analysis to the Palo Alto Networks report. 

Ryan Olson, a senior Palo Alto Networks executive, said that the nine confirmed victims are the "tip of the spear" of the apparent spying campaign, and that he expects more victims to emerge. It's unclear who is responsible for the activity, but Palo Alto Networks said some of the attackers' tactics and tools overlap with those used by a suspected Chinese hacking group. 

The NSA and CISA declined to comment on the identity of the hackers. 

In the activity revealed by Palo Alto Networks, the attackers are exploiting a vulnerability in software that corporations use to manage their network passwords. CISA and the FBI warned the public in September that hackers were exploiting the software flaw and urged organizations to update their systems. Days later, the hackers tracked by Palo Alto Networks scanned 370 computer servers running the software in the US alone, and then began to exploit the software. 


October

Russian SVR hacked at least 14 IT supply chain firms since May 

PUBLISHED: Oct. 25, 2021 

Microsoft says the Russian-backed Nobelium threat group behind last year's SolarWinds hack is still targeting the global IT supply chain, with 140 managed service providers (MSPs) and cloud service providers attacked and at least 14 breached since May 2021. Just as in previous attacks, the Russian state hackers used a diverse and ever-changing toolkit, including a long list of tools and tactics ranging from malware, password sprays, and token theft to API abuse and spear phishing. 

The main targets of these new attacks are resellers and technology service providers that deploy and manage cloud services and similar tech for their customers. 

Nobelium is the hacking division of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, Cozy Bear, and The Dukes. In April 2021, the U.S. government formally blamed the SVR division for coordinating the SolarWinds "broad-scope cyber espionage campaign" that led to the compromise of multiple U.S. government agencies. At the end of July, the US Department of Justice became the latest US government entity to disclose that it was affected, reporting that 27 US Attorneys' offices were breached during the SolarWinds global hacking spree. 


September

UN computer networks breached by hackers earlier this year 

PUBLISHED: Sept. 9, 2021 

Hackers breached the United Nations’ computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization. 

The hackers’ method for gaining access to the UN network appears to be unsophisticated: They likely got in using the stolen username and password of a UN employee purchased off the dark web. 

“We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” Stéphane Dujarric, spokesman for the UN Secretary-General, said in a statement on Thursday. “The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to, that are linked to the earlier breach.” 

“Traditionally, organizations like the United Nations have been targeted by nation state actors, but as cybercriminals are finding ways to more effectively monetize stolen data and as access to these organizations is more frequently available for sale by initial access brokers, we expect to see them increasingly targeted and infiltrated by cybercriminals,” said Allan Liska, a senior threat analyst at Recorded Future. 


July

US and allies accuse China of global hacking spree 

PUBLISHED: July 19, 2021 

The United States and its allies accused China on Monday of a global cyberespionage campaign, mustering an unusually broad coalition of countries to publicly call out Beijing for hacking. 

The United States was joined by NATO, the European Union, Britain, Australia, Japan, New Zealand and Canada in condemning the spying, which U.S. Secretary of State Antony Blinken said posed "a major threat to our economic and national security." 

Simultaneously, the U.S. Department of Justice charged four Chinese nationals - three security officials and one contract hacker - with targeting dozens of companies, universities and government agencies in the United States and abroad. 

While Washington and its close allies such as the United Kingdom and Canada held the Chinese state directly responsible for the hacking, others were more circumspect. 

The campaign targeted trade secrets in industries including aviation, defense, education, government, health care, biopharmaceutical and maritime industries, the Justice Department said. 


Washington sanctions Russia's cybersecurity industry in wake of Kaseya ransomware attack 

PUBLISHED: July 19, 2021 

The United States on Friday took a new stab at Russia's cybersecurity industry, restricting trade with four information technology firms and two other entities over "aggressive and harmful" activities - including digital espionage - that Washington blames on the Russian government. 

A Commerce Department posting said the six entities were sanctioned by the U.S. Treasury Department in April, which targeted companies in the technology sector that support Russian intelligence services. Their addition to the Commerce Department's blacklist means U.S. companies cannot sell to them without licenses, which are seldom granted. 

They come as the United States is responding to a drumbeat of digital intrusions blamed on Russian government-backed spies and a spate of increasingly disruptive ransomware outbreaks blamed on Russian cybercriminals. 

The United States adds entities to the Commerce Department's trade blacklist that it says pose a risk to U.S. national security or foreign policy interests. 


June

U.S. meat supply hit by suspected Russian ransomware attack on JBS, world's top meat processor 

PUBLISHED: June 1, 2021 

A ransomware attack on the world’s largest meat processing company disrupted production around the world just weeks after a similar incident shut down a U.S. oil pipeline. 

Brazil’s JBS SA, however, said late Tuesday that it had made “significant progress” in dealing with the cyberattack and expects the “vast majority” of its plants to be operating on Wednesday. 

“Our systems are coming back online and we are not sparing any resources to fight this threat,” Andre Nogueira, CEO of JBS USA, said in a statement. 

Earlier, the White House said JBS had notified the U.S. of a ransom demand from a criminal organization likely based in Russia. White House principal deputy press secretary Karine Jean-Pierre said the White House and the Department of Agriculture have been in touch with the company several times this week. 

Mark Jordan, who follows the meat industry as the executive director of Leap Market Analytics, said the disruption could be minimal assuming JBS recovers in the next few days. Meat processors are used to dealing with delays caused by a host of factors, including industrial accidents and power outages, and they make up lost production with extra shifts, he said. 


April

Remote work software compromised by China in yet another hack on U.S. 

PUBLISHED: April 21, 2021 

China is behind a newly discovered series of hacks against key targets in the U.S. government, private companies and the country’s critical infrastructure, cybersecurity firm Mandiant said Wednesday. 

The hack works by breaking into Pulse Secure, a program that businesses often use to let workers remotely connect to their offices. The company announced Tuesday how users can check whether they were affected, but said the software update that closes the hole won't go out until May. There is no indication the identified backdoors were introduced through a supply chain compromise of the company's network or software deployment process. 

The campaign is the third distinct and severe cyberespionage operation against the U.S. made public in recent months, stressing an already strained cybersecurity workforce. The U.S. government accused Russia in January of hacking nine government agencies via SolarWinds, a Texas software company widely used by American businesses and government agencies. In March, Microsoft blamed China for starting a free-for-all where scores of different hackers broke into organizations around the world through the Microsoft Exchange email program. 

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, activated its strictest emergency powers Tuesday evening, mandating that every civilian government agency scan its systems to see if they were affected by the hack and take action to fix it. Though it is historically rare for the agency to do so, this is the second emergency directive it has issued in seven weeks, the previous one having been issued for the Exchange hack. 


March

Chinese cyber-attack on Microsoft morphs into global crisis 

PUBLISHED: March 8, 2021 

A sophisticated attack on Microsoft Corp.’s widely used business email software is morphing into a global cybersecurity crisis, as hackers race to infect as many victims as possible before companies can secure their computer systems. 

The attack, which Microsoft has said started with a Chinese government-backed hacking group, has so far claimed at least 60,000 known victims globally, according to a former senior U.S. official with knowledge of the investigation. Many of them appear to be small or medium-sized businesses caught in a wide net the attackers cast as Microsoft worked to shut down the hack. 

One U.S. cybersecurity company which asked not to be named said its experts alone were working with at least 50 victims, trying to quickly determine what data the hackers may have taken while also trying to eject them. 

Some of the initial infections appear to have been the result of automated scanning and installation of malware, said Alex Stamos, a cybersecurity consultant. Investigators will be looking for infections that led to hackers taking the next step and stealing data, such as e-mail archives, and searching them for any valuable information later, he said. 

“If I was running one of these teams, I would be pulling down email as quickly as possible indiscriminately and then mining them for gold,” Stamos said. 


January

North Korean hackers use social media to target security researchers 

PUBLISHED: Jan. 25, 2021 

Google has issued a warning that it has uncovered an “ongoing” state-backed hacking campaign run by North Korea targeting cyber security researchers. 

The Silicon Valley search giant said its threat analysis team found that cyber attackers posing as researchers had created numerous fake social media profiles on platforms such as Twitter and LinkedIn. After establishing communication with an actual researcher, the attackers would ask the target to work together on cyber vulnerability research and then share collaboration tools containing malicious code to install malware on the researcher’s systems. 

Of particular concern is Google's claim that, in some cases, the attackers were able to install a backdoor on the victim's computer even when the system was running fully patched and up-to-date versions of Windows 10 and the Chrome browser. 

Google attributed the latest campaign to “a government-backed entity based in North Korea” — one of the biggest state sponsors of hacking alongside Russia, Iran and China. The Wall Street Journal has previously reported on accusations against North Korea of carrying out cyber attacks to steal coronavirus vaccine-related research and data. 

Belying perceptions of the country as a technological backwater, its hackers have a record of major cyber disruptions including hacking Sony Pictures in 2014 and the WannaCry malware attack in 2017. In 2019 a UN sanctions report estimated that $2bn had been raised for Kim Jong Un’s weapons programme via North Korean cyber actors. 
