Normal view
- Cybersecurity News and Magazine
- Russian Hackers Used Two New Backdoors to Spy on European Foreign Ministry
- Cybersecurity News and Magazine
- British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks
British Columbia Discloses Multiple ‘Cybersecurity Incidents’ Impacting Government Networks
Opposition’s Spar in the House
B.C.'s political adversaries engaged in heated debate during the question period on Thursday morning, a day after the province disclosed the multiple cybersecurity incidents within its networks. British Columbia United MLA Todd Stone criticized the government, alleging it "concealed a massive cyberattack on the provincial government for eight days." Stone’s accusations came on the backdrop of a memo from The Office of the Chief Information Officer that directed all provincial employees to immediately change passwords. British Columbians are rightly concerned about their sensitive information, questioning whether it has been compromised by a foreign, state-sponsored cyberattack. So, I ask the premier today: Will he reveal who was responsible for this attack?" Stone demanded. Stone pointed out the timing of Eby's Wednesday statement, suggesting it was issued discreetly "while everyone was preoccupied with last night’s Canucks game." [caption id="attachment_67963" align="aligncenter" width="256"] BC United MLA Todd Stone arguing in the House during the QP on Thursday morning. (Credit: Legislative Assembly of B.C.)[/caption]“How much sensitive personal information was compromised, and why did the premier wait eight days to issue a discreet statement during a Canucks game to disclose this very serious breach to British Columbians?” the Opposition MLA asked.In response to BC United's criticisms, Public Safety Minister Mike Farnworth accused Stone of "playing politics." “We take our advice from the Canadian Cyber Security Service, who deal with these kinds of things on an ongoing basis. That’s who we will take the advice from in terms of protecting public information, every single time. We will never take advise from the opposition — all they ever want to do is play politics,” Farnworth retorted amid uproar in the House. [caption id="attachment_67981" align="aligncenter" width="271"] Public Safety Minister Mike Farnworth addressing opposition queries. (Credit: Legislative Assembly of B.C.)[/caption]
“When an incident like this happens, the first thing that happens is the protection of the system, honourable speaker. The protection of the information that’s done by technical experts, honourable speaker, who work on the advice of the Canadian Cyber Security System,” Farnworth explained.“And, honourable speaker, the reason they do that is because if you go out and give information before that’s done, you actually end up compromising people’s information, potentially.”
Multiple Cybersecurity Incidents Rock B.C. in Last Few Weeks
The latest revelation of cyberattacks on government networks comes on the heels of a string of cyberattacks that the westernmost province in Canada is facing. B.C. headquartered retail and pharmacy chain London Drugs announced April 28, closure of its stores across Western Canada after falling victim to a cybersecurity incident. The impact was such that they were forced to even take their phones offline and pharmacies could only satisfy “urgent” needs of patients on-site. Addressing reporters later Thursday afternoon, Farnworth clarified that there was no evidence linking the multiple cybersecurity incidents targeting the province networks to the event that led to the closure of London Drugs locations in the west for several days. "At present, we lack any information suggesting a connection. Once an incident is detected, technical security teams work swiftly to secure the system and ensure its integrity, while closely coordinating with the Canadian Cyber Security Service to address the situation," he explained. "While a comprehensive investigation involving multiple agencies is ongoing, we currently have no indication of any link to the London Drugs incident." The same day as the London Drugs cyberattack came to light, another western province entity BC Libraries reported a cybersecurity incident where a hacker attempted to extort payment for data exfiltrated from its newly commissioned server and threatening to release that data publicly if no payment was received.China’s Involved?
This development follows an official inquiry in Canada, revealing unsuccessful Chinese attempts to interfere in past elections. Beijing has refuted these allegations. The Canadian Security Intelligence Service (CSIS) recently published an annual report, warning of ongoing Chinese interference in Canadian political affairs, risking democratic integrity.“Canada’s strong democratic institutions, advanced economy, innovative research sectors, and leading academic institutions make Canada an attractive target for cyber-enabled espionage, sabotage, and foreign influenced activities, all of which pose significant threats to Canada’s national security,” the report said.The report identified China as a state-based threat conducting widespread cyber espionage across various sectors, including government, academia, private industry, and civil society organizations.
MITRE Hack: China-Linked Group Breached Systems in December 2023
MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.
The post MITRE Hack: China-Linked Group Breached Systems in December 2023 appeared first on SecurityWeek.
Iranian Cyberspies Hit Targets With New Backdoors
Iranian state-sponsored group APT42 is targeting NGOs, government, and intergovernmental organizations with two new backdoors.
The post Iranian Cyberspies Hit Targets With New Backdoors appeared first on SecurityWeek.
- Cybersecurity News and Magazine
- Six Australian MPs Confirm They were Targeted by China’s APT31 Hackers
Six Australian MPs Confirm They were Targeted by China’s APT31 Hackers
“The apparent intention [of the cyberattack] was to garner sufficient information to mount more sophisticated follow-on attacks, escalating in severity.”Those targeted included Senator James Paterson, Senator Claire Chandler, Senator Alex Antic, David Smith MP, Daniel Mulino MP and Tim Wilson MP.
Security Agencies Chose to Remain Tight-Lipped
Australia’s security agencies reportedly received two warnings about Chinese hackers targeting Australian MPs, but they chose not to inform the lawmakers about the cyberattacks. “It is staggering that both the targeted members of parliament and the broader Australian public have been kept in the dark about a direct attempt at cyber interference against Australian parliamentarians,” Senator Claire Chandler said.“Incredibly, despite Australian authorities being notified of this hacking attempt in 2022, agencies did not alert my colleagues and I that we had been targeted.It’s unacceptable that this information was withheld from us for two years,” Chandler added.The Five Eyes intelligence agency reportedly alerted Australia’s security agencies in mid-2021 about attacks that occurred earlier in January. Then, in June 2022, the FBI officially notified Australian authorities about attempts by the Chinese hacking group APT31 to target six Australian MPs. However, the agencies opted against informing the Government or the affected MPs. The IPAC, consisting of 20 Australian MPs, only became aware of the attempted attack when the US Department of Justice indicted seven Chinese hackers in April this year -three years after the initial warning. The National Cyber Security Centre of the United Kingdom also called out the Chinese APT31 actors for their malicious cyber targeting of UK’s democratic institutions and parliamentarians earlier in March. Following this revelation, MPs demanded an explanation from the Australian Security Intelligence Organisation regarding the lack of notification. After receiving a briefing, they released a joint statement today expressing outrage and demanding a robust response to protect Australian sovereignty. “We were not informed by Australian agencies at any time since 2021 about this targeting,” the statement from IPAC members targeted by APT31 said.
“This was not an attack on any single party or House of Parliament. This was an attack on Australian parliamentarians from both Houses and both parties who have dared to exercise their legitimate democratic right to criticize Beijing. As such, it was an attack on Parliament as a whole and demands a robust and proportionate response,” the IPAC members’ statement said.“It is very worrying for our democracy that elected members of parliament have been targeted by PRC-state sponsored hacking attempts specifically because we have expressed concern about the behavior of the PRC, including human rights violations in Xinjiang and coercive behavior against Australia,” Senator Claire Chandler said. “It is in Australia’s national interest for Australians to be properly informed about the behavior of the PRC government. The withholding of information about the targeting of Australian elected representatives by state-affiliated cyber criminals means that Australians have been given a misleading impression of the PRCs behavior towards our country,” Chandler added. The targeted IPAC members insisted on being informed about future attempts to target them by state-sponsored groups, for which they have received an assurance from the government.
“I welcome the assurance that in future agencies will inform MPs about any attempts by state-sponsored cyber actors to target parliamentarians,” Senator Claire Chandler said.The Australian agencies likely refrained from informing MPs because they considered the attacks crude and unsuccessful, according to Austrlian news agency The Nightly. Moreover, they occurred during a period when MPs and the public were already being cautioned to enhance their cybersecurity. Paterson, who is also the co-chair of IPAC Australia, denounced the attempted hack.
“Targeting parliamentarians, as the CCP has done, is not the act of a friend. It is yet another obstacle to a normal bilateral relationship. We should never hesitate to call out this behavior or be afraid to impose real costs to deter it,” he tweeted.
APT31 Used Pixel Tracking Emails
APT31 hackers targeted MPs with pixel tracking emails from a domain pretending to be a news outlet. If opened, these emails tracked the recipients' online behavior. According to the FBI's indictment released last month, the hackers spammed various government individuals worldwide associated with IPAC, with more than 10,000 malicious emails that also exploited zero-days and resulted in potential compromise of economic plans, intellectual property and trade secrets. Last month, FBI Director Christopher Wray highlighted the magnitude of Chinese hacking, stating that it surpassed that of every other major nation combined. He underscored the overwhelming scale of Chinese cyber operations, indicating the challenges faced by law enforcement in countering these threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.- SecurityWeek
- German Foreign Minister Says Russia will Face Consequences for Monthslong Cyber Espionage
German Foreign Minister Says Russia will Face Consequences for Monthslong Cyber Espionage
Germany accused Russian military agents of hacking the top echelons of Chancellor Olaf Scholz’s party and other government and industrial targets.
The post German Foreign Minister Says Russia will Face Consequences for Monthslong Cyber Espionage appeared first on SecurityWeek.
Whale Song Code
During the Cold War, the US Navy tried to make a secret code out of whale song.
The basic plan was to develop coded messages from recordings of whales, dolphins, sea lions, and seals. The submarine would broadcast the noises and a computer—the Combo Signal Recognizer (CSR)—would detect the specific patterns and decode them on the other end. In theory, this idea was relatively simple. As work progressed, the Navy found a number of complicated problems to overcome, the bulk of which centered on the authenticity of the code itself.
The message structure couldn’t just substitute the moaning of a whale or a crying seal for As and Bs or even whole words. In addition, the sounds Navy technicians recorded between 1959 and 1965 all had natural background noise. With the technology available, it would have been hard to scrub that out. Repeated blasts of the same sounds with identical extra noise would stand out to even untrained sonar operators.
In the end, it didn’t work.
- Cybersecurity News and Magazine
- Russian State Hackers Biggest Cyber Threat to US, UK and EU Elections
Russian State Hackers Biggest Cyber Threat to US, UK and EU Elections
“Multiple Russian groups have targeted past elections in the U.S., France, and Ukraine, and these groups have continued to demonstrate the capability and intent to target elections both directly and indirectly,” Mandiant said.
Why Russia is the Biggest Cyber Threat to Election Security
Russia's approach to election interference is multifaceted, blending cyber intrusion activities with information operations aimed at influencing public perceptions and sowing discord. State-sponsored cyber threat actors, such as APT44, better known as the cyber sabotage unit Sandworm, and APT28 have a history of targeting elections in the U.S., and Europe. These actors employ hybrid operations, combining cyber espionage with hack-and-leak tactics to achieve their objectives. The 2016 U.S. presidential election is a prime example of Russia's cyber interference capabilities, as per Mandiant. APT28, linked to Russia intelligence unit - the GRU, compromised Democratic Party organizations and orchestrated a leak campaign to influence the election's outcome. Similarly, in Ukraine, APT44 conducted disruptive cyber operations during the 2014 presidential election, aiming to undermine trust in the electoral process. Jamie Collier, Mandiant senior threat intelligence advisor said, “One group to watch out for is UNC5101 that has conducted notable hybrid operations in the past.” Mandiant reports UNC5101 engaging in cyber espionage against political targets across Europe, Palestinian Territories, and the U.S. The actor has also used spoofed Ukrainian government domains to spread false narratives directly to government employees' inboxes. Before Russia's 2023 and 2024 elections, UNC5101 registered domains related to opposition figures like Alexei Navalny and conducted likely information operations to deceive voters. Russian state-aligned cyber threat actors target election-related infrastructure for various reasons including applying pressure on foreign governments, amplifying issues aligned with Russia's national interests, and retaliating against perceived adversaries. Groups like APT28 and UNC4057 conduct cyber espionage and information operations to achieve these objectives, Mandiant said.Beijing’s Interest in Information Operations
Collier noted that state threats to elections are far more than just a Russia problem.“For instance, we have seen pro-China information operations campaigns carry out election-related activity in the US, Taiwan, and Hong Kong,” Collier said.China's approach to election cybersecurity focuses on intelligence collection and influence operations that promote narratives favorable to the Chinese Communist Party (CCP). State-sponsored actors like TEMP.Hex have targeted elections in Taiwan, using cyberespionage to gather critical information and using information operations to shape public discourse, Mandiant’s analysis found. In the lead-up to Taiwan's 2024 presidential election, Chinese threat actors intensified cyber espionage activities, targeting government, technology, and media organizations. Concurrently, pro-PRC information operations sought to discredit candidates perceived as unfriendly to China, using fabricated leaks and disinformation campaigns to sway public opinion, which even the Taiwanese government confirmed.
Watch-Out for Iran’s Espionage and Influence Campaigns
Iranian state hackers are another group of threat actors to keep an eye on for their cyber espionage and influence campaigns, Mandiant noted.“[Irans’s] campaigns will rise as elections approach in key nations of interest to the Islamic Republic, such as counterparts in the currently stalled nuclear negotiations, and countries offering support to Israel during current fighting in Gaza,” Mandiant said.During the 2020 U.S. presidential election, Iran attempted to compromise state voter registration websites and disseminate false information. The U.S. Department of Justice charged two Iranian nationals in 2021 for their involvement in this campaign. Pro-Iranian influence campaigns, including Liberty Front Press and Roaming Mayfly, target global audiences with anti-U.S. and anti-Israeli propaganda, amplifying partisan divisions and fostering distrust in democracies, Mandiant said.
Diverse Targets Multiple Vectors
Securing elections requires protecting not only voting machines and voter registries but also a wide range of entities involved in the electoral process. Political parties, news media, and social media platforms are frequent targets of cyber operations, which also comes under the attack surface of elections. [caption id="attachment_65433" align="aligncenter" width="551"] Credit: Mandiant[/caption] Cyber threat actors are increasingly employing hybrid operations, combining multiple tactics to amplify their impact. Examples from past elections, such as the Ukrainian presidential election in 2014, illustrate how they are using a combination of cyber intrusions, data leaks, and DDoS attacks to disrupt electoral processes. Owing to this Mandiant detailed likely threat vectors that could be used in the upcoming election season: [caption id="attachment_65432" align="aligncenter" width="819"] Credit: Mandiant[/caption] The threats posed by Russian, Chinese, and Iranian state actors to election cybersecurity are complex and multifaceted. By understanding the tactics and objectives of these actors, election organizations can develop effective mitigation strategies to safeguard democratic processes. However, addressing these threats requires a concerted effort involving international cooperation and a commitment to upholding the integrity of democratic elections worldwide. In-line with this, the U.S. agencies recently released guidance to defending the integrity of democratic processes. The guidance extensively details common tactics seen in foreign malign influence operations, offering real-world instances and suggesting possible countermeasures for stakeholders in election infrastructure. Though many of these tactics aren't new, the widespread use of generative artificial intelligence (AI) has notably amplified adversaries' ability to produce and spread persuasive malicious content, the guidance said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations
Russia-linked APT28 deploys the GooseEgg post-exploitation tool against numerous US and European organizations.
The post Russian Cyberspies Deliver ‘GooseEgg’ Malware to Government Organizations appeared first on SecurityWeek.
- Cybersecurity News and Magazine
- TransparentTribe: The Elusive Threat Targeting India’s Defense Sector
TransparentTribe: The Elusive Threat Targeting India’s Defense Sector
Decoding the New Threat Actor: TransparentTribe
According to the Cyble Vision Threat Library, TransparentTribe, also known as APT 36 or Project Mythic Leopard, has been active, with its last sighting dated April 1, 2023. Their activities extend beyond traditional cyber espionage, with recent investigations uncovering connections to watering hole sites focused on Indian military personnel. [caption id="attachment_63901" align="alignnone" width="662"] Source: Cyble Vision Threat Library[/caption] Moreover, TransparentTribe's reach spans across borders, with primary targets including India and Afghanistan, along with various other nations such as Australia, Japan, and the USA, among others. Their relentless pursuit of sensitive information knows no bounds, targeting sectors ranging from defense to education and governmental organizations. [caption id="attachment_63902" align="alignnone" width="442"] Source: Cyble Vision[/caption] Operating out of Pakistan, TransparentTribe poses a significant threat to national security, employing aliases like Green Havildar and APT-C-56. Suspected ties with other APT groups like SideCopy and SideWinder further underscore the complexity of the threat landscape.The Mechanics of TransparentTribe Hacker Group
[caption id="attachment_63903" align="alignnone" width="1378"] Source: Cyble[/caption] The lifecycle of TransparentTribe's attacks involves multiple infection vectors, including phishing emails, malvertising, and social engineering. Their persistence is evident in the continuous monitoring of developments within targeted sectors, exploiting them as lures for their campaigns. Windows, Linux, and Android systems alike fall prey to TransparentTribe's tactics, with tailored approaches for each platform. Exploiting vulnerabilities like CVE-2012-0158 and CVE-2010-3333, they deliver their payloads, including a diverse range of RATs like Crimson RAT, DarkComet, and QuasarRAT, each with its specific capabilities and functionalities. Their network activities are intricate, utilizing well-crafted phishing URLs and registering domains on servers associated with Hostinger ASN. Moreover, the overlap in command and control (C&C) infrastructure and the use of platforms like Google Drive for hosting malware further complicate detection and mitigation efforts. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.U.S. Scrutiny of Chinese Company Could Disrupt U.S. Supply Chain for Key Drugs
Microsoft Is Spying on Users of Its AI Tools
Microsoft announced that it caught Chinese, Russian, and Iranian hackers using its AI tools—presumably coding tools—to improve their hacking abilities.
From their report:
In collaboration with OpenAI, we are sharing threat intelligence showing detected state affiliated adversaries—tracked as Forest Blizzard, Emerald Sleet, Crimson Sandstorm, Charcoal Typhoon, and Salmon Typhoon—using LLMs to augment cyberoperations.
The only way Microsoft or OpenAI would know this would be to spy on chatbot sessions. I’m sure the terms of service—if I bothered to read them—gives them that permission. And of course it’s no surprise that Microsoft and OpenAI (and, presumably, everyone else) are spying on our usage of AI, but this confirms it.
EDITED TO ADD (2/22): Commentary on my use of the word “spying.”