Cybersecurity

Indonesia says no evidence of alleged Chinese intel hack


Indonesian authorities have found no evidence that the country’s main intelligence service’s computers were compromised, after a U.S.-based private cybersecurity company alerted them of a suspected breach of its internal networks by a Chinese hacking group, an official said.

The Insikt Group, the threat research division of Massachusetts-based Recorded Future, said it discovered the hack in April when it detected malware servers operated by the “Mustang Panda” group communicating with hosts inside Indonesian government networks.

The activity targeted the Badan Intelijen Negara, or BIN, intelligence agency as well as nine other Indonesian government agencies, Recorded Future said.

“We assess that this activity is very likely linked to the Chinese state-sponsored threat activity group Mustang Panda based on our continued tracking of Chinese state-sponsored cyberespionage activity,” the company said in an e-mail to The Associated Press.

Chinese government offices were closed Monday for the Mid-Autumn Festival and could not be reached, but authorities have consistently denied any form of state-sponsored hacking and said China itself is a major target of cyberattacks.

Recorded Future said its experts traced the hack back to as early as March, and the last observed date of the intrusion was Aug. 20.

“We have not seen additional activity targeting BIN since that date,” the company said.

After being notified by Recorded Future, BIN investigated the suspected breach together with other agencies and related stakeholders, but found “our server is safe and under control, there is no indication that it was hacked by suspected Chinese hackers,” said Wawan Hari Purwanto, a deputy chief and spokesman for the agency.

BIN coordinates information sharing and operations for Indonesia’s other intelligence agencies, as well as conducting its own operations. Because of its work, Purwanto said BIN’s computers are an attractive target for hackers, and the agency conducts regular checks and maintenance on its systems as a precaution.

He said BIN cooperated with Indonesia’s National Cyber and Encryption Agency, the Ministry of Communication and Information Technology and other government agencies to ensure “our network is safe and free from hacking.”

The Cyber and Encryption Agency referred all questions to BIN.

Purwanto dismissed the Insikt Group’s findings and urged people not to worry that the agency’s data had been compromised.

“BIN calls on people to not believe the rumors of hacking of BIN and other government institutions, and to keep checking, rechecking and crosschecking information circulating on internet and social media,” he said.


JAKARTA, Indonesia (AP)

Cybersecurity

Supernational fronts retaliate against cybercrime group REvil


Cybercrime group REvil was infiltrated by U.S. government agencies and forced to go dark after a law enforcement operation mounted from several countries, Reuters reported.

Speculation about the group’s recent absence began circulating after Recorded Future security specialist Dmitry Smilyanets posted on Twitter several messages from the account of a well-known REvil operator, ‘0_neday.’

The messages, which had been posted on the cybercriminal forum XSS, described the events leading up to the shutdown, alleging that someone had taken control of the group’s Tor payment portal and its data leak sites.

In the messages, 0_neday explained that he and ‘Unknown,’ the group’s chief representative, were the only members holding REvil’s domain keys. Unknown’s subsequent disappearance led the other members to assume he was dead.

In September, REvil resumed its activities, which later led to the realization that the group’s domain was being accessed with Unknown’s decryption key.

“The server was compromised, and they were looking for me. To be precise, they deleted the path to my hidden service in the torrc file and raised their own so that I would go there. I checked on others – this was not. Good luck, everyone, I’m off,” 0_neday wrote in a message.

After REvil’s attack on Kaseya, the FBI obtained a universal decryption key that let victims of the Kaseya breach recover their files without paying a ransom.

Now, with the messages surfacing on Twitter, it appears that law enforcement officials withheld the fact that they had the key for weeks while quietly going after REvil’s members, according to Reuters.

According to individuals familiar with the matter, law enforcement and intelligence cyber specialists managed to compromise the criminal group’s network infrastructure and gain control over some of its servers.

Following Unknown’s disappearance, other group members regained control of the websites last month. In doing so, REvil unintentionally restarted some internal systems, including ones already controlled by law enforcement.

“The REvil ransomware gang restored the infrastructure from the backups under the assumption that they had not been compromised,” Oleg Skulkin, deputy head of the forensics lab at the Russian-led security company Group-IB, said in a statement.

“Ironically, the gang’s own favorite tactic of compromising the backups was turned against them,” Skulkin added.

Although trustworthy backups are regarded as a fundamental defense against ransomware, their value depends on keeping them disconnected from the main networks. Otherwise, they too will be encrypted by groups like REvil.

One person close to the matter said that a foreign ally of the U.S. led the hacking operation that infiltrated REvil’s network, while a former U.S. official, speaking anonymously, said the operation has not yet concluded.

VMware’s head of cybersecurity strategy, Tom Kellermann, told Reuters that the success of the federal operation stems from a tougher stance led by U.S. Deputy Attorney General Lisa Monaco, under which cyberattacks on critical government systems are treated as a threat to national security in the same category as terrorist attacks.

The Kaseya and SolarWinds ransomware attacks are the two main cases that paved the way for a harsher approach to this counterattack and similar future ones; in June they pushed the Justice Department to raise investigations of cyberthreats to a much higher priority.

REvil’s attacks gave the Justice Department and other government agencies a legal basis to request support from other federal organizations, such as the U.S. intelligence community and the Department of Defense.

Both the FBI and the White House National Security Council refrained from commenting on the operation.


Cybersecurity

Google nabs phishing attacks from state-sponsored cybercrimes


Google said Thursday that it has sent approximately 50,000 alerts to users whose accounts were targeted by state-sponsored phishing and malware campaigns.

“Countering threats from Iran” is the title the Big Tech giant gave to its latest blog post, which covers Google’s Threat Analysis Group’s (TAG) recent tracking of disinformation campaigns, government-backed hacking, and financially motivated abuse.

“We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, nearly a 33 percent increase from this time in 2020,” the blog post stated.

Receiving a warning means an account may be exposed to such threats, but not everyone who received one has been breached.

Google explained that its threat analysis group sends these warnings to accounts it believes are potential targets of government-backed phishing attempts, brute-force attacks, or malware delivery efforts originating from state-backed hacking groups.

Google’s statistics show that TAG has identified more than 270 government-backed targeted attacker or hacker groups from more than 50 countries, meaning some accounts are targeted by more than one threat actor from around the globe.

Fending off cyberattacks from Iran

Iran’s hacking group APT35, known for targeting U.S. politicians before the 2020 presidential election, appears determined to continue its efforts to break into government officials’ devices and accounts.

The report not only highlighted that the group is still actively trying to infiltrate high-level government personnel, but also that it has focused on developing new tricks to evade detection by security tools while deceiving targets into submitting account credentials or installing spyware on their devices.

APT35’s specialty is account theft, which allows it to spy on journalists, activists, government workers, academics, and anyone else of interest to the Iranian regime.

Wielding Telegram for threat reports

According to TAG researcher Ajax Bash, one of the attackers’ most common tactics is abusing the API of the Telegram messaging service, creating bots in the chat app to facilitate account theft and bank fraud.

“The attackers embed JavaScript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel,” Bash revealed.

Google informed Telegram of the malicious activity occurring on its platform, and Telegram removed the bots.

The government-backed group uses this tactic to send device data back to the channel, giving the attackers real-time details such as the IP address and user-agent of every visitor to their phishing sites.
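From a defender’s side, the pattern described above is visible in web proxy logs: a browser user-agent calling the Telegram Bot API `sendMessage` method with a Referer pointing at an unrelated web page. The following is an added example, not code from the article or from Google, that flags such beacons in constructed sample log lines (the log format, hostnames and token values are assumptions made up for the example):

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log (not from the article): timestamp, client, method, URL, referer, user-agent
SAMPLE_LOG = """\
2021-10-15T09:12:01Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenXYZ/sendMessage?chat_id=-1001234&text=loaded https://login-verify.example.net/signin.html Mozilla/5.0
2021-10-15T09:12:07Z 10.0.0.5 GET https://www.example.com/index.html - Mozilla/5.0
2021-10-15T09:13:44Z 10.0.0.9 POST https://api.telegram.org/bot987654321:AAAnotherExample/sendMessage https://login-verify.example.net/signin.html Mozilla/5.0
2021-10-15T09:15:02Z 10.0.0.12 POST https://api.telegram.org/bot555555:AASrvToken/sendMessage - python-requests/2.25
"""

# Bot API paths look like /bot<numeric id>:<secret>/<method>
BOT_API = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[^/]+)/(?P<method>\w+)$")
BROWSER_UA = re.compile(r"Mozilla/")


def parse_line(line):
    """Split one assumed-format log line into its six fields (user-agent may contain spaces)."""
    ts, client, method, url, referer, ua = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "url": url, "referer": referer, "ua": ua}


def find_phishing_beacons(log_text):
    """Return records for browser-originated sendMessage calls that carry a Referer from another site."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        u = urlparse(rec["url"])
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_API.match(u.path)
        if not m or m.group("method") != "sendMessage":
            continue
        # A server-side bot (non-browser UA, no Referer) is normal use; a page-embedded beacon is not.
        if not BROWSER_UA.search(rec["ua"]) or rec["referer"] == "-":
            continue
        chat_id = parse_qs(u.query).get("chat_id", [None])[0]
        findings.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "referring_page": urlparse(rec["referer"]).hostname,  # the suspected phishing site
            "bot_id": m.group("bot_id"),  # numeric id only; the secret part is never recorded
            "chat_id": chat_id,
        })
    return findings


if __name__ == "__main__":
    for hit in find_phishing_beacons(SAMPLE_LOG):
        print(hit)
```

Grouping the hits by `referring_page` gives the list of candidate phishing domains to block, and the `bot_id` is what to include in an abuse report to Telegram.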

Using spyware apps to gain access

TAG’s findings also showed that in May 2020 the company discovered APT35 had tried to upload spyware to the Google Play Store disguised as a VPN app. Had it been installed, the attackers could have obtained sensitive data including call logs, text messages, contacts, location data, and much more.

Once it was detected, Google removed the app from its store before any user installed it.

Even though the app was removed from the store, TAG observed further attempts by the group to distribute the malicious VPN on other platforms as of July 2021.

Conference-themed phishing emails

APT35’s most notable technique is impersonating conference officials in phishing attacks. Posing as the Munich Security Conference and the Think-20 (T20) Italy conference, the attackers first send benign email messages to lure targets into responding. Once they receive a reply, they send phishing links in a follow-up email.

Typically, users who respond pass through at least one redirect before reaching a phishing domain that gives APT35 access to their email.

For this purpose, link shorteners and click trackers are heavily used, often embedded in PDF files.

Google also disrupted attempts to use Google Drive, Apps Script, and Sites pages in specific campaigns, as the group tried to get around the tech giant’s built-in defenses.

When conducted at a governmental scale, successful attacks can cause irreversible damage. For that reason, cybersecurity firms expect intrusion rates to rise in the coming years, with the U.S. as the main target, a prospect that could be damaging to a country still recovering its infrastructure from the crippling effects of the pandemic over the past two years.


Cybersecurity

US talks global cybersecurity without a key player: Russia


Amid an epidemic of ransomware attacks, the U.S. is discussing cybersecurity strategy this week with 30 countries while leaving out one key player: Russia.

The country that, unwittingly or not, hosts many of the criminal syndicates behind ransomware attacks was not invited to a two-day meeting starting Wednesday to develop new strategies to counter the threat.

White House national security adviser Jake Sullivan called it a gathering of “like-minded” governments in agreement on the urgency of the need to protect citizens and businesses from ransomware. “No one country, no one group can solve this problem,” he said in opening remarks.

The virtual discussions will focus in part on efforts to disrupt and prosecute ransomware networks like the one that attacked a major U.S. pipeline company in May, a senior administration official said. The attack on Colonial Pipeline, which led to gas shortages along the East Coast, was attributed to a Russia-based gang of cybercriminals.

The exclusion of a country so closely tied to the global ransomware phenomenon reflects the overall poor relations between Moscow and Washington.

Despite that, the U.S. has used a “dedicated channel” to address cybersecurity with Russia, said the official, who briefed reporters on the condition of anonymity to preview this week’s meeting with around 30 countries and the European Union.

Since President Joe Biden raised the issue directly with President Vladimir Putin this summer in a summit and later phone call, there have been “candid discussions” about cybercriminals operating within Russia’s borders, the official said.

“We’ve had several, and they continue, and we share information regarding specific criminal actors within Russia, and Russia has taken initial steps,” the official said.

It is unclear what steps Putin’s government has taken. Russia does not extradite its own citizens, and FBI Deputy Director Paul Abbate told a security forum last month that he has seen “no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they’ve created there.”

The issue was expected to be on the agenda this week in Moscow as Undersecretary of State Victoria Nuland met for talks with Russian Deputy Foreign Minister Sergei Ryabkov.

The Biden administration took office amid a massive cyberespionage campaign known as the SolarWinds attack, which U.S. officials have linked to Russian intelligence operatives. Ransomware attacks, perpetrated generally by criminal hacker gangs rather than state-sponsored groups, have caused tens of billions of dollars in losses to businesses and institutions and become a major source of tension between the two nations.

Ransomware payments reached more than $400 million globally in 2020 and topped $81 million in the first quarter of 2021, according to the U.S. government.

Actions taken by the Biden administration include imposing sanctions on a Russia-based virtual currency brokerage that officials say helped at least eight ransomware gangs launder virtual currency and issuing security directives that require pipeline companies to improve their cyber defenses.

In addition, the State Department has announced rewards of millions of dollars for information on people who engage in state-sponsored malicious cyber activities aimed at transnational criminal networks that Sullivan said operate “across multiple countries, multiple jurisdictions to carry out their attacks.”

Most of this week’s ransomware meeting is expected to be private as participants attend sessions led by India, Australia, Britain and Germany and will focus on themes such as developing resilience to withstand ransomware attacks.

Other participants include Israel, the United Arab Emirates, Bulgaria, Estonia, France, the Dominican Republic, Mexico, New Zealand, Singapore and Kenya.


WASHINGTON (AP)
