Menu
Navigation

Global articles on espionage, spying, bugs, and other interesting topics.

Keep abreast of the espionage threats facing your organisation.

Global cyber-espionage campaign

Security researchers have identified an ongoing cyber-espionage campaign that compromised 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries in the past 10 days.

The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.

Dubbed MiniDuke, the attack campaign used targeted email messages — a technique known as spear phishing — that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.

The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.

The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.

The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine’s NATO membership action plan, a report on Ukraine’s regional foreign policy and a report on the 2013 Armenian Economic Association, and more.

If the exploit is successful, the rogue PDF files install a piece of malware that’s encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.

Another interesting aspect of this threat is that it’s only 20KB in size and was written in Assembler, a method that’s rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were “old-school,” he said.

The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.

The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that’s uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.

The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created, Raiu said. However, it’s possible that their activity was more subtle until recently, when they decided to take advantage of the new Adobe Reader exploit to compromise as many organizations as possible before the vulnerabilities get patched, he said.

The malware used in the new attacks is unique and hasn’t been seen before, so the group might have used different malware in the past, Raiu said. Judging by the wide range of targets and the global nature of the attacks, the attackers probably have a large agenda, he said.

MiniDuke victims include organizations from Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russia, Slovenia, Spain, Turkey, Ukraine, United Kingdom and the United States.

In the United States, a research institute, two pro-U.S. think tanks and a health care company have been affected by this attack, Raiu said without naming any of the victims.

The attack is not as sophisticated as Flame or Stuxnet, but is high-level nevertheless, Raiu said. There are no indications regarding where the attackers might operate from or what interests they might be serving.

That said, the backdoor coding style is reminiscent of a group of malware writers known as 29A, believed to be defunct since 2008. There’s a “666” signature in the code and 29A is the hexadecimal representation of 666, Raiu said.

A “666” value was also found in the malware used in the earlier attacks analyzed by FireEye, but that threat was different from MiniDuke, Raiu said. The question of whether the two attacks are related remains open.

News of this cyber-espionage campaign comes on the heels of renewed discussions about the Chinese cyber-espionage threat, particularly in the U.S., that were prompted by a recent report from security firm Mandiant. The report contains details about the years-long activity of a group of cyberattackers dubbed the Comment Crew that Mandiant believes to be a secret cyberunit of the Chinese Army. The Chinese government has dismissed the allegations, but the report was widely covered in the media.

Raiu said that none of the MiniDuke victims identified so far was from China, but declined to speculate on the significance of this fact. Last week security researchers from other companies identified targeted attacks that distributed the same PDF exploit masquerading as copies of the Mandiant report.

Those attacks installed malware that was clearly of Chinese origin, Raiu said. However, the way in which the exploit was used in those attacks was very crude and the malware was unsophisticated when compared to MiniDuke, he said.


Obama to combat cyber espionage

The United States has recently stepped up the rhetoric against China on cyber espionage, with President Barack Obama joined the chorus on Wednesday.

He complained billions of dollars could be lost due to theft of American corporate secrets, following warnings by Pentagon officials that cyber espionage could be a dire threat to America’s national security.

Washington’s allegations show it is rather impatient with rampant backdoor thefts in the digital world, but casting China as a specific culprit for the ubiquitous problem is unfair.

Computer hacking is an emerging threat to global security. Both China and the United States are victims of electronic assaults.

In 2012, more than 14 million computers in China were hijacked and controlled from foreign IP addresses, with more than 10 million of those being controlled from IP addresses in the U.S., according to CNCERT, China’s top Internet coordination center.

In fairness, that does not mean the hackers were American, or that Washington was supporting or condoning the digital attacks against China. With computer technologies evolving so fast, hackers can easily hide or change their IPs. That makes hackers anonymous and difficult to trace.

Using the same logic, any hasty accusation aimed at a specific country for cyber attacks is technologically flawed and politically inappropriate.

Blaming the attacks on Chinese hackers is a rash statement that lacks credible evidence, while picking on Beijing as backing such acts sounds like an insidious attempt to tarnish China’s image.

The Chinese government has launched dozens of campaigns against backdoor spying and malicious software, cutting off remote control by tens of millions of IP addresses.

To eradicate cyber crime on the borderless Internet is barely possible without transnational cooperation. In this new field, the United States and China share common interests.

China-U.S. relations are the most important bilateral relations on earth. Instead of trading barbs and taking aggressive steps against each other, the world’s biggest and second largest economies would do well to combine their efforts to build a safer virtual world.


Security Agencies Claim To Have Access to Skype Messages

Russian security services have the ability to monitor Skype communications, IT security experts said Thursday.

Ilya Sachkov, general director of the Group-IB computer security firm, said Russian security services have been able not only to eavesdrop on communications over Skype, but also to determine users’ locations “for a couple of years now,” Vedomosti reported.

“That’s why our company’s employees are prohibited from discussing work-related issues via Skype,” Sachkov said.

According to Peak Systems head Maxim Amm, when Microsoft bought Skype in May 2011, it fitted it out with a special technology for legal eavesdropping of online communications. The technology involved switching users to a special mode in which their messages are encrypted on a server where security agencies can decipher and read messages and voice conversations.

In the original Skype settings, messages were encrypted and thus impossible for third parties to read.

Another industry expert said that Microsoft provides monitoring capabilities for all secret services worldwide, not only Russian ones, Vedomosti reported.

Mikhail Pryanishnikov, the head of Microsoft’s Russian branch, said earlier that the company could legally give the Federal Security Service access to Skype’s source code.

Neither the Interior Ministry nor the Federal Security Service have commented on the news, but a source in the police said that “monitoring Skype cannot be considered an insurmountable task for Russian law enforcement agencies.”

Two experts on information security told Vedomosti that Russian security services do not always need a court decision to get access to private communications on Skype, and that in some cases they can eavesdrop “simply by request.”


MI5 test for Mandarin-speaking snoops ‘just too easy’

British intelligence nerve-centre MI5 is recruiting fluent Chinese speakers to eavesdrop on phone calls – but it got more than it bargained for when its Mandarin comprehension test was ridiculed by Redditors.

Blighty’s Security Service set up an online language exam, which encourages peeps with Mandarin, Russian, Sylheti, Swahili, Somali and Pashto skills to test their suitability for a role with the service.

It explains as follows:

The tests reflect the nature of some of the work of our Foreign Language Analysts, Mandarin Intelligence Analysts and Russian Analysts, who listen to lawfully intercepted phone calls made by the targets of our investigations.

You’ll use your judgement, language skills and cultural knowledge to decide between those calls that are important and those calls that are not, and transcribe your findings in clear and succinct written English to help further investigations.

However, users of the wildly popular social news website Reddit took the Chinese exam – which requires the applicant read or listen to a passage and answer a set of related questions – and were none too impressed with the quality of the language.

One Redditor, willdunz, opined yesterday: “This can’t be the real admission test right? I mean nobody talks like that in China; even those news anchors on CCTV [China Network Television] talk faster than this.”

Another, snackburros, claimed that the “written passage has some grammar, usage and sentence structure awkwardness to it”. One wag, getting his MI6 and MI5 mixed up, added: “Easiest test ever. I’m gonna be the first American James Bond in China.”

To be fair, the test is meant to be a basic first hurdle for those interested in such a role, rather than a green light for Chinese speakers into one of the UK’s most secretive and revered institutions.

MI5 explained as much in the following disclaimer:

The clips do not reflect the full complexity of the challenges offered by our analyst roles but they are indicative of the type of skills successful candidates should be comfortable using on a routine basis.

The Security Service, which mainly tackles major crime and terrorism within the UK, needs more language experts as it makes more requests to telcos than any other body for information on phone calls and internet activities in the UK.

That was according to a parliamentary report last month into a controversial draft communications surveillance law, which calls for much wider snooping powers. Officials claimed there is a 25 per cent “shortfall” in the comms data the authorities want and what they can currently get.


Researchers discover new global cyber- espionage campaign

Security researchers have identified an ongoing cyber-espionage campaign that compromised 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries in the past 10 days.

The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.

Dubbed MiniDuke, the attack campaign used targeted email messages — a technique known as spear phishing — that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.

The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.

The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.

The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine’s NATO membership action plan, a report on Ukraine’s regional foreign policy and a report on the 2013 Armenian Economic Association, and more.

If the exploit is successful, the rogue PDF files install a piece of malware that’s encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.

Another interesting aspect of this threat is that it’s only 20KB in size and was written in Assembler, a method that’s rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were “old-school,” he said.

The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.

The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that’s uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.

The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created, Raiu said. However, it’s possible that their activity was more subtle until recently, when they decided to take advantage of the new Adobe Reader exploit to compromise as many organizations as possible before the vulnerabilities get patched, he said.

The malware used in the new attacks is unique and hasn’t been seen before, so the group might have used different malware in the past, Raiu said. Judging by the wide range of targets and the global nature of the attacks, the attackers probably have a large agenda, he said.

MiniDuke victims include organizations from Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russia, Slovenia, Spain, Turkey, Ukraine, United Kingdom and the United States.

In the United States, a research institute, two pro-U.S. think tanks and a health care company have been affected by this attack, Raiu said without naming any of the victims.

The attack is not as sophisticated as Flame or Stuxnet, but is high-level nevertheless, Raiu said. There are no indications regarding where the attackers might operate from or what interests they might be serving.

That said, the backdoor coding style is reminiscent of a group of malware writers known as 29A, believed to be defunct since 2008. There’s a “666” signature in the code and 29A is the hexadecimal representation of 666, Raiu said.

A “666” value was also found in the malware used in the earlier attacks analyzed by FireEye, but that threat was different from MiniDuke, Raiu said. The question of whether the two attacks are related remains open.

News of this cyber-espionage campaign comes on the heels of renewed discussions about the Chinese cyber-espionage threat, particularly in the U.S., that were prompted by a recent report from security firm Mandiant. The report contains details about the years-long activity of a group of cyberattackers dubbed the Comment Crew that Mandiant believes to be a secret cyberunit of the Chinese Army. The Chinese government has dismissed the allegations, but the report was widely covered in the media.

Raiu said that none of the MiniDuke victims identified so far was from China, but declined to speculate on the significance of this fact. Last week security researchers from other companies identified targeted attacks that distributed the same PDF exploit masquerading as copies of the Mandiant report.

Those attacks installed malware that was clearly of Chinese origin, Raiu said. However, the way in which the exploit was used in those attacks was very crude and the malware was unsophisticated when compared to MiniDuke, he said.