Cyber-Warfare: Can Fancy Bear Be Stopped?


CAN FANCY BEAR BE STOPPED? THE CLEAR AND PRESENT DANGER OF RUSSIAN INFO OPS

(click on above link to be re-directed)

The Civilian Operator needs to understand the serious effect 4GW tactics, information warfare and cyber-warfare/espionage by Russia, China, North Korea and Iran are having on our country right now.

By studying these attacks and tactics, the CO can better arm themselves with knowledge for the future battlefield.

Stay Alert, Stay Armed and Stay Dangerous!

Espionage Files: The Life of the Modern Spy

The days of spy vs. spy of the Cold War are over. The enemies changed and technology revolutionized the world … and not always for the better. But spies remained an important part of the modern battlefield.

This week on the War College Podcast, Jamillah Knowles chats with Reuters reporter and author Stephen Grey about his book The New Spymasters.

 

Read the Original Article and Find the Podcast Links at War is Boring

Security Firm Warns of NEW Chinese Cyber Attacks

China is stepping up their game and timeline for War. -SF

China’s cyber attacks against U.S. government and private sector databases are part of a major intelligence-gathering operation and are likely to continue, according to a new report by a cyber security firm.

Chinese hackers stole health care data pertaining to some 80 million Americans last year, and the Office of Personnel Management cyber attacks netted sensitive records on 22 million federal workers, according to an annual threat report made public Wednesday by CrowdStrike, a cyber security and intelligence company. The company is widely consulted by both government and private sector organizations.

The gathering of personal data by the Chinese represents a new trend in Beijing’s aggressive cyber attacks.

“This targeting underscores that intrusion operations associated with nation-states pose a significant risk to all data, no matter how uninteresting it may seem,” the report said.

The 49-page “2015 Global Threat Report” also states that the U.S.-China agreement not to conduct commercial cyber theft has had little impact on Beijing’s cyber operations.

“Beneath the surface, however, China has not appeared to change its intentions where cyber is concerned,” the report said.

Any reduction in Chinese cyber attacks this year likely will be temporary, and an apparent reduction may result from the use of more clandestine methods for conducting attacks following a major military reorganization.

The military changes “will likely increase [China’s] reliance on its civilian intelligence agencies and associated contractors, all of which generally employ better tradecraft,” the report said.

“If observed campaigns in late 2015 were any indication, it is unlikely China will completely cease its cyber operations, and 2016 will show the new direction it is headed,” the report said.

More cyber attacks seeking personal data could take place in the future, and organizations that hold such data “should remain alert to the possibility of similar activity going into 2016,” the report said.

China’s cyber spies usually use cyber intrusions to steal strategic information, such as intellectual property, business operations data, and sensitive government documents.

Stolen personal data, on the other hand, “is typically used to facilitate identity theft or other types of financially motivated crimes,” the report said.

However, the compromised personal information from health insurance companies Anthem, Premera, and CareFirst last year could be used by the government or state-run companies.

The large data theft also appears to be part of Chinese efforts to “build out profiles on individuals to support future operations.”

The federal government data breaches were more damaging and included sensitive background investigation information on federal employees, the report said.

“Without doubt, access to this degree of [personally identifiable information] for both successful and unsuccessful applicants represents a treasure trove of information that may be exploited for counterintelligence purposes,” the report said.

The Chinese can now exploit millions of stolen records for intelligence operations.

“Knowledge acquired during these operations could be used to create more individualized, and therefore more effective, spear phishing campaigns, or also in more traditional, real-world espionage activity,” the report said, noting that the background investigation data “would be particularly useful to traditional [human intelligence] operations as it contains details of a very personal nature about current and former government employees, as well as private sector employees working on government contracts.”

The Chinese government, through the Ministry of Public Security, has launched a major domestic campaign to crack down on online dissent. The Ministry is conducting cyber operations against people and websites that post information opposed by communist authorities, including use of an offensive cyber security force called the “Great Cannon,” a supplement to the Great Firewall designed to block online users from accessing unapproved content.

In Russia, hackers linked to the government used malicious software for intelligence-gathering and for political coercion, such as against Ukraine. Moscow hackers also have conducted cyber reconnaissance—preparation of the cyber battlefield—in Europe and elsewhere.

“In February, widespread spear phishing … was detected and analyzed,” the report said. “These attacks targeted numerous entities in government, defense, and non-governmental organizations (NGOs) in the U.S., Europe, Asia, and South America.”

Russian hackers used stolen emails from a hack against the U.S. strategic consulting firm Stratfor, the report said, a tactic not typical of Russian hacking in the past.

International pressure on Moscow over its military activities, such as the annexation of Ukraine’s Crimea, “portend increased intelligence collection by Russia-based adversaries particularly against regional targets and global energy companies,” the report said.

A Russian cyber intelligence operation, dubbed Berserk Bear, targeted oil and gas companies in the Middle East. Another operation, called Fancy Bear, targeted Chinese defense firms.

One Russian hacker group called CyberBerkut operating in Ukraine appears linked to Russian intelligence services.

North Korean cyber activities last year principally involved intelligence-gathering operations directed against South Korea.

Pressure from China could prompt Pyongyang to take a more aggressive cyber posture. And North Korean cyber activities also could expand into criminal activities to raise money for the regime, the report said.

Iran is expected to step up cyber attacks against Saudi Arabia. Regional tensions “increase the likelihood that Iran would use its proven cyber capabilities in 2016, targeting Saudi Arabia and regional governments that are becoming involved in the two countries’ dispute by choosing to align with Saudi Arabia.”

The report names more than 70 cyber adversaries and divides them into three types of attackers: target intruders, such as nation states; cyber criminals; and “hacktivists.”

For cyber crime, attacks on banks and the use of ransom schemes increased during 2015.

“Phishing emails continued to dominate crimeware distribution throughout the year as the primary mechanism used for the aforementioned banking Trojans and ransomware threats,” the report said.

So-called hacktivist activities included politically motivated cyber attacks by groups like the Syrian Electronic Army and pro-ISIS hackers.

Several pro-Iranian hacker groups also were active last year, including Parastoo, Remember EMAD, and SOBH Cyber Jihad.

The group Remember EMAD—named after the Hezbollah terrorist Imad Mughniyah who was killed in a Damascus car bomb in 2009—claimed to have penetrated Pentagon networks and then threatened to release stolen data. No data was ever released.

ISIS hacking was very active last year and included campaigns of web defacement, the release of personal data—known as “doxing”—and the hijacking of social media accounts.

Read the Original Article at Free Beacon

Cyber-Espionage: The Biggest Dangers are the Ones You Will Never Know About


For years, I slept fitfully after a “friend” told me that it wasn’t the noisy mosquitos buzzing in my ears at night that were a problem.  Instead, it was the female mosquitos that made no noise at all but laid eggs in your ears at night.  That image wrecked my sleep until the Internet helped me to dispel the myth years later.

The cyber threat is a little like the silent mosquito.  The biggest dangers are the ones that you will never know about.

However, if you follow the public discourse on the nature of the cyber threat to the U.S., it seems that the bulk of the dialogue has to do with the issue of hackers and the thousands of daily thwarted attacks against government and private computer systems.  It is almost as if the danger is easily detected, and a better password and up-to-date antivirus software can solve the problem.

However, the far bigger threat is from foreign intelligence and terrorist groups, who have the talent, resources, and wherewithal to do serious damage to U.S. interests – damage we may never realize until it is too late.  While we publicly frame the problem by citing how many attacks are observed every day, the far bigger problem is hidden.  An intelligence organization’s job is to pick your pocket without you ever knowing anything is amiss.  You won’t make it very far as an intelligence officer if your adversary becomes aware of your activities.

Of the capable organizations that are determined to do us harm, perhaps the most competent, dedicated, and focused is Russia’s Special Communications Service, the Russian equivalent of the U.S. National Security Agency (NSA).

Russia doesn’t do many things well (dancing bears, perhaps).  Spying, however, is a Russian specialty honed by decades of experience controlling its population and stealing from the West.  The U.S. has been their main enemy since WWII and remains so today.  Indeed, while we more often hear about Chinese cyber activities, the Russian cyber espionage enterprise is far more sophisticated and capable than its Chinese counterpart, according to statements by U.S. intelligence officials.

Unlike in the U.S., the Russian espionage effort is central to its foreign policy, and its offensive cyber capability is a particularly powerful weapon that is used to challenge the U.S. across the board.  Indeed, the Russian NSA equivalent is used for – among other things – cyber warfare, espionage, counterintelligence, internal control of its citizens, disinformation, and propaganda.  Russia’s cyber attacks – both blatant and stealthy – are used to achieve geopolitical ends and to maintain an asymmetric ability to damage the U.S.

The Russians have shown a willingness to use the cyber weapons at their disposal, and have done so effectively.  In 2007, the Russians swamped Estonian computer systems to express their anger at perceived Estonian disrespect of Russian symbols.  A year later, they combined sophisticated cyber intrusions with their military attack against Georgian forces.  More recently, they used offensive cyber tools to support their aggressive annexation of Crimea and eastern Ukraine.  We even witnessed Russian cyber probing of top U.S. financial institutions in 2013.

Internally, the Russians use cyber weapons to maintain control over their population.  By law, all private encryption equipment in Russia is required to be licensed by Russian Intelligence.  Likewise, all internet providers in Russia have to install hardware/equipment provided by the Russian NSA equivalent (and pay for it themselves).  There is no such thing as privacy in Russia.

While the U.S. Government is probably the biggest target of Russian cyber spying, you can be confident that they go after anyone and anything that can help them get what they need.  They surely steal directly from Yahoo, Google, Facebook, and social media platforms.  If they want to collect compromising information on a person in a bank, military unit, national laboratory, or nuclear power plant, you can be sure that they are swimming in e-mail and personal data that can help them craft an approach to that individual.

At the same time, the Russians are collecting the capability to understand and possibly disrupt our power grid, air traffic control, oil and gas infrastructure, and transit networks.  Additionally, recent reports cite a significant increase in Russian submarine surveillance activity in the vicinity of the strategic underwater fiber cables that facilitate commercial and classified communications.  This aggressive effort has intensified fears of Russian efforts to tap or cut these critical deep sea communication conduits that carry trillions of dollars a day in global business.

The only real way to protect ourselves from this kind of sophisticated cyber warfare is a robust public-private partnership between our intelligence and law enforcement services, and those companies that provide the backbone of our computer networks.  In this sense, perhaps the most damaging of Edward Snowden’s many traitorous acts was to destroy the trust between the private sector and our security professionals.  We are now talking past each other, and the Russians, Chinese, Iranians, and others are having a field day.  Until those key relationships and trust are restored, we will remain in a vulnerable state.

So, the next time you hear a story about hackers attacking various computer networks, think of the buzzing mosquito, and remember that there is probably something much more dangerous happening away from public notice.

Read the Original Article at Cipher Brief

APT29, aka “The Dukes”: 7 Years of Russian Cyber Espionage


Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

The Dukes (sometimes also referred to as APT29) are known to employ a wide arsenal of malware toolsets including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka HAMMERTOSS [PDF]).

Despite the extensive technical research by us and others into many of the toolsets of the Dukes, we felt that we were still missing crucial parts of the story. Meanwhile, others had envisioned how the story might look, but had concluded that “it is difficult to lead the defense against that which one is not aware of or does not comprehend.” (Maldre, 2015)

With this in mind, we recently set out on a journey back through all of our previous research on the Dukes looking for clues and threads that we might have missed or whose importance we might not have understood at the time. Through this process, we were able to uncover clues pointing to the existence of two previously unidentified Duke malware toolsets, PinchDuke and GeminiDuke.

While we had previously analyzed malware from both toolsets, what we hadn’t understood at the time was their context. With the discovery of new clues such as these two toolsets, we went rummaging through our troves of old malware searching for cases that we had previously not known to attribute to the Dukes. Through this process of proverbial connect-the-dots, we were able to slowly build a bigger, better picture of the Dukes and uncover new details of their over 7 years of activities.

The whitepaper [PDF], with all of these juicy details (plus sample hashes), is available here

Read the Original Article at F-Secure