Posts Tagged ‘FireEye’

North Korea gets second web connection via Russian firm

October 5, 2017

AFP

© AFP | A North Korean woman sits at a computer in Pyongyang

SEOUL (AFP) – A state-owned Russian company has opened up a second internet connection for North Korea which could strengthen Pyongyang’s cyber capabilities and undermine US efforts to isolate the regime, security experts said.

The activation of the new line from TransTeleCom was first detected Sunday by analysts at Dyn Research, which monitors global internet connectivity.

The new connection supplements the existing link provided by China Unicom, which has almost exclusively routed North Korean internet traffic since 2010.

The additional line gives Pyongyang “significantly more resilience against attacks on their network infrastructure,” said Bryce Boland, the chief technology officer in the Asia-Pacific for cybersecurity firm FireEye.
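How a route-monitoring service such as Dyn Research can spot a new line like this: in a BGP announcement the AS immediately before the origin AS is one of the origin's transit providers, so comparing that set against a baseline shows when a second provider appears and whether the network is still single-homed (the "resilience" Boland refers to). The following is an added example, not code from the article, Dyn or FireEye; the prefix, AS numbers and route lines are constructed for illustration and are assumptions of this example, not figures stated in the article.

```python
from collections import defaultdict

# Constructed BGP route-collector snapshots, one "<prefix> <AS path>" per line.
# The prefix and AS numbers are assumptions of this example, not values from the
# article; in a real check they come from a route collector (RouteViews, RIPE RIS).
ORIGIN_AS = 131279                     # assumed origin AS of the monitored prefix
PREFIX = "175.45.176.0/22"             # assumed monitored prefix

BASELINE_ROUTES = """\
175.45.176.0/22 3356 4837 131279
175.45.176.0/22 2914 4837 4837 131279
175.45.176.0/22 6939 4134 4837 131279
"""

CURRENT_ROUTES = """\
175.45.176.0/22 3356 4837 131279
175.45.176.0/22 2914 20485 131279
175.45.176.0/22 6939 4134 4837 131279
175.45.176.0/22 174 20485 131279
"""


def parse_routes(text):
    """Return {prefix: [as_path, ...]}; each AS path is a list of ints with
    AS-path prepending (repeated ASNs) collapsed so adjacency reflects real hops."""
    routes = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, *path = line.split()
        hops = []
        for asn in path:
            n = int(asn)
            if not hops or hops[-1] != n:
                hops.append(n)
        routes[prefix].append(hops)
    return routes


def upstreams(routes, prefix, origin_as):
    """ASes seen directly before the origin: the origin's transit providers."""
    providers = set()
    for path in routes.get(prefix, []):
        if len(path) >= 2 and path[-1] == origin_as:
            providers.add(path[-2])
    return providers


def upstream_share(routes, prefix, origin_as):
    """Fraction of observed paths that reach the origin through each provider."""
    counts = defaultdict(int)
    paths = [p for p in routes.get(prefix, []) if len(p) >= 2 and p[-1] == origin_as]
    for p in paths:
        counts[p[-2]] += 1
    return {asn: c / len(paths) for asn, c in counts.items()} if paths else {}


def diff_upstreams(baseline_text, current_text, prefix=PREFIX, origin_as=ORIGIN_AS):
    """Compare two snapshots and report provider changes and single-homing."""
    base = upstreams(parse_routes(baseline_text), prefix, origin_as)
    cur_routes = parse_routes(current_text)
    cur = upstreams(cur_routes, prefix, origin_as)
    return {
        "added": cur - base,
        "removed": base - cur,
        "single_homed": len(cur) == 1,
        "share": upstream_share(cur_routes, prefix, origin_as),
    }


if __name__ == "__main__":
    print(diff_upstreams(BASELINE_ROUTES, CURRENT_ROUTES))
```

Run against the baseline the report shows one provider (single-homed); against the current snapshot a second provider appears and the paths split between the two, which is the condition that makes a single-upstream takedown ineffective. Paths are collapsed for prepending because a prepended provider is still one provider, not extra redundancy.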

The Washington Post reported earlier that the US Cyber Command had carried out attacks against hackers in North Korea aimed at cutting off their access to the Internet.

The operation ended Saturday, the report said.

North Korea has a 6,800-strong unit of trained cyberwarfare specialists, according to Seoul’s defence ministry, and has been accused of launching high-profile cyberattacks including the 2014 hacking of Sony Pictures.

But with only one internet provider to rely on, the regime has often found itself vulnerable to external cyberattacks against its own network infrastructure.

North Korea suffered several internet connection failures — some which lasted for hours — shortly after the Sony attack, which many suspected to be a US retaliation.

With the alternate route from Russia, “the possibility of disconnecting North Korea from the Internet just became much more difficult,” Boland said.


N. Korea hackers ‘suspected of stealing bitcoins’

September 12, 2017

AFP

© AFP/File | Experts suspect North Korean hackers of trying to steal bitcoins and other virtual currencies

SEOUL (AFP) – North Korea is suspected of intensifying cyber-attacks to steal virtual currency in order to obtain funds and avert tightening sanctions, according to security experts.

North Korean hackers have mounted attacks on at least three South Korean cryptocurrency exchanges since May, security researcher FireEye said in a report Monday.

The attacks include an apparently successful one when four wallets at Seoul-based exchange Yapizon were compromised.

Local news reports said that in May Yapizon had more than 3,800 bitcoins worth $15 million stolen — although FireEye said there were no clear indications of North Korean involvement in that case.

South Korea’s opposition Bareun Party lawmaker Ha Tae-Kyung, who has followed North Korean hacking attempts, said it had apparently stolen more than 90 billion won ($80 million) from South Korea through hacking attacks in the four years to June, including cyber-attacks on ATMs.

“North Korea has set its sights on the so-called next generation financial markets, including virtual currencies, fintech and blockchains,” he told journalists last week.

“Alongside the UN-imposed sanctions, international cooperation is also required to curb the North’s cyber-hacking which can be used to finance its nuclear and missile programmes”, he said.

South Korea has become one of the world’s busiest trading hubs for cryptocurrencies, with Seoul-based Bithumb ranking as the world’s largest exchange for the ethereum virtual currency.

In June Bithumb was hit by cyber attacks, possibly linked to the North, in which information about 30,000 customers was leaked.

Some 160 customers are preparing a class action suit against Bithumb, claiming they lost around $10 million in total.

North Korean actors used “spearphishing” attacks targeting the personal email accounts of employees at digital currency exchanges, FireEye said in its report published Monday.

They frequently use tax-themed lures and deployed malware and variants linked to the North Koreans who are suspected of being behind intrusions into global banks in 2016, FireEye said.

“It should be no surprise that cryptocurrencies, as an emerging asset class, are becoming a target of interest by a regime that operates in many ways like a criminal enterprise”, it said.

Vietnam’s President Calls for Tougher Internet Controls — “Going Chinese”

August 20, 2017

HANOI — Vietnam’s president called on Sunday for tougher controls on the internet in the face of dissidents who are using it to criticize the ruling Communist Party, and to combat threats to cybersecurity.

Vietnam’s government has stepped up a crackdown on activists this year, but despite the arrest and sentencing of several high profile figures, there has been little sign of it silencing criticism on social media.

President Tran Dai Quang made the call in an article published on the government website.


He said hostile forces had used the internet to organize offensive campaigns that “undermined the prestige of the leaders of the party and the state, with a negative impact on cadres, party members and people”.

Quang said Vietnam needed to pay greater attention to controlling online information, especially on social networks, and needed an effective solution “to prevent news sites and blogs with bad and dangerous content”.

Quang’s own standing had been the subject of internet rumor and gossip in recent days because he has been largely absent from the public eye.

Vietnam has intensified crackdowns on both government critics and officials accused of corruption since security-minded conservatives gained greater sway within the Communist Party early last year.

Vietnam is in the top 10 countries for Facebook users by numbers and Google’s YouTube is also a popular platform.

Quang also highlighted threats to cybersecurity, saying Vietnam was under increasing attack by criminals seeking information and state secrets, and attempting to carry out acts of sabotage.

Thousands of computers in Vietnam were affected by the WannaCry virus in May.

In a report three months ago, security company FireEye said hackers working on behalf of the Vietnamese government had broken into the computers of multinationals in the country. Vietnam forcefully rejected the accusation.

(Reporting by Mi Nguyen; Writing by Matthew Tostevin; editing by David Stamp)


Vietnam-linked hackers likely targeting Philippines over South China Sea dispute: FireEye — State-sponsored hacker groups involved

May 27, 2017

Reuters

Hackers linked with Vietnam’s government are likely targeting Philippine state agencies to gather intelligence related to the maritime dispute in the South China Sea, cybersecurity company FireEye (FEYE.O) said on Thursday.

Vietnam’s government was not immediately available for comment – though it has regularly dismissed similar allegations in the past. The Philippines’ foreign ministry told Reuters it would look into the report.

FireEye said the hackers, called APT32, had attacked a Philippine consumer products corporation and a Philippine technology infrastructure firm in 2016, alongside other companies, some doing business in Vietnam.

The attackers were also targeting Philippine government agencies, FireEye’s chief technology officer for Asia Pacific, Bryce Boland, added in a media briefing.

“This is presumably in order to gain access to information about military preparation and understanding how the organizations within the government operate in order to be better prepared in case of potentially military conflict,” Boland said.

“There are overlapping claims between Vietnam and the Philippines over some islands in the South China Sea and it is quite likely that intelligence gathering is starting around that,” Boland said.

APT stands for advanced persistent threat, a term often used to describe state-sponsored hacker groups.

“We believe all of the activities of APT32 are aligned to the interests of the Vietnamese government,” Boland said.

The Philippines, Vietnam, China, Malaysia, Taiwan and Brunei contest all or parts of the South China Sea, through which about $5 trillion in ship-borne trade passes every year.

Vietnam’s foreign ministry said this month the government did not allow any form of cyber attacks against organizations or individuals.

“All cyber attacks or threats to cyber security must be condemned and severely punished in accordance with regulations and laws,” spokeswoman Le Thi Thu Hang said, responding to similar accusations.

Philippines foreign ministry spokesman Robespierre Bolivar said on Thursday the government took hacking allegations very seriously.

“Any credible information received will be investigated and addressed as necessary,” he said in a text message.

(Reporting by Karen Lema; Additional reporting by Mai Nguyen in HANOI; Editing by Nick Macfie and Andrew Heavens)

New Threats Fuel Fears of Another Global Cyberattack

May 18, 2017

A new attack hit thousands of computers and a hacking group said it would release more attack software

Staff monitor the spread of ransomware cyberattacks at the Korea Internet and Security Agency in Seoul on May 15. Businesses and security experts fear more cyberattacks could be in the pipeline.


Updated May 17, 2017 8:01 p.m. ET

A new fast-spreading computer attack and a hacking group’s threat to release a fresh trove of stolen cyberweapons are fueling fears among businesses and security experts of another global technology assault.

The new attack, called Adylkuzz, follows last week’s WannaCry outbreak, which crippled computers in more than 100 countries over the weekend. Both attacks rely on a Windows bug that was patched on March 14 and only affect PCs that haven’t installed the latest version of Microsoft’s software updates. Unlike its predecessor, Adylkuzz doesn’t lock up computer screens; it slows down systems as it quietly steals processing power to generate a little-known digital currency called Monero.

Adylkuzz began spreading about two weeks ago and by Wednesday had infected more than 150,000 machines around the globe, according to Ryan Kalember, senior vice president with the security intelligence firm Proofpoint Inc. That is nearly the same count as WannaCry, which has largely stopped spreading, security experts said. Security company Kaspersky Lab ZAO pegged the number of Adylkuzz infections at just several thousand by Wednesday.

The news comes a day after a hacking group called the Shadow Brokers separately posted an internet message saying it would release a new trove of cyberattack tools next month. The group claimed to have software that would affect web browsers, routers, mobile phones and Microsoft Corp.’s Windows 10 operating system. Its first trove, which it and Microsoft said was stolen from the National Security Agency, was dumped last month and used by WannaCry.


A Microsoft spokeswoman said the company is aware of the new Shadow Brokers claim and that its security teams actively monitor for emerging threats. The NSA has declined to comment on the authenticity of the Shadow Brokers documents or the WannaCry attack.

The threats highlight the growing risks of global assaults for businesses and governments posed by a nexus of mysterious hackers and powerful, government-crafted cyberweapons.

“In a few years we’re going to be looking back and saying that 2017 was clearly a turning point,” said Edward Amoroso, the former security chief at AT&T Inc. “That’s when we started to see businesses affected. If your employees are coming in and they can’t work, that’s a big deal.”

For companies looking to protect their systems, security experts agree on one piece of advice: install patches to Windows software now.

Still, that may not be enough to stop the next attack. “There’s no wall you can build that’s high enough or deep enough to keep a dedicated adversary out,” said John Carlin, a former cybercrimes prosecutor at the Justice Department.

Larger companies will need to step up their security training, patching and planning, he says. Smaller mom-and-pop businesses may need to hand over security to companies that specialize in these services. “It’s crazy to expect a mom-and-pop to on their own have to deal with cybersecurity issues,“ said Mr. Carlin, now the chair of the law firm Morrison & Foerster LLP’s global risk and crisis management practice.

A programmer shows a sample of decrypting source code in Taipei on May 13.


The scope and intensity of the WannaCry cyberattack will bring staffing, investment and policy under review, security chiefs and CIOs have said. Corporate computer security spending is expected to hit $90 billion world-wide this year, an increase of 7.6% from a year earlier, according to research firm Gartner Inc.

That increased spending has helped drive up share prices at security companies such as Rapid7 Inc., FireEye Inc. and Symantec Corp., all of which have seen shares rise by more than 25% this year.

The recent attacks were much more widespread in Russia, India, Ukraine and Taiwan, Kaspersky said. And while that may have prevented many U.S. companies from feeling the full brunt of the latest attacks, that comes as small consolation for local governments and small- or medium-size businesses that must defend against these threats with limited budgets. The attacks “just keep ratcheting up year after year,” said Dan Lohrmann, chief security officer with the training company Security Mentor Inc. and Michigan’s former chief security officer. “You think it can’t go any higher but every year it does.”

The Shadow Brokers’ release of what it says are U.S. government hacking tools comes after WikiLeaks in March published a cache of alleged Central Intelligence Agency cybersecrets, offering a window into a world where the research and development of computer attacks has become increasingly professionalized.

The stage for today’s cyberattacks was set more than a decade ago. In the mid-2000s, Microsoft, embarrassed by a series of computer worm and virus outbreaks, began to comb through its software for bugs and develop new coding techniques designed to thwart hackers. At the same time, hackers discovered they could command large fees for their work. Apple Inc., for example, pays $200,000 for details on the most severe bugs affecting its software. Government agencies and private corporations often pay more, especially if the research includes “exploit code” that can be used in an attack. Last year, the Federal Bureau of Investigation paid more than $1 million for a hacking tool that gave it access to the iPhone used by the gunman in the San Bernardino, Calif., attack.

These factors have slowed the flow of bugs and the tools that exploit them on public venues, where they were once freely—and more frequently—disclosed, said David Aitel, chief executive at Immunity Inc., a computer-security services company. “There’s a scarcity of high-quality attack tools,” he said.

But if companies thought the risk of attacks had evaporated, WannaCry served as a wake-up call. And the attack could have been much worse if it had made sensitive corporate information public, said Mr. Aitel, a former NSA analyst.

Recent events are “a taste of the kind of threats we may be facing going forward,” said Virginia Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, which oversees the nation’s spy agencies. “I’m not sure if the whole of government—or for that matter, the whole of society—is fully prepared.”

While few victims appear to have paid the $300 ransom WannaCry demanded from affected users, the software affected hundreds of thousands of systems, including networks at Renault SA and Britain’s public health service. It not only rendered computers unusable but deployed encryption to make data stored on them unreadable.

Another computer worm may soon appear, either based on the Shadow Brokers’ code used by WannaCry or similarly devastating code released by Shadow Brokers in April that was used on Microsoft’s Remote Desktop Protocol software, said Robert M. Lee, chief executive of security consultancy Dragos Inc.


And while it isn’t known yet how dangerous any new releases might be, “everything the Shadow Brokers have talked about leaking so far has been legitimate,” he said.

Microsoft, whose Windows software is the most frequent target of attacks, is calling on governments to report software flaws rather than stockpiling or exploiting them.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Brad Smith, the company’s top lawyer, wrote in a blog post Sunday.

Given the widespread use of these attacks, and the fact that nations such as North Korea are unlikely to abide by international cybersecurity conventions akin to those proposed by Microsoft, Immunity’s Mr. Aitel says such suggestions aren’t likely to be adopted. “No country on earth thinks this is a good idea,” he said.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

Appeared in the May. 18, 2017, print edition as ‘Cyberthreats Breed Deep Unease.’

https://www.wsj.com/articles/new-threats-fuel-fears-of-another-global-cyberattack-1495042636

Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea

May 16, 2017

Link involves version of software used in latest attack and uploaded to archive

Employees watch an electronic board to monitor possible ransomware cyberattacks at the Korea Internet and Security Agency in Seoul, South Korea.


Updated May 15, 2017 9:57 p.m. ET

Cybersecurity researchers identified a digital clue connecting the global ransomware assault to previous cyberattacks by a group linked to North Korea.

The link involves a version of the software used in the latest attack, known as WannaCry, that was detected earlier this year and uploaded to an archive for security researchers.

Neel Mehta, a security researcher at Alphabet Inc.’s Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group. Security experts say that hacking group carried out a series of multimillion-dollar online banking thefts as well as the 2014 cyberattacks on Sony Entertainment, attacks they believe North Korea orchestrated.

Representatives from three major cybersecurity firms, Symantec Corp., Kaspersky Lab ZAO and Comae Technologies, later on Monday said they found the same link.


A Google spokesman had no comment on the findings. Mr. Mehta didn’t immediately respond to a request for further comment. The North Korean mission to the United Nations couldn’t be reached for comment.

The findings don’t necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven’t been identified, could have copied the code in question, for example.

“Similarities of code are only one component of what goes into attribution,” said Robert M. Lee, chief executive of cybersecurity company Dragos Inc.

“We have looked into the Lazarus theory. At this time, the similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator. However, we are continuing to investigate all possible attribution scenarios,” said John Miller, manager of analysis at FireEye Inc.

The Lazarus-linked code was eventually removed from the WannaCry ransomware and isn’t part of the software that infected more than 200,000 computers world-wide over the past few days, security experts said.

The connection found in the old version lies in software that both programs use to securely connect to other systems over the internet, said Kurt Baumgartner, a Kaspersky Lab researcher. The earlier WannaCry version and the Lazarus software appear to have been built by someone with access to the same source code, which is used by software developers to write their programs, but not generally accessible to others.

“We certainly need a lot more data at this point, but it’s a very interesting find,” Mr. Baumgartner said.
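What such a code-overlap comparison looks like in practice, as an added example that is not part of the article and not the researchers' tooling: two constructed byte strings stand in for the two samples and share one embedded table (a stand-in for the connection-handling code the researchers matched), surrounded by unrelated filler. A byte n-gram Jaccard score gives whole-file similarity, and the longest common block locates where the overlap sits so an analyst can check whether it is a distinctive component or a common library. That second step is the point of the caveats above: a score alone says nothing about who compiled the file.

```python
import hashlib
from difflib import SequenceMatcher


def pseudo_bytes(seed, n):
    """Deterministic filler (SHA-256 in counter mode); constructed sample data,
    not real malware bytes."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"%d:%d" % (seed, counter)).digest()
        counter += 1
    return out[:n]


# A 96-byte table shared by both constructed samples, standing in for the
# distinctive component the researchers matched.  The guard bytes around it
# (0xaa/0xbb before, 0xcc/0xdd after) keep the shared region exactly 96 bytes.
SHARED_TABLE = bytes(range(0x60))
SAMPLE_A = pseudo_bytes(1, 150) + b"\xaa" + SHARED_TABLE + b"\xcc" + pseudo_bytes(2, 100)
SAMPLE_B = pseudo_bytes(3, 200) + b"\xbb" + SHARED_TABLE + b"\xdd" + pseudo_bytes(4, 60)
UNRELATED = pseudo_bytes(5, 300)


def ngrams(data, n=8):
    """Set of all n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a, b, n=8):
    """Whole-file similarity: shared n-grams over all distinct n-grams."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def longest_shared_block(a, b):
    """Longest common byte run and its offset in each sample."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size], m.a, m.b


def compare(a, b, n=8):
    """Report the score plus the location and fingerprint of the largest overlap."""
    block, off_a, off_b = longest_shared_block(a, b)
    return {
        "jaccard": jaccard(a, b, n),
        "shared_len": len(block),
        "offset_a": off_a,
        "offset_b": off_b,
        # hash of the overlapping region, so the same component can be recognised
        # in other samples without keeping the bytes around
        "shared_sha256": hashlib.sha256(block).hexdigest(),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_A, SAMPLE_B))
    print(compare(SAMPLE_A, UNRELATED))
```

The whole-file score between the two related samples is modest, because most of each file is unrelated, while the shared block is recovered exactly with its offsets; the unrelated sample scores zero. Hashing the overlapping region is what lets an analyst ask the next question the article raises: does this block also appear in widely available code, or only in the group's own tooling?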

The WannaCry code that’s been linked to Lazarus was uploaded into a code analysis database called VirusTotal in February. It was likely a test version of the code, developed months before the ransomware software began infecting hundreds of thousands of machines world-wide, Mr. Baumgartner said.

It was found on a small number of systems, some of which were also infected with other tools used by the Lazarus group, said Vikram Thakur, a technical director at Symantec.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

https://www.wsj.com/articles/researchers-identify-clue-connecting-ransomware-assault-to-group-tied-to-north-korea-1494898740


Suspected Russia hackers ‘targeted Macron campaign’

April 25, 2017

Researchers say the hacker group Pawn Storm tried to interfere in the campaign of French presidential front-runner Emmanuel Macron. US spy agencies suspect the group of having links to Russia’s intelligence apparatus.


French presidential candidate Emmanuel Macron’s political campaign was targeted by a hacker group with suspected Russian connections, a report by a cybersecurity research group said on Tuesday, bolstering previous suggestions that the Kremlin has been trying to interfere in the French elections.

Researchers with the Japan-based anti-virus firm Trend Micro said the Pawn Storm group, which is alleged to have carried out a number of high-profile hacking attacks in the West, used so-called “phishing” techniques in an attempt to steal personal data from Macron and his campaign staffers.

“Phishing” employs lookalike websites designed to fool victims into entering sensitive information such as usernames, passwords and credit card details. Trend Micro said it had recently detected four Macron-themed fake domains being created on digital infrastructure used by Pawn Storm, which is also known as Fancy Bear or APT28.

Trend Micro researcher Feike Hacquebord said that determining who was behind a spying campaign was a difficult challenge in the world of cybersecurity, but that he was almost certain.

“This is not a 100 percent confirmation, but it’s very, very likely,” he said.


The Kremlin at work?

Trend Micro did not name any country as being behind Pawn Storm’s activities, but the group is widely suspected of having links to Russia’s security services.

The Kremlin is seen as a keen backer of Macron’s rival in the presidential race, Marine Le Pen, who espouses policies considered as likely to be favored by Moscow, such as France’s exit from the European Union. Macron has always staunchly advocated strengthening, rather than weakening, the bloc.

Russia has repeatedly denied accusations of trying to interfere in the French – or other – elections. On Monday, Kremlin spokesman Dmitry Peskov was quoted as saying that claims of the Kremlin’s attempting to influence the election outcome in France were “completely incorrect.”

Pawn Storm is also thought to be behind cyberattacks last summer on the US Democratic National Committee that were suspected to be aimed at undermining Hillary Clinton’s bid for the White House. Other suspected targets in recent months include media groups such as “The New York Times” and Al-Jazeera.

Macron is widely seen as likely to win the second round of elections on May 7.

Attempted intrusions

The head of Macron’s digital campaign, Mounir Mahjoubi, confirmed to The Associated Press that there had been attempted intrusions, but said they had all been foiled.

Mahjoubi also confirmed that at least one of the fake sites identified by Trend Micro had been recently used as part of an attempt to steal sensitive information from campaign staffers.

An internal campaign report lists thousands of attempted cyberattacks since Macron launched his campaign last year. In February, the campaign’s secretary-general, Richard Ferrand, said the scale and nature of the intrusions indicated that they were the work of a structured group and not individual hackers.

Macron, who won the first round of France’s presidential election on Sunday, will face Le Pen in a runoff on May 7.

The French elections were carefully monitored for digital interference following suspicions that hackers backed by Moscow had attempted to influence the US electoral contest in 2016.

http://www.dw.com/en/suspected-russia-hackers-targeted-macron-campaign/a-38580848

Related:

Germany’s Federal Office for Information Security: Cyber Spies Target Germany Ahead of Election, Party Think Tanks Say

April 25, 2017

FRANKFURT — Two foundations tied to Germany’s ruling coalition parties were attacked by the same cyber spy group that targeted the campaign of French presidential favourite Emmanuel Macron, a leading cyber security expert said on Tuesday.

The group, dubbed “Pawn Storm” by security firm Trend Micro, used email phishing tricks and attempted to install malware at think tanks tied to Chancellor Angela Merkel’s Christian Democratic Union (CDU) party and coalition partner, the Social Democratic Party (SPD), Feike Hacquebord said.

Hacquebord and other experts said the attacks, which took place in March and April, suggest Pawn Storm is seeking to influence the national elections in the two European Union powerhouses.

“I am not sure whether those foundations are the actual target. It could be that they used it as a stepping stone to target, for example, the CDU or the SPD,” Hacquebord said.

The mysterious cyber spying group, also known as Fancy Bear and APT 28, was behind data breaches of U.S. Presidential candidate Hillary Clinton and Merkel’s party last year, Hacquebord said.

Other security experts and former U.S. government officials link it to the Russian military intelligence directorate GRU. Hacquebord and Trend Micro have stopped short of making that connection.


Russia has denied any involvement in the cyber attacks.

Since 2014, Merkel has pushed the European Union to maintain sanctions on Russia over its actions in eastern Ukraine and Crimea. Her coalition partners, the Social Democrats, back a more conciliatory stance towards Moscow.

“What we are seeing is kind of a replication of what happened in the United States,” David Grout, a Paris-based technical director of U.S. cyber security firm FireEye, said of technical attacks and efforts to spread fake news in Europe.


Hacquebord said on Monday he had found new evidence that Macron’s campaign was targeted by Pawn Storm. (https://goo.gl/8Ja2Bq)

German officials have told Reuters that politicians fear sensitive emails stolen from senior lawmakers by Russian hackers in 2015 could be released before the election to damage Merkel, who is seeking a fourth term, and her conservative party.

Trend Micro uncovered efforts to break into the accounts of CDU politicians in April and May 2016. The BSI, Germany’s federal cyber security agency, confirmed these attempts but said they were unsuccessful. New attacks in 2017 suggest renewed efforts to obtain compromising data are under way, Hacquebord said.

Pawn Storm set up a fake server in Germany at kasapp.de to mount email phishing attacks against the CDU party’s Konrad Adenauer Foundation (KAS) and a server in Ukraine at intern-fes.de to target the SPD’s Friedrich Ebert Foundation (FES).
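A check that would flag the two hosts named above, and the Macron-themed lookalike domains Trend Micro described in the earlier DW piece, as an added example that is not code from Trend Micro, the BSI or the article: compare newly seen or newly registered domains against the labels of the sites being impersonated, using a few cheap rules (brand embedded in or hyphenated into the label, homoglyph spellings, small edit distance). The protected domains kas.de, fes.de and en-marche.fr are assumptions of this example (the article names the foundations and the phishing hosts, not the legitimate sites), and the candidates other than kasapp.de and intern-fes.de are constructed.

```python
import re

# Legitimate domains to protect; assumed for this example, not stated in the article.
PROTECTED = {
    "kas.de": "Konrad Adenauer Foundation",
    "fes.de": "Friedrich Ebert Foundation",
    "en-marche.fr": "En Marche campaign",
}

# Common digit-for-letter substitutions; the two-character "rn" -> "m" swap is
# handled separately in classify().
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_label(domain):
    """'mail.intern-fes.de' -> 'intern-fes'.  Naive second-level label; a real
    tool would consult the Public Suffix List to handle suffixes like .co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (reason, impersonated_domain) for a suspicious domain, else None."""
    domain = domain.lower()
    if domain in PROTECTED or any(domain.endswith("." + p) for p in PROTECTED):
        return None  # the real site or one of its own subdomains
    label = registrable_label(domain)
    normalized = label.translate(HOMOGLYPHS).replace("rn", "m")
    tokens = re.split(r"[-_]", label)
    for legit in PROTECTED:
        brand = registrable_label(legit)
        if label == brand:
            return ("brand label under a different TLD", legit)
        if brand in tokens:
            return ("brand as a hyphenated token", legit)        # intern-fes.de
        if len(brand) >= 3 and (label.startswith(brand) or label.endswith(brand)):
            return ("brand embedded in label", legit)            # kasapp.de
        if normalized != label and normalized.replace("-", "") == brand.replace("-", ""):
            return ("homoglyph spelling of brand", legit)
        # Typosquats only for longer brands: a three-letter label such as "kas"
        # is within one edit of many ordinary words.
        if len(brand) >= 4 and 0 < levenshtein(label, brand) <= (1 if len(brand) <= 6 else 2):
            return ("typosquat of brand", legit)
    return None


def scan(domains):
    """Map each flagged domain to its finding; clean domains are omitted."""
    findings = {}
    for d in domains:
        hit = classify(d)
        if hit:
            findings[d.lower()] = hit
    return findings


# Candidates: the two hosts named in the article plus constructed ones.
CANDIDATES = [
    "kasapp.de", "intern-fes.de",               # from the article
    "kas.de", "www.fes.de", "en-marche.fr",     # legitimate (assumed)
    "en-rnarche.fr", "en-march.fr", "kas.org",  # constructed lookalikes
    "example.org", "alaska.de",                 # constructed, must not be flagged
]

if __name__ == "__main__":
    for d, (reason, legit) in scan(CANDIDATES).items():
        print(f"{d:16} {reason:36} -> {legit}")
```

The prefix/suffix rule is deliberately loose (it would also flag a label such as "alaskas"), which is acceptable for a feed of newly registered domains that a human reviews, but not for automatic blocking; a production tool would feed candidates from certificate-transparency logs and passive DNS and rank them rather than make a binary call.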

A KAS spokesman said BSI warned KAS in early March of “peculiarities” but that a subsequent network scan by the government cyber security agency found “nothing suspicious”.

The BSI declined to comment, as did the Friedrich Ebert Foundation.

Kremlin spokesman Dmitry Peskov dismissed allegations of Russian involvement.

“We would be pleased if this investigative group sent us the information, and then we could check it,” Peskov told reporters on Tuesday. “Because for now it does not go beyond the boundaries of some anonymous people.”

Trend Micro published a 41-page report charting Pawn Storm attacks over the past two years, building on a dozen previous technical reports (https://goo.gl/WvjuLv). A timeline can be downloaded here (https://goo.gl/npY0OJ).

(Additional reporting by Peter Maushagen in Frankfurt, Andreas Rinke and Andrea Shalal in Berlin and Maria Tsvetkova in Moscow; Editing by Richard Lough)

*********************************************

“We are noticing attacks against government networks on a daily basis,” Arne Schoenbohm, president of Germany’s Federal Office for Information Security (BSI), told the newspaper Welt am Sonntag.

BSI is in close contact with election officials, political parties and German federal states to discuss how to guard against cyber attacks and stands ready to react to potential attacks ahead of the elections, Mr Schoenbohm said.

http://www.telegraph.co.uk/news/2017/03/19/german-cybersecurity-watchdog-raises-attack-alert-level/

China’s Secret Weapon in South Korea Missile Fight: Hackers

April 21, 2017

China denies it is retaliating over the Thaad missile system, but a U.S. cybersecurity firm says they are

This 2015 handout photo from the U.S. Department of Defense shows a terminal High Altitude Area Defense interceptor being test launched on Wake Island in the Pacific Ocean.


April 21, 2017 5:20 a.m. ET

Chinese state-backed hackers have recently targeted South Korean entities involved in deploying a U.S. missile-defense system, says an American cybersecurity firm, despite Beijing’s denial of retaliation against Seoul over the issue.

In recent weeks, two cyberespionage groups that the firm linked to Beijing’s military and intelligence agencies have launched a variety of attacks against South Korea’s government, military, defense companies and a big conglomerate, John Hultquist, director of cyberespionage analysis at FireEye Inc., said in an interview.


The California-based firm, which counts South Korean agencies as clients, including one that oversees internet security, wouldn’t name the targets.

While FireEye and other cybersecurity experts say Chinese hackers have long targeted South Korea, they note a rise in the number and intensity of attacks in the weeks since South Korea said it would deploy Terminal High-Altitude Area Defense, or Thaad, a sophisticated missile-defense system aimed at defending South Korea from a North Korean missile threat.

China opposes Thaad, saying its radar system can reach deep into its own territory and compromise its security. South Korea and the U.S. say Thaad is purely defensive. The first components of the system arrived in South Korea last month and have been a key issue in the current presidential campaign there.

One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active, said Mr. Hultquist, a former senior U.S. intelligence analyst. FireEye believes the other, known as APT10, may be linked to other Chinese military or intelligence units.

China’s Ministry of Defense said this week Beijing has consistently opposed hacking, and that the People’s Liberation Army “has never supported any hacking activity.” China has said it is itself a major hacking victim but has declined to offer specifics.

Mr. Hultquist said the two hacking groups gained access to their targets’ systems by using web-based intrusions, and by inducing people to click on weaponized email attachments or compromised websites. He declined to offer more specific details.

HACK ATTACKS

Recent cyberattacks attributed to Chinese state-backed groups.

  • Since February Spear-phishing* and watering hole** attacks were conducted against South Korean government, military and commercial targets connected to a U.S. missile defense system.
  • February, March Attendees of a board meeting at the National Foreign Trade Council were targeted with malware through the U.S. lobby group’s website.
  • Since 2016 Mining, technology, engineering and other companies in Japan, Europe and North America were intruded on through third-party IT service providers.
  • 2014-2015 Hackers penetrated the network of the U.S. Office of Personnel Management to steal records connected to millions of government employees and contractors.
  • 2011-2012 South Korean targets, including government, media, military and think tanks were targeted with spear-phishing attacks.
  • *Sending fraudulent emails made to look as if they come from a trusted party in order to trick a target into downloading malicious software.
  • **A strategy in which the attacker guesses or observes which websites a targeted group often uses and infects those sites with malware in order to infect the group’s network.
  • Sources: FireEye, Trend Micro, Fidelis, PricewaterhouseCoopers and BAE Systems, WSJ reporting

Mr. Hultquist added that an operational-security error by one of the groups gave FireEye’s analysts new information about that group’s origins.

South Korea’s Ministry of Foreign Affairs said last month that its website was targeted in a denial-of-service attack—one in which traffic from a flood of attacker-controlled computers overwhelms a website—that originated in China.

A spokesman said that “prompt defensive measures” ensured that the attacks weren’t effective, adding that it was maintaining an “emergency service system” to repel Chinese hackers.

The ministry this week declined to comment further, to say which cybersecurity firm it had employed, or to say whether it believed the attacks were related to Thaad.

Another cybersecurity company, Russia’s Kaspersky Lab ZAO, said that starting in February it observed a new wave of attacks on South Korean targets using malicious software that appeared to have been developed by Chinese speakers.

The attackers used so-called spear-phishing emails armed with malware hidden in documents related to national security, aerospace and other topics of strategic interest, said Park Seong-su, a senior global researcher for Kaspersky. The company typically declines to attribute cyberattacks and said it couldn’t say if the recent ones were related to Thaad.

The two hacking groups with alleged ties to Beijing have been joined by other so-called hacktivists—patriotic Chinese hackers acting independently of the government and using names like the “Panda Intelligence Bureau” and the “Denounce Lotte Group,” Mr. Hultquist said.

South Korea’s Lotte Group has become a particular focus of Chinese ire after the conglomerate approved a land swap this year that allowed the government to deploy a Thaad battery on a company golf course.

Last month, just after the land swap was approved, a Lotte duty-free shopping website was crippled by a denial-of-service attack, said a company spokeswoman, who added that its Chinese website had been disrupted with a virus in February. She declined to comment on its source.

China’s Ministry of Foreign Affairs didn’t respond to questions about the website attacks. The ministry has previously addressed Lotte’s recent troubles in China by saying that the country welcomes foreign companies as long as they abide by Chinese law.

The U.S. has also accused Chinese state-backed hacking groups of breaking into government and commercial networks, though cybersecurity firms say such activity has dropped since the two nations struck a cybersecurity deal in 2015.

The two Chinese hacking groups named by FireEye are suspected of previous cyberattacks.

FireEye linked Tonto Team to an earlier state-backed Chinese hacking campaign, identified by Tokyo-based cybersecurity firm Trend Micro Inc. in 2012, which focused on South Korea’s government, media and military. Trend Micro declined to comment.

Two cybersecurity reports this month accused APT10 of launching a spate of recent attacks around the globe, including on a prominent U.S. trade lobbying group. One of those reports, jointly published by PricewaterhouseCoopers LLP and British weapons maker BAE Systems, said the Chinese hacker collective has recently grown more sophisticated, using custom-designed malware and accessing its targets’ systems by first hacking into trusted third-party IT service providers.

Because of the new scrutiny from that report, FireEye said in a recent blog post that APT10 was likely to lay low, though in the longer run, it added, “we believe they will return to their large-scale operations, potentially employing new tactics, techniques and procedures.”

Write to Jonathan Cheng at jonathan.cheng@wsj.com and Josh Chin at josh.chin@wsj.com
