Russian FSB Cyber Espionage: Navigating the Threat Landscape


The field of cybersecurity is always changing, and recent developments have refocused attention on Russian hackers and their purported participation in an elaborate cyber-espionage scheme. Russia's chief security agency, the Federal Security Service (FSB), is suspected of leading a hack-and-leak operation that targeted the private communications of high-ranking officials.

The incident, as reported by various news outlets, underscores the persistent challenges faced by governments in safeguarding sensitive information and securing digital infrastructures. The timing of these revelations adds an additional layer of complexity to an already tense geopolitical environment.

The hacking campaign, attributed to the FSB by both UK and US authorities, involves the infiltration of private communications of senior politicians. The information obtained through these breaches is then strategically leaked, creating a potential minefield of diplomatic and political fallout. The targets and methods employed in these cyber-attacks reflect a level of sophistication highlighting the evolving capabilities of state-sponsored hacking entities.

As the world becomes increasingly interconnected, the consequences of cyber espionage extend far beyond individual privacy concerns. The alleged involvement of the FSB in such activities raises questions about the broader implications for international relations, trust between nations, and the need for more robust cybersecurity measures.

The Financial Times reports that Russian hackers may possess a trove of data yet to be leaked, heightening concerns about the potential impact on global affairs. The evolving nature of cyber threats requires constant vigilance and collaborative efforts on a global scale to fortify digital defenses.

"The cyber threat landscape is dynamic and complex, and defending against it requires a comprehensive approach that includes strong cybersecurity policies, advanced technologies, and international cooperation," emphasizes a statement from cybersecurity experts.

The Telegraph sheds light on the gravity of the situation, emphasizing the need for governments to reassess and strengthen their cybersecurity protocols. In an era where information is a valuable currency, protecting sensitive data from malicious actors is a paramount challenge.

As the international community grapples with the aftermath of these alleged FSB-backed cyber-attacks, one thing is clear: the landscape of global security is evolving, and nations must adapt swiftly to the changing nature of cyber threats. The recent events serve as a stark reminder that cybersecurity is not merely a technical challenge but a crucial aspect of modern statecraft, with implications that reverberate across borders.

A US Cyber Team's Perspective on US Military Cyber Defense of Ukraine

 


Despite analysts' numerous predictions, Russia could not destroy Ukraine's computer systems in this year's invasion with a massive cyber-attack. This may be because an unknown US military branch hunts down rivals online to enforce their interests. To cover these global missions, the BBC was granted exclusive access to the cyber-operators who carried them out. 

The US military landed in Ukraine in December last year on a recon mission carried out by a small team led by a young major. There were plans to deploy more troops ahead of this deployment.

On Thursday, the Ukrainian government's premier counterintelligence and law enforcement agency revealed the real identities of five individuals allegedly involved in cyber-espionage activities attributed to the Gamaredon cyber-espionage group. According to the agency, these members are connected to the Russian Federal Security Service (FSB). 

It has been apparent in recent months that Gamaredon is very active in the threat actor community. When you open Twitter and type in #Gamaredon, you'll find several tweets a week with updated information on the IOC and samples it has created. 

Gamaredon Group is another advanced persistent threat (APT) group targeting the Ukrainian government today. It is also known as Shuckworm, Iron Tilden, Primitive Bear, Winter Flounder, and Accinium. 

A common attack tool is phishing emails with Microsoft Office documents attached. These emails are used to gain initial access to the victim's system.

In recent months, there have been reports of Russian troops amassing along the Ukrainian border, raising fears of war breaking out. As much as Russia denies any plans to invade, it demands sweeping security guarantees, including a guarantee that NATO will never admit Ukraine.

The Ukrainian security services, who believed that the act of terrorism had been committed by officers of the Russian Federal Security Service from Crimea, publicly attributed the act of terrorism to Gamaredon in November. An online comment request was sent to the Russian Embassy in Washington regarding Gamaredon; however, there was no immediate response from the Russian Embassy.

A spokesperson for Ukraine's Security Service (SSU) said in a statement today that the hacker group had been depicted as "an FSB special project that specifically targeted Ukraine," at the same time confirming that many of the perpetrators of the hack were "Crimean FSB officers and traitors who defected to the enemy during the occupation of the peninsula in 2014." 

According to the country's authorities, over 1,500 government entities, public entities, and private enterprises have been targeted by actors in the past seven years in Ukraine. This group aims to gather intelligence, disrupt operations, and take control of critical infrastructure facilities to collect critical data. 

Between 2020 and the present, Malwarebytes has identified five operations that have taken place. They were victims of armed clashes between Russian-aligned individuals and Ukrainian citizens who had taken part in the discredited referendums called for by Moscow in September 2022. These referendums were called for in the Ukrainian territories of Luhansk, Donetsk, Zaporizhzhia, and Kherson. In the Dnepropetrovsk, Lugansk, and Crimea regions, there has been a massive outbreak of infections in state, agricultural, and transportation ministries.

Ukrainian intelligence agencies hold Armageddon, the threat group that launched the attacks, responsible. In the cybersecurity community it is known by the names Gamaredon, Primitive Bear, Winterflounder, BlueAlpha, Blue Otso, Iron Tilden, and Sector C08, and it operates under many other names as well.

In several of the campaigns in eastern Ukraine identified by Malwarebytes, attackers exfiltrated snapshots, the contents of USB flash drives, keyboard strokes, and microphone recordings, depending on the campaign.

On Wednesday, Anne Neuberger, a White House cyber official, said Russia could destabilize and invade Ukraine using cyberattacks. 

In early 2013, it appeared that Russia had sponsored the Gamaredon Group, which is a misspelled anagram of the word "armageddon" and has been sporadically perpetrating cyberattacks on Ukrainian military, government, and non-profit organizations since then. 

Threat actors inject remote templates into legitimate Microsoft® Office documents. The technique works even when Microsoft® Word security features have been turned on. It bypasses the Microsoft Word macro protections, which are designed to prevent attackers from infecting sensitive systems with malware, accessing their data, and then spreading the infection to other systems.
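One way to check a document for the remote-template relationship described above, as an added example (not code from the original post or from any vendor it names). It assumes the OOXML convention that Word records an attached template as an `attachedTemplate` relationship in `word/_rels/settings.xml.rels`; `scan_docx`, `classify`, `build_sample` and the `example.invalid` hosts are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_RELS_SIZE = 1_000_000  # refuse oversized .rels parts instead of parsing them


def classify(rel_type, target):
    """Grade one external relationship by its type and by where it points."""
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    remote = (
        scheme in ("http", "https", "ftp")
        or (scheme == "file" and parsed.netloc != "")  # file://server/share/...
        or target.startswith("\\\\")                   # \\server\share\...
    )
    if rel_type == OFFICE_REL + "attachedTemplate":
        return "remote-template" if remote else "local-template"
    return "external-other"  # e.g. ordinary hyperlinks; listed for context only


def scan_docx(data):
    """Return every TargetMode="External" relationship in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for info in package.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_SIZE:
                findings.append({"part": info.filename, "type": "",
                                 "target": "", "verdict": "oversized-rels"})
                continue
            # For hostile input at volume, a hardened XML parser is preferable.
            root = ET.fromstring(package.read(info))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                findings.append({
                    "part": info.filename,
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": target,
                    "verdict": classify(rel_type, target),
                })
    return findings


def build_sample(template_target):
    """Constructed input: a minimal package with only the parts the scanner reads."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/settings.xml.rels",
                         rels % (OFFICE_REL + "attachedTemplate", template_target))
        package.writestr("word/_rels/document.xml.rels",
                         rels % (OFFICE_REL + "hyperlink", "https://www.example.com/"))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one remote template, one template on the local disk.
    for target in ("https://templates.example.invalid/update.dotm",
                   "file:///C:/Templates/Normal.dotm"):
        for finding in scan_docx(build_sample(target)):
            print(finding["verdict"], finding["part"], finding["target"])
```

A `remote-template` verdict is the case worth alerting on at a mail gateway or during triage, because the template is fetched when the document is opened and the attachment itself need not contain any macro.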

Russian Scam Industry Expands as a Result of Mobilization

 

After experiencing setbacks on the Ukrainian front, Russian President Vladimir Putin ordered a partial mobilization. Russian men who are eligible for enlistment have turned to illegal channels that grant them fabricated exemptions, whereas those fleeing the country to neighboring regions have turned to using identity masking tools.

Due to the aforesaid circumstance, it is now highly profitable for people to sell illegal services. In a similar vein, scammers and hackers see a good opportunity to take advantage of anxious people in haste.

The first scams to try to profit from the situation come from cybercriminals selling fake documents on the dark web, Telegram, and other encrypted channels.

The scammers have even gone to the point of actively publicizing their phony services on social media and making direct contact with individuals through channels that preach about mobilization. The hackers allegedly offer people certificates of ineligibility for military duty, which they claim will enable them to avoid enlistment, according to a report by RIA Novosti.

So that recruitment officers never look for the buyer, the agreement also calls for updating the regional enlistment office's database within 48 hours. The scammers demand 27,000 rubles ($470) in exchange for this, as well as a copy of the client's passport.

Once the funds are paid, the con artists cut off contact with the victim and probably utilize the identity they have stolen to commit more fraud or sell it on the dark web. These advertisements claim to be able to produce fake HIV and hepatitis certificates for 33,000 and 38,000 rubles ($630), respectively.

According to Russian news site Kommersant, there is a 50% increase in demand for so-called 'gray' SIM cards as a result of the widespread migration of Russians. These SIM cards support 'pay-as-you-use' plans and thus are compatible with the networks of MTS, MegaFon, Beeline, Tele2, and Yota. Since the government can use regular SIMs to trace young men liable for military duty and potentially halt them at the border, Russians are eagerly looking for these cards.

IMEI (International Mobile Equipment Identity) is a special 15-digit number that is tied to the device's hardware rather than to the SIM card. Roskomsvoboda, a Russian internet rights group, says there have been numerous cases of people being forced by FSB officers to divulge their IMEI numbers while entering Georgia, Kazakhstan, and Finland. IMEI monitoring is aided by using telecommunication stations for approximate location triangulation.

Law enforcement has used IMEI for several years, and tracking software that promises to find your lost or stolen device also employs it. Except for a few Huawei, Xiaomi, and ZTE models that store the IMEI in a rewritable memory region in violation of the technology's rules and allow users to flash it with specific tools, assigned IMEIs are not interchangeable or editable.

As an alternative, Roskomsvoboda advises Russians leaving the country to either submit a burner phone at the border or purchase a new device once they have left the nation.


The Examination of the Seized Equipment of the Lurk Group did not Reveal the Fact of an Attack on the US Government

 

A law enforcement source said that the examination of the equipment seized from the members of the Lurk hacker group did not reveal traces of attacks on the servers of the American government. During the court session, hacker Konstantin Kozlovsky, who is being held as one of the defendants in the case of the Lurk hacker group, declared his involvement in hacking the servers of the Democratic Party of the USA, as well as in hacking Hillary Clinton's mail. 

However, the examination showed that this is not the case. "The examination was carried out by the security forces together with the leading companies in the field of information security in Russia, all seized equipment, media, communications were checked. No evidence of attacks on the U.S. government was found. Also, the group members did not discuss it in the seized correspondence," the source said. 

He added that the investigation did not establish a connection between Kozlovsky and any FSB officers. "If you follow his statements, they always follow the high-profile hacking topics in the media, to which he is trying to link his criminal case: first it was Russian interference in the US elections, then, when information about the arrest of employees of the FSB Information Security Center appeared in the media, he also mentioned it. 

"Even in the list of those involved in the attack on American information resources, published by the US Department of Justice, there is neither Kozlovsky himself nor other members of the Lurk group," the source explained.

The detention of a group of Lurk hackers became known on June 1, 2016. There are 22 people in the dock. According to investigators, the participants of the hacker group stole 1 billion 264 million rubles (16.7 million dollars) from commercial companies and banks. 

They also hacked the network of Yekaterinburg Koltsovo airport and copied information from servers. It should be noted that Kozlovsky is not the first to try on the role of a hacker of the servers of the Democratic Party. Previously, a hacker with the nickname Guccifer 2.0 took responsibility for hacking. The user called himself a Romanian hacker, but spoke Romanian with machine translation errors.

Criminals Targeted Security Gaps at Financial Services Firms as Employees Moved to WFH

 

According to a report released on Tuesday by the international Financial Stability Board (FSB), criminals targeted security flaws at financial services organizations as their employees switched to working from home. The Financial Stability Board (FSB) was established after the G20 London meeting in April 2009 to offer non-binding recommendations on the global financial system and to coordinate financial policies for the G20 group of nations. 

“Working from home (WFH) arrangements propelled the adoption of new technologies and accelerated digitalization in financial services,” the report states. Phishing, spyware, and ransomware were used to target workers at home. Between February 2020 and April 2021, the number of crimes increased from less than 5000 per week to more than 200,000 per week. 

On July 8, 2021, the Cyber Security Agency of Singapore (CSA) released data suggesting that cybercrime accounted for 43% of all crime in the city-state in 2020. "Although the number of phishing incidents remained stable and website defacements declined slightly, malicious cyber activities remain a concern amid a rapidly evolving global cyber landscape and increased digitalization brought about by the COVID-19 pandemic," said the agency. 

Ransomware attacks increased by 154% from 35 in 2019 to 89 in 2020, ranging from "indiscriminate, opportunistic attacks" to "Big Game Hunting," according to the CSA. They also used leak and shame techniques, as well as RaaS (Ransomware-as-a-Service) models. Between 2019 and 2020, the number of hostile command-and-control servers increased by 94%, with Emotet and Cobalt Strike malware accounting for one-third of the total. 

As IT departments tried to secure remote workers, increased dependence on virtual private networks and unsecured WiFi access points “posed new types of hurdles in terms of patching and other cyber security issues,” according to the FSB assessment. External providers, according to the research, also built cracks for hackers to exploit. According to the report, "While outsourcing to third-party providers, such as cloud services, seems to have enhanced operational resilience at financial institutions, increased reliance on such services may give rise to new challenges and vulnerabilities." 

Working from home isn't going away any time soon. According to Gartner, nearly half of knowledge employees will be working remotely by 2022. Even Apple's retail team follows a hybrid work schedule. Institutions' cyber risk management systems, incident reporting, response and recovery efforts, and how they manage cloud and other third-party services should all be adjusted properly, according to the FSB.

The FSB recorded an attempt to encrypt the data of patients in hospitals in Russia

Nikolay Murashov, deputy director of the National Coordination Center for Computer Incidents (NCCI), stated during a speech at the information security forum that for the first time in 2020, the special services recorded attempts by hackers to introduce malicious software into the information resources of Russian medical institutions in order to encrypt user data.

According to him, there were also hacker attacks on the information resources of the Central Election Commission and Civic Chamber of the Russian Federation.

Murashov said that the special services managed to prevent attacks on the services of state structures.

In total, over the past year, the NCCI has stopped the work of more than 132 thousand malicious resources. At the same time, according to Murashov, the main sources of cyber attacks on Russian resources are located outside the country: 67 thousand foreign malicious resources and 65 thousand such resources in Russia were blocked by the Center for the year. The attacks were carried out from Turkey, the Netherlands, and Estonia and were aimed at state authorities and industrial enterprises.

In general, according to Murashov, remote work has complicated the protection of personal data, as attacks began to be carried out through insufficiently protected remote access centers and vulnerable software. NCCI specialists also registered the sending of phishing messages; most often, card data was stolen through phishing.

The National coordination center for computer incidents has been recording for several years that the main sources of hacker attacks on Russian organizations are located abroad.

In late January, the NCCI center warned of possible cyberattacks from the United States. The threat of attacks in the Center was associated with accusations against Russia from Western countries of involvement in hacker attacks on American government resources, as well as with threats from them to carry out "retaliatory" attacks on Russian critical information infrastructure.

According to the Investigative Committee, in general, the number of cybercrimes over the past seven years in Russia has increased 20 times, and every seventh crime is committed using information technology or in cyberspace.

The NCCI was created in 2018 by order of the FSB to combat the threat of hacker attacks on Russia's infrastructure.

Russian Security Services Track Down Colossal Credit Card Fraud Ring


Russian Security Services (RSB) has tracked down and charged an international credit card fraud ring, arresting 25 accused. The carding kingpin is suspected to be linked with dozens of carding shops and with some of the most significant data breaches plaguing the Western world. FSB, the Russian Federal System, issued a statement this week stating that it had arrested 25 individuals accused of circulating illegal means of payment tied to around 90 websites that sold stolen credit cards. Though the FSB did not release a list of names, a LiveJournal blog by cybersecurity blogger Andrey Sporov leaked the details of the raid and revealed that the infamous hacker Alexey Stroganov, who goes by the hacker names "Flint" and "Flint24", was also among those arrested.


According to Intel 471, a cyber intelligence firm, Stroganov has been associated with some of the major cyber threats since 2001. Stroganov and his associate Gerasim Silivanon (a.k.a. "Gaborik") were also sentenced to six years of imprisonment in Russia in 2006 but were out in two years. "Our continuous monitoring of underground activity revealed despite the conviction, Flint24 never left the cybercrime scene," reads an analysis by Intel 471. "You can draw your conclusions [about why he was released early]," Sporaw wrote, hinting at the use of unfair means to get out of jail early. Flint is one of the big players of the stolen credit card market, working as a wholesaler of credit card data with cyber crooks who bought these cards from him in bulk, 100,000 pieces at once.

Various cyber forums say that Stroganov and his guys were caught because they broke "the golden rule" of hackers from Soviet countries: never target your own country's people or banks.

Flint's "Trust Your Client"

These carding sites had a standard scheme they supported to earn trust and loyalty from those who bought these stolen cards. This system allowed their customers to get instant refunds on bad cards without proving that the tickets were canceled by the bank before they could be used. So, these sites installed money-back insurance called "checkers," which their customers could use to check the cards (available only within a few minutes of buying the tickets) for an extra fee of a few cents per card. But slowly, it was claimed that these checkers gave inaccurate results to benefit the card shops.

So, Flint and his gang came up with a policy, "Trust your client," through which, if the customer claimed that the card was fraudulent, they would get a refund, no questions asked, but only within six hours of buying the ticket. But they probably had their checkers too for checking bad cards.

The Federal Security Service (FSB) of the Russian Federation purchased equipment for hacking smart devices - Hacker group Digital Revolution


Hacker group Digital Revolution published documents according to which the FSB ordered the creation of the Fronton program for organizing cyberattacks using the Internet of things devices.

According to the technical documentation published by hackers, there are three versions of the program: Fronton, Fronton-3D and Fronton-18. They make it possible to infect smart devices (from digital assistants to smart homes), integrate them into a network and “crash” the servers responsible for the stability of large Internet services and the Internet in entire countries.

It's interesting to note that the Moscow company 0day (LLC 0DT) could have participated in the development of the programs. Previously, the company also carried out orders of the Ministry of Internal Affairs.

According to the published documents, the Internet of things is "less secure, unlike mobile devices and servers." This is because many users start using smart devices right away, without changing the factory usernames and passwords.

FSB contractors cite the experience of Mirai, the largest network of infected IoT devices, which had 600,000 bots. In 2016, it disabled the DNS servers of the American company Dyn, which made PayPal, Twitter, Netflix and about 70 other services unavailable for some time. At the same time, the organizers of the attack did not use computers, but printers, children's monitors and IoT routers.

Hackers noted that Fronton can be used for "spying on the whole world". The BBC suggests that, most likely, the main targets of cyberattacks may be digital cameras.

The documents note that 95% of the botnet should consist of IP cameras and digital video recorders. The search server must find targets for hacking, which can be connected via a virtual private network or the Tor browser. The documentation also emphasizes that "the use of the Russian language and the connected Cyrillic alphabet is excluded". It is suggested to hack devices using a dictionary of typical passwords for Internet of things devices.

In December 2018, Digital Revolution said that it hacked the server of the Kvant Scientific Research Institute, owned by the FSB, and found documents on the system of automatic monitoring of social networks for protest moods. In the summer of 2019, hackers said that they broke into the servers of the Moscow IT company Sitek, which carried out projects for Russian special services and agencies.

Hacker from Novovoronezh was convicted of a cyber attack on the library

A resident of Novovoronezh received a year of imprisonment for a cyber attack on the Kurgan Regional Universal Scientific Library. The crime was solved by employees of the FSB of the Voronezh region.

According to the Press Service of the Voronezh Prosecutor's Office, in February 2018, 24-year-old Mikhail Nazarov installed malicious software on his PC which allowed him to destroy, block, modify or copy information and to bypass its protection. The guy found the Internet resource of the Government of the Kurgan region, namely the Library, and committed a series of cyber attacks. Why the young man chose this resource is not specified.

However, the hacker came to the attention of the FSB, whose officers stopped the cyber attacks and detained the attacker. Law enforcement authorities opened a criminal case under the article “Creating, using and distributing malicious computer programs”. The maximum penalty under this article is 4 years of imprisonment.

The Court found the young man guilty and sentenced him to one year in prison conditionally. Nazarov received a shorter sentence since he admitted his guilt.

Recall that earlier a court in the Voronezh region sentenced a 30-year-old local resident to one and a half years of imprisonment and a fine of 10 thousand roubles for hacker attacks on State sites of Siberia and the Far East. Moreover, the hacker managed to hack the websites of commercial organizations. The man used the hacked services for personal mercenary purposes, including mining.

The Head of the FSB appealed for the creation of international rules on the Internet


The Head of the FSB of Russia, Alexander Bortnikov, stated the need to create international rules on the Internet. In particular, he called for encrypted messages in mobile applications to be made open to intelligence agencies.

If the international community can come to a consensus on this issue, the terrorists will actually lose the list of opportunities, such as propaganda, recruitment, financing, communication, management, said Bortnikov at an International Conference on Countering Terrorism on 18 April 2019 in St. Petersburg.

He noted that the use of cryptography in services for communication prevents the effective fight against terror. According to him, Russia has developed a concept for the creation of "the system of the deposit of encryption keys generated by mobile applications, which will be open for control" to solve this problem. Bortnikov proposed to the world community to realize this idea together and to provide intelligence agencies with legal access to important encrypted information of the terrorists.

In addition, Bortnikov noted that at the moment there are more than 10 thousand sites of existing international terrorist structures and thousands of accounts in social networks. The information is published in more than 40 languages, but the leading positions are occupied by Arabic, English and Russian languages.

Bortnikov added that the ability to hide data in IP-telephony and foreign e-mail servers leads to an increase in the spread of false reports of terrorist attacks, as well as the sale of weapons and explosives.

According to one of the amendments to the law on Autonomous RUnet (http://www.ehackingnews.com/2019/02/the-kremlin-told-about-hacker-attacks.html), IT-companies were obliged to use Russian cryptography for all traffic in the Russian segment. It is assumed that the Government will determine the issuance and use of codes and encryption.

In addition, in April 2018 Russia tried to block the Telegram messenger for refusing to provide the FSB with the encryption key of the negotiations of suspected terrorists (http://www.ehackingnews.com/2018/04/russian-court-orders-to-block-telegram.html).