spy Archives - Page 2 of 79 - Electronic Bug Sweeps

China passes counter-espionage law

BEIJING (Reuters) – China passed a counter-espionage law on Saturday aimed at tightening state security and helping build a “comprehensive” national security system, state media reported.

The law will allow authorities to seal or seize any property linked to activities deemed harmful to the country, the Xinhua news agency said.

Authorities can also ask organizations or individuals to stop or modify any behavior regarded as damaging to China’s interests, Xinhua said. Refusal to comply would allow enforcement agencies to confiscate properties.

Possession of espionage equipment, as defined by the state security department, had also been made illegal, Xinhua said. The news agency gave no further details.

As China already has broad laws governing state secrets and security, it was not clear to what extent the new law – passed by revising and re-naming a previous national security law for the first time in 21 years – would enhance policing powers.

The revised security law followed a Communist Party meeting last month that promised to allow courts more independence and curtail officials’ influence over legal cases, though the vows were criticized by some as lacking in substance.

Parliament also revised an “administrative procedure law” that would expand peoples’ right to sue the government.

The defendants in these legal cases, such as government officials, would be fined or detained if they “force a plaintiff to withdraw the suit through illegal means such as threats or fraud”, Xinhua said.

(Reporting by Koh Gui Qing; Editing by Robert Birsel)

By on 04/12/2014

Cyber ring stole secrets for gaming stock market, security firm says

Security researchers say they have uncovered a cyber espionage ring focused on stealing corporate secrets for the purpose of gaming the stock market, in an operation that has compromised sensitive data about dozens of publicly held companies.

Cybersecurity firm FireEye, which disclosed the operation Monday, said that since the middle of last year, the group has attacked email accounts at more than 100 firms, most of them pharmaceutical and healthcare companies.

Victims also include firms in other sectors, as well as corporate advisors including investment bankers, attorneys and investor relations firms, according to FireEye.

The cybersecurity firm declined to identify the victims. It said it did not know whether any trades were actually made based on the stolen data.

Still, FireEye Threat Intelligence Manager Jen Weedon said the hackers only targeted people with access to highly insider data that could be used to profit on trades before that data was made public.

They sought data that included drafts of U.S. Securities and Exchange Commission filings, documents on merger activity, discussions of legal cases, board planning documents and medical research results, she said.

“They are pursuing sensitive information that would give them privileged insight into stock market dynamics,” Weedon said.

The victims ranged from small to large cap corporations. Most are in the United States and trade on the New York Stock Exchange or Nasdaq, she said.

An FBI spokesman declined comment on the group, which FireEye said it reported to the bureau.

Home Depot faces dozens of lawsuits related to data breach Home Depot Inc. faces at least 44 lawsuits in the U.S. and Canada over a massive data breach this year that affected 56 million debit and credit cards. Home Depot Inc. faces at least 44 lawsuits in the U.S. and Canada over a massive data breach this year that affected 56 million debit and credit cards.

The security firm designated it as FIN4 because it is number 4 among the large, advanced financially motivated groups tracked by FireEye.

The hackers don’t infect the PCs of their victims. Instead they steal passwords to email accounts, then use them to access those accounts via the Internet, according to FireEye.

They expand their networks by posing as users of compromised accounts, sending phishing emails to associates, Weedon said.

FireEye has not identified the hackers or located them because they hide their tracks using Tor, a service for making the location of Internet users anonymous.

FireEye said it believes they are most likely based in the United States, or maybe Western Europe, based on the language they use in their phishing emails, Weedon said.

She said the firm is confident that FIN4 is not from China, based on the content of their phishing emails and their other techniques.

Researchers often look to China when assessing blame for economically motivated cyber espionage. The United States has accused the Chinese government of encouraging hackers to steal corporate secrets, allegations that Beijing has denied, causing tension between the two countries.

Weedon suspects the hackers were trained at Western investment banks, giving them the know-how to identify their targets and draft convincing phishing emails.

“They are applying their knowledge of how the investment banking community works,” Weedon said.

By on 03/12/2014

Police bugging: secrecy must stop

“This secrecy must stop”: Greens justice spokesman David Shoebridge. Photo: Darren Pateman

The police bugging scandal that has plagued top levels of the NSW force for more than a decade will be examined by a NSW parliamentary inquiry with concerns the Ombudsman has taken too long to finalise his investigation.

The state government tasked the Ombudsman in October 2012 with inquiring into allegations surrounding illegal bugging by the NSW Police’s Special Crime and Internal Affairs and the NSW Crime Commission between 1999 and 2001 and the investigation that followed into it.

But after more than two years, the $3 million inquiry, dubbed Operation Prospect and held behind closed doors, has released no specific details.

Now, The Shooters and Fishers Party, with the support of Labor and The Greens, will establish an inquiry that will examine the bugging allegations, the subsequent police investigation into those allegations and the Ombudsman’s inquiry. It will report by February 2015.

Shadow attorney-general Paul Lynch said Labor was in support of the inquiry because the original matters involving allegations of police bugging “were extremely serious”.

“It’s taken way too long to get to this stage,” he said. “These things will undoubtedly benefit from ventilation in public”.

The Greens justice spokesman David Shoebridge said the inquiry would remove the secrecy behind the police bugging scandal which has affected the most senior ranks of the NSW Police.

The current Commissioner, Andrew Scipione, and a current Deputy Commissioner, Catherine Burn, worked at SCIA at relevant times. One of the detectives SCIA was bugging was Nick Kaldas, now also a Deputy Commissioner.

“What we have is a secret police investigation that obtained secret warrants, that was then reviewed by a secret police investigation and is now being considered by a seemingly endless secret Ombudsman’s inquiry,” Mr Shoebridge said. “This secrecy must stop.”

Between 1999 and 2001, the SCIA and the crime commission ran a covert investigation codenamed Operation Mascot into allegedly corrupt NSW police.

Central to Mascot was a serving NSW police officer, codenamed M5, who went to work for SCIA and the commission, wearing a wire to bug his colleagues, some of whom were undoubtedly corrupt. But many of those he sought to entrap were honest police.

Some listening device warrants obtained by SCIA and the commission contained more than 100 names, mainly of former and serving police.

In many cases, the affidavits presented to Supreme Court judges contained no information whatsoever that would justify the bugging, and Fairfax Media has established that some of the information in the affidavits was false.

Many police involved in the case believe numerous criminal offences have been committed by some officers of the SCIA and the commission.

Complaints by police, including some from within SCIA itself, were internally investigated by NSW police from Strike Force Emblems as far back as 2004. But inquiries were stymied by the secrecy provisions of the NSW Crime Commission, which refused to co-operate or hand over crucial documents.

Successive governments refused to release the Emblems reports – but they were obtained by Fairfax Media. The reports said “criminal conduct” and revenge might have been behind the mass bugging.

The first Emblems report found there may have been “criminal conduct” involved in the bugging of 100 serving and former police.

Even M5, the NSW police officer doing the undercover bugging, confessed that in some cases he was “settling old scores” and “assisting, nurturing corruption”.

By on 30/11/2014

Global cyber-espionage campaign

Security researchers have identified an ongoing cyber-espionage campaign that compromised 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries in the past 10 days.

The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.

Dubbed MiniDuke, the attack campaign used targeted email messages — a technique known as spear phishing — that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.

The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.

The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.

The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine’s NATO membership action plan, a report on Ukraine’s regional foreign policy and a report on the 2013 Armenian Economic Association, and more.

If the exploit is successful, the rogue PDF files install a piece of malware that’s encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.

Another interesting aspect of this threat is that it’s only 20KB in size and was written in Assembler, a method that’s rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were “old-school,” he said.

The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.

The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that’s uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.

The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created, Raiu said. However, it’s possible that their activity was more subtle until recently, when they decided to take advantage of the new Adobe Reader exploit to compromise as many organizations as possible before the vulnerabilities get patched, he said.

The malware used in the new attacks is unique and hasn’t been seen before, so the group might have used different malware in the past, Raiu said. Judging by the wide range of targets and the global nature of the attacks, the attackers probably have a large agenda, he said.

MiniDuke victims include organizations from Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russia, Slovenia, Spain, Turkey, Ukraine, United Kingdom and the United States.

In the United States, a research institute, two pro-U.S. think tanks and a health care company have been affected by this attack, Raiu said without naming any of the victims.

The attack is not as sophisticated as Flame or Stuxnet, but is high-level nevertheless, Raiu said. There are no indications regarding where the attackers might operate from or what interests they might be serving.

That said, the backdoor coding style is reminiscent of a group of malware writers known as 29A, believed to be defunct since 2008. There’s a “666” signature in the code and 29A is the hexadecimal representation of 666, Raiu said.

A “666” value was also found in the malware used in the earlier attacks analyzed by FireEye, but that threat was different from MiniDuke, Raiu said. The question of whether the two attacks are related remains open.

News of this cyber-espionage campaign comes on the heels of renewed discussions about the Chinese cyber-espionage threat, particularly in the U.S., that were prompted by a recent report from security firm Mandiant. The report contains details about the years-long activity of a group of cyberattackers dubbed the Comment Crew that Mandiant believes to be a secret cyberunit of the Chinese Army. The Chinese government has dismissed the allegations, but the report was widely covered in the media.

Raiu said that none of the MiniDuke victims identified so far was from China, but declined to speculate on the significance of this fact. Last week security researchers from other companies identified targeted attacks that distributed the same PDF exploit masquerading as copies of the Mandiant report.

Those attacks installed malware that was clearly of Chinese origin, Raiu said. However, the way in which the exploit was used in those attacks was very crude and the malware was unsophisticated when compared to MiniDuke, he said.

By on 18/03/2013

Obama to combat cyber espionage

The United States has recently stepped up the rhetoric against China on cyber espionage, with President Barack Obama joined the chorus on Wednesday.

He complained billions of dollars could be lost due to theft of American corporate secrets, following warnings by Pentagon officials that cyber espionage could be a dire threat to America’s national security.

Washington’s allegations show it is rather impatient with rampant backdoor thefts in the digital world, but casting China as a specific culprit for the ubiquitous problem is unfair.

Computer hacking is an emerging threat to global security. Both China and the United States are victims of electronic assaults.

In 2012, more than 14 million computers in China were hijacked and controlled from foreign IP addresses, with more than 10 million of those being controlled from IP addresses in the U.S., according to CNCERT, China’s top Internet coordination center.

In fairness, that does not mean the hackers were American, or that Washington was supporting or condoning the digital attacks against China. With computer technologies evolving so fast, hackers can easily hide or change their IPs. That makes hackers anonymous and difficult to trace.

Using the same logic, any hasty accusation aimed at a specific country for cyber attacks is technologically flawed and politically inappropriate.

Blaming the attacks on Chinese hackers is a rash statement that lacks credible evidence, while picking on Beijing as backing such acts sounds like an insidious attempt to tarnish China’s image.

The Chinese government has launched dozens of campaigns against backdoor spying and malicious software, cutting off remote control by tens of millions of IP addresses.

To eradicate cyber crime on the borderless Internet is barely possible without transnational cooperation. In this new field, the United States and China share common interests.

China-U.S. relations are the most important bilateral relations on earth. Instead of trading barbs and taking aggressive steps against each other, the world’s biggest and second largest economies would do well to combine their efforts to build a safer virtual world.