Russian military reportedly hacked into European satellites at start of Ukraine war

American government officials told The Washington Post that the Russian military was responsible for a cyberattack on a European satellite internet service that affected Ukrainian military communications in late February.

The hack affected the KA-SAT satellite broadband network, owned by Viasat, an American satellite communications company. On February 24th, the day the Russian invasion of Ukraine began, the KA-SAT network was hit by outages that affected Ukraine and surrounding regions in Europe. A few days afterward, Viasat blamed outages on a “cyber event,” but did not release further details.

Though Ukrainian officials have not fully disclosed the impact, the outage is believed to have caused significant communications disruptions at the beginning of the war.

The NSA was reported to be collaborating on an investigation with Ukrainian intelligence services, but no results have been officially announced. However, anonymous officials reportedly told the Post that US intelligence analysts have now concluded that Russian military hackers were behind the attack.

A request for confirmation sent by The Verge to the Cybersecurity and Infrastructure Security Agency (CISA) had not received a response by the time of publication.

Officials from Viasat told Air Force Magazine that the attack was conducted through a compromise of the system that manages customer satellite terminals, and only affected customers of the KA-SAT network, a smaller broadband provider that Viasat bought last year from French satellite operator Eutelsat.

At the outset of the conflict, commentators feared that Russia could launch widespread and destructive cyberattacks. While one perspective holds that such attacks have failed to materialize, the slow release of additional information gives credence to the suggestion that many attacks may have occurred in the shadows.

In the aftermath of the hack, CISA and the FBI issued a joint cybersecurity advisory to satellite communications providers, warning that the agencies were aware of possible threats to US and international networks, and advising companies to report any indications of malicious activity immediately.

As the war in Ukraine continues — and US opposition to Russia grows in the form of sanctions — the Biden administration has issued increasingly serious warnings about the possibility of Russian cyberattacks on US infrastructure.

On Monday, President Biden advised US businesses to take added precautions against hacking, citing “evolving intelligence” that Russia was preparing to target the US with cyberattacks. Then on Thursday, the Department of Justice unsealed indictments against four Russians accused of mounting state-sponsored cyberattacks against the US, publicly releasing details of a highly sophisticated hacking campaign involving supply-chain software compromises and spear-phishing campaigns against thousands of employees of companies and US government agencies.

Repost: Original Source and Author Link


Data leak from Russian delivery app shows dining habits of the secret police

A massive data leak from Russian food delivery service Yandex Food revealed the delivery addresses, phone numbers, names, and delivery instructions belonging to those associated with Russia’s secret police, according to findings from Bellingcat.

Yandex Food, a subsidiary of the larger Russian internet company Yandex, first reported the data leak on March 1st, blaming it on the “dishonest actions” of one of its employees and noting that the leak doesn’t include users’ login information. Russian communications regulator Roskomnadzor has since threatened to fine the company up to 100,000 rubles (~$1,166 USD) for the leak, which Reuters says exposed the information of about 58,000 users. Roskomnadzor also blocked access to an online map containing the data — an attempt to conceal the information of ordinary citizens, as well as those with ties to the Russian military and security services.

Researchers at Bellingcat gained access to the trove of information, sifting through it for leads on any people of interest, such as an individual linked to the poisoning of Russian opposition leader Alexey Navalny. By searching the database for phone numbers collected as part of a previous investigation, Bellingcat uncovered the name of the person who was in contact with Russia’s Federal Security Service (FSB) to plan Navalny’s poisoning. Bellingcat says this person also used his work email address to register with Yandex Food, allowing researchers to further ascertain his identity.

Researchers also examined the leaked information for the phone numbers belonging to individuals tied to Russia’s Main Intelligence Directorate (GRU), or the country’s foreign military intelligence agency. They found the name of one of these agents, Yevgeny, and were able to link him to Russia’s Ministry of Foreign Affairs and find his vehicle registration information.

Bellingcat uncovered some valuable information by searching the database for specific addresses as well. When researchers looked for the GRU headquarters in Moscow, they found just four results — a potential sign that workers just don’t use the delivery app, or opt to order from restaurants within walking distance instead. When Bellingcat searched for FSB’s Special Operation Center in a Moscow suburb, however, it yielded 20 results. Several results contained interesting delivery instructions, warning drivers that the delivery location is actually a military base. One user told their driver “Go up to the three boom barriers near the blue booth and call. After the stop for bus 110 up to the end,” while another said “Closed territory. Go up to the checkpoint. Call [number] ten minutes before you arrive!”

In a translated tweet, Russian politician and Navalny supporter, Lyubov Sobol, said the leaked information even led to additional information about Russian President Vladimir Putin’s former mistress and their alleged “secret” daughter. “Thanks to the leaked Yandex database, another apartment of Putin’s ex-mistress Svetlana Krivonogikh was found,” Sobol said. “That’s where their daughter Luiza Rozova ordered her meals. The apartment is 400 m², worth about 170 million rubles [~$1.98 million USD]!”

If researchers were able to uncover this much information based on data from a food delivery app, it’s a bit unnerving to think about the amount of information Uber Eats, DoorDash, Grubhub, and others have on users. In 2019, a DoorDash data breach exposed the names, email addresses, phone numbers, delivery order details, delivery addresses, and the hashed, salted passwords of 4.9 million people — a much larger number than those affected in the Yandex Food leak.



Russian ‘King of Fraud’ sentenced to 10 years in prison for Methbot digital ad scheme

A Russian man convicted on wire fraud and money laundering charges for his role in the Methbot digital advertising scheme was sentenced to 10 years in prison on Wednesday.

The Department of Justice said between September 2014 and December 2016, Aleksandr Zhukov, 41, and several co-conspirators made deals with ad networks to place online ads but used a bot farm and rented servers to simulate users visiting spoofed versions of websites like the New York Times and the New York Daily News. The ads were never shown to human users, but Zhukov raked in $7 million running the fake traffic scam (which became known as “Methbot,” after the name of his phony ad network Media Methane), according to the DOJ.

“Sitting at his computer keyboard in Bulgaria and Russia, Zhukov boldly devised and carried out an elaborate multi-million-dollar fraud against the digital advertising industry, and victimized thousands of companies across the United States,” US Attorney Breon Peace said in a statement.

As part of the elaborate plan, Zhukov recruited programmers and others to help build the infrastructure that made the scheme possible. Authorities said he referred to the recruits as his developers and to himself as “the king of fraud.”

In May, a jury convicted Zhukov of wire fraud conspiracy, wire fraud, money laundering conspiracy, and money laundering. In addition to the 10-year prison term, Zhukov was ordered to pay $3.8 million in forfeiture.



Russian hackers reportedly attacked GOP computer systems

Russian state hackers affiliated with the group Cozy Bear were reportedly behind an attack last week on Synnex, a contractor that provides IT services for the Republican National Committee (RNC), Bloomberg writes. The attack may have exposed the organization’s information.

When asked by Bloomberg, a spokesperson for the RNC denied the organization’s systems had been hacked, but confirmed that one of its IT providers, Synnex, had been exposed. The RNC provided the following statement in reference to the attack:

Over the weekend, we were informed that Synnex, a third party provider, had been breached. We immediately blocked all access from Synnex accounts to our cloud environment. Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials on this matter.

In a statement released on July 6th, Synnex further confirmed “it is aware of a few instances where outside actors have attempted to gain access, through Synnex, to customer applications within the Microsoft cloud environment.” The company claims it is reviewing the attack alongside Microsoft and a third-party security firm. Manipulating enterprise software that interacts with Microsoft’s cloud rather than going after Azure or Office products directly shares some similarities with the SolarWinds hack in 2020.

And that connection would make sense: members of Cozy Bear working with SVR, Russia’s foreign intelligence service, are largely suspected to be behind the manipulation of the SolarWinds software for illegal ends. The SolarWinds breach potentially exposed information from over a hundred companies and government organizations, and even compromised the tools of cybersecurity companies designed to prevent these kinds of attacks, like FireEye.

There are also parallels to draw between a breach of the RNC and the hack of the Democratic National Committee and Hillary Clinton’s presidential campaign in 2016. That breach, and the leak of thousands of emails on WikiLeaks, ultimately led to the indictment of 12 members of GRU, a Russian military intelligence agency with connections to another group of ursine-inspired Russian hackers called Fancy Bear.

The RNC attack arrives among a flurry of ransomware attacks on critical infrastructure and companies in the US. The list is long, but in the last year, Colonial Pipeline, insurance provider CNA, and more recently, IT software provider Kaseya, have all been the victims of ransomware attacks. Bloomberg suggests Cozy Bear’s attack could have used these ransomware hacks as a kind of cover, and even if they didn’t, attacking political targets is an ongoing problem that doesn’t always end in a dramatic leak.



Microsoft warns of ‘sophisticated’ Russian email attack targeting government agencies

Microsoft has raised the alarm over a “sophisticated” ongoing cyberattack believed to be from the same Russia-linked hackers behind the SolarWinds hack. In a blog post, Tom Burt, Microsoft’s corporate vice president for customer security and trust, said the attack appears to be targeting government agencies, think tanks, consultants, and NGOs. In total, around 3,000 email accounts are believed to have been targeted across 150 organizations. Victims are spread across upward of 24 countries, but the majority are believed to be in the US.

According to Microsoft, hackers from a threat actor called Nobelium were able to compromise the US Agency for International Development’s account on a marketing service called Constant Contact, allowing them to send authentic-looking phishing emails. Microsoft’s post contains a screenshot of one of these emails, which claimed to contain a link to “documents on election fraud” from Donald Trump. However, when clicked, this link would install a backdoor that let the attackers steal data or infect other computers on the same network.

“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts,” a spokesperson for Constant Contact said in a statement. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”

Microsoft says it believes that many of the attacks were blocked automatically, and that its Windows Defender antivirus software is also limiting the spread of the malware. The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security has acknowledged Microsoft’s blog post and encouraged administrators to apply the “necessary mitigations.”

This salvo of malicious emails is a warning that supply chain cyberattacks against US organizations are showing no signs of slowing, and that hackers are updating their methods in response to previous attacks becoming public. In its post, Microsoft calls for new international norms to be established governing “nation-state conduct in cyberspace” along with expectations of the consequences for breaking them.

The US government has blamed SVR, the Russian foreign intelligence service, for the SolarWinds hack, Bloomberg notes, although Russia’s president Vladimir Putin has denied Russian involvement. The attack is believed to have compromised around 100 private sector companies and nine federal agencies. Up to 18,000 SolarWinds customers are believed to have been exposed to the malicious code. In response, President Biden announced new sanctions on Russia and moved to expel 10 Russian diplomats from Washington, Bloomberg reports.



Hackers backed by Russian government reportedly breached US government agencies

The same Russian government hacking group responsible for a security breach at FireEye compromised the Treasury and Commerce departments and other US government agencies, The Washington Post reported. The group, known as APT29, or Cozy Bear, was responsible for hacking the US State Department and the White House during the Obama administration, according to the Post, and is the group that officials believe targeted COVID-19 vaccine research over the summer.

Reuters reported that in addition to hacking Treasury and the Commerce Department’s National Telecommunications and Information Administration (NTIA), the hackers may have breached other US government entities.

Government officials considered the hack dire enough that the National Security Council held an emergency meeting at the White House on Saturday.

An NSC spokesman told Reuters that the government was “aware” of the reports, adding “we are taking all necessary steps” to remedy the situation. It’s not yet clear exactly what information may have been stolen or which foreign government was involved. But the “highly sophisticated” hackers were able to break into NTIA’s Microsoft Office software, tricking authentication controls in order to monitor staff emails for months, according to Reuters.

Microsoft released details on the methods used in the hack late Sunday night. Microsoft says the hackers, operating on behalf of an external nation state, compromised SolarWinds’ Orion monitoring and management software, giving attackers a foothold in target networks. Intruders were then able to “impersonate any of the organization’s existing users and accounts, including highly privileged accounts.”

Both Microsoft and SolarWinds are making countermeasures available to customers to help detect, protect, and respond to the threat.

Several federal law enforcement agencies, including the FBI, are investigating the breach.

Update December 14th, 4:47AM ET: Added details provided by Microsoft and SolarWinds.



US charges six Russian intelligence officers with hacking Ukraine, 2018 Olympics, and Skripal investigation

The Justice Department has charged six Russian intelligence officers with involvement in an extensive hacking campaign, including the notorious Petya ransomware attacks that targeted Ukraine in 2015. According to the indictment, the efforts also targeted the country of Georgia, the French elections, the 2018 winter Olympics, and investigations into the poisoning of former Russian military officer Sergei Skripal.

Many of the specific incidents in the indictment have been previously reported, but no law enforcement agency has publicly charged Russia’s GRU with orchestrating the attacks. Russia’s primary military intelligence agency, the GRU has previously been associated with a wide range of cyberattacks dubbed “Fancy Bear” by private-sector researchers. In this case, prosecutors even pin the operation down to a specific GRU building located at 22 Kirova Street in Moscow, which the indictment refers to as “the Tower.”

The indictment follows previous prosecutions concerning GRU campaigns against the 2014 Olympics or the Democratic National Committee during the 2016 campaign. One of the six defendants, Anatoliy Kovalev, was also named in the DNC indictments. But Monday’s indictment reaches further, alleging an international campaign of cyberattacks and political influence campaigns to further Russian national interests.

The most devastating of the attacks came against Ukrainian power grids in 2015. The first attack compromised internal networks at all three of the country’s major energy distribution companies, rendering computers inoperable and leaving more than 200,000 people without power in the dead of winter. The following year, a subsequent attack was launched against the country’s Ministry of Finance and State Treasury Service.

As with previous indictments against foreign hackers, Russia is unlikely to extradite the defendants, and it is unlikely that they will ever stand trial. Nonetheless, the new prosecution is a significant milestone in the ongoing efforts to hold the GRU accountable for its digital attacks.

The indictment is the result of more than two years of investigation by the FBI, a point that was emphasized by agents who worked on the case. “The exceptional talent and dedication of our teams in Pittsburgh, Atlanta and Oklahoma City who spent years tracking these members of the GRU is unmatched,” said Michael Christman, FBI special agent in charge of the Pittsburgh field office, in a statement. “These criminals underestimated the power of shared intelligence, resources and expertise through law enforcement, private sector and international partnerships.”



Russian hacker group reportedly targeted state Democratic parties in repeat of 2016 attacks

A Russian hacking group known as Fancy Bear targeted the emails of Democratic state parties in Indiana and California earlier this year as well as progressive think tanks, Reuters reported. The attempts were apparently not successful and were flagged by Microsoft, according to Reuters, with targets that included the Council on Foreign Relations, the Carnegie Endowment for International Peace, and the Center for American Progress.

The Russian embassy denied the allegations to Reuters, calling it “fake news.”

Fancy Bear has been connected to GRU, a Russian military intelligence agency, and in 2018, the Department of Justice indicted 12 members of GRU for hacking the Clinton campaign and the DNC. Fancy Bear was previously linked to the 2016 hacks of the Democratic National Committee and John Podesta, then-chair of the Clinton campaign. Emails collected through the hacks were published by WikiLeaks before the 2016 presidential election and proved damaging to the Clinton campaign.

Despite confirmation from the US intelligence community that the Russian government was behind the hack, President Trump has repeatedly expressed doubts that Russia was involved.

Microsoft said in a security report last month that Fancy Bear — also known as Strontium, or APT28 — was back and looking for targets related to the upcoming presidential election. The majority of the attacks were not successful, according to Microsoft, but Reuters previously reported that the hackers were targeting a communications firm working with the presidential campaign of Joe Biden and other prominent Democrats. The Biden campaign said at the time that a foreign actor had tried to breach the non-campaign email accounts of people affiliated with the campaign, but was not successful.

But Fancy Bear is nothing if not persistent, and according to cybersecurity firm FireEye, it’s known for going above and beyond the typical hack to get the information it wants. The group’s “unique history raises the prospect of follow-on information operations or other devastating activity,” FireEye warned in a note to customers.
