Posts Tagged ‘Kaspersky’

US agencies banned from using Russia’s Kaspersky software

September 14, 2017

Federal agencies in the US have 90 days to wipe Kaspersky software from their computers. Officials are concerned about the Russian company’s ties to the Kremlin and possible threats to national security.

Headquarters of Internet security giant Kaspersky in Moscow (Getty Images/AFP/K. Kudryavtsev)

The administration of US President Donald Trump has ordered government agencies to remove products made by Russian company Kaspersky Lab from their computers.

The Department of Homeland Security (DHS) said Wednesday it was concerned that the cybersecurity firm was susceptible to pressure from Moscow and thus a potential threat to national security.


DHS said in a statement that it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies,” as well as Russian laws that might compel Kaspersky to hand over information to the government.

But the makers of the popular anti-virus software have said “no credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions.”

US tech retailer Best Buy confirmed earlier Wednesday that it would no longer sell Kaspersky products, but has declined to give further details on the decision.

Ties between Kaspersky, Kremlin ‘alarming’

Civilian government agencies have 90 days to completely remove Kaspersky software from their computers. The products have already been banned at the Pentagon.

US congressional leaders have applauded the move. Democratic Senator Jeanne Shaheen said the “strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented,” and asked the DHS if the company’s products were used for any critical infrastructure, such as for voting systems, banks and energy supply.

Although Kaspersky Lab was founded by a KGB-trained entrepreneur, Eugene Kaspersky, and has done work for Russian intelligence, the company has repeatedly denied carrying out espionage on behalf of President Vladimir Putin and his government.

es/cmk (AP, Reuters)


U.S. Senate moves to ban Moscow-based cybersecurity firm Kaspersky Lab over ties to Russia

June 29, 2017

The Hill


The Senate’s draft of the Department of Defense’s budget rules reveals a provision that would block the use of products from the Russia-based global cybersecurity firm Kaspersky Lab, citing concerns that the company “might be vulnerable to Russian government influence.”

Reuters reporter Dustin Volz first shared the news in a tweet Wednesday.

“BREAKING: Senate draft of [National Defense Authorization Act] bans use of Kaspersky products by [Department of Justice] due to reports company “might be vulnerable to Russian [government] influence,” Volz tweeted.

The decision to ban the products within the National Defense Authorization Act (NDAA), which specifies budget and expenditures for the Department of Defense, comes after the FBI visited the homes of at least 10 Kaspersky employees.

The investigative agency, however, has not yet contacted the company. While Kaspersky is based in Russia, the company has research centers around the world, including in the U.S.

“As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts,” the company said in a reissued statement.

“The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations,” the statement continued. “Kaspersky Lab is available to assist all concerned government organizations with any ongoing investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded.”

Its founder, Eugene Kaspersky, has also offered to testify in front of Congress after NBC News reported that the employees questioned were largely asked about the relationship between the U.S. and Russia.


New Threats Fuel Fears of Another Global Cyberattack

May 18, 2017

A new attack hit thousands of computers and a hacking group said it would release more attack software

Staff monitor the spread of ransomware cyberattacks at the Korea Internet and Security Agency in Seoul on May 15. Businesses and security experts fear more cyberattacks could be in the pipeline.

Updated May 17, 2017 8:01 p.m. ET

A new fast-spreading computer attack and a hacking group’s threat to release a fresh trove of stolen cyberweapons are fueling fears among businesses and security experts of another global technology assault.


The new attack, called Adylkuzz, follows last week’s WannaCry outbreak, which crippled computers in more than 100 countries over the weekend. Both attacks rely on a Windows bug that was patched on March 14 and only affect PCs that have not installed that update. Unlike its predecessor, Adylkuzz doesn’t lock up computer screens; it slows down systems as it quietly steals processing power to mine a little-known digital currency called Monero.

Adylkuzz began spreading about two weeks ago and by Wednesday had infected more than 150,000 machines around the globe, according to Ryan Kalember, senior vice president with the security intelligence firm Proofpoint Inc. That is nearly the same count as WannaCry, which has largely stopped spreading, security experts said. Security company Kaspersky Lab ZAO pegged the number of Adylkuzz infections at just several thousand by Wednesday.

The news comes a day after a hacking group called the Shadow Brokers separately posted an internet message saying it would release a new trove of cyberattack tools next month. The group claimed to have software that would affect web browsers, routers, mobile phones and Microsoft Corp.’s Windows 10 operating system. Its first trove, which it and Microsoft said was stolen from the National Security Agency, was dumped last month and used by WannaCry.


A Microsoft spokeswoman said the company is aware of the new Shadow Brokers claim and that its security teams actively monitor for emerging threats. The NSA has declined to comment on the authenticity of the Shadow Brokers documents or the WannaCry attack.

The threats highlight the growing risks of global assaults for businesses and governments posed by a nexus of mysterious hackers and powerful, government-crafted cyberweapons.

“In a few years we’re going to be looking back and saying that 2017 was clearly a turning point,” said Edward Amoroso, the former security chief at AT&T Inc. “That’s when we started to see businesses affected. If your employees are coming in and they can’t work, that’s a big deal.”

For companies looking to protect their systems, security experts agree on one piece of advice: install patches to Windows software now.

Still, that may not be enough to stop the next attack. “There’s no wall you can build that’s high enough or deep enough to keep a dedicated adversary out,” said John Carlin, a former cybercrimes prosecutor at the Justice Department.

Larger companies will need to step up their security training, patching and planning, he says. Smaller mom-and-pop businesses may need to hand over security to companies that specialize in these services. “It’s crazy to expect a mom-and-pop to on their own have to deal with cybersecurity issues,” said Mr. Carlin, now the chair of the law firm Morrison & Foerster LLP’s global risk and crisis management practice.

A programmer shows a sample of decrypting source code in Taipei on May 13.

The scope and intensity of the WannaCry cyberattack will bring staffing, investment and policy under review, security chiefs and CIOs have said. Corporate computer security spending is expected to hit $90 billion world-wide this year, an increase of 7.6% from a year earlier, according to research firm Gartner Inc.

That increased spending has helped drive up share prices at security companies such as Rapid7 Inc., FireEye Inc. and Symantec Corp., all of which have seen shares rise by more than 25% this year.

The recent attacks were much more widespread in Russia, India, Ukraine and Taiwan, Kaspersky said. And while that may have prevented many U.S. companies from feeling the full brunt of the latest attacks, that comes as small consolation for local governments and small- or medium-size businesses that must defend against these threats with limited budgets. The attacks “just keep ratcheting up year after year,” said Dan Lohrmann, chief security officer with the training company Security Mentor Inc. and Michigan’s former chief security officer. “You think it can’t go any higher but every year it does.”

The Shadow Brokers’ release of what it says are U.S. government hacking tools comes after WikiLeaks in March published a cache of alleged Central Intelligence Agency cybersecrets, offering a window into a world where the research and development of computer attacks has become increasingly professionalized.

The stage for today’s cyberattacks was set more than a decade ago. In the mid-2000s, Microsoft, embarrassed by a series of computer worm and virus outbreaks, began to comb through its software for bugs and develop new coding techniques designed to thwart hackers. At the same time, hackers discovered they could command large fees for their work. Apple Inc., for example, pays $200,000 for details on the most severe bugs affecting its software. Government agencies and private corporations often pay more, especially if the research includes “exploit code” that can be used in an attack. Last year, the Federal Bureau of Investigation paid more than $1 million for a hacking tool that gave it access to the iPhone used by the gunman in the San Bernardino, Calif., attack.

These factors have slowed the flow of bugs and the tools that exploit them on public venues, where they were once freely—and more frequently—disclosed, said David Aitel, chief executive at Immunity Inc., a computer-security services company. “There’s a scarcity of high-quality attack tools,” he said.

But if companies thought the risk of attacks had evaporated, WannaCry served as a wake-up call. And the attack could have been much worse if it had made sensitive corporate information public, said Mr. Aitel, a former NSA analyst.

Recent events are “a taste of the kind of threats we may be facing going forward,” said Virginia Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, which oversees the nation’s spy agencies. “I’m not sure if the whole of government—or for that matter, the whole of society—is fully prepared.”

While few victims appear to have paid the $300 ransom WannaCry demanded from affected users, the software affected hundreds of thousands of systems, including networks at Renault SA and Britain’s public health service. It not only rendered computers unusable but deployed encryption to make data stored on them unreadable.

Another computer worm may soon appear, either based on the Shadow Brokers’ code used by WannaCry or on similarly devastating code released by the Shadow Brokers in April that targeted Microsoft’s Remote Desktop Protocol software, said Robert M. Lee, chief executive of security consultancy Dragos Inc.


And while it isn’t known yet how dangerous any new releases might be, “everything the Shadow Brokers have talked about leaking so far has been legitimate,” he said.

Microsoft, whose Windows software is the most frequent target of attacks, is calling on governments to report software flaws rather than stockpiling or exploiting them.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Brad Smith, the company’s top lawyer, wrote in a blog post Sunday.

Given the widespread use of these attacks, and the fact that nations such as North Korea are unlikely to abide by international cybersecurity conventions akin to those proposed by Microsoft, Immunity’s Mr. Aitel says such suggestions aren’t likely to be adopted. “No country on earth thinks this is a good idea,” he said.


Appeared in the May. 18, 2017, print edition as ‘Cyberthreats Breed Deep Unease.’

Researcher finds ‘kill switch’ for cyberattack ransomware — after cyberattacks wreak havoc globally

May 13, 2017


© AFP / by Kate BARTLETT


A cybersecurity researcher appears to have discovered a “kill switch” that can prevent the spread of the WannaCry ransomware — for now — that has caused the cyberattacks wreaking havoc globally, they told AFP Saturday.

The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.

“Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,” @MalwareTechBlog told AFP in a private message on Twitter.

The researcher warned however that people “need to update their systems ASAP” to avoid attack.

“The crisis isn’t over, they can always change the code and try again,” @MalwareTechBlog said.

Friday’s wave of cyberattacks, which affected dozens of countries, apparently exploited a flaw exposed in documents leaked from the US National Security Agency.

The attacks used ransomware, malware that encrypts users’ files and refuses to restore them unless the victim pays the attackers a designated sum in the virtual currency Bitcoin.

Affected by the onslaught were computer networks at hospitals in Britain, Russia’s interior ministry, the Spanish telecom giant Telefonica and the US delivery firm FedEx and many other organisations.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” @MalwareTechBlog tweeted.

Registering the domain does not, however, help computers that are already infected: it only stops the malware from spreading further.

“So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”
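The mechanism described above is simple enough to model directly. The following is an added example, not code from the article or from the researcher: it mirrors the kill-switch decision (spread only if the domain does not resolve) and then shows the defensive side, turning queries for the now-registered domain into an infection indicator over a constructed DNS query log. The domain name, the resolver stand-in and the log format are all assumptions; the article does not name the real domain.

```python
import re
from typing import Callable, Dict, Iterable, Optional, Set

# Placeholder name: the article does not give the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"


def should_propagate(domain: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """The kill-switch check as the article describes it.

    The worm looks up a domain it expects to be unregistered. No answer means
    nobody has intervened, so it keeps spreading. Once the domain is registered
    and resolves, the very same check tells it to stop.
    """
    return resolve(domain) is None


def resolver_from_table(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Stand-in for real DNS: an address for registered names, None otherwise."""
    normalised = {k.rstrip(".").lower(): v for k, v in table.items()}
    return lambda name: normalised.get(name.rstrip(".").lower())


# Constructed DNS query log (assumed format: "<ts> <client-ip> <qname> <rcode>").
SAMPLE_DNS_LOG = """\
2017-05-12T14:02:11Z 10.0.4.17 killswitch-placeholder.invalid. NXDOMAIN
2017-05-12T14:02:12Z 10.0.4.17 updates.example.net. NOERROR
2017-05-12T14:05:40Z 10.0.7.3 KILLSWITCH-PLACEHOLDER.INVALID. NXDOMAIN
2017-05-12T16:30:05Z 10.0.9.21 killswitch-placeholder.invalid. NOERROR
2017-05-12T16:31:00Z 10.0.2.8 mail.example.net. NOERROR
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_lookups(log_lines: Iterable[str],
                     domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, str]:
    """Map each client that queried the kill-switch domain to what that lookup meant.

    Any query for the domain is an infection indicator, because only the malware
    asks for it. NXDOMAIN means the host checked before the domain was registered
    and would have gone on spreading; NOERROR means the sinkhole answered and the
    check stopped it. Either way the host needs cleaning and patching.
    """
    wanted = domain.rstrip(".").lower()
    verdicts: Dict[str, str] = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, client, qname, rcode = m.groups()
        if qname.rstrip(".").lower() != wanted:
            continue
        verdicts[client] = "stopped_by_sinkhole" if rcode == "NOERROR" else "would_spread"
    return verdicts


def infected_hosts(log_lines: Iterable[str],
                   domain: str = KILL_SWITCH_DOMAIN) -> Set[str]:
    """Every client that asked for the kill-switch domain, regardless of answer."""
    return set(classify_lookups(log_lines, domain))


if __name__ == "__main__":
    before = resolver_from_table({})
    after = resolver_from_table({KILL_SWITCH_DOMAIN: "192.0.2.10"})  # sinkhole, TEST-NET
    print("spreads before registration:", should_propagate(KILL_SWITCH_DOMAIN, before))
    print("spreads after registration: ", should_propagate(KILL_SWITCH_DOMAIN, after))
    for host, verdict in sorted(classify_lookups(SAMPLE_DNS_LOG.splitlines()).items()):
        print(host, verdict)
```

The example models the check as a plain name lookup; the actual WannaCry check was an HTTP request to the domain, so whether a given host is stopped also depends on whether that host can reach the sinkhole over its real network path. As the researcher warns, the attackers can change the domain in a new build, so the indicator must be kept current and is no substitute for installing the patch.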

The malware’s name is WCry, but analysts were also using variants such as WannaCry.

Forcepoint Security Labs said in a Friday statement that the attack had “global scope” and was affecting networks in Australia, Belgium, France, Germany, Italy and Mexico.

In the United States, FedEx acknowledged it had been hit by malware and was “implementing remediation steps as quickly as possible.”

Also badly hit was Britain’s National Health Service, which declared a “major incident” after the attack, which forced some hospitals to divert ambulances and scrap operations.

Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 (275 euros) in Bitcoin, saying: “Ooops, your files have been encrypted!”

It demands payment in three days or the price is doubled, and if none is received in seven days, the files will be deleted, according to the screen message.

A hacking group called the Shadow Brokers released the exploit for the flaw in April, claiming to have obtained it from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.

Kaspersky researcher Costin Raiu cited 45,000 attacks in 74 countries as of Friday evening.

Mike Flynn Worked for Several Russian Companies, Was Paid More Than $50,000, Documents Show

March 16, 2017

Former Trump national security adviser had business connections with Russia beyond RT that hadn’t been previously known

Mike Flynn, President Trump’s former national security adviser, with Russian President Vladimir Putin at an exhibition in 2015 marking the 10th anniversary of RT (Russia Today).

President Trump’s former national security adviser, Mike Flynn, was paid tens of thousands of dollars by Russian companies shortly before he became a formal adviser to the then-candidate, according to documents obtained by a congressional oversight committee that revealed business interests that hadn’t been previously known.

Mr. Flynn was paid $11,250 each by a Russian air cargo company that had been suspended as a vendor to the United Nations following a corruption scandal, and by a Russian cybersecurity company that was then trying to expand its business with the U.S. government, according to the documents, which were reviewed by The Wall Street Journal.

Those engagements took place in the summer and fall of 2015, a year after Mr. Flynn had been fired as the director of the Defense Intelligence Agency and while he continued to maintain a top-secret level security clearance.

In December 2015, the Kremlin-backed news organization RT also paid Mr. Flynn $33,750 to speak about U.S. foreign policy and intelligence matters at a conference in Moscow.

In February 2016, Mr. Flynn became an official adviser to the presidential campaign of Mr. Trump, who at the time was taking a softer stance toward Moscow than his Republican rivals.


Price Floyd, a spokesman for Mr. Flynn, said he reported his RT appearance to the Defense Intelligence Agency, as required. Mr. Floyd didn’t immediately respond to questions about the other fees.

The new details about Mr. Flynn’s speaking engagements are contained in emails and documents provided to Congress by his speaker’s bureau, which is called Leading Authorities, and shed light on a continuing inquiry into Mr. Flynn’s and other Trump associates’ ties to Moscow.

On Monday, FBI Director James Comey and other current and former U.S. officials are scheduled to testify about possible Russian interference in the 2016 presidential election before a congressional committee that is also probing Trump associates’ ties to Russia.

Attorney General Jeff Sessions has recused himself from any investigation related to the 2016 presidential campaign after he failed to disclose the extent of his own contacts with the Russian ambassador to the U.S., Sergei Kislyak.

Mr. Flynn resigned under pressure in February after he failed to tell White House officials about phone calls he had with Mr. Kislyak, in which the two discussed the potential lifting of U.S. sanctions on Russia, according to U.S. officials familiar with the contents of the conversations.

While the documents from Mr. Flynn’s speaker’s bureau provide the most detail to date on his business dealings with Russia, they don’t show what other work he may have been doing outside his role as a paid speaker. Mr. Flynn commanded high fees for speaking on the state of global security and talking about his role as one of the most senior intelligence officials in the Obama administration.

Mr. Flynn was removed from his post as DIA chief after complaints of poor management and organization, not because of a policy dispute, according to people who worked with him at the time.

Last week, Mr. Flynn filed papers with the Justice Department disclosing that his firm was paid $530,000 to work in the U.S. on behalf of the interests of the Turkish government. Mr. Flynn had performed those services while he was advising Mr. Trump, then a presidential candidate.

Little additional information has become public about other clients the former military intelligence chief’s private consulting firm, Flynn Intel Group, may have had before the retired general’s appointment as national security adviser.

In a letter sent Thursday by Rep. Elijah Cummings (D., Md.) to Mr. Trump, Defense Secretary Jim Mattis and Mr. Comey, Mr. Cummings wrote that by taking the RT speaking fee, Mr. Flynn had “accepted funds from an instrument of the Russian government.”

Mr. Cummings, the top Democrat on the House Oversight and Government Reform Committee, pointed to a Central Intelligence Agency analysis written in 2012, while Mr. Flynn was running the DIA, that said RT was “created and financed by the Russian government,” which spent hundreds of millions of dollars a year to help the network create and disseminate programming that is broadcast in English around the world, including in the U.S.

Mr. Cummings said that by taking the fee, Mr. Flynn had violated the emoluments clause of the Constitution, which prohibits people in public office from accepting money from foreign governments. Some analysts have said this prohibition may apply to retired officers as well, because they could be recalled to service.

“I cannot recall anytime in our nation’s history when the president selected as his national security adviser someone who violated the Constitution by accepting tens of thousands of dollars from an agent of a global adversary that attacked our democracy,” Mr. Cummings wrote.

Though Mr. Flynn’s RT appearance had been reported, the documents provided new details about how he came to speak at the RT conference in December 2015, an event marking the network’s 10th anniversary.

While Mr. Flynn’s speakers’ bureau acted as a middleman, email communications indicate that RT sought to orchestrate the event and the content of his remarks.

“Using your expertise as an intelligence professional, we’d like you to talk about the decision-making process in the White House—and the role of the intelligence community in it,” an official from RT TV-Russia wrote in an email on Nov. 20, 2015, the month before Mr. Flynn’s appearance in Moscow.

In an earlier email in October, an RT official described the event as a networking opportunity for Mr. Flynn and an occasion to meet “political influencers from Russia and around the world.” At a gala dinner during the event, Mr. Flynn sat at the head table next to Russian President Vladimir Putin.

“It was something of a surprise to see General Flynn there,” said Ray McGovern, a former CIA officer and political activist who also attended.

Before the dinner, Mr. Flynn gave an interview on stage with an RT correspondent and chastised the Obama administration for objecting to Russia’s intervention in Syria.

“The United States can’t sit there and say, ‘Russia, you’re bad,’” Mr. Flynn said, according to a video of the interview, noting that both countries had shared global interests and were “in a marriage, whether we like it or not.” The countries should “stop acting like two bullies in a playground” and “quit acting immature with each other,” Mr. Flynn said.

Mr. Flynn attended with his son, Michael Flynn Jr., who worked as the chief of staff to his consulting firm. Records show that RT paid for travel and lodging expenses for both Flynns, including business-class airfare, accommodations at Moscow’s Hotel Metropol, and meals and incidental expenses while in Russia.

Mr. Putin entered the dinner late with two bodyguards, Mr. McGovern said. He waved and took his seat at the table, where he remained for about 20 minutes. After a fifteen-minute speech, Mr. Putin sat down, listened to a performance by the Russian Army chorus and then left, Mr. McGovern said.

It isn’t clear what Mr. Flynn said during speeches to the other two companies, computer security firm Kaspersky and Russian air cargo carrier Volga-Dnepr.

Mr. Flynn appears to have spoken to Kaspersky at a conference the company sponsored in Washington, D.C., in October 2015. It wasn’t clear where Mr. Flynn spoke to Volga-Dnepr, but records from his speaker’s bureau show the engagement took place on August 19, 2015.

Kaspersky sponsors a number of events world-wide and in recent years has been trying to expand its business in the U.S., looking to supply government clients with antivirus products for industrial control systems.

Kaspersky said in a statement that its U.S. subsidiary paid Mr. Flynn a speaker fee for remarks at the 2015 Government Cyber Security Forum in Washington, D.C.

“As a private company, Kaspersky Lab has no ties to any government, but the company is proud to collaborate with the authorities of many countries, as well as international law enforcement agencies in the fight against cybercrime,” the company said.

Volga-Dnepr didn’t respond to a request for comment. The Russian cargo air firm is known for operating one of the largest military transport aircraft in the world, the An-124, which the U.S. has contracted in the past to lift military equipment, including Russian helicopters, into Afghanistan. The plane has a larger capacity than the U.S. military’s biggest cargo plane.




One-Time Trump National Security Pick Registers As Foreign Agent for Ukrainian Oligarch


Monica Crowley was once U.S. President Donald Trump’s top pick for a senior White House national security role. After being caught up in a plagiarism scandal, she backed out of the job. But now she has a new one: lobbying for Ukrainian oligarch Victor Pinchuk.

Her move comes right on the heels of a scandal involving former national security advisor Michael Flynn’s belated registration as a foreign agent for work he did for Turkey while advising the Trump campaign. While Crowley never served in the administration, her move to lobby for a Ukrainian oligarch further clouds Trump’s campaign pledge to “drain the swamp” of Washington.

Crowley registered as a foreign agent for Victor Pinchuk according to documents submitted to the Department of Justice on March 10. According to the files, the conservative news commentator will “be providing outreach services on behalf of Mr. Pinchuk” including “inviting government officials and other policy makers to attend conferences and meetings…to engage in learning and dialogue regarding issues of concern to Mr. Pinchuk.”

Pinchuk is a controversial political figure in Ukraine. The son-in-law of former Ukrainian president Leonid Kuchma, Pinchuk made over $1 billion off his steel company and other ventures in the rough-and-tumble business landscape of post-Soviet Ukraine. He backed Ukrainian President Petro Poroshenko and became a vocal opponent of Russia’s actions in Ukraine. He also gained notoriety for forging close ties with the Clinton family, pouring between $10 and $25 million into the Clinton Foundation as of 2016, according to the New York Times.

Pinchuk came under fire in 2015 when a Newsweek investigation revealed his businesses had trade links with Iran in 2011 and 2012 when Iran was under sanction — a claim Pinchuk denied. He also found himself in legal trouble when the Commerce Department investigated his steel company, Interpipe, Ltd., for illegally dumping steel tubes used in natural gas production into the United States.

Pinchuk’s foundation also donated $150,000 to Trump’s foundation after the real-estate mogul delivered a speech on Ukraine in 2015 to a meeting organized by the foundation.

Pinchuk emerged as a potential conduit to Trump for the Ukrainian government, as Foreign Policy reported in February. He caught flak at home for penning a Wall Street Journal op-ed in December arguing that Ukraine should make “painful compromises” with Russia, though he hasn’t backed off his denunciation of Russia’s antics in stoking the crisis. His new business relationship with Crowley indicates he could be seeking new inroads with the White House after years of forging ties with the Clintons.

Crowley plagiarized over 50 sections of her 2012 book, What The (Bleep) Just Happened,  from sources including Wikipedia, Investopedia, news outlets, and think tank reports. She withdrew herself from the running to be senior director of communications for Trump’s national security council when revelations of her plagiarism first broke in January. Her publisher, HarperCollins, subsequently removed the book from shelves.

Doug Schoen, another news commentator and political analyst, is listed in the documents as the primary registrant for Crowley’s work with Pinchuk. Schoen arranged multiple meetings for Pinchuk with top State Department officials while Hillary Clinton served as Secretary of State, and as recently as 2014 earned $40,000 a month for advising Pinchuk, according to the New York Times.

Flynn, who served less than one month in office, retroactively registered as a foreign agent in March for lobbying on behalf of a company with ties to the Turkish government while advising Trump’s presidential campaign. He resigned in February for misleading White House officials, including Vice President Mike Pence, on meetings he held with the Russian ambassador.



Russian Banks Subject of Cyberattacks

December 5, 2016


© POOL/AFP/File | Russian President Vladimir Putin attends the 7th annual VTB Capital “Russia Calling!” Investment Forum in 2015

MOSCOW (AFP) – State-controlled Russian bank VTB said Monday that its websites had been hit by a cyberattack but insisted its systems were still working “as normal”.

“A DDoS (distributed denial of service) attack was carried out against VTB Group internet sites,” Russia’s second largest bank said in a statement carried by Russian news agencies.

“Our IT infrastructure is working as normal and the bank’s clients are not experiencing any difficulties.”

Russia on Friday said it had uncovered plans by foreign intelligence services to carry out massive cyberattacks this month targeting the country’s financial system.

The FSB security service said in a statement that it had received information on “plans by foreign secret services to carry out large-scale cyberattacks from December 5”.

The FSB did not say which countries’ secret services were involved in the latest plot against Russian banks but alleged the attacks would use servers and “command centres” located in the Netherlands belonging to Ukrainian hosting company BlazingFast.

Russia has been embroiled in a hacking scandal with the US over allegations from Washington that Moscow was behind the theft and leaking of documents online during the run-up to the US presidential election aimed at influencing the outcome.

Vice President Joe Biden warned that the US would respond to the suspected Russian hacking “at the time of our choosing and under the circumstances that have the greatest impact”.

The latest attack on VTB comes after Moscow-based security giant Kaspersky said in November that a massive DDoS cyberattack had hit at least five of Russia’s largest banks.

DDoS attacks involve flooding websites with more traffic than they can handle, making them difficult to access or taking them offline entirely.

Kaspersky said those attacks used devices located in 30 countries including the United States.

Russia’s largest lender, state-controlled Sberbank, acknowledged it had been hacked but said its operations had not been interrupted.

Russian hackers target cash before politics — Over 1,000 hackers in Russia specialising in financial crime — Internet illegal activity is flourishing

November 8, 2016


AFP/File / by Thibault Marchand | Moscow-based internet security giant Kaspersky has estimated that there are over 1,000 hackers in Russia specialising in financial crime

MOSCOW (AFP) – Just as the scandal over alleged Russian hacking of the US Democratic Party erupted in June, police in Russia were rounding up a group known as Lurk.

In the underground world of Russian hackers, a shadowland of anonymous internet forums where users exchange the latest malware, Lurk was legendary.

The group, active since 2011, was accused of stealing some three billion rubles ($47 million, 42.5 million euros) from Russian banks and aspiring hackers were keen to join.

Then more than 50 members, most of whom hailed from the Urals city of Ekaterinburg, were arrested in a sweeping raid that entailed 86 probes in 15 regions across the vast country.

But despite the eye-catching operation, the crackdown on Lurk only touched the tip of the iceberg of a lucrative criminal industry.

Moscow-based internet security giant Kaspersky has estimated that there are over 1,000 hackers in Russia specialising in financial crimes.

Between 2012 and 2015, by the company’s conservative estimate, Russian-speaking hackers stole at least $790 million across the globe.

Meanwhile, this type of illegal activity is flourishing.

“The number of financial cyber criminals is growing as the use of online banking rises,” explained Yury Namestnikov, the head of Kaspersky’s Russia research and analysis department.

Adding to security woes are also the prevalence of smartphones — which are less well protected than computers — and the rise in “ransomware”, a technique that allows hackers to steal data and then ransom it back to the owner.

“It is no secret that most of today’s crypto-ransomware has Russian roots, both in terms of the authors of the malicious code and of the actors who spread the malware and demand the ransom,” Kaspersky noted in a report.

– Soviet-style education –

For industry experts Russia’s dubious honour as a major power in the hacking world is no accident.

“We have good mathematics schools and Russians know how to code properly,” said Namestnikov. “What is special about the Russian hackers is that they have been active for so long.”

Artem Sychev is in charge of cyber security at Russia’s Central Bank and concurs that “Russian-speaking hackers were educated in the Soviet-style system,” whose emphasis on high-level maths and science continues today.

“They are most creative people, including unfortunately in the area of fraud,” he said.

– ‘Patriot hackers?’ –

The furore over the US election hacks has shone a spotlight on alleged ties between hackers and the Russian government.

Authorities in Washington have accused top-ranking Russian officials of directing attacks on the US aimed at undermining the election.

CrowdStrike, the security firm that uncovered the hacking of the Democratic National Committee, said that the group behind it, Cozy Bears, was linked to Russian military intelligence.

Another group, Fancy Bears — which has hacked targets including the World Anti-Doping Agency — meanwhile has ties to the FSB spy agency, according to Crowdstrike.

Russia has dismissed the allegations and said US politicians are blaming Moscow in a bid to drum up their polling numbers.

Local experts insist the vast majority of hacking in Russia is aimed at thieving cash — not interfering in politics.

“99 percent of internet pirates are looking to steal money,” said Ilya Sachkov, founder of Russian security firm IB-Group.

“There are no patriotic hackers.”

Even while the Kremlin is adamant in denying a role in any of the hacking scandals, the authorities are certainly struggling to tackle the issue — and often appear to turn a blind eye.

“Unfortunately, for Russian-speaking cybercriminals current conditions are more than favourable: the risk of prosecution is low while the potential rewards are high,” wrote Kaspersky.

As an example, Russian hacker Yevgeny Bogachev has a $3 million price on his head from the FBI.

His network of hackers — which operated from Ukraine and Russia before being dismantled in 2014 — stole more than $80 million from victims mainly in the US.

Despite being wanted, Bogachev reportedly lives freely in the southern Russian city of Krasnodar.

by Thibault Marchand


Related articles prior to June 2015:

China's newest warplane, the J-20 stealth fighter, made its first public flight at an airshow in the southern city of Zhuhai. It bears an uncanny resemblance to US military's F-22 Raptor

Philippines ranks 33rd among cyberattack-prone countries

November 27, 2015


By Yuji Vincent Gonzales
The Philippine Daily Inquirer

The Philippines ranked 33rd out of 233 countries prone to cybersecurity threats in the third quarter of 2015, up 10 notches from its placing in the second quarter, an Internet security company reported.

Kaspersky Security Network’s Q3 Threat Evolution report said the country experienced a rapid rise in malware infections for July, August, and September this year.

The report also said 17 percent of Filipino Internet users are “infected” by malicious programs, two percent higher than the data posted in the second quarter.

“From 43rd place to 33rd place in just three months, this shows that cyberattacks against the Philippines are accelerating at full speed. The Philippines may not be one of the top targets yet, but there is no doubt that cybercriminals are now noticing the country,” said Jimmy Fong, Channel Sales Director of Kaspersky Lab Southeast Asia, in a statement.


On a global scale, Kaspersky said mobile threats and attempted theft in online banking are also increasing.

“The developments in Q3 demonstrate that the global threat landscape is continuing to evolve at a fast pace. Malicious mobile programs are on the rise and in countries where online banking is popular, people are at considerable risk from Trojans looking to target them,” said David Emm, principal senior security researcher at Kaspersky Lab’s Global Research and Analysis team.

“With 5.6 million cases of attempted theft from online bank accounts, and cybercriminals continually developing sophisticated attacks, the use of high quality cybersecurity products has never been more important. It’s vital that all those using the Internet – both individuals and organizations – protect themselves from these growing threats,” he added.

The report added that a total of 235.45 million malicious attacks from online resources were detected worldwide, 75.4 million unique URLs were recognized as “malicious” by web antivirus components, and 5.69 million notifications were registered about attempted malware infections aiming to steal money from bank accounts accessed online.


Israel denies any link to ‘cyberattack on Iran talks’

June 11, 2015


The denial comes after Kaspersky Lab found spyware in three European hotels where talks between Iran and six powers happened


An Israeli deputy minister dismissed as baseless reports Israel may have had a connection to a computer virus that a security company said was used to hack into venues linked to international talks on Iran’s nuclear programme.

Russia-based Kaspersky Lab said on Wednesday it found the spyware in three European hotels that hosted negotiations involving Iran and six world powers and also on the company’s own computers.

Both Kaspersky and US security company Symantec said the virus shared some programming with previously discovered espionage software called Duqu, which security experts believe to have been developed by Israelis.

U.S. Secretary of State John Kerry, right, talks to Iranian Foreign Minister Mohammad Javad Zarif on May 30 in Geneva. PHOTO: SUSAN WALSH/PRESS POOL

Israeli government officials had declined to comment, but on Thursday Tzipi Hotovely, deputy foreign minister, denied Israel was involved. “The international reports of Israeli involvement in the matter are baseless,” she told Army Radio.

“What is much more important is that we prevent a bad agreement where at the end of the day we find ourselves with an Iranian nuclear umbrella,” she said.

Israel, widely believed to be the Middle East’s only nuclear power, has denounced the diplomatic opening to Iran, saying it doubts any agreement arising from the talks will sufficiently restrain the atomic programme of its arch-enemy.

The West suspects Iran wants to develop a nuclear weapons capability from its enrichment of uranium. Iran says it is seeking nuclear energy for electricity and medical isotopes.


Who Was Listening To All The Iran Nuclear Talks?

June 10, 2015


GENEVA (REUTERS) – A computer virus was used to hack into venues linked to international talks on Iran’s nuclear programme, Russian computer security company Kaspersky Lab said on Wednesday.

The Wall Street Journal said the virus was widely believed to be used by Israeli spies and Kaspersky had linked it to “three luxury European hotels” used in the negotiations involving Iran and six world powers.

Kaspersky said it looked into the “cyber-intrusion” after detecting the “Duqu 2.0” malware in its own systems in early spring this year, which it said was designed to spy on its technology, research, and internal processes.

Other victims of Duqu had been found in Western countries, the Middle East and Asia, it said in an emailed statement.

“Most notably, some of the new 2014-2015 infections are linked to the P5+1 events and venues related to the negotiations with Iran about a nuclear deal,” the statement said.

“P5+1” refers to the six world powers negotiating with Iran on curbs to its disputed nuclear programme — the United States, Russia, China, Britain, France and Germany. The talks have been held in Geneva, Lausanne, Montreux, Munich and Vienna.

In February, the United States accused Israel of using selective leaks from the talks to distort the U.S. position. Israel has denounced the diplomatic opening to Iran, saying it doubts any agreement arising from the talks will sufficiently restrain the disputed nuclear programme of its arch-enemy.

During various rounds of the talks, Israeli officials said they knew what was being discussed from various sources including intelligence gathering and information relayed by allies. The officials did not elaborate on the latter, but did assert that Israel never spied on the United States, its closest ally.

The unidentified group behind the Duqu malware, according to Kaspersky, was “one of the most skilled, mysterious and powerful threat actors in the APT (advanced persistent threat) world”. Advanced persistent threats typically refer to sophisticated software created by state-backed cyberspies.

Kaspersky said Duqu was previously used for an unspecified cyberattack in 2011 that bore similarities to Stuxnet, a computer “worm” that partially sabotaged Iran’s nuclear programme in 2009-2010 by destroying a thousand or more centrifuges that were enriching uranium.

Another Duqu attack, Kaspersky said, was carried out “in relation to” the commemoration of the 70th anniversary in January this year of the liberation of the Auschwitz-Birkenau Nazi concentration camp in Poland.

That ceremony was attended by the heads of state of Germany, France, Britain and other nations.

The targets of the Duqu attacks in 2011 and more recently were not specified by Kaspersky.

(Reporting by Tom Miles in Geneva, Eric Auchard in Berlin and Dan Williams in Jerusalem; Editing by Mark Heinrich)



By: Symantec Security Response

Duqu 2.0, the cyberespionage tool that was used to compromise security firm Kaspersky Lab, has also been used in a number of other attack campaigns against a range of targets, including several telecoms firms. Analysis by Symantec concurs with Kaspersky’s assessment today that Duqu 2.0 (detected by Symantec as W32.Duqu.B) is an evolution of the older Duqu worm, which was used in a number of intelligence-gathering attacks against a range of industrial targets before it was exposed in 2011. Although their functionalities were different, the original Duqu worm had many similarities with the Stuxnet worm used to sabotage the Iranian nuclear development program.

New attacks
Symantec has found evidence that Duqu has been used in a number of different attack campaigns against a small number of selected targets. Among the organizations targeted were a European telecoms operator, a North African telecoms operator, and a South East Asian electronic equipment manufacturer. Infections were also found on computers located in the US, UK, Sweden, India, and Hong Kong.

In addition to the attack against itself, Kaspersky believes Duqu was used to target countries involved in international negotiations surrounding Iran’s nuclear program. Given the diversity of targets, Symantec believes that the Duqu attackers have been involved in multiple cyberespionage campaigns. Some organizations may not be the ultimate targets of the group’s operations, but rather stepping stones towards the final target. The group’s interest in telecoms operators could be related to attempts to monitor communications by individuals using their networks.

Symantec has found no evidence to suggest that it has been affected by attacks using this malware.

Duqu 2.0 in operation
This new version of Duqu is stealthy and resides solely in the computer’s memory, with no files written to disk. It comes in two variants. The first is a basic back door that appears to be used to gain a persistent foothold inside the targeted entity by infecting multiple computers.

The second variant is more complex. It has the same structure as the first, but contains several modules that provide a range of functionality to the malware, such as gathering information on the infected computer, stealing data, network discovery, network infection, and communication with command-and-control (C&C) servers. This variant appears to be deployed to computers deemed to be targets of interest by the attackers.

Common code and code flow
Duqu and Duqu 2.0 share large amounts of code, in addition to similarities in how that code is organized. The shared code includes a number of helper functions. For example, as shown in Figure 1, there is a “gen_random” function (as labelled by an engineer) that is shared between Duqu and Duqu 2.0.

Not only is that gen_random code shared, but the code that calls that function is also organized almost identically. Such similarities in how code is called are repeated in several other locations throughout Duqu 2.0, including in how C&C IP addresses are formatted, how network messages are generated, and how files are encrypted and decrypted.

Figure 1.  Duqu vs Duqu 2.0 code flow

When a program needs to store data, the program author will design structures to store that data in a logical and easily accessible manner. Duqu and Duqu 2.0 share a number of these data structures.

Network communications
Another shared feature between the two variants, as shown in Figure 1, is the use of a cookie header with a hardcoded string and a random string when sending messages to a C&C server. For example:

  • Duqu: Cookie: PHPSESSID=
  • Duqu 2.0: Cookie: COUNTRY=

A second shared feature in the network communications code is to connect to a number of Microsoft URLs to retrieve a proxy address, as shown in Figure 2.

Figure 2. Duqu vs Duqu 2.0 network code

The list of Microsoft URLs connected to, by both variants, is identical.

Finally, for network communications, when Duqu uses HTTP, it will use image names in the “Content-Disposition” header. For Duqu, the value “DSC00001.jpg” was used, whereas for Duqu 2.0, the value “%05d.gif” is used.
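The two HTTP artefacts described in this section (the hardcoded cookie name followed by a random value, and the image filename carried in Content-Disposition) can be turned into a simple proxy-log check. The script below is an added example, not Symantec's or Kaspersky's code: the sample requests, hostnames and cookie values are constructed, and it deliberately requires both indicators in the same request, because PHPSESSID on its own is the default PHP session cookie and would alert on ordinary web traffic.

```python
import re
from typing import Optional

# Indicators as described in the Symantec write-up: a Cookie header that opens with a
# hardcoded name followed by a random value, plus an image filename in Content-Disposition.
COOKIE_PREFIXES = {"PHPSESSID=": "Duqu", "COUNTRY=": "Duqu 2.0"}
FILENAME_PATTERNS = {
    "Duqu": re.compile(r"^DSC00001\.jpg$"),
    "Duqu 2.0": re.compile(r"^\d{5}\.gif$"),  # "%05d.gif" expands to five zero-padded digits
}

def parse_headers(raw: str) -> dict:
    """Headers of a raw HTTP request as a lowercase-keyed dict (request line dropped)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def content_disposition_filename(value: str) -> Optional[str]:
    """Pull the filename parameter out of a Content-Disposition header value."""
    m = re.search(r'filename="?([^";]+)"?', value)
    return m.group(1) if m else None

def classify_request(raw: str) -> Optional[str]:
    """Name the family only when the cookie prefix AND the matching filename both appear.
    PHPSESSID is an ordinary PHP session cookie, so alone it proves nothing; the image
    filename is what separates the implant's beacon from legitimate web traffic."""
    headers = parse_headers(raw)
    cookie = headers.get("cookie", "")
    family = None
    for prefix, name in COOKIE_PREFIXES.items():
        if cookie.startswith(prefix) and len(cookie) > len(prefix):
            family = name
    if family is None:
        return None
    fname = content_disposition_filename(headers.get("content-disposition", ""))
    return family if fname and FILENAME_PATTERNS[family].match(fname) else None

# Constructed sample requests for this example (not captured traffic; RFC 5737 test addresses).
SAMPLES = {
    "duqu": "POST /index.php HTTP/1.1\r\nHost: 203.0.113.10\r\n"
            "Cookie: PHPSESSID=f3a9c0d1e2b4\r\n"
            'Content-Disposition: attachment; filename="DSC00001.jpg"\r\n',
    "duqu2": "POST /upload HTTP/1.1\r\nHost: 198.51.100.7\r\n"
             "Cookie: COUNTRY=q7Lm2ZpX\r\n"
             'Content-Disposition: form-data; name="f"; filename="00042.gif"\r\n',
    "benign_php_site": "GET /shop HTTP/1.1\r\nHost: example.net\r\n"
                       "Cookie: PHPSESSID=9a8b7c6d; lang=en\r\n",
}

def scan(samples: dict) -> dict:
    """Classify every sample; a None verdict means no alert."""
    return {name: classify_request(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict or 'no match'}")
```

The benign sample carries a PHPSESSID cookie and produces no alert; only the requests that also carry the matching Content-Disposition filename are classified.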

Based on our analysis, Symantec believes that Duqu 2.0 is an evolution of the original threat, created by the same group of attackers. Duqu 2.0 is a fully featured information-stealing tool that is designed to maintain a long term, low profile presence on the target’s network. Its creators have likely used it as one of their main tools in multiple intelligence gathering campaigns.

Given that activity surrounding the original version of Duqu dropped off following its discovery, it is likely that the group may now retreat before re-emerging with new malware.

Symantec and Norton products detect this threat as: