Belarus: Cyber upstart, or Russian staging ground?

As the prospect of further Russian aggression in Ukraine looms, the Biden administration is concerned about Russian cyber operations against the U.S. and its allies. Yet as the White House engages with Moscow and builds out plans around these risks, it must watch an overlooked development in Russia’s near-abroad: growing cyber integration between Belarus and the Kremlin. In November 2021, Mandiant published a report assessing with “high confidence” that the UNC1151 cyber group, which assisted the longstanding “Ghostwriter” campaign — stealing government credentials and spreading disinformation in Europe — is linked to the Belarusian government. It also assessed with “moderate confidence” that Belarus “is also likely at least partially responsible for the Ghostwriter campaign.” Significantly, the report’s authors added: “We cannot rule out Russian contributions to either UNC1151 or Ghostwriter.” The report raises the prospect that Belarus is engaged in cyber-enabled influence operations abroad, and the authors explicitly say that Moscow’s […]

The post Belarus: Cyber upstart, or Russian staging ground? appeared first on CyberScoop.

Continue reading Belarus: Cyber upstart, or Russian staging ground?

Ukraine exposes expansive Russian hacking operation targeting its government, infrastructure

Ukraine’s top law enforcement agency published a detailed analysis Thursday outing what it says are Russian hackers and “traitors who sided with the enemy” behind a sweeping campaign that began in 2014. The hackers, according to the Security Service of Ukraine, are responsible for more than 5,000 cyberattacks on Ukrainian state entities and critical infrastructure that attempted to “infect” more than 1,500 government computer systems. The report says the Russian intelligence agency the Federal Security Service (FSB) is behind the “Armageddon” group, known more broadly outside Ukrainian borders as Gamaredon or Primitive Bear. It’s distinct from other Russian intelligence and military hacking groups behind attacks on targets around the world, including the infamous hacks of the Democratic National Committee and Hillary Clinton’s campaign ahead of the 2016 elections. Armageddon dates back to 2013 or 2014, the Ukrainian report says, making it “relatively young,” but nevertheless worthy of attention and “able […]

The post Ukraine exposes expansive Russian hacking operation targeting its government, infrastructure appeared first on CyberScoop.

Continue reading Ukraine exposes expansive Russian hacking operation targeting its government, infrastructure

Notorious Russian ransomware gang Evil Corp. reportedly hit Sinclair Broadcast Group

Evil Corp., one of the most notorious and prolific Russian cybercrime groups in recent years with a leader who has been accused of working with Russian intelligence, was reportedly behind last weekend’s cyberattack on Sinclair Broadcast Group. The revelation, first reported by Bloomberg Wednesday, is noteworthy because the U.S. Treasury department sanctioned the group in December, 2o19, making any U.S. company’s transactions with it illegal. The group used a new strain of malware called Macaw in the Sinclair attack, said Allan Liska, a senior threat analyst at Recorded Future. The Justice Department also announced a sealed indictment against Evil Corp. leader Maksim Yakubets in 2019 the same day as the Treasury sanctions. The U.S. government accused Yakubets and another Russian national, Igor Turashev, of being behind malware strains known as Bugat and Dridex, which authorities say hackers employed to target hundreds of banks in more than 40 countries and net the […]

The post Notorious Russian ransomware gang Evil Corp. reportedly hit Sinclair Broadcast Group appeared first on CyberScoop.

Continue reading Notorious Russian ransomware gang Evil Corp. reportedly hit Sinclair Broadcast Group

Chinese hackers implicated in breach of Russian government agencies

Chinese hackers were likely behind a series of intrusions at Russian government agencies last year, security firm SentinelOne said Tuesday. Malicious code used in the breaches is similar to hacking tools associated with a broad set of suspected Chinese spies that have also targeted Asian governments in recent years, SentinelOne researchers said. SentinelOne’s research builds on a report released last month by the Federal Security Service (FSB), one of Russia’s main spy agencies, and the cyber unit of telecom firm Rostelecom. It said Russian government agencies had been targeted by “cyber mercenaries pursuing the interests of the foreign state.” The attackers collected stolen data using top Russian technology providers Yandex and Mail.Ru, according to the report, which did not name a culprit in the breaches. SentinelOne’s findings point to an often overlooked reality in U.S.-centric cybersecurity discussions: that the Russian and Chinese governments conduct plenty of cyber-espionage against each other. Last […]

The post Chinese hackers implicated in breach of Russian government agencies appeared first on CyberScoop.

Continue reading Chinese hackers implicated in breach of Russian government agencies

Adventures in Contacting the Russian FSB

KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB’s website said in order to contact them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware.

The reason I contacted the FSB — one of the successor agencies to the Russian KGB — ironically enough had to do with security concerns raised about the FSB’s own preferred method of being contacted. Continue reading Adventures in Contacting the Russian FSB

U.S. government accuses Russian companies of recruiting spies, hacking for Moscow

The Biden Administration took a sideswipe at the Russian government’s network of companies it allegedly relies on to conduct intelligence and military hacking Thursday — part of a broader effort to beat back Russian government hacking and information operations targeting Americans, the U.S. private sector and the federal government. In one of the most striking actions the Biden administration took Thursday, the U.S. Treasury Department sanctioned Positive Technologies, a cybersecurity firm headquartered in Moscow. According to the Treasury Department, Positive Technologies may appear to be a regular IT firm, but it actually supports Russian government clients, including the Federal Security Service. The firm also “hosts large-scale conventions that are used as recruiting events for the FSB and GRU,” the Treasury Department said, referring to the Federal Security Service (FSB) and Russia’s Main Intelligence Directorate (GRU). U.S. intelligence documents show that the company has gone even further at times and has […]

The post U.S. government accuses Russian companies of recruiting spies, hacking for Moscow appeared first on CyberScoop.

Continue reading U.S. government accuses Russian companies of recruiting spies, hacking for Moscow

Kaspersky discovers overlap between SolarWinds hack, Turla

Security researchers on Monday linked the SolarWinds breach to a different set of suspected Russian hacking tools, finding commonalities between that attack and the methods of the Turla group. Moscow-based Kaspersky said the source code for Sunburst, one of the nicknames for the malware that attackers used in the SolarWinds hack, overlapped with the Kazuar backdoor that Turla has deployed in the past. The Turla group is known for stalking embassies and ministries of foreign affairs in Europe and elsewhere for sensitive data. Sources have told reporters that the Russian hacking group APT29, or Cozy Bear, is responsible for the SolarWinds attack. Cozy Bear is most often linked to the SVR, the Russian foreign intelligence service. Turla, by contrast, is usually affiliated with another Russian intelligence service, the FSB. U.S. government investigators have only said the attack is “likely Russian in origin.” Cyber threat intelligence firms have been cautious about […]

The post Kaspersky discovers overlap between SolarWinds hack, Turla appeared first on CyberScoop.

Continue reading Kaspersky discovers overlap between SolarWinds hack, Turla

VMware Flaw a Vector in SolarWinds Breach?

U.S. government cybersecurity agencies warned this week that the attackers behind the widespread hacking spree stemming from the compromise at network software firm SolarWinds used weaknesses in other, non-SolarWinds products to attack high-value targets. According to sources, among those was a flaw in software virtualization platform VMware, which the U.S. National Security Agency (NSA) warned on Dec. 7 was being used by Russian hackers to impersonate authorized users on victim networks. Continue reading VMware Flaw a Vector in SolarWinds Breach?

Why, and how, Turla spies keep returning to European government networks

Turla, a group of suspected Russian hackers known for pinpoint espionage operations, have used updated tools to breach the computer network of an unnamed European government organization, according to new research. The research from consulting giant Accenture shows how, despite a large body of public data on Turla techniques, and a warning from Estonian authorities linking the hackers with Russia’s FSB intelligence agency, the group remains adept at infiltrating European government networks. The hacking tools are tailored to the victim organization, which Accenture did not name, and have been used over the last few months to burrow into the internal network and then ping an external server controlled by the attackers. The stealth is typical of Turla, which is known for stalking embassies and foreign affairs ministries in Europe and elsewhere for sensitive data. Turla’s tools are associated with a damaging breach of U.S. military networks in the mid-to-late 1990s, and an attack on […]

The post Why, and how, Turla spies keep returning to European government networks appeared first on CyberScoop.

Continue reading Why, and how, Turla spies keep returning to European government networks

Following Putin Order, FSB Cracks Down on Russian Credit Card Marketplaces

Earlier this week I was chatting with one of the top experts on Russian Cybercrime (who has asked to remain anonymous here).  We were discussing the news that was released on 24MAR2020 that the FSB had raided 62 addresses in 11 regions of Russia a… Continue reading Following Putin Order, FSB Cracks Down on Russian Credit Card Marketplaces