Category Archives: Cyber warfare

Iran-linked Phosphorous APT hacked emails of security conference attendees

Iran-linked APT group Phosphorus successfully hacked into the email accounts of multiple high-profile individuals and security conference attendees.

Microsoft revealed that Iran-linked APT Phosphorus (aka APT35Charming KittenNewscaster, and Ajax Security Team) successfully hacked into the email accounts of multiple high-profile individuals and attendees at this year’s Munich Security Conference and the Think 20 (T20) summit.

“Today, we’re sharing that we have detected and worked to stop a series of cyberattacks from the threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals.” reads the post published by Microsoft. “Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.”

Nation-state actors successfully targeted over 100 individuals, including former ambassadors and other senior policy experts.

According to the experts at Microsoft Security Intelligence Center, the attacks are part of a cyber-espionage campaign aims at gathering intelligence on the victims by exfiltrating data from their mailboxs and contact list.

Data was exfiltrated to the de-ma[.]online domain, and the g20saudi.000webhostapp[.]com, and ksat20.000webhostapp[.]com subdomains.

The attackers have been sending spoofed email invitations to to former government officials, policy experts, academics, and leaders from non-governmental organizations. Attackers attempted to exploit the fears of travel during the Covid-19 pandemic by offering remote sessions.

The emails were written in almost perfect English.

Experts believe that this campaign is not tied to the upcoming U.S. Presidential elections.

Microsoft experts have worked with conference organizers who are warning their attendees about the ongoing attacks and suggesting them to remain vigilant to this approach being used in connection with other conferences or events.

“We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain. As always, enabling multi-factor authentication across both business and personal email accounts will successfully thwart most credential harvesting attacks like these.” suggest Microsoft. “For anyone who suspects they may have been a victim of this campaign, we also encourage a close review of email-forwarding rules in accounts to identify and remove any suspicious rules that may have been set during a successful compromise.”

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. In past campaigns, the APT group launched spear-phishing attacks against activists and journalists focusing on the Middle East, US organizations, and entities located in Israel, the U.K., Saudi Arabia, and Iraq.

Recently Microsoft published a post and a series of tweets to warn of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

The IT giant also warned of cyber espionage campaigns carried out by other nation state-sponsored hacking groups operating from Russia and China targeting organizations and individuals involved in this year’s U.S. presidential election.

Pierluigi Paganini

(SecurityAffairs – hacking, Phosphorous)

The post Iran-linked Phosphorous APT hacked emails of security conference attendees appeared first on Security Affairs.

US Treasury imposes sanctions on a Russian research institute behind Triton malware

US Treasury Department announced sanctions against Russia’s Central Scientific Research Institute of Chemistry and Mechanics behind Triton malware.

The US Treasury Department announced sanctions against a Russian research institute for its alleged role in the development of the Triton malware.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated, pursuant to Section 224 of the Countering America’s Adversaries Through Sanctions Act (CAATSA), a Russian government research institution that is connected to the destructive Triton malware.” reads a press release published by the Department of the Treasury.

Triton is a strain of malware specifically designed to target industrial control systems (ICS) system that has been spotted by researchers at FireEye in December 2017.

The malware was first spotted after it was employed in 2017 in an attack against a Saudi petrochemical plant owned by the privately-owned Saudi company Tasnee. According to the experts, the infection caused an explosion.

“In August 2017, a petrochemical facility in the Middle East was the target of a cyber-attack involving the Triton malware. This cyber-attack was supported by the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government-controlled research institution that is responsible for building customized tools that enabled the attack.” continues the press release.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye in 2017.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

Triton malware

Once gained access to the SIS system, the threat actor deployed the TRITON malware, a circumstance that indicates that attackers had a knowledge of such systems. According to FireEye the attackers pre-built and tested the tool which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers., it is able to read and write programs and functions to and from the controller.

Triton Malware Triconex

The hackers deployed the Triton malware on a Windows-based engineering workstation, the malicious code added its own programs to the execution table. In case of a failure, the malware attempts to return the controller to a running state, it also overwrites the malicious program with junk data if the attempt fails, likely to delete any track of the attack.

The US Treasury Department imposed sanctions on the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (also known as CNIIHM or TsNIIKhM).

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government research institute in Moscow.

FireEye collected strong evidence suggesting that the Russian CNIIHM institute has been involved in the development of some of the tools used in the Triton attack.

“FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow. The following factors supporting this assessment are further detailed in this post.” reads the analysis published by FireEye.

  1. FireEye uncovered malware development activity that is very likely supporting TEMP.Veles activity. This includes testing multiple versions of malicious software, some of which were used by TEMP.Veles during the TRITON intrusion.
  2. Investigation of this testing activity reveals multiple independent ties to Russia, CNIIHM, and a specific person in Moscow. This person’s online activity shows significant links to CNIIHM.
  3. An IP address registered to CNIIHM has been employed by TEMP.Veles for multiple purposes, including monitoring open-source coverage of TRITON, network reconnaissance, and malicious activity in support of the TRITON intrusion.
  4. Behavior patterns observed in TEMP.Veles activity are consistent with the Moscow time zone, where CNIIHM is located.
  5. We judge that CNIIHM likely possesses the necessary institutional knowledge and personnel to assist in the orchestration and development of TRITON and TEMP.Veles operations.” 

Experts pointed out that Triton is linked to Russia, the CNIIHM, and an individual located in Moscow. Some of the TEMP.Veles hacking tools were tested using an unnamed online scan service. A specific user of the service who has been active since 2013 has tested various tools across the time.

The user also tested several customized versions of widely available tools, including Metasploit, Cobalt Strike, PowerSploit, the PowerShell-based WMImplant, and cryptcat.

In many cases, the custom versions of the tools were used in TEMP.Veles attacks just days after being submitted to the testing environment.

The experts discovered that a PDB path contained in a tested file included a string that appears to be an online moniker associated with a Russia-based individual active in Russian information security communities since at least 2011.

According to a now-defunct social media profile, the individual was a professor at CNIIHM.

FireEye also discovered that one IP address registered to the Russian research institute was involved in the Triton attacks.

The sanctions prohibit US entities from engaging with CNIIHM and also seize any asset on the US soil belonging to the research institute.

“The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” said Secretary Steven T. Mnuchin. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

TsNIIKhM is being designated pursuant to Section 224 of CAATSA for knowingly engaging in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation.” concludes the press release.

“As a result of today’s designation, all property and interests in property of TsNIIKhM that are in or come within the possession of U.S. persons are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked. Moreover, non-U.S. persons who engage in certain transactions with TsNIIKhM may themselves be exposed to sanctions.”

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint report that provides details about a hacking campaign of a Russian hacking group known as Energetic Bear.

The EU Council also imposed sanctions on two Russian intelligence officers for their role in the 2015 Bundestag hack.

Pierluigi Paganini

(SecurityAffairs – hacking, Triton)

The post US Treasury imposes sanctions on a Russian research institute behind Triton malware appeared first on Security Affairs.

Iran-Linked Seedworm APT target orgs in the Middle East

The Iran-linked cyber espionage group tracked as Seedworm started using a new downloader and is conducting destructive attacks.

The Iran-linked cyber-espionage group Seedworm (aka MuddyWater MERCURY, and Static Kitten) was observed using a new downloader in a new wave of attacks. Security experts pointed out that the threat actor started conducting destructive attacks.

Also referred to as MuddyWater, MERCURY, and Static Kitten, the cyber-espionage group was initially analyzed in 2017.

The first MuddyWater campaign was observed in late 2017, then researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing these attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

Earlier this month, the Iranian APT group was observed actively targeting the Zerologon flaw.

According to security firm ClearSky and Symantec, Seedworm recently started using a new downloader dubbed PowGoop. Experts noticed that the threat actors used the downloader to deliver the Thanos ransomware in an attack aimed at an organization in the Middle East.

“PowGoop is a loader that was exposed in a PaloAlto report and later used in Operation Quicksand. PowGoop is comprised of a DLL Loader and a PowerShell-based downloader.” reads the report published by ClearSky. “The malicious file impersonates a legitimate goopdate.dll file that is signed as a Google Update executable”

The experts observed the attacks between July 6 and July 9, 2020, the hackers employed a strain of ransomware that was able to evade security tools and that implemented a destructive feature by overwriting the MBR.

Experts pointed out that the primary objectives of previous MuddyWater campaigns were espionage and cyber espionage, but in the latest campaign, tracked as ‘Operation Quicksand’ threat actors used for the first time the destructive malware in attacks on prominent organizations in Israel and in other countries around the world.

“We assess that the group is attempting to employ destructive attacks (the likes of the NotPetya attack from 2017), via a disguised as ransomware attacks” continnues the report.

“Although we didn’t see execution of the destruction in the wild, due to the presence of the destructive capabilities, the attribution to nation-state sponsored threat actor, and the realization of this vector in the past, a destructive purpose is more likely than a ransomware that is being deployed for financial goals.”

Another report published by Symantec connected the dots between MuddyWater and the PowGoopdownlaoder.

“In several recent Seedworm attacks, PowGoop was used on computers that were also infected with known Seedworm malware (Backdoor.Mori). In addition to this, activity involving Seedworm’s Powerstats (aka Powermud) backdoor appears to have been superseded by DLL side-loading of PowGoop.” reads the report published by Symantec.

“Additionally, during PowGoop activity, we also observed the attackers downloading tools and some unknown content from GitHub repos, similar to what has been reported on Seedworm‘s Powerstats in the past.”

Symantec researchers noticed that on the same machine where Seedworm was active, the attackers deployed the PowGoop downloader which is known to be a malware that is part of Seedworm’s arsenal.

PowGoop appears to have been employed in attacks aimed at governments, education, oil and gas, real estate, technology, and telecoms organizations in Afghanistan, Azerbaijan, Cambodia, Iraq, Israel, Georgia, Turkey, and Vietnam.

Symantec’s analysis revealed that the PowGoop was masquerading as a Google tool and noticed the use of SSF and Chisel.

Experts speculate the PowGoop downloader might be an evolution of Powerstats tool employed by MuddyWater in previous attacks.

“Symantec has not found any evidence of a wiper or ransomware on computers infected with PowGoop.”Symantec concludes. “This suggests that either the simultaneous presence of PowGoop and Thanos in one attack was a coincidence or, if the two are linked, that PowGoop is not used exclusively to deliver Thanos,”

Pierluigi Paganini

(SecurityAffairs – hacking, Seedworm)

The post Iran-Linked Seedworm APT target orgs in the Middle East appeared first on Security Affairs.

FBI and CISA joint alert blames Russia’s Energetic Bear APT for US government networks hack

The US government declared that Russia-linked APT group Energetic Bear has breached US government networks and exfiltrated data.

A joint security advisory published by The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) revealed that Russia-linked APT group Energetic Bear has breached US government networks and exfiltrated data.

The Energetic Bear APT group (aka DragonFlyCrouching Yeti, TEMP.Isotope, Berserk Bear, TeamSpy, Havex, Koala). has been active since at least 2010 most of the victims of the group are organizations in the energy and industrial sectors.

In March 2018, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as DragonflyCrouching Yeti, and Energetic Bear.

This joint advisory provides information on Russia-linked APT actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. 

Officials said the group has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.

Energetic Bear successfully compromised the infrastructure and as of October 1, 2020, exfiltrated data from at least two victim servers.

“Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets.” reads the advisory. “The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

The Russian-sponsored APT actor uses previously obtained user and administrator credentials to access the target network and then perform lateral movement to locate high-value assets and exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to sensitive network configurations and passwords, standard operating procedures (SOP), IT instructions, such as requesting password resets, vendors and purchasing information. printing access badges.

This advisory updates another joint CISA-FBI cybersecurity advisory, which warned of attackers combining VPN and Windows Zerologon flaws to target government networks.

The new advisory attributes the cyber attacks to the Russian threat actor and included technical details about the Energetic Bear’s TTPs.

The state-sponsored hackers scanned for vulnerable Citrix (CVE-2019-19781) and Microsoft Exchange services (CVE-2020-0688) and identified vulnerable installs for future exploitation.

According to the technical advisory, Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Hackers also targeted Exim mail agents (CVE 2019-10149) and Fortinet SSL VPNs (CVE-2018-13379).

Once gained access to the target networks, Russian hackers moved laterally exploiting the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials to take over the target’s internal network.

“To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities,” continues the alert.

“As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised.”

Pierluigi Paganini

(SecurityAffairs – hacking, Energetic Bear)

The post FBI and CISA joint alert blames Russia’s Energetic Bear APT for US government networks hack appeared first on Security Affairs.

EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack

The Council of the European Union announced sanctions imposed on Russian military intelligence officers for 2015 Bundestag hack.

The Council of the European Union announced sanctions imposed on Russian military intelligence officers, belonging to the 85th Main Centre for Special Services (GTsSS), for their role in the 2015 attack on the German Federal Parliament (Deutscher Bundestag).

The 85th Main Centre for Special Services (GTsSS) is the military unit of the Russian government also tracked as APT28  (aka Fancy BearPawn StormSofacy GroupSednit, and STRONTIUM).

The APT28 group (aka Fancy BearPawn StormSofacy GroupSednit, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

“The Council today imposed restrictive measures on two individuals and one body that were responsible for or took part in the cyber-attack on the German Federal Parliament (Deutscher Bundestag) in April and May 2015.” reads the press release published by the Council. “This cyber-attack targeted the parliament’s information system and affected its ability to operate for several days. A significant amount of data was stolen and the email accounts of several members of parliament, including that of Chancellor Angela Merkel, were affected.”

Immediately after the attack the daily Der Spiegel speculated that the Russian Government was behind the attack.  

Bundestag German politicians

The attackers used a sophisticated strain of malware to violated the Bundestag network and syphoned sensitive data. The experts that analyzed the malicious code employed in the hack found many similarities with a piece of malware used in a previous attack against a German Government network that took place in 2014.

“The cyber attack on the “Parlakom” network was discovered in early May. At the parliamentary IT network 20,000 Bundestag accounts are connected – including German Chancellor Angela Merkel and other government officials.” continues the Der Spiegel.

EU’s sanctions imposed on Russian military officers include travel bans and asset freezes, they also block EU organizations and individuals from transferring funds to sanctioned entities and individuals.

The Council’s sanctions target a total of 8 persons and 4 entities and bodies.

“Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox), and are intended to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace,” a press release published earlier reads. “The relevant legal acts, including the names of the individuals and the body concerned, have been published in the Official Journal.”

Two of the officers sanctioned by the Council of the European Union are Dmitry Sergeyevich Badin and Igor Olegovich Kostyukov are known members of the GTsSS.

The two officers were also indicted by US DoJ in October 2018, along with other five members of the Russian Main Intelligence Directorate (GRU), for hacking, wire fraud, identity theft, and money laundering.

Kostyukov was also reached by an executive order issued by President Barack Obama in 2016 to impose sanctions on a number of Russian military and intelligence officials in response to the alleged hacking campaigns against the 2016 US Presidential Election.

Kostyukov is the current chief of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU).

“In this capacity, Igor Kostyukov is responsible for cyber-attacks carried out by the GTsSS, including those with a significant effect constituting an external threat to the Union or its Member States,” states the Council. “In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) which took place in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018.”

In July 2020, for the first-ever time, the EU has imposed economical sanctions on Russia, China, and North Korea following cyber-attacks aimed at the EU and its member states.

The EU Council announced sanctions imposed on a Russia-linked military espionage unit, as well as companies operating for Chinese and North Korean threat actors that launched cyber-attacks against the EU and its member states.

The sanctions were imposed as part of a legal framework established on May 17, 2019, which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks aimed at the EU or its member states.

Pierluigi Paganini

(SecurityAffairs – hacking, Bundestag)

The post EU Council sanctions two Russian military intelligence officers over 2015 Bundestag hack appeared first on Security Affairs.

ENISA Threat Landscape Report 2020

According to the ENISA Threat Landscape Report 2020, cyberattacks are becoming more sophisticated, targeted, and in many cases undetected.

I’m proud to present the ENISA Threat Landscape Report 2020, the annual report published by the ENISA that provides insights on the evolution of cyber threats for the period January 2019-April 2020.

The 8th annual ENISA Threat Landscape (ETL) report was compiled by the European Union Agency for Cybersecurity (ENISA), with the support of the European Commission, EU Member States and the CTI Stakeholders Group.

It is an amazing work that identifies and evaluates the top cyber threats for the period January 2019-April 2020.

This year the report has a different format that could allow the readers to focus on the threat of interest. The publication is divided into 22 different reports, which are available in both pdf form and ebook form.

The report provides details on threats that characterized the period of the analysis and highlights the major change from the 2018 threat landscape as the COVID-19-led transformation of the digital environment.

“During the pandemic, cyber criminals have been seen advancing their capabilities, adapting quickly and targeting relevant victim groups more effectively. (Infographic – Threat Landscape Mapping during COVID-19). states the report.

ENISA Threat Landscape Report 2020

The ETL report provides strategic and technical analysis of the events, it was created to provide relevant information to both technical and non-technical readers.

For a better understanding of how the ETL is structured, we recommend the initial reading of “The Year in Review” report, the following table could help readers to focus on the section of their interest included in the publication.

The report highlights the importance of cyber threat intelligence to respond to increasingly automated attacks leveraging automated tools and skills.

Another element of concern is the diffusion of IoT devices, in many cases, smart objects are exposed online without protection.

Below the main trends reported in the document:

  • Attack surface in cybersecurity continues to expand as we are entering a new phase of the digital transformation.
  • There will be a new social and economic norm after the COVID-19 pandemic even more dependent on a secure and reliable cyberspace.
  • The use of social media platforms in targeted attacks is a serious trend and reaches different domains and types of threats.
  • Finely targeted and persistent attacks on highvalue data (e.g. intellectual property and state secrets) are being meticulously planned and executed by state-sponsored actors.
  • Massively distributed attacks with a short duration and wide impact are used with multiple objectives such as credential theft.
  • The motivation behind the majority of cyberattacks is still financial.
  • Ransomware remains widespread with costly consequences to many organisations.
  • Still many cybersecurity incidents go unnoticed or take a long time to be detected.
  • With more security automation, organisations will be invest more in preparedness using Cyber Threat Intelligence as its main capability.
  • The number of phishing victims continues to grow since it exploits the human dimension being the weakest link.

Let me close with the Top Threats 2020, for each threat the report includes detailed information on trends and observed evolution.

ENISA Threat Landscape Report 2020 2

Enjoy it!

Pierluigi Paganini

(SecurityAffairs – hacking, ENISA Threat Landscape Report 2020)

The post ENISA Threat Landscape Report 2020 appeared first on Security Affairs.

Sweden bans Huawei and ZTE from building its 5G infrastructure

Sweden is banning Chinese tech giant Huawei and ZTE from building new 5G wireless networks due to national security concerns.

Another state, Sweden, announced the ban of Chinese tech companies Huawei and ZTE from building its 5G network infrastructure.

The Swedish Post and Telecom Authority announced this week that four wireless carriers bidding for frequencies in an upcoming spectrum auction for the new 5G networks (Hi3G Access, Net4Mobility, Telia Sverige and Teracom) cannot use network equipment from the Chinese firms.

The Swedish telecom regulator is also urging carriers to replace any existing equipment from Huawei or ZTE by January 1st, 2025, at the latest.

The decision is the result of assessments made by the Swedish military and security service.

“In accordance with new legislation, which entered into force on 1 January 2020, an examination of applications has been conducted in consultation with the Swedish Armed Forces and the Swedish Security Service, to ensure that the use of radio equipment in these bands does not cause harm to Sweden´s security.” reads a press release published by the Swedish Post and Telecom Authority.

The ban aims at new installations and new implementation of central functions for the radio use in the frequency bands.

Sweden is the latest country to ban Huawei from participating in building 5G networks.

Recently Belgian telecoms operators Orange Belgium and Proximus announced that it will gradually replace the equipment from the Chinese manufacturer Huawei.

Huawei ban

The U.S. is pushing its allies for banning Huawei, ZTE and other Chinese companies, Washington highlighted the risks for national security in case of adoption of Huawei equipment and is urging internet providers and telco operators in allied countries to ban Chinese firms.

The Chinese giant was already excluded by several countries from building their 5G internet networks. The United StatesAustraliaNew ZealandRomania, and Japan announced the exclusion of Huawei technology for their 5G internet networks.

In April 2018, the UK GCHQ intelligence agency warned UK telcos firms of the risks of using ZTE equipment and services for their infrastructure.

In December 2018, a Czech cyber-security agency is warned against using Huawei and ZTE technologies because they pose a threat to state security.

In September, the US Federal Communications Commission (FCC) estimated the cost of a full replacement of all Huawei and ZTE hardware on American wireless networks at $1.837bn.

Klas Friberg, the head of Sweden’s domestic security service (SAPO) declared that foreign states have intensified their intelligence activity and the protection of 5G networks from cyber espionage and hacking campaign from threat actors is crucial for homeland security.

“China is one of the biggest threats to Sweden,” Friberg said. “The Chinese state is conducting cyber espionage to promote its own economic development and develop its military capabilities. This is done through extensive intelligence gathering and theft of technology, research and development. This is what we must consider when building the 5G network of the future.”

Huawei was “surprised and disappointed” by the decision of the Swedish authority.

“Huawei has never caused even the slightest shred of threat to Swedish cyber security and never will,” reads a statement from the Chinese giant Huawei. “Excluding Huawei will not make Swedish 5G networks any more secure. Rather, competition and innovation will be severely hindered.

Pierluigi Paganini

(SecurityAffairs – hacking, 5G)

The post Sweden bans Huawei and ZTE from building its 5G infrastructure appeared first on Security Affairs.

U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya

The U.S. DoJ announced charges against six Russian intelligence officers for their role in several major cyberattacks carried out over the last years.

The U.S. Department of Justice announced charges against six members of Russia’s GRU military intelligence agency for their alleged role in several major cyberattacks conducted over the past years.

The defendants are Yuriy Sergeyevich Andrienko, aged 32, Sergey Vladimirovich Detistov, 35, Pavel Valeryevich Frolov, 28, Anatoliy Sergeyevich Kovalev, 29, Artem Valeryevich Ochichenko, 27, and Petr Nikolayevich Pliskin, 32.

The six Russian intelligence officers are believed to be members of the Russia-linked Sandworm APT group (aka Telebots, Iron Viking and Voodoo Bear).

According to the indictment, the GRU officers were involved in attacks on Ukraine, including the attacks aimed at the country’s power grid in 2015 and 2016 that employed the BlackEnergy and Industroyer malware.

US DoJ charged the men with damaging protected computers, conspiracy to conduct computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.

Government experts linked the Russian APT group to major attacks, including NotPetya, a hacking operation targeting elections in France in 2017, the attack against PyeongChang Winter Olympics that involved the Olympic Destroyer malware, as well as a series of attacks on Georgian companies and government organizations.

“Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.” reads the press release published by the DoJ. “The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.”

Since November 2015 and until at least in October 2019, the defendants and their co-conspirators were involved in the development and deployment of destructive malware and took part in disruptive hacking campaign actions,.

Below the list overt acts for each defendant:

DefendantSummary of Overt Acts
Yuriy Sergeyevich Andrienko·      Developed components of the NotPetya and Olympic Destroyer malware.
Sergey Vladimirovich Detistov·      Developed components of the NotPetya malware; and·      Prepared spearphishing campaigns targeting the 2018 PyeongChang Winter Olympic Games. 
Pavel Valeryevich Frolov·       Developed components of the KillDisk and NotPetya malware.
Anatoliy Sergeyevich Kovalev·       Developed spearphishing techniques and messages used to target:-       En Marche! officials;-       employees of the DSTL;-       members of the IOC and Olympic athletes; and-       employees of a Georgian media entity.
Artem Valeryevich Ochichenko·       Participated in spearphishing campaigns targeting 2018 PyeongChang Winter Olympic Games partners; and·       Conducted technical reconnaissance of the Parliament of Georgia official domain and attempted to gain unauthorized access to its network.
Petr Nikolayevich Pliskin·       Developed components of the NotPetya and Olympic Destroyer malware. 

The FBI added the defendants to the Cyber’s Most Wanted list.

“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI Deputy Director David Bowdich.  “But this indictment also highlights the FBI’s capabilities.  We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.  As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”

“For more than two years we have worked tirelessly to expose these Russian GRU Officers who engaged in a global campaign of hacking, disruption and destabilization, representing the most destructive and costly cyber-attacks in history,” said Scott Brady, U.S. Attorney for the Western District of Pennsylvania. “The crimes committed by Russian government officials were against real victims who suffered real harm. We have an obligation to hold accountable those who commit crimes – no matter where they reside and no matter for whom they work – in order to seek justice on behalf of these victims.”

GRU intelligence officers charged

Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)

The post U.S. Charges Russia GRU Intelligence Officers for notorious attacks, including NotPetya appeared first on Security Affairs.

Google warned users of 33,015 nation-state attacks since January

Google delivered over 33,000 alerts to its users during the first three quarters of 2020 to warn them of attacks from nation-state actors.

Google delivered 33,015 alerts to its users during the first three quarters of 2020 to warn them of phishing attacks, launched by nation-state actors, targeting their accounts.

Google sent 11,856 government-backed phishing warnings during Q1 2020, 11,023 in Q2 2020, and 10,136 in Q3 2020.

Shane Huntley, Director at Google’s Threat Analysis Group (TAG), revealed that her team has shared its findings with the campaigns and the Federal Bureau of Investigation.

The IT giant pointed out that major events like elections and COVID-19 represent opportunities for threat actors.

The trend in the nation-state attacks is consistent with what others have subsequently reported.

Google TAG report nation-state actors

“Overall, we’ve seen increased attention on the threats posed by APTs in the context of the U.S. election. U.S government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem.” reads the report published by Google TAG.

Since last summer, TAG team has tracked a large spam network linked to China that is running an influence operation on multiple platforms, primarily on YouTube. The threat actor behind this campaign was primarily acquiring or hijacking existing accounts and using them to spread content crafted for their intent.

According to Google, the alerts are shown to up to 0.1% of all Gmail accounts. The company’s alert advises Gmail users to take several measures to secure their accounts, such as enrolling in the Advanced Protection Program, keeping software up to date, enabling Gmail 2-step verification, as well as using Google Authenticator and/or a physical security key for 2-step verification.

As the course of the COVID-19 pandemic evolves, Google experts warn of threat actors evolving their tactics as well. During the last summer, Google observed threat actors from China, Russia, and Iran targeting pharmaceutical companies and researchers involved in the development of a vaccine. 

In September, Google experts started to observe attacks carried out by multiple North Korea-linked APT groups aimed at COVID-19 researchers and pharmaceutical companies, especially those based in South Korea.

This week, the Google Cloud team revealed that in September 2017 it has mitigated DDoS attack that reached 2.54 Tbps, the largest DDoS attack of ever.

This attack is the largest DDoS attack recorded to date and according to a report published by the Google Threat Threat Analysis Group (TAG) it was carried out by a state-sponsored threat actor.

Pierluigi Paganini

(SecurityAffairs – hacking, Google TAG)

The post Google warned users of 33,015 nation-state attacks since January appeared first on Security Affairs.

Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen

The Google Cloud team revealed that in September 2017 it has mitigated DDoS attack that reached 2.54 Tbps, the largest DDoS attack of ever.

The Google Cloud team revealed that back in September 2017 it has mitigated a powerful DDoS attack that clocked at 2.54 Tbps.

This attack is the largest distributed denial of service attack recorded to date.

“Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack. Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact.” reads the post published by Damian Menscher, a Security Reliability Engineer for Google Cloud.

“The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us.”


Google researchers pointed out that the attack they mitigated was four times larger than the 623 Gbps attack launched from the Mirai botnet in 2016.

Experts noticed that this attack is bigger than the 2.3 Tbps DDoS attack mitigated by Amazon’s AWS in February.

A report published by the Google Threat Threat Analysis Group (TAG) speculates that the attack was carried out by a state-sponsored threat actor.

“we’ve seen bigger players increase their capabilities in launching large-scale attacks in recent years. For example in 2017, our Security Reliability Engineering team measured a record-breaking UDP amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and 9394), which remains the largest bandwidth attack of which we are aware.” reads the report published by Google.

Menscher revealed that the attack was part of a campaign that leveraged multiple DDoS amplification methods to hit Google’s servers.

Google decided to disclose the DDoS attack today to warn of an increasing trend of state-sponsored actors abusing DDoS attacks to target online resources.

Experts believe that DDoS attacks are becoming even more dangerous and would intensify in the coming years.

Pierluigi Paganini

(SecurityAffairs – hacking, distributed denial of service)

The post Google mitigated a 2.54 Tbps DDoS attack in 2017, the largest DDoS ever seen appeared first on Security Affairs.

Iran acknowledged cyberattacks on two governmental departments

Iran ’s cybersecurity authority revealed that two governmental departments were hit by cyberattacks this week, state media reported.

State media reported on Thursday that Iran’s cybersecurity authority acknowledged cyberattacks on two unnamed governmental departments.

The state-owned IRAN daily newspaper revealed that the cyberattacks took place on Tuesday and Wednesday respectively.

Iranian authorities are investigating the attacks that were defined as important.

Other governmental departments temporarily took down their online operation as a precaution measure.

Iran’s cybersecurity authority did not attribute the attack to a specific threat actor

This isn’t the first time that Irans‘ authorities claim to have been targeted by cyber attacks. In December 2019, the Iran telecommunications minister announced for two times in a week to have foiled a cyber attack against its infrastructure.

At the time, the Iranian minister Mohammad Javad Azari-Jahromi confirmed that the attack was neutralized by the national cyber shield, it also added that the attack was launched by the China-linked APT27 group seeking for gathering intelligence its country.

In October 2019, Iran announced it was fearing retaliation from Western countries that are accusing it to carry out physical and cyber attacks against their infrastructure and countries in the Middle East.

At the time, Iran’s oil ministry said that the Government of Washington has launched a full-scale economic war” against the Islamic Republic in retaliation for the shooting down of a US drone as well as attacks on oil tankers that the US has blamed Iran.

Tensions between Tehran and Washington have escalated since 2018 when President Trump reimposed sanctions on Iran. The situation went out of control after a US drone strike killed top Iranian general Qasem Soleimani in January.

The order to kill Soleimani was issued by President Trump that said Soleimani was planning an “imminent” attack on US personnel in Baghdad.

In January, the U.S. Department of Homeland Security (DHS) has issued warnings about the possibility of cyber-attacks launched by Iran-linked threat actors. The attacks could be the response of Teheran after Maj. Gen. Qassim Suleimani was killed by a U.S. drone airstrike at the Baghdad airport in Iraq.

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Iran acknowledged cyberattacks on two governmental departments appeared first on Security Affairs.

8 Types of Security Threats to the IoT


The IoT industry is currently booming at a rapid scale, allowing for insights backed by data to provide value to industries and enterprises. For instance, in supply chain, IoT is helping track the exact locations and condition of the cargo shipments to ensure that goods in transportation safely reach their destination. In agricultural sector, IoT devices help farmers to monitor changes in weather near crop fields to enhance labor, harvest health and water usage. Travel industry is making use of IoT sensors to notify on-arrival passengers when their luggage reaches the airport.

These and many more opportunities offered by IoT are making our lives easier and provide us with limitless services to enable increased work productivity and efficiency. However, its adoption is still not as widespread as anticipated. The reason is the security obstacles associated with IoT devices. In the year 2018, according to a survey by Bain & Company, security was the top reason for industrial and enterprise respondents to not adopt IoT technology. These security challenges can be overcome, but to understand how to do that, it’s important to first know what these challenges are.

Let us look at some of the many security threats faced by the Internet of Things.

  1. Radio Frequency (RF) Jamming

Hackers can use radio jamming to block wireless IoT devices by interfering with wireless communications to hinder their functionality. This can be done by getting hold of an RF Jammer, causing IoT devices to limit their communication ability by losing connectivity. For instance, residential and commercial wireless security alarms that are connected over a cellular network can be easily jammed and enable an intruder to break in without the knowledge of the security provider.

  • Distributed Denial of Service (DDoS) Attacks

A DDoS attack happens when all network devices are precariously made to send limitless messages that eventually cause congestion in the IoT network shut it down. Cyber criminals use DDoS attacks to control numerous compromised devices, thus preventing important information from reaching its destination.

  • Privacy Leakage

An unsecured IoT device that leaks its IP address, if identified by a hacker, can be misused to point to any location. It is recommended that IoT connections should be secured using Virtual Private Networks (VPNs). Just as an Internet Service Provider’s network can be secured by  installing VPN on a router to encrypt all traffic passing through (see HughesNet Internet for the best satellite internet services), the same can be applied to an IoT device to ensure that your IP is private and your smart network is protected.

  • Network Hacks

A network hack takes place when an IoT device is compromised through the network that it is connected to. This kind of security breach allows a hacker to access and control the device. For instance, they can gain control of the thermostat of an industrial furnace and start a fire or cause an autonomous vehicle to crash by controlling its driving.

  • Home Intrusion

This is one of the reasons why smart homes are not ideally seen as a reality and adapted far and wide till now. It is also one of the scariest scenarios which can turn a device meant for an individual customer’s convenience into a major threat to their home privacy. Unsecured IoT devices that are shipped to a user with default username as ‘admin’ and password as ‘12345’ are very vulnerable to home intrusion. This can not only be used in planned burglaries but also invades complete privacy of a residential household. This is why it’s very important to secure a device’s credentials and connect them through a VPN.

  • Lack of Device Updates

Companies are manufacturing IoT devices at an increasing rate due to the growing demand. However, since their focus is on production and competition, manufacturers are not very careful with handling IoT device-related risks and security issues. Many of the devices in the market do not have considerable security updates, and some of them are never updated at all. Even if a device initially caters to security requirements, it becomes insecure and vulnerable after the emergence of new technologies and new cyber security challenges, making it more prone to cyber-attacks, especially if it is not updated.

Some manufacturers deliver Over the Air (OTA) firmware updates but stop doing that once they start working on next generation devices, thus leaving the older devices exposed to security threats. 

  • Unsafe Communication

Most of the IoT devices do not encrypt messages while communicating over a network, which makes it one of the biggest security challenges of IoT. To prevent from intrusion, companies need to secure and encrypt their communication between cloud services and devices. Using transport encryption and standards such as TLS can ensure safe communication. Also, device isolation using different networks can ensure a secure private communication.

  • Difficulty in Determining a Device’s Compromised Status

Another one of the challenges of an IoT device is that it is very hard to ascertain if a device is hacked or not.  Especially when there are a large number of IoT devices, it gets very difficult to monitor the security status of all the devices. This is because IoT devices need services, apps and protocols to communicate; and with more devices, it’s becoming unmanageable to find out which of them are compromised. As a result, many such hacked devices continue to work without the user’s knowledge and their data and privacy keeps getting compromised.

The Bottom Line

There is no doubt that IoT promises a change that can bring more convenience to our lives and is destined to get bigger with time. However, the bigger it is going to get, the more headaches it will progressively carry along with itself as the accompanying IoT trends and threats also get bigger. This can only be overcome if device manufacturers and IoT industry stakeholders take security seriously and make it a top priority instead of joining a competitive race towards more production and short-term profits.

The post 8 Types of Security Threats to the IoT appeared first on CyberDB.