Posts Tagged ‘hackers’

Singapore: Cyber attack of a type carried out by foreign governments

August 6, 2018

The biggest ever cyber attack to hit Singapore was carried out by highly sophisticated hackers typically linked to foreign governments, a cabinet minister said Monday, but did not give names.

Hackers broke into a government database and stole the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong who was specifically targeted in the “unprecedented” hack, the government has said.


“We have done a detailed analysis of this attack and have determined that it is the work of an advanced persistent threat (APT) group,” Minister for Communications and Information S. Iswaran said Monday.

“This refers to a class of sophisticated cyber attackers typically state-linked who conduct extended, carefully planned cyber campaigns to steal information or disrupt operations,” he told parliament, which discussed the issue.

Source: AFP

Iswaran said the APT group “was persistent in its efforts to penetrate and anchor itself on the network, bypass the security measures and illegally access and exfiltrate data”.

While the attack fitted the profile of “certain known APT groups”, Iswaran said he would not publicly give any names for reasons of national security.

Hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted “unusual activity”, authorities have said.

The compromised data includes personal information and medication dispensed to patients, but medical records and clinical notes have not been affected, according to the authorities.

Security experts had also earlier pointed to state actors as the likely culprit, citing the scale and sophistication of the hack.

Healthcare data is of particular interest to hackers because it can be used to blackmail people in positions of power, Jeff Middleton, chief executive of cybersecurity consultancy Lantium, told AFP last month.

Medical information, like personal data, can also be easily monetised on criminal forums, said Sanjay Aurora, Asia Pacific managing director of Darktrace, a cyber security firm.

Iswaran, who is also the minister in charge of cyber security, has convened a committee of inquiry to look into the hack.

“We will do our utmost to strengthen our cyber security. But it is impossible to completely eliminate the risk of another cyber attack,” he said.

“This is an ongoing battle with potential cyber attackers who are constantly developing their capabilities and seeking out new vulnerabilities.”

Iswaran said the attack will not derail the affluent and highly-wired city-state’s ambitions to become a “smart nation” through the extensive use of technology in daily activities and transactions.



Iran Cyberattack Hits Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt, Israel

August 3, 2018


Manama, Bahrain (Tribune News Service) – A group of “highly active” hackers based in Iran has been found to be trying to steal vital information from governments in the Middle East.

The group, dubbed “Leafminer,” has attacked networks in Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan, according to a report issued by US cyber security firm Symantec.

However, an Information and eGovernment Authority (IGA) spokesman told the GDN yesterday “no indication was found up until now that Leafminer targeted the portal or any systems managed by IGA.”

The cyber espionage group’s targets include the “energy, telecommunications, financial services, transportation and government” sectors.

The group’s means of intrusion included compromising websites its targets were known to visit so that they served malware, a technique known as a watering-hole attack, and brute-force login attempts, in which numerous passwords are tried against an account in the hope that one eventually works and opens the network.

“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East,” stated a threat intelligence report by Symantec.

Operations reportedly began in early 2017 but have increased since the end of last year.

“Leafminer is a highly active group, responsible for targeting a range of organizations across the Middle East.

“The group appears to be based in Iran and seems to be eager to learn from, and capitalize on, tools and techniques used by more advanced threat actors.”



The report also said an investigation into Leafminer revealed a list, written in Farsi, of 809 systems targeted by the hackers.

“Targeted regions included in the list are Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan.”

The report said the attackers were looking for e-mail data, files and database servers on their target systems in financial, government, energy, airlines, construction, telecommunication and other sectors in the region.

Symantec said it was able to identify Leafminer after discovering a compromised web server that was used in several different attacks.

“It [the cyber espionage group] made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools.

“That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks.”

IGA said, in a statement to the GDN yesterday, that part of its job was to monitor any report issued by security vendors such as Symantec regarding any threat actors targeting the region.

“The team then conducts further investigation to look for any sign of indication related to the threat actors,” it said.

“If an indication is detected, the case is reported to IGA’s cybersecurity incident management team to take the needful action to approach the incident.

“With regards to the Leafminer cyber espionage group, no indication was found up till now that Leafminer targeted the portal or any systems managed by IGA.”

IGA officials previously said that around 27,000 attacks on government systems were managed last year, with the majority of them originating from countries to the east, namely Iran.

Meanwhile, a spokesman from Bahrain-based security firm CTM360 said it was aware of Leafminer and urged companies and individuals to install anti-virus software as well as use complex passwords.

“Leafminer targeted government organizations and businesses in the Middle East by using the existing available threats out there,” said the spokesman.

“The group studied reports published by different security firms about malware or threats, and fixed the loopholes mentioned in those papers for an advanced malware attack.”


©2018 the Gulf Daily News (Manama, Bahrain). Distributed by Tribune Content Agency, LLC.


Israel and Other Middle Eastern Government Networks Targeted in Iranian Cyber Attack

By LTC Steven Howard, U.S. Army (Ret.) 
Contributor, InCyberDefense

An Iranian hacker group known as “Leafminer” recently attacked government networks in Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan. The U.S. cybersecurity firm Symantec first reported the attacks on August 2.

According to Symantec, the targets included “energy, telecommunications, financial services, transportation, and government” sectors. The company states that the attacks began in early 2017, but have increased since the end of last year.

Iranian Cyber Attack Used Multiple Methods of Intrusion

The most common means of intrusion used in the Leafminer attacks were brute-force login attempts and watering-hole style attacks that involved malware infections on websites often visited by government network users.
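Both this article and the Gulf Daily News piece above describe the same two entry methods, so one added example serves both. The detection logic below is not Symantec’s, IGA’s or CTM360’s code; it is an added illustration of how a defender spots the brute-force side of that tradecraft in authentication logs. The log lines are constructed in OpenSSH syslog format using documentation addresses, the year and every threshold are assumptions, and the three patterns it flags (many failures against one account, one source cycling through many accounts, and a success arriving right after a burst of failures) are the ones worth paging on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed OpenSSH syslog lines for the demonstration (RFC 5737 test addresses); not real log data.
SAMPLE_LOG = """\
Aug  3 09:14:01 portal sshd[2201]: Failed password for admin from 198.51.100.23 port 50111 ssh2
Aug  3 09:14:03 portal sshd[2203]: Failed password for admin from 198.51.100.23 port 50112 ssh2
Aug  3 09:14:04 portal sshd[2205]: Failed password for admin from 198.51.100.23 port 50113 ssh2
Aug  3 09:14:06 portal sshd[2207]: Failed password for admin from 198.51.100.23 port 50114 ssh2
Aug  3 09:14:07 portal sshd[2209]: Failed password for admin from 198.51.100.23 port 50115 ssh2
Aug  3 09:14:09 portal sshd[2211]: Accepted password for admin from 198.51.100.23 port 50116 ssh2
Aug  3 09:20:10 portal sshd[2301]: Failed password for invalid user alice from 203.0.113.9 port 40001 ssh2
Aug  3 09:20:11 portal sshd[2303]: Failed password for invalid user bob from 203.0.113.9 port 40002 ssh2
Aug  3 09:20:12 portal sshd[2305]: Failed password for invalid user carol from 203.0.113.9 port 40003 ssh2
Aug  3 09:20:13 portal sshd[2307]: Failed password for invalid user dave from 203.0.113.9 port 40004 ssh2
Aug  3 09:20:14 portal sshd[2309]: Failed password for erin from 203.0.113.9 port 40005 ssh2
Aug  3 11:02:44 portal sshd[2401]: Failed password for frank from 192.0.2.50 port 33001 ssh2
Aug  3 11:30:15 portal sshd[2403]: Failed password for frank from 192.0.2.50 port 33002 ssh2
Aug  3 11:30:16 portal sshd[2403]: Connection closed by 192.0.2.50 port 33002 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Assumed tuning; a real deployment derives these from its own baseline.
WINDOW_SECONDS = 60        # sliding window for counting attempts
FAIL_THRESHOLD = 5         # failures against one account from one source
SPRAY_THRESHOLD = 4        # distinct accounts tried from one source
BURST_BEFORE_SUCCESS = 3   # failures preceding a success worth escalating


def parse_events(text, year=2018):
    """Return (timestamp, succeeded, user, src) tuples, oldest first.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2018 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth line; ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"] == "Accepted", m["user"], m["src"]))
    return sorted(events)


def _prune(window, now):
    """Drop entries older than WINDOW_SECONDS; each entry's first item is its timestamp."""
    while window and (now - window[0][0]).total_seconds() > WINDOW_SECONDS:
        window.popleft()


def detect(events):
    """Return alerts in the order they fire:
    brute_force            - FAIL_THRESHOLD failures for one (src, user) inside the window
    password_spray         - one src trying SPRAY_THRESHOLD distinct accounts inside the window
    success_after_failures - a login that succeeds right after a burst of failures
                             (the case that matters most: the guessed password worked)"""
    fails = defaultdict(deque)   # (src, user) -> deque of (ts,)
    tried = defaultdict(deque)   # src -> deque of (ts, user)
    fired = set()                # suppress repeat alerts for the same pattern
    alerts = []
    for ts, ok, user, src in events:
        pair = fails[(src, user)]
        _prune(pair, ts)
        if ok:
            if len(pair) >= BURST_BEFORE_SUCCESS:
                alerts.append({"kind": "success_after_failures", "src": src, "user": user,
                               "at": ts, "count": len(pair)})
            pair.clear()
            continue
        pair.append((ts,))
        if len(pair) >= FAIL_THRESHOLD and ("bf", src, user) not in fired:
            fired.add(("bf", src, user))
            alerts.append({"kind": "brute_force", "src": src, "user": user,
                           "at": ts, "count": len(pair)})
        by_src = tried[src]
        by_src.append((ts, user))
        _prune(by_src, ts)
        distinct = {u for _, u in by_src}
        if len(distinct) >= SPRAY_THRESHOLD and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append({"kind": "password_spray", "src": src, "user": None,
                           "at": ts, "count": len(distinct)})
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['at']:%H:%M:%S} {a['kind']:<22} src={a['src']} user={a['user']} n={a['count']}")
```

Against the sample the first source trips the brute-force rule and then the success-after-failures rule, the second trips only the spray rule (one guess per account never reaches the per-account threshold, which is exactly why spraying is used), and the third source, with two failures half an hour apart, produces nothing.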

Symantec reportedly discovered a compromised web server that was used in several of the attacks. The report goes on to say that the hackers “made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks.”

Hacker breaches defenses at Reddit

August 3, 2018

Popular social news website Reddit on Thursday was warning users that a hacker broke into its systems, intercepting some employee text messages to get past defenses.

Reddit didn’t disclose the extent of the hack, saying it was conducting a “painstaking” investigation to determine what was accessed and to harden security.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems,” Reddit said in an online post.


“They gained read-only access to some systems that contained backup data, source code and other logs.”

In essence, the hacker could look at data but not change anything.

Information accessed included some current email addresses and a 2007 user database containing old passwords stored in salted, hashed form, according to Reddit, which was founded in 2005.

Reddit determined that a hacker compromised some employee accounts with cloud and source-code providers.

Reddit protects employee access with “two-factor authentication”, which requires a password to be accompanied by a temporary code sent via text message, but the attack involved “SMS intercept” of those texted codes, according to the company.

“As website breaches go, this one doesn’t seem too severe,” cyber-security specialist Brian Krebs said in a post on his Krebs on Security website.

“What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.”

The old database accessed in the hack held backup copies of Reddit user data from its first two years in operation.

Also accessed were email digests from a few weeks in June, according to Reddit.

Reddit was co-founded by Alexis Ohanian, husband of tennis superstar Serena Williams. Reddit is ranked among the most visited US websites, and has more than 138,000 “communities” for discussions on various topics.

Reddit is also known for ask-me-anything (AMA) sessions with well-known people such as Microsoft co-founder Bill Gates and former US president Barack Obama.


Australia: Hackers Want Your Medical Records

August 2, 2018

Health Minister Greg Hunt has announced changes to the My Health Record system in an attempt to allay growing concerns about its lack of security and privacy for all those who do not opt out by October 15.

While some doctors’ groups and politicians seem reassured by these minor changes, fundamental flaws have not been addressed. This ill-conceived platform is neither useful nor safe enough to proceed.

Last month, hackers accessed 1.5 million health records in the Singaporean government’s online health system — even the Prime Minister’s.

By Katharine Kemp,Bruce Baer Arnold and David Vaile


The vast breach shows the risks of storing our sensitive health information in massive, centralised online databases, as Australia is about to do.

The jackpot for identity thieves

My Health Record’s own privacy policy notes risks from the online transmission and storage of our personal information in this system.

And the Singapore hack is only the most recent in a series of health data breaches we have witnessed in Australia and overseas, while the incentives for these breaches are increasing.

While some have suggested there’s nothing interesting in their own medical records, this shows a misunderstanding about the value of this information.

Medical records are far more valuable than credit card details as a means of identity theft, due to the massive amount of personal information they contain about you, your family and your life history. They are a jackpot for hackers, fetching a high price on the dark web.


System defaults to non-secure

The changes announced by the Minister do not alter My Health Record’s design and defaults, which err on the side of minimal privacy and security for our sensitive health information.

If you do not opt out by October 15 this year, the government will create a record which will be stored in this online database. The default position is that those providing you with healthcare — including pharmacists, physiotherapists, podiatrists — will have access to your medical record without seeking your prior consent. It is unlocked.

To change this, you would need to set PIN codes for different documents and providers, a laborious and complex effort.

It’s not surprising that the number of people opting to use these privacy settings is “fewer than 2 out of every 1000 individuals registered,” according to the ADHA.

Privacy to pry, however, is assured for the 900,000 people who will have access to your My Health Record. Their names won’t be logged and audited when accessing your record, only their institution’s name.

Best practice out the window

According to global best practice in data protection, patients should be “fully informed” and give “express consent” for use of their health information.

My Health Record completely rejects this standard. It presumes consent, relying on patients to educate themselves and opt out.

The problems were foreseeable; they were forecast by privacy and health experts for years.

We must learn from Australian and overseas experience and recognise the Minister’s announcement is a band-aid solution.

A systemic review of My Health Record design is imperative, as is taking responsibility for the flawed model of a government-controlled central database which has not been designed to serve the interests of patients and their doctors.

Without responsibility, organisations do not learn, and we won’t get the properly designed, useful and safe electronic medical records system we need.


Katharine Kemp is a lecturer in the Faculty of Law at UNSW and co-leader of the Data as a Source of Market Power research stream of the Allens Hub for Technology, Law and Innovation. Bruce Baer Arnold is assistant professor in the School of Law at the University of Canberra. David Vaile is a teacher of cyberspace law and leader of the Data Protection and Surveillance stream of the Allens Hub for Technology Law and Innovation.


Russian Hackers Appear to Shift Focus to U.S. Power Grid

July 28, 2018

State-sponsored Russian hackers appear far more interested this year in demonstrating that they can disrupt the American electric utility grid than the midterm elections, according to United States intelligence officials and technology company executives.

Despite attempts to infiltrate the online accounts of two Senate Democrats up for re-election, intelligence officials said they have seen little activity by Russian military hackers aimed at either major American political figures or state voter registration systems.


By comparison, according to intelligence officials and executives of the companies that oversee the world’s computer networks, there is surprisingly far more effort directed at implanting malware in the electrical grid.

The officials spoke on the condition of anonymity to discuss intelligence findings, but their conclusions were confirmed by several executives of technology and technology security firms.

By David Sanger
The New York Times

This week, the Department of Homeland Security reported that over the last year, Russia’s military intelligence agency had infiltrated the control rooms of power plants across the United States. In theory, that could enable it to take control of parts of the grid by remote control.

While the department cited “hundreds of victims” of the attacks, far more than they had previously acknowledged, there is no evidence that the hackers tried to take over the plants, as Russian actors did in Ukraine in 2015 and 2016.

In interviews, American intelligence officials said that the department had understated the scope of the threat. So far the White House has said little about the intrusions, other than to cite the fear of such breaches as a reason to keep old coal plants running in case they are needed to recover from a major attack.

On Friday, President Trump was briefed on government efforts to protect the coming midterm elections from what a White House statement described as “malign foreign actors.” It said it was giving cybersecurity support to state and local governments to protect their election systems.

“The president has made it clear that his administration will not tolerate foreign interference in our elections from any nation state to other malicious actors,” the statement said.

Related:

  • Small-Scale Attack on U.S. Power Grid Could Cause Nationwide Blackout
  • U.S. officials say Russian government hackers have penetrated energy and nuclear company business networks

Hackers already targeting 2018 election, Microsoft executive says

July 20, 2018

Hackers have already targeted candidates in this year’s U.S. midterm elections, a Microsoft executive said.


Tom Burt, Microsoft’s vice president for customer security and trust, spoke at the Aspen Security Forum on Thursday. Responding to a question, he said hackers responsible for targeting political organizations in the 2016 U.S. presidential election have already attempted to target staffers of at least three unidentified candidates.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks and we saw metadata that suggested those phishing attacks were being directed at three candidates who are standing for election in the midterm elections,” Burt said. “We can’t disclose [identities] because we maintain our customer privacy, but I can tell you that they were all people who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint. We took down that domain, and working with the government we were able to avoid anybody being infected by that particular attack.”

The phishing approach, in which candidates are tricked into visiting a fake web page and give up sensitive information, was used by Russian hackers in 2016. Some cybersecurity firms believe the new attacks are linked to Russian intelligence, the BBC reported on Friday.

The hacking team is known to Microsoft engineers as Strontium, but it is also known as APT28, Fancy Bear and Pawn Storm, Newsweek reported. Under those names, the group has been attributed to the Russian military intelligence agency GRU.

Burt added that the level of activity is currently less than in 2016, but cautioned it “doesn’t mean we are not going to see it. There’s a lot of time left before the election.”

One-third of the 100-member U.S. Senate, all 435 seats in the House of Representatives and numerous state and local offices are at stake in the Nov. 6 election.

What’s the best way to get back at Russian hackers? Lawsuits

July 20, 2018

The recent indictments of 12 Russian intelligence officers raise two questions that ought to be asked of special counsel Robert Mueller: Why now? And what can we do about it?

While new to the public, it is old news inside intelligence circles: The general facts, and likely the very specific details listed in the indictment, about Russian intrusion were well known inside the US intelligence community since 2016. All the indictment did was show America’s enemies the reach and depth of our counter-cyber capabilities — hardly helpful.

It also makes America look toothless. Indicting a dozen intelligence officers, who prosecutors know will never be turned over to face justice, makes America seem powerless. Russians allegedly invade the privacy of a presidential candidate, her staff, DNC chieftains and other powerful insiders — and America responds with an unenforceable piece of paper?

By Richard Miniter
New York Post

Worse, the Mueller indictments now put US officials at risk of foreign prosecution. Now that the special counsel has set the precedent, other hostile powers may reciprocate.

The indictments also weaken Mueller’s ability to extract confessions from Russia’s alleged US confederates. Why tell suspects what you know? Why, especially, give away facts that they could never obtain through discovery requests? Now defendants might tailor their testimony to fit known evidence.

The other question should concern every American: What can the federal government do to deter future hacking attacks?

Certainly, Hillary Clinton and John Podesta, the head of her 2016 campaign, deserve some blame under the theory of contributory negligence. She bypassed the federal government’s hardened and secure computer system for a server set up in a Colorado bathroom and he used as a password, as Julian Assange told Fox News, the word “password.” (Podesta’s representatives denied the use of that weak password.)

Insisting that federal officials follow the law and confine their communications to secure networks is Step One. As for private citizens, using a long password that includes both capital and lower-case letters as well as numbers and symbols is just basic security. Using a password manager to store, and periodically change, passwords along with activating two-factor authentication are other basic defenses.

But relying on adherence to basic security protocols is hardly enough when confronted with sophisticated hackers backed by foreign governments.

Aside from criminal prosecution, policymakers have three options: diplomatic protests, military retaliation and civil action. The first two are nonstarters. Diplomatic demands are toothless and military action, say a cyber-strike on a hacker’s Russian computer, invites retaliation.

Civil lawsuits could be a powerful tool against hackers, if the bad guys couldn’t hide behind sovereign immunity. Most of the states behind foreign hacking — including Russia, China and Qatar — have considerable US assets that could be seized by courts. The problem? The Foreign Sovereign Immunities Act was written in 1976 and doesn’t mention state-sponsored cyber-attacks.

Still, there are two exceptions that should apply — the “non-commercial tort” and “commercial activities” exceptions. Congress should pass clarifying legislation, so state and federal judges don’t wrestle with the issues and come to differing decisions based on specific fact patterns. Congress passed, in 2016, a law allowing citizens to sue terrorists in American courts. A similar measure could assure the right of citizens to seek justice against foreign hackers.

As a journalist, I’ve been hacked by foreign governments several times. One hack appeared to be the work of Algeria; it followed an article I wrote after spending 10 days in a refugee camp in Algerian Sahara. When hacked (and faked) emails of mine were given to Moroccan newspapers, I was able to sue in Casablanca. Ultimately, I prevailed and was awarded 60,000 dirhams (about $6,350). I have been unable to collect, so far.

The latest hack appears to be the work of Qatar, which has been accused of hacking a former RNC finance chairman and others. I cannot expect justice in the courts of the very country that, I believe, hacked me. Why can’t I sue Qatar and its collaborators in American courts? Or, is America going to give a free pass to overseas malefactors, who want to disrupt elections and punish critics?

Richard Miniter, CEO of the American Media Institute, is a bestselling author.


Russian hackers: Conspiracy to interfere in the 2016 presidential election

July 17, 2018
Exactly seven months before the 2016 presidential election, Russian government hackers made it onto a Democratic committee’s network.

One of their carefully crafted fraudulent emails had hit pay dirt, enticing an employee to click a link and enter her password.

That breach of the Democratic Congressional Campaign Committee was the first significant step in gaining access to the Democratic National Committee network.

To steal politically sensitive information, prosecutors say, the hackers exploited some of the United States’ own computer infrastructure against it, using servers they leased in Arizona and Illinois. The details were included in an indictment released Friday by special counsel Robert Mueller, who accused the GRU, Russia’s military intelligence agency, of taking part in a wide-ranging conspiracy to interfere in the 2016 presidential election. The companies operating the servers were not identified in the court papers.

President Vladimir Putin looks at the Main Intelligence Directorate’s symbol while on a visit to its Moscow headquarters in 2006. The agency, known by its acronym GRU, has been blamed for embarking on information warfare campaigns as Russia tries to boost its influence. (Photo: Dmitry Astakhov/Associated Press)

The Russians are accused of exploiting their access to inexpensive, powerful servers worldwide — conveniently available for rental — that can be used to commit crimes with impunity. Reaching across oceans and into networks without borders can obfuscate their origins.

The indictment painstakingly reconstructs the hackers’ movements using web servers and a complex bitcoin financing operation.

Two Russian hacking units were charged with tasks including the creation and management of a hacking tool called “X-Agent” that was implanted onto computers. The software allowed them to monitor individuals’ activity on those computers, steal passwords and maintain access to hacked networks. It captured each keystroke on infected computers and took screenshots of activity displayed on their screens, including an employee viewing the DCCC’s online banking information.

From April to June 2016, the hackers installed updated versions of their software on at least 10 Democratic computers. The software transmitted information from the infected computers to a GRU-leased server in Arizona, the indictment said. The hackers also created an overseas computer to act as a “middle server” to obscure the connection between the DCCC and the hackers’ Arizona-based server.

Once the hackers gained access to the DCCC network, they searched one computer for terms that included “hillary,” “cruz,” and “trump” and copied select folders, including “Benghazi Investigations.”

In emails, the hackers embedded a link that purported to be a spreadsheet of Clinton’s favorability ratings, but instead it directed the computers to send its data to a GRU-created website.

Meanwhile, around the same time, the hackers broke into 33 DNC computers and installed their software on their network. Captured keystrokes and screenshots from the DCCC and DNC computers, including an employee viewing the DCCC’s banking information, were sent back to the Arizona server.

The Russian hackers used other software they developed called X-Tunnel to move stolen documents through encrypted channels to another computer the GRU leased in Illinois.

Despite the use of U.S.-based servers, such vendors typically aren’t legally liable for criminal activities unless it can be proved in federal court that the operator was party to the criminal activity.

A 1996 federal statute protects internet vendors from being held liable for how customers use their service, and except for a few exceptions, provides immunity to the providers. The law is considered a key part of the legal infrastructure of the internet, preventing providers from being saddled with the behemoth task of monitoring activity on their servers.

“The fact that someone provided equipment and or connectivity that was used to engage in data theft is not going to be attributed to the vendor in that circumstance,” Eric Goldman, a professor of law and co-director of the High Tech Law Institute at Santa Clara University School of Law, said. A notable exception, however, is if federal prosecutors are bringing a criminal charge for violations of a federal criminal law.

In that case, “we’re going to require a high level of knowledge of their activity or intent,” Goldman said.


When the DNC and DCCC became aware they had been hacked, they hired a cybersecurity firm, Crowdstrike, to determine the extent of the intrusions. Crowdstrike, referred to as “Company 1” in the indictment, took steps to kick the hackers off the networks around June 2016. But for months the Russians eluded their investigators, and a version of the malware remained on the network through October, programmed to communicate back to a GRU-registered internet address.

“We do not have any information to suggest that it successfully communicated,” said Adrienne Watson, the DNC’s deputy communications director.

As the company worked to kick them off, GRU officials allegedly searched online for information on Company 1 and what it had reported about the X-Agent malware, and tried to delete their traces on the DCCC network using commercial software known as CCleaner. Though Crowdstrike disabled X-Agent on the DCCC network, the hackers spent seven hours unsuccessfully trying to connect to their malware and, on June 20, 2016, tried using previously stolen credentials to access the network.

The indictment also shows the reliance of Russian government hackers on American technology companies such as Twitter to spread their stolen documents.

The hackers also accessed DNC data in September 2016 by breaking into DNC computers hosted on the Amazon Web Services’ cloud. The hackers used Amazon Web Services’ backup feature to create “snapshots” that they moved onto their own Amazon cloud accounts. Amazon also provides cloud computing services for various government agencies, including the Central Intelligence Agency.
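The snapshot route in the paragraph above is something a defender can watch for directly: a snapshot only becomes readable from another account after its create-volume permission is granted to that account (or to everyone), and that grant is an API call that CloudTrail records. The detector below is an added example, not the DNC’s, Crowdstrike’s or Amazon’s code. The log is constructed, the account IDs are placeholders, the trusted-account list is an assumption, the ModifySnapshotAttribute record follows the shape of CloudTrail’s EC2 events, and the AMI launchPermission case is assumed to mirror it.

```python
import json

# Hypothetical account IDs: the account that owns the snapshots and a second account
# (say, a disaster-recovery account) it is allowed to share with. Both are assumptions.
OWN_ACCOUNT = "111111111111"
TRUSTED_ACCOUNTS = {OWN_ACCOUNT, "222222222222"}

# API calls that let another principal pull a copy of the data, and where in
# requestParameters the grant lives. The snapshot entry follows CloudTrail's EC2
# ModifySnapshotAttribute records; the AMI entry is assumed to mirror it.
GRANT_EVENTS = {
    "ModifySnapshotAttribute": ("snapshotId", "createVolumePermission"),
    "ModifyImageAttribute": ("imageId", "launchPermission"),
}

# Constructed CloudTrail log file (the top-level "Records" array of a real delivery),
# trimmed to the fields the detector reads. Not real log data.
SAMPLE_CLOUDTRAIL = """
{"Records": [
  {"eventTime": "2016-09-20T14:02:11Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot",
   "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-operator"},
   "requestParameters": {"volumeId": "vol-0aa11bb22cc33dd44"},
   "responseElements": {"snapshotId": "snap-0123456789abcdef0"}},
  {"eventTime": "2016-09-20T14:05:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
   "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-operator"},
   "requestParameters": {"snapshotId": "snap-0123456789abcdef0", "attributeType": "CREATE_VOLUME_PERMISSION",
     "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
  {"eventTime": "2016-09-20T23:41:07Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
   "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-operator"},
   "requestParameters": {"snapshotId": "snap-0123456789abcdef0", "attributeType": "CREATE_VOLUME_PERMISSION",
     "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
  {"eventTime": "2016-09-21T01:12:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
   "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-operator"},
   "requestParameters": {"snapshotId": "snap-0fedcba9876543210", "attributeType": "CREATE_VOLUME_PERMISSION",
     "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
  {"eventTime": "2016-09-21T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifySnapshotAttribute",
   "userIdentity": {"arn": "arn:aws:iam::111111111111:user/sec-responder"},
   "requestParameters": {"snapshotId": "snap-0123456789abcdef0", "attributeType": "CREATE_VOLUME_PERMISSION",
     "createVolumePermission": {"remove": {"items": [{"userId": "999999999999"}]}}}}
]}
"""


def load_records(text):
    """CloudTrail log files are a JSON object with a top-level 'Records' array."""
    return json.loads(text)["Records"]


def added_principals(event):
    """Yield (resource_id, principal) for every principal a grant event adds.
    A principal is a 12-digit account ID or the special group 'all' (public).
    CreateSnapshot, removals and non-EC2 events yield nothing."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return
    spec = GRANT_EVENTS.get(event.get("eventName"))
    if spec is None:
        return
    id_field, perm_field = spec
    params = event.get("requestParameters") or {}
    perm = params.get(perm_field) or {}
    for item in (perm.get("add") or {}).get("items") or []:
        principal = item.get("userId") or item.get("group")
        if principal:
            yield params.get(id_field), principal


def audit_snapshot_sharing(records, trusted=TRUSTED_ACCOUNTS):
    """Return one finding per grant to a principal outside the trusted set.
    Public grants ('all') are always findings and are ranked highest."""
    findings = []
    for ev in records:
        for resource, principal in added_principals(ev):
            if principal == "all":
                severity, why = "critical", "made public"
            elif principal in trusted:
                continue  # expected cross-account sharing
            else:
                severity, why = "high", "shared with untrusted account"
            findings.append({
                "time": ev.get("eventTime"),
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "api": ev["eventName"],
                "resource": resource,
                "principal": principal,
                "severity": severity,
                "why": why,
            })
    return findings


def run_sample():
    return audit_snapshot_sharing(load_records(SAMPLE_CLOUDTRAIL))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['time']} {f['severity']:<8} {f['resource']} {f['why']} {f['principal']} by {f['actor']}")
```

Two of the five records are findings: the grant to the unknown account and the grant to everyone. The grant to the trusted account, the snapshot creation itself and the later removal are ignored, although in an investigation the removal is worth keeping, since it tells you when someone noticed. The same check belongs in a preventive control (an SCP or a config rule denying grants outside an allowlist), because by the time the log line is read the copy may already exist in the other account.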


By Tami Abdollah
Associated Press

Russia, Putin, Hillary Clinton Get Everyone A Lesson in the Need for Cybersecurity: The Russian intelligence agents behind Guccifer 2.0

July 14, 2018

The latest Mueller indictment names the Russian intelligence agents behind the Guccifer 2.0 persona, the public face of the cyber break-in at the Democratic National Committee.

The big picture: Though the WikiLeaks email leaks got nearly all the attention, other press outlets — including The Hill, The Smoking Gun and Gawker — also received leaked documents from the hackers of the Democratic National Committee and Democratic Congressional Campaign Committee. Guccifer 2.0 was the persona used to leak those documents to the press — including me, then a reporter at The Hill.




  • Guccifer 2.0 also released a smaller number of documents on his own WordPress blog.
  • He interacted with people over Twitter direct messages, including — famously — Trump confidant Roger Stone.
  • New in the indictment, he also provided documents to a U.S. congressional candidate about his opponent.
  • We knew, from the files leaked to The Hill, that Guccifer 2.0 had stolen recruitment documents when the Democrats searched for candidates to run in various elections.

Who he is: Guccifer 2.0 borrowed his name from Guccifer, a famous Romanian hacker who struck celebrities — including Clinton insiders — in the past. The original Guccifer was obsessed with linking victims to the Illuminati.

  • Guccifer 2.0 claimed to be from Romania and ended his first WordPress post with “F*ck the Illuminati and their conspiracies.” He soon dropped the Illuminati schtick.
  • Guccifer 2.0’s first leaks came immediately after a Washington Post story attributed the DNC hack to Russia, and most experts believe that the persona was an attempt to salvage what they could out of a blown operation.

What we know: Guccifer 2.0 always presented himself as a single apolitical hacker. It was pretty clear to most people who chatted with him that Guccifer 2.0 was actually more than one person. It was also fairly clear from security research, intelligence reports and the documents he selected for leaks that he was largely interested in sandbagging the Democratic campaign nationally, and especially in swing states.

Based on the indictment:

  • We now know who made up the team that procured and leaked the documents — Viktor Borisovich, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin and Anatoliy Sergeyevich Kovalev.
  • Russian intelligence operatives ran searches of several of the phrases in Guccifer 2.0’s first WordPress post hours before the post went live, implying some kind of advance knowledge.
  • One reporter who received documents — not me — asked about timing of when to publish.

The fallout: Washington Post columnist Josh Rogin tweeted after the Russia indictment that “American reporters who took stories from Guccifer 2.0 or DC Leaks have to wonder if they weren’t used as a tool of a foreign military intelligence operation against our country.”

  • We did wonder about that. At The Hill, we always tried to make it clear that Guccifer 2.0 was likely a Russian asset. We never published full documents — though we did summarize some — and only printed stories we believed explained some aspect of Russia’s intent with the campaign.
  • With Kevin Collier, I was one of two reporters who had ThreatConnect perform forensic analysis on emails from Guccifer 2.0 that ultimately determined he used a Russian anonymity service known as a VPN. (I scrubbed the emails of any identifying information other than the IP address to protect my source’s anonymity).
  • The first reporter to conduct an interview with Guccifer 2.0, Motherboard’s Lorenzo Franceschi-Bicchierai, quickly established that Guccifer 2.0 did not speak Romanian.

See also:

How Russia Hacked the Democrats in 2016 (New York Times)



Stolen U.S. Military Drone Documents Found for Sale on Dark Web, Researchers Say

July 11, 2018

Discovery comes amid heightened concern about how U.S. military secrets may be insufficiently protected from hackers

An MQ-9 Reaper drone in flight at Creech Air Force Base on Oct. 17, 2015, in Indian Springs, Nev. PHOTO: SRA CORY PAYNE/ZUMA PRESS

An unidentified hacker tried to sell purported U.S. military documents containing information about combat drones last month, a cybersecurity research firm said, after they were allegedly stolen from an Air Force officer’s computer.

The hacker sought buyers for maintenance documents about the MQ-9 Reaper drone, a remotely controlled aerial vehicle used by the Pentagon and other parts of the government to conduct offensive strikes or reconnaissance and surveillance operations.

Discovery of the attempted sale of the stolen documents comes amid heightened concern about how U.S. military secrets may be insufficiently protected from hackers. Military officials said last month that the Defense Department’s inspector general was investigating a major security breach after Chinese hackers allegedly stole data pertaining to submarine warfare, including plans to build a supersonic antiship missile.

There was no evidence that the hacker who acquired the Reaper drone documents was affiliated with a foreign country, or that he was intentionally seeking to obtain military documents, said Andrei Barysevich, a senior threat researcher at Recorded Future, the U.S.-based cybersecurity firm that spotted the attempted sale. Instead, the hacker scanned large parts of the internet for misconfigured Netgear routers and exploited a two-year-old known vulnerability, involving default login credentials, to steal files from compromised machines.

Recorded Future said it has notified the Defense Security Service and the Department of Homeland Security about the hacker’s activities. A DHS spokesman said the agency was reviewing the information provided by Recorded Future but deferred further comment to the Air Force. The Air Force and DSS didn’t respond to requests for comment.

Posing as a potential buyer, researchers at the cyber firm contacted the seller, and during weeks of back-and-forth discussions were sent screenshots of the purportedly stolen documents. Those documents included the name of an Air Force captain stationed at the Creech Air Force Base in Nevada from whom the hacker is believed to have obtained the stolen drone files.

The hacker likely didn’t know the value of the documents he had obtained because he was attempting to sell them for as little as $150, Barysevich said. He added that the hacker communicated in flawed English but would occasionally slip into Spanish, which along with other indicators led some of the researchers to think he may be based in South America.

Criminal hackers often attempt to anonymously purchase and sell stolen data on the dark web, but those transactions typically involve information that can be monetized in fraud schemes, such as passwords, usernames or financial records. The sale of military documents on an open forum, however, is incredibly rare, Barysevich said.

“I’ve been personally researching dark web for 15 years, and I have never seen anything like this,” he said in an interview.

The documents shared by the hacker weren’t marked as classified but could be used by an adversary to evaluate the capabilities and potential weaknesses of the Reaper drone, Recorded Future said. Some of the files included a warning that the material included technical data that was subject to export control.

A U.S. Air Force officer passes in front of an MQ-9 Reaper drone at Kandahar Air Base, Afghanistan PHOTO: OMAR SOBHANI/REUTERS

Barysevich said the hacker’s methods weren’t particularly sophisticated, and that his apparent success should raise concerns about what more advanced hacking groups may be stealing from the U.S. military.

The hacker also advertised the sale of another tranche of military documents that included a tank operation manual and training material on how to mitigate improvised explosive devices. It wasn’t clear how the hacker obtained those documents, but they likely were taken from the Pentagon or a U.S. Army official, Recorded Future said.

Write to Dustin Volz at