Right country, wrong group? Researchers say it wasn’t APT10 that hacked Norwegian software firm

Keeping the world’s dizzying array of hacking groups straight has become a challenge for researchers and journalists. One person’s Helix Kitten is another’s OilRig, sowing confusion — in this writer as well as others — about where one group ends and the next one begins. But getting hacking taxonomy right matters because knowing which group is responsible for malicious activity can help network defenders secure their data. That’s why researchers from multiple companies are pointing out what they say is a case of mistaken attribution of a global hacking operation. A report published last week by cybersecurity companies Recorded Future and Rapid7 blamed a well-known Chinese threat group, labeled APT10 in the West, for breaching a Norwegian software vendor, a U.S. law firm, and an international apparel company. APT10, which U.S. officials and private analysts have linked to China’s civilian intelligence agency, gained greater notoriety in December when the Department of Justice announced […]

The post Right country, wrong group? Researchers say it wasn’t APT10 that hacked Norwegian software firm appeared first on CyberScoop.


GreyEnergy malware has ‘massive amounts of junk code’ meant to confuse researchers

The investigation of the network of hackers generally associated with the seminal 2015 cyberattack on the Ukrainian power grid continues. A researcher has reverse-engineered malware used by a subgroup of those attackers and found “massive amounts of junk code” meant to throw analysts off the trace. “The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure that the infection would go unnoticed,” Alessandro Di Pinto, a researcher at industrial cybersecurity company Nozomi Networks, wrote in a paper published Tuesday. The malware Di Pinto analyzed is the handiwork of GreyEnergy, a likely derivative of the hacking group known as BlackEnergy, which Western governments have attributed to Russian military intelligence. (Both the groups and the malware they deployed have been referred to as BlackEnergy and GreyEnergy.) BlackEnergy was behind the first known cyberattack to cause a blackout when 225,000 people lost power in Ukraine in 2015. […]


U.S. busts Romanian cybercrime ring that phished Americans, laundered millions of dollars

U.S. authorities on Thursday announced the indictment of 20 people and the extradition of a dozen in a big bust of an organized cybercrime ring in Romania. The defendants are accused of being part of an online auction scheme that defrauded Americans of millions of dollars. The racket involved advertising nonexistent cars and other purportedly valuable items on Craigslist and eBay and tricking victims into paying for them, often using stolen identities. The fraudsters then allegedly laundered their ill-gotten gains via cryptocurrency, the Department of Justice said in a statement. In a separate, cyber-focused indictment unsealed Thursday, one of the defendants, Adrian Mitan, is accused of phishing for customers’ credit and debit card information, breaching U.S. companies, and then doing a brute-force attack on point-of-sale systems to extract more card data. The 24-year-old Romanian allegedly told American money launderers to set up credit and debit card accounts with the stolen […]


Foreign VPN apps need a close look from DHS, senators say

The Department of Homeland Security should assess the security threat posed by foreign VPN applications to U.S. government employees, a bipartisan pair of senators says. Some popular VPN apps send a phone’s web-browsing data to servers in countries interested in targeting federal personnel, raising “the risk that user data will be surveilled by those foreign governments,” Sens. Marco Rubio, R-Fla., and Ron Wyden, D-Ore., wrote in a letter to DHS Thursday. VPN providers promise to obfuscate the physical location of a web browser, but users are generally at the mercy of those companies’ decisions to collect and log data. The senators cite government warnings about products made by Chinese telecommunications companies and Russian antivirus vendor Kaspersky Lab as examples of the surveillance that certain foreign technology can enable. (Kaspersky and Chinese companies Huawei and ZTE have denied those allegations.) “If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, […]


D.C. Metro system beefs up supply-chain cybersecurity provisions for new railcars

The Washington, D.C., area’s Metro system, in response to U.S. senators who raised security concerns about a new line of railcars, now says it will use the National Institute of Standards and Technology’s cybersecurity framework to vet software and hardware proposed for the project. Bidders on the railcar procurement, worth an estimated $1 billion and covering up to 800 railcars, also will have to show evidence that a third party tested their software or hardware, Washington Metropolitan Area Transit Authority CEO Paul J. Wiedefeld said Wednesday. The NIST framework — used widely throughout other industries and government agencies — is a key part of the updated request for proposal, Wiedefeld wrote in a letter to Democratic senators from Virginia and Maryland. “We are confident that these approaches will impose appropriate controls that limit any malicious actor’s ability to embed malware and for WMATA to monitor and enforce security requirements,” Wiedefeld wrote to […]


DHS briefs industry on shift in Chinese hacking that ‘increases the risk for all of us’

U.S. officials on Wednesday continued to warn industry about the threat posed by Chinese government-backed hackers by detailing how those teams have evolved and urging companies to better secure IT services that can be an avenue for stealing proprietary data. “Their strategies have shifted from labor-intensive, one-off compromises of individual targets to the use of the force-multiplier effects that enable them to compromise multiple targets through a single attack,” Rex Booth, a Department of Homeland Security cyber official, said during a webinar presentation to the private sector. “That shift in strategies increases the risk for all of us.” The public webinar focused on APT10, a group tied to China’s civilian intelligence agency, the Ministry of State Security. Analysts say the MSS has supplanted the People’s Liberation Army to become Beijing’s preferred arm for conducting economic espionage. U.S. officials and security researchers say APT10 has targeted the “managed service providers” that […]


Hack of billion-dollar Norwegian firm is tied to Chinese espionage group APT10

Weeks after the Department of Justice announced the indictment of two men linked with a Chinese state-sponsored hacking group, security researchers say they have uncovered a cyber-espionage campaign by the same entity against a European software company, a U.S. law firm, and a global apparel company. Analysts at Recorded Future and Rapid7 tracked the hacking operation between November 2017 and September 2018, and publicly revealed the breaches Wednesday. The researchers assessed with “high confidence” that APT10, a group tied to China’s civilian intelligence agency, was responsible for the hacking, calling the group “the most significant Chinese state-sponsored cyber threat to global corporations known to date.” Only one of the three victims is named: Visma, a billion-dollar Norwegian software company that claims 850,000 customers around the world. The hackers likely breached Visma to gain access to other organizations’ networks, the researchers said, but targeted the law and apparel firms “to gather information for commercial advantage.” Visma […]


How the government and private sector can better defend against a cascading cyberattack

The U.S. government and private sector need to be planning now for a cascading cyberattack on critical infrastructure by mapping out emergency authorities and supply-chain contingencies – lest they be caught off-guard during the real thing, a new study says. If the public and private sector don’t begin developing specific procedures for mitigating such an attack now, “the United States will find itself flat-footed during a major cyber event,” says a report published Tuesday by the think tank Foundation for Defense of Democracies and consultancy The Chertoff Group. The report is the output of a tabletop exercise that FDD held in October, the details of which were first reported by CyberScoop. That exercise considered a hypothetical, debilitating cyberattack on multiple sectors of the U.S. economy. Former national security and law enforcement officials, along with executives from the banking, electricity, and retail sectors, discussed how the U.S. government and industry might respond […]


How hackers used a PowerPoint file to spy on Tibet’s government-in-exile

A recently discovered PowerPoint file offers new clues on how hackers are trying to spy on Tibet’s government-in-exile. The malicious document was emailed to subscribers of a mailing list managed by the Central Tibetan Administration (CTA), the organization representing Tibet’s exiled government, according to Talos, Cisco’s threat intelligence unit. Tibet is officially part of China, but Tibetan leaders have lived in exile in India for decades. The email masqueraded as a file that would appeal to their politics. The PowerPoint file name – “Tibet-was-never-a-part-of-China.ppsx” – caters to the CTA mailing list, as does the message in the body of the email marking the upcoming 60th anniversary of the exile of Tibetan spiritual leader the Dalai Lama, researchers said. “Unfortunately, this [is] just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons,” Talos researchers said in a blog published Monday. They did not attribute the […]


Here’s how DHS prepared to keep hackers out of the Super Bowl

When the New England Patriots and Los Angeles Rams kick off in Atlanta on Sunday, a network of at least nine operational centers staffed by city, state, and federal officials will be humming with activity near the stadium to monitor for cyber and physical threats. About 60 employees from DHS’s Cybersecurity and Infrastructure Security Agency (CISA) will be onsite — with a DHS cyber official at each operational center — making it one of the biggest DHS cybersecurity operations at a Super Bowl to date. “We really want everything to run smoothly,” Klint Walker, a DHS cybersecurity adviser in Atlanta, told CyberScoop, adding that the goal is to keep opportunistic attackers who would target a high-profile event “from making the newspaper.” Walker was part of a team of DHS officials who worked through the 35-day partial government shutdown without pay to finish assessing and mitigating cybersecurity risk at the Super Bowl. […]
