Category Archives: APT

Australia is confident that China was behind attack on parliament, political parties

Australia’s intelligence is sure that China is behind the cyberattacks that hit its parliament and political parties, but decided not to publicly accuse it.

According to the Reuters agency, Australia’s intelligence has evidence that the attacks that hit its parliament and political parties were orchestrated by China. However, the Australian government decided not to publicly accuse it, in order to preserve trade relations with Beijing.

Reuters cited five sources within the Australian intelligence that attributed the attacks on its national parliament and three largest political parties before the general election in May to China-linked hackers.

“Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters.” Reuters reported.

“The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said.”


Australia disclosed the attacks in February; at the time, experts speculated about the involvement of a nation-state actor without attributing the attacks to a specific threat actor.

China is Australia’s biggest trading partner, and it is not surprising that its government gathers intelligence on it. Beijing denied any involvement in the attacks, and China’s Foreign Ministry pointed out that its country is also the target of numerous attacks.

“When investigating and determining the nature of online incidents there must be full proof of the facts, otherwise it’s just creating rumors and smearing others, pinning labels on people indiscriminately. We would like to stress that China is also a victim of internet attacks,” the Ministry told Reuters.

“China hopes that Australia can meet China halfway, and do more to benefit mutual trust and cooperation between the two countries.”

When the Australian authorities discovered the attacks, the IT staff forced a password reset for every person working at the parliament.

According to information collected by Reuters, the hackers did access private emails and policy papers from members of the Liberal, National and Labor parties.

Australian experts shared their findings with the United States and the United Kingdom; the latter sent a team of cyber experts to Canberra to help investigate the attack.

“Australian investigators found the attacker used code and techniques known to have been used by China in the past, according to the two sources.” concludes Reuters.

Pierluigi Paganini

(SecurityAffairs – Australia, hacking)

The post Australia is confident that China was behind attack on parliament, political parties appeared first on Security Affairs.

The healthcare industry’s largest cyber challenges


A 2018 national audit of healthcare preparedness observed that only 45 percent of businesses followed the NIST Cybersecurity Framework, a policy framework for cybersecurity guidance for private sector organizations in the United States.

No wonder, then, that the healthcare sector sees a tremendous number of cyberattacks year after year. A recent example is the theft of personal information of 14,591 patients who received medical care through Los Angeles County’s hospitals and clinics. Moreover, experts now say that the monetary losses to the global healthcare industry from cyberattacks are mounting into the billions.

When it comes to the operational end of healthcare, the consequences of a cyber attack can be catastrophic. A cyber attack on a healthcare system can be dangerous and life-threatening – imagine critical care patients being locked out of the system. Also, considering that organizations in this sector store potentially vital personal information, it is even more worrisome that the sector is not investing much in cybersecurity.

The industry needs to act swiftly.

For stakeholders, here are some of the top cybersecurity issues facing this sector –

1. Ransomware

To reiterate, healthcare data is a thriving breeding ground for hackers all over the world. It primarily consists of highly confidential patient care details, insurance information and financial data. This information can be stolen and sold to an array of buyers – pharmaceutical behemoths, insurance bigwigs and banking juggernauts are just some of them.

Hence, ransomware is the preferred tactic for cyberattackers seeking to sabotage the healthcare industry at large. Typically, hackers gain access to systems and encrypt data, locking the original users out. These users are then threatened that the encrypted information will be deleted or leaked unless they pay a ransom (mostly in a cryptocurrency such as Bitcoin). The hackers state explicitly that the data will be freed only after payment.

2. Insider Threats

Insider threats are certainly not a new risk, but their threat potential is increasing as we speak. Data is now routinely stored in the cloud, which means employees of an organization have broad access to sensitive data within it. This is compounded by the fact that humans are often the weakest link in any cybersecurity framework.

3. Advanced Persistent Threats (APT)

Advanced persistent threats are malicious campaigns in which attackers breach a network and then stay there, quietly gathering intelligence about the target. They can go undetected for months or even years. The main aim of APTs is to steal sensitive, confidential data: they enter an organizational network, expand their presence slowly and gather data before finally exiting. Data from the healthcare industry is exceedingly valuable, and hence cybercriminals know it is worth thinking long-term about getting hold of it.

4. Mobile devices

According to statistics, 68% of healthcare security breaches were due to stolen or lost mobile devices. Healthcare providers routinely use mobile devices for services such as submitting patient data, submitting bills and scheduling appointments, increasing the amount of patient data being disseminated. Lost or stolen mobile devices are one of the leading causes of healthcare data breaches.

5. Spear phishing

A variation of phishing, spear phishing is a big threat to healthcare organizations – just like APTs, it gives attackers access to valuable data. Hackers send a targeted email to an individual that appears to come from a trusted source. The aim of these emails, like any other cyber fraud, is either to gain access to the user’s system or to obtain other confidential information. Spear phishing is considered one of the most successful cyber-attack techniques because of the high level of personalization used against the target, which makes it highly believable.

Stay protected against all these threats by employing Seqrite’s range of solutions which are defined by innovation and simplicity. Through a combination of intelligence, analysis of applications and state-of-the-art technology, Seqrite provides the best defence against myriad cybersecurity threats.

The post The healthcare industry’s largest cyber challenges appeared first on Seqrite Blog.

The US Treasury placed sanctions on North Korea linked APT Groups

The US Treasury placed sanctions on three North Korea-linked hacking groups, the Lazarus Group, Bluenoroff, and Andariel.


The groups are behind several hacking operations that resulted in the theft of hundreds of millions of dollars from financial institutions and cryptocurrency exchanges worldwide, as well as destructive cyber-attacks on infrastructure. Lazarus Group is also considered the threat actor behind the 2018 massive WannaCry attack.

According to the Treasury, the three groups “likely” stole $571 million in cryptocurrency from five Asian exchanges in 2017 and 2018.

Intelligence analysts believe the groups are under the control of the Reconnaissance General Bureau, which is North Korea’s primary intelligence bureau.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFT attacks in 2016, and the Sony Pictures hack.

Bluenoroff is considered a sub-group of the Lazarus APT, formed by the North Korean government to earn revenue from hacking campaigns in response to increased global sanctions.

“According to industry and press reporting, by 2018, Bluenoroff had attempted to steal over $1.1 billion dollars from financial institutions and, according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.” continues the US Treasury.

Andariel is another Lazarus subgroup that focuses on targeting businesses, government agencies and individuals. It conducted multiple attacks aimed at stealing bank card information and at ATMs.

Andariel carried out cyber attacks against online gambling and poker sites.

The sanctions placed by the US Treasury aim to block the groups’ access to the global financial system and to freeze any assets held under US jurisdiction.

“As a result of today’s action, all property and interests in property of these entities, and of any entities that are owned, directly or indirectly, 50 percent or more by the designated entities, that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.” states the US Treasury. “OFAC’s regulations generally prohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked or designated persons.”

Pierluigi Paganini

(SecurityAffairs – North Korea, hacking)

The post The US Treasury placed sanctions on North Korea linked APT Groups appeared first on Security Affairs.

Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ.

Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.

This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.

When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.

We sought to make digital intrusions more expensive than physical intrusions.

In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.

In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!

This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.

The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.

Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.

Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.
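One concrete form of the endpoint instrumentation mentioned above, as an added example that is not from the original post or from GE-CIRT: a small Python detector that reads constructed endpoint events (a hypothetical one-JSON-object-per-line schema, not any real product's format) and flags a user who copies several restricted-labelled files to removable media in a short burst, then enriches the alert with a constructed HR notice-period feed so that cases like the thumb-drive copy described in the Tan story are prioritised. All log lines, users, paths and the `NOTICE_GIVEN` table are constructed for this example.

```python
"""Constructed example: flag bursts of restricted-file copies to removable media.

Hypothetical event schema (not a real product's format): one JSON object per
line with fields ts, user, event, path, dest_type, label.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint events. Only 'htan' copies restricted files to a
# removable device; 'jdoe' copies an internal file, 'asmith' copies to a share.
SAMPLE_LOG = """\
{"ts": "2018-12-10T09:02:11", "user": "jdoe", "event": "file_copy", "path": "/share/hr/holiday_calendar.xlsx", "dest_type": "removable", "label": "internal"}
{"ts": "2018-12-11T18:41:03", "user": "htan", "event": "file_copy", "path": "/share/rd/catalyst_formula_v3.docx", "dest_type": "removable", "label": "restricted"}
{"ts": "2018-12-11T18:41:09", "user": "htan", "event": "file_copy", "path": "/share/rd/pilot_plant_results.xlsx", "dest_type": "removable", "label": "restricted"}
{"ts": "2018-12-11T18:42:30", "user": "htan", "event": "file_copy", "path": "/share/rd/process_flow.pdf", "dest_type": "removable", "label": "restricted"}
{"ts": "2018-12-12T10:15:00", "user": "asmith", "event": "file_copy", "path": "/share/rd/process_flow.pdf", "dest_type": "network", "label": "restricted"}
this line is deliberately malformed and must be skipped
"""

# Constructed HR feed (hypothetical): user -> date on which notice was given.
NOTICE_GIVEN = {"htan": datetime(2018, 12, 12)}
NOTICE_WINDOW = timedelta(days=30)


def parse_events(text):
    """Parse one JSON object per line; skip malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # bad line: count it in production, here we just skip
    return events


def near_notice(user, when):
    """True if the user gave notice within NOTICE_WINDOW of the event time."""
    notice = NOTICE_GIVEN.get(user)
    return notice is not None and abs(notice - when) <= NOTICE_WINDOW


def find_removable_bursts(events, min_files=2, window=timedelta(minutes=10)):
    """Group restricted-label copies to removable media per user and raise one
    alert per user whose first burst holds at least min_files copies within window."""
    per_user = defaultdict(list)
    for ev in events:
        if (ev.get("event") == "file_copy"
                and ev.get("dest_type") == "removable"
                and ev.get("label") == "restricted"):
            per_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= min_files:
                alerts.append({
                    "user": user,
                    "first_seen": start["ts"],
                    "count": len(burst),
                    "paths": [e["path"] for e in burst],
                    # Enrichment: a burst close to a resignation ranks higher.
                    "near_notice": near_notice(user, start["ts"]),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_removable_bursts(parse_events(SAMPLE_LOG)):
        print(alert)
```

The detector keys on a data label rather than on file names, so it depends on the same classification programme that makes files "restricted" in the first place; the HR feed is the cooperation with human resources that the post describes, turned into a field an analyst can sort on.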

Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.

In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.