fbpx
Connect with us

Cybersecurity

3 former US officials charged in UAE hacking scheme

Published

 on

3 former US officials charged in UAE hacking scheme

Three former U.S. intelligence and military officials have admitted providing sophisticated computer hacking technology to the United Arab Emirates and agreed to pay nearly $1.7 million to resolve criminal charges in an agreement that the Justice Department described Tuesday as the first of its kind.

The defendants — Marc Baier, Ryan Adams and Daniel Gericke — are accused of working as senior managers at a UAE-based company that conducted hacking operations on behalf of the government. Prosecutors say the men provided hacking and intelligence-gathering systems that were used to break into computers in the United States and elsewhere in the world.

The Justice Department alleges that the men committed computer fraud and violated export control laws by providing defense services without the required license. The case also appears to be part of a growing trend highlighted earlier this year by the CIA of foreign governments hiring former U.S. intelligence operatives to bolster their own spycraft — a practice officials have said risks exposing U.S. secrets.

“This is a loud statement” that the Justice Department takes such cases seriously, said Bobby Chesney, a professor at the University of Texas School of Law who specializes in national security issues.

The charges were filed under a deferred prosecution agreement that, in addition to requiring a $1.68 million payment, will also force the men to cooperate with the Justice Department’s investigation, to sever any ties with any UAE intelligence or law enforcement agencies and to forego any security clearances. If they comply with those and other terms for three years, the Justice Department will abandon the prosecution.

As part of the agreement, the three men did not dispute any of the facts alleged by prosecutors.

The Justice Department described it as the “first-of-its-kind resolution of an investigation into two distinct types of criminal activity,” including providing unlicensed technology for the purposes of hacking.

“Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct,” Mark Lesko, acting assistant attorney general in charge of the Justice Department’s national security division, said in a statement.

According to court documents, the trio left a U.S.-based company that was operating in the UAE to join an Emerati company that would give them “significant increases” in their salaries.

The companies aren’t named in charging documents, but Lori Stroud, a former National Security Agency employee, said she worked with the three men in the UAE at U.S.-based CyberPoint and then for UAE-based DarkMatter.

Stroud said she quit because she saw DarkMatter hacking U.S. citizens. She said she assisted the FBI in its investigation and was glad to see the case come to a resolution.

“This is progress,” Stroud said.

The Emirati government did not immediately respond to a request for comment early Wednesday. Questions sent by email to officials at Abu Dhabi-based DarkMatter could not be delivered.

Since details of DarkMatter’s hacking campaign became public, the company’s profile has dropped over the last few years, with some staff moving onto a new Abu Dhabi-based firm called G42. That firm has been linked to a mobile app suspected of being a spying tool as well as Chinese coronavirus tests that American officials warned against using over concerns about patient privacy, test accuracy and Chinese government involvement.

DarkMatter’s founder and CEO, Faisal al-Bannai, told The Associated Press in 2018 that the company takes part in no hacking, although he acknowledged the firm’s close business ties to the Emirati government, as well as its hiring of former CIA and NSA analysts.

Prosecutors said that between January 2016 and November 2019, the defendants increased operations being providing to the UAE government. They bought exploits to break into computers and mobile devices from companies around the world, including those based in the U.S., according to the Justice Department. That includes one so-called “zero-click” exploit — which can break into mobile devices without any user interaction — that Baier bought from an unnamed U.S. company in 2016.

Lawyers for Adams and Gericke did not immediately return messages seeking comment, and a lawyer for Baier declined to comment.

The Justice Department described each of them as former U.S. intelligence or military personnel. Baier previously worked at the NSA, according to a former colleague who spoke on condition of anonymity because of the sensitivity surrounding the matter.

The CIA warned in a letter earlier this year about “an uptick in the number of former officers who have disclosed sensitive information about CIA activities, personnel, and tradecraft.”

The letter sent to former CIA officials was signed by Sheetal Patel, the agency’s assistant director for counterintelligence. It described as a “detrimental trend” a practice of foreign governments hiring former intelligence officers “to build up their spying capabilities.” Some listed examples included using access to CIA information or contacts for business opportunities as well as “working for state-sponsored intelligence related companies in non-fraternization countries.”

“We ask that you protect yourself and the CIA by safeguarding the classified tradecraft that underpins your enterprise,” Patel wrote.


Suderma WASHINGTON (AP)

Cybersecurity

Supernational fronts retaliate against cybercrime group REvil

Published

 on

Cybercrime group REvil was infiltrated by U.S. governmental agencies and obliged to go dark after cybercrime operation attacking from supernational fronts, reported by Reuters. 

Speculations circulating the group’s recent absence following Recorded Future security specialist Dimitry Smilyanets went to Twitter to reveal various messages from the account of a famous REvil operator, ‘0_neday.’

The messages displayed on the microblogging platform elaborated the events that led to the cybercriminal forum XSS, alleging that someone took charge of the cyber group’s Tor payment portal and was controlling sites’ data leaks.

In the message, the account revealed how he and ‘Unknown, ’chief representative of the cyber entity, were the only group members with REvil’s domain keys. Then, the group’s representative’s absence left other members to predict that he was dead.

In September, REvil proceeded with its cybercrime activities. A factor that led to the realization that the group’s domain name was being reached by Unknown’s decryption key.

“The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others – this was not. Good luck, everyone, I’m off,” 0_neday wrote in a message.

After REvil’s Kaseya cybercrime, the FBI acquired a universal decryption key initiating file recovery to those exposed to Kaseya’s breach, without the need to pay a ransom.

Now, with the news message surfacing on Twitter, it seems that that law enforcement officials concealed the fact that they had the key for weeks as it was stealthily going after REvil’s staff, according to Reuters. 

In reference to individuals familiar with the topic, law enforcement and intelligent cyber experts managed to compromise the criminal group’s network infrastructure and security management over some of its servers.

Following Unknown’s vanish, other group members re-obtained control over the websites last month. By doing so, REvil unintentionally restarted some intermetal systems, including the ones already powered by law enforcement.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” deputy head of the forensics lab at the Russian-led security company Group-IB, Oleg Skulkin said in a statement.

“Ironically, the gang’s own favorite tactic of compromising the backups was turned against them,” Skulkin added.

Even though trust-worthy backups are perceived as a fundamental defense tactic to counteract ransomware activities, its vitality lies in remaining unconnected with other main networks. Otherwise, those too will be encrypted by cybercrimes groups similar to REvil.

One spokesperson close to the matter revealed that a foreign ally of the U.S. led the hacking mission that managed to infiltrate REvil’s network, while another anonymous former U.S. official commented on the mission saying the operation has not been finalized.

VMWare’s head of cybersecurity strategy, Tom Kellermann, told Reuters that the victory of federal operations immerges from a deep rigidity led by U.S. Deputy Attorney General Lisa Monaco, under the belief that cyberattacks on vital governmental ecosystems should be perceived as a threat to the country’s national security, and falls under the same umbrella as terrorist attacks.

The Kesaya and SolarWinds ransomware attacks are the two main cases that paved the way for harsher approaches to navigate this counterattack – and similar future ones – pushed in June the Justice Department to authorize harsher examinations of cyberthreats to much more paramount priority.

REvil’s attacks provided the Justice Department and different government agencies to consider cybercrimes a legal basis to inquire support from other federal organizations, such as the U.S. intelligence and the Department of Defense.

Both the FBI and the White House National Security Council refrained from commenting on the operation.

Continue Reading

Cybersecurity

Google nabs phishing attacks from state-sponsored cybercrimes

Published

 on

In a world where everyone is exposed to infiltration on their devices, Google sent Thursday approximately 50,000 alerts to users whose accounts were exposed to breaches by state-sponsored cybercrimes executing phishing and malware campaigns.

“Countering threats from Iran” is the label the Big Tech giant gave to its latest blog post, addressing Google’s Threat Analysis Group’s (TAG) latest tracking of disinformation campaigns, governmental backed hacking, and financially driven abuse.

“We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2011, we’ve sent over 50,000 warnings, nearly a 33 percent increase from this time in 2020,” the blog post stated.

While receiving the warning does mean an account could be exposed to potential cyber threats, not all those who have received the warning have been breached. 

The search engine elaborated that the company’s analytical branch directs these distressing warnings to accounts it perceives as a potential target to governmental-sponsored phishing attempts, brute-force attacks, malware delivery efforts initiated from a state-backed hacking ecosystem.

Google’s cybercrime statistics revealed that TAG has managed to identify more than 270 targets or hacker groups supported by governmental entities from more than 50 countries. Meaning, some of these accounts are targeted by more than one threat, expanding all around the globe.

Fending off cyberattacks from Iran

Iran’s hacking group, APT35, known for pursuing U.S. politicians before the 2020 Presidential elections, seems to have set its mind to proceed with its mission to creep into governmental representatives’ devices and accounts.

The tech mogul’s report not only highlighted that the group is still actively aiming to infiltrate some of the biggest bureaucratic personnel, but it appears that it allocated its goal to developing devious tricks to deter itself from being detected by security tools, then deceiving targets to submit accounts credentials, or into installing spyware on their devices.

APT35’s main line of specialty is indulging in account theft activities that allow it to spy on journalists, activists, government workers, academics, and anyone that might stimulate the Iranian regime’s curiosity.

Wielding Telegram for threat reports

According to one TAG researcher, Ajax Bash, the attackers’ most adopted tactic is exploiting an API for Telegram scripts, a messaging service, by creating bots in the chat app to facilitates accounts’ theft, alongside bank fraud.

“The attackers embed JavaScript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API send Message function, which lets anyone use a Telegram bot to send a message to a public channel,” Bach revealed.

In parallel, the messaging platform was informed by Google of the misleading activities accruing on its app, resulting in the bots being netted and eliminated by Telegram.

The governmentally supported group implements this tactic to send device-based data back to the channel, unveiling to hackers sensitive details such as IP, user-agent, and any local visitor to their phishing sites in real-time.

The implementation of Spyware Apps to optimize access

TAG’s systematic outcomes also featured that in May 2020, the company unearthed that APT35 tried to install malicious spyware to Google Play Store via an app masquerading as VPN software. If successfully uploaded, the cybercriminals could have obtained critical data, ranging from call logs, text messages, contacts, location data, and much more.

Once detected, Google eliminated the app from its store before any user installation.

Even though the app was extracted from the store, TAG caught additional attempts by the group to dispense the malicious VPN on other platforms as of July 2021.

Conference-themed phishing emails

ATP35’s most outstanding feature is the parody of conference officials to indulge in phishing attacks. By employing the Munich Security and the Think-20 (T20) Italy conference, attackers allure non-malicious contracts first as email messages for users to answer to. Once they receive a response, hackers then send phishing links in an email as a correspondent follow-up.

Usually, after responding, users would sail through at least one redirect before reaching a phishing domain that will give APT35 access to their email.

For this purpose, the adaptation of link shorteners and click trackers is heavily implemented, and they typically come implanted with PDF files.

In this case, Google broke down attempted cybercrimes using Google Drive, App Scripts, and site pages for specific campaigns as the cybercriminal entity made an effort to break down the tech giant’s embedded defense mechanisms.

If cybercrimes are measured on a governmental scale, once successful, malicious attacks are set to cause irreversible damage. For that reason, cybersecurity enterprises are expecting cyber intrusion rates to heighten in the upcoming years, with the U.S. being its main target. A scheme that could be detrimental to a country recovering its infrastructure from the pandemic’s crippling aftermath that broke its backbone in the past two years.

Continue Reading

Cybersecurity

US talks global cybersecurity without a key player: Russia

Published

 on

US talks global cybersecurity without a key player Russia

Amid an epidemic of ransomware attacks, the U.S. is discussing cybersecurity strategy this week with 30 countries while leaving out one key player: Russia.

The country that, unwittingly or not, hosts many of the criminal syndicates behind ransomware attacks was not invited to a two-day meeting starting Wednesday to develop new strategies to counter the threat.

White House national security adviser Jake Sullivan called it a gathering of “like-minded” governments in agreement on the urgency of the need to protect citizens and businesses from ransomware. “No one country, no one group can solve this problem,” he said in opening remarks.

The virtual discussions will focus in part on efforts to disrupt and prosecute ransomware networks like the one that attacked a major U.S. pipeline company in May, a senior administration official said. The attack on Colonial Pipeline, which led to gas shortages along the East Coast, was attributed to a Russia-based gang of cybercriminals.

The exclusion of a country so closely tied to the global ransomware phenomena reflects the overall poor relations between Moscow and Washington.

Despite that, the U.S. has used a “dedicated channel” to address cybersecurity with Russia, said the official, who briefed reporters on the condition of anonymity to preview this week’s meeting with around 30 countries and the European Union.

Since President Joe Biden raised the issue directly with President Vladimir Putin this summer in a summit and later phone call, there have been “candid discussions” about cybercriminals operating within Russia’s borders, the official said.

“We’ve had several, and they continue, and we share information regarding specific criminal actors within Russia, and Russia has taken initial steps,” the official said.

It is unclear what steps Putin’s government has taken. Russia does not extradite its own citizens, and FBI Deputy Director Paul Abbate told a security forum last month that he has seen “no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they’ve created there.”

The issue was expected to be on the agenda this week in Moscow as Undersecretary of State Victoria Nuland met for talks with Russian Deputy Foreign Minister Sergei Ryabkov.

The Biden administration took office amid a massive cyberespionage campaign known as the SolarWinds attack, which U.S. officials have linked to Russian intelligence operatives. Ransomware attacks, perpetrated generally by criminal hacker gangs rather than state-sponsored groups, have caused tens of billions of dollars in losses to businesses and institutions and become a major source of tension between the two nations.

Ransomware payments reached more than $400 million globally in 2020 and topped $81 million in the first quarter of 2021, according to the U.S. government.

Actions taken by the Biden administration include imposing sanctions on a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency and issuing security directives that require pipeline companies to improve their cyber defenses.

In addition, the State Department has announced rewards of millions of dollars for information on people who engage in state-sponsored malicious cyber activities aimed at transnational criminal networks that Sullivan said operate “across multiple countries, multiple jurisdictions to carry out their attacks.”

Most of this week’s ransomware meeting is expected to be private as participants attend sessions led by India, Australia, Britain and Germany and will focus on themes such as developing resilience to withstand ransomware attacks.

Other participants include Israel, the United Arab Emirates, Bulgaria, Estonia, France, the Dominican Republic, Mexico, New Zealand, Singapore and Kenya.


WASHINGTON (AP)

Continue Reading

Trending