Friday, April 14, 2017

Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks


Monday, April 10, 2017 Swati Khandelwal
Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries.

Since March, as part of its "Vault 7" series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).

Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world.



Those 40 cyber attacks were conducted by Longhorn — a North American hacking group that has been active since at least 2011 and has used backdoor trojans and zero-day attacks to target government, financial, energy, telecommunications, education, aerospace, and natural resources sectors.

Although the group's targets were all in the Middle East, Europe, Asia, and Africa, researchers said the group once infected a computer in the United States, but an uninstaller was launched within an hour, which indicates the "victim was infected unintentionally."

What's interesting is that Symantec linked some of CIA hacking tools and malware variants disclosed by Wikileaks in the Vault 7 files to Longhorn cyber espionage operations.


Fluxwire (Created by CIA) ≅ Corentry (Created by Longhorn)
Fluxwire, a cyber espionage malware allegedly created by the CIA and mentioned in the Vault 7 documents, contains a changelog of the dates on which new features were added, which, according to Symantec, closely resembles the development cycle of "Corentry," a malware created by the Longhorn hacking group.

"Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file," Symantec explains. "The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0."
"Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler."
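The two artifact classes Symantec relies on here, an embedded PDB path and the compiler that built a sample, are things an analyst can pull out of a binary with a few lines of triage code. The following Python helper is an added illustration and is not Symantec's tooling or anything from the Vault 7 documents; the two byte blobs are constructed stand-ins for PE files, and the "GCC: (GNU)" string and "Rich"-header checks are generic PE-analysis heuristics assumed for the example rather than anything the article describes.

```python
import re
import struct
import uuid

# Constructed sample blobs standing in for PE files; they are not real samples.
# SAMPLE_GCC mimics an older build: a GCC version string plus a CodeView record
# that still carries the full PDB path. SAMPLE_MSVC mimics a later build linked
# with MSVC (Rich header present) whose PDB path has been stripped.
SAMPLE_GCC = (
    b"MZ" + b"\x00" * 62
    + b"PE\x00\x00" + b"\x00" * 20
    + b"GCC: (GNU) 4.8.2\x00"
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"C:\\build\\tool\\Release\\tool.pdb\x00"
)
SAMPLE_MSVC = (
    b"MZ" + b"\x00" * 40
    + b"Rich" + b"\x12\x34\x56\x78"
    + b"PE\x00\x00" + b"\x00" * 20
)


def extract_pdb_paths(data: bytes) -> list[dict]:
    """Return every CodeView 'RSDS' record found in the blob.

    Layout after the 4-byte signature: 16-byte GUID, 4-byte age,
    NUL-terminated PDB path. A build that strips the path simply
    yields no record.
    """
    records = []
    for m in re.finditer(b"RSDS", data):
        start = m.end()
        if start + 20 > len(data):
            continue
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        age = struct.unpack_from("<I", data, start + 16)[0]
        end = data.find(b"\x00", start + 20)
        if end == -1:
            continue
        try:
            path = data[start + 20:end].decode("ascii")
        except UnicodeDecodeError:
            continue  # stray "RSDS" bytes, not a real record
        records.append({"guid": str(guid), "age": age, "path": path})
    return records


def compiler_hints(data: bytes) -> set[str]:
    """Cheap toolchain heuristics (assumed for this example): GCC leaves
    'GCC: (GNU) x.y' strings in the binary, and the MSVC linker writes an
    undocumented 'Rich' header between the DOS stub and the PE signature."""
    hints = set()
    if re.search(rb"GCC: \(GNU\)", data):
        hints.add("gcc")
    pe_sig = data.find(b"PE\x00\x00")
    if pe_sig != -1 and b"Rich" in data[:pe_sig]:
        hints.add("msvc")
    return hints


def profile(data: bytes) -> dict:
    """Combine both artifact classes into one record so that builds of the
    same tool can be lined up against a changelog."""
    return {"pdb": extract_pdb_paths(data), "compiler": sorted(compiler_hints(data))}


if __name__ == "__main__":
    for name, blob in (("old build", SAMPLE_GCC), ("new build", SAMPLE_MSVC)):
        print(name, profile(blob))
```

Run over a set of samples, the profiles give you exactly the kind of timeline Symantec describes: a PDB path that appears in early builds and vanishes later, and a compiler switch on a particular date.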

Similar Malware Modules
Another Vault 7 document details a 'Fire and Forget' specification for the payload and a malware module loader called Archangel, which Symantec says match almost perfectly with a Longhorn backdoor called Plexor.



"The specification of the payload and the interface used to load it was closely matched in another Longhorn tool called Backdoor.Plexor," says Symantec.


Use of Similar Cryptographic Protocol Practices
Another leaked CIA document outlined cryptographic protocols that should be used within malware tools, such as using AES encryption with a 32-bit key, inner cryptography within SSL to prevent man-in-the-middle attacks, and key exchanges once per connection.

One leaked CIA document also recommends using in-memory string de-obfuscation and the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.

According to Symantec, these cryptographic protocol and communication practices were also used by the Longhorn group in all of its hacking tools.


More About the Longhorn Hacking Group
Longhorn has been described as a well-resourced hacking group that works on a standard Monday to Friday working week — likely a behavior of a state-sponsored group — and operates in an American time zone.

Longhorn's advanced malware tools are specially designed for cyber espionage with detailed system fingerprinting, discovery, and exfiltration capabilities. The group uses extremely stealthy capabilities in its malware to avoid detection.

Symantec's analysis of the group's activities also shows that Longhorn is from an English-speaking North American country: its code words refer to the band The Police (REDLIGHT and ROXANNE) and include colloquial terms like "scoobysnack."

Overall, the functionality described in the CIA documents and its links to the group activities leave "little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group."

Friday, January 6, 2017

US spy chief ‘resolute’ on Russia cyber attack, differs with president-elect Trump
Image Credit: REUTERS
The top U.S. intelligence official said on Thursday he was “even more resolute” in his belief that Russia staged cyber attacks on Democrats during the 2016 election campaign, rebuking persistent skepticism from Republican President-elect Donald Trump about whether Moscow was involved.
James Clapper, the director of national intelligence, said he had a very high level of confidence that Russia hacked Democratic Party and campaign staff email, and disseminated propaganda and fake news aimed at the Nov. 8 election.
“Our assessment now is even more resolute than it was” on Oct. 7 when the government first publicly accused Russia, Clapper told a hearing of the Senate Armed Services Committee. He said motives for the attack would be made public next week.
Trump on Thursday morning called himself a “big fan” of intelligence agencies. But he has cast doubt on their assessments that Russia targeted the campaign of his opponent, former Secretary of State Hillary Clinton, drawing ire from his fellow Republicans as well as Democrats who are wary of Moscow and distrust Trump’s praise of Russian President Vladimir Putin.
The intelligence officials at Thursday’s hearing said they worried a lack of support from atop the government could prompt valued staff members to leave their agencies.
“There’s a difference between healthy skepticism … and disparagement,” Clapper said. Vice President-elect Mike Pence has used the expression “healthy skepticism” to defend Trump’s criticism of intelligence findings.
Central Intelligence Agency Director John Brennan, speaking at the University of Chicago Institute of Politics on Thursday, said that because Trump had never served in government, he was unfamiliar with the intelligence profession.
“It doesn’t bother me if someone is going to be skeptical and challenge our work and maybe disagree with our views, but I expect that the president of the United States will recognize that the CIA and intelligence community were established by statute for a very important reason,”
The congressional hearing was overseen by Republican Senator John McCain, a vociferous Russia critic. It was the first in a promised series of briefings and hearings on allegations that Russia tried to disrupt or influence the U.S. campaign, one of the most bitter in recent history.
Moscow denies the allegations.
McCain told reporters that Senator Lindsey Graham, also a vocal critic of Moscow, would chair a new Armed Services subcommittee dedicated to cyber issues.
Trump will be briefed by intelligence agency chiefs on Friday on the hacks. President Barack Obama received a report on the matter on Thursday. An unclassified version will be made public early next week.
“I don’t think we’ve ever encountered a more aggressive or direct campaign to interfere in our election process than we’ve seen in this case,” said Clapper, who leaves when Trump becomes president on Jan. 20. Clapper stopped short of declaring Russia’s actions “an act of war,” saying that determination was beyond the scope of his office.
Clapper and the two other officials who testified, National Security Agency Director Admiral Mike Rogers, and Marcel Lettre, undersecretary of defense for intelligence, did not say what made U.S. intelligence confident Russia was behind the cyber attacks, a conclusion also reached by several private firms.
CRITICAL OF ASSANGE
Obama last week ordered the expulsion of 35 suspected Russian spies and imposed sanctions on two Russian intelligence agencies he said were involved in hacking U.S. political groups such as the Democratic National Committee.
The CIA has identified Russian officials who fed material hacked from the DNC and Democratic Party leaders to WikiLeaks at Putin’s direction through third parties, according to a new U.S. intelligence report, senior U.S. officials said.
Documents stolen from the DNC and Clinton’s campaign chairman, John Podesta, were posted on the Internet before the election, embarrassing the campaign.
In a tweet on Wednesday, Trump was skeptical about a Russian role in the affair, writing: “(WikiLeaks founder) Julian Assange said ‘a 14 year old could have hacked Podesta’ – why was DNC so careless? Also said the Russians did not give him the info!”
But on Thursday, Trump said in another Twitter post that he was not against intelligence agencies or in agreement with Assange. “The media lies to make it look like I am against ‘intelligence’ when in fact I am a big fan!” Trump tweeted.
Clapper said Assange had put American lives in danger and deserved no credibility. McCain and other lawmakers also blasted Assange.
Senator Claire McCaskill, a Democrat, said there would be “howls” from Republicans if a Democrat described intelligence officials as Trump had.
U.S. intelligence officials have said Russian cyber attacks were specifically aimed at helping Trump beat Clinton. Several Republicans have acknowledged the Russian hacking but have not linked it to an effort to help Trump win.
Trump and top advisers believe Democrats are trying to delegitimize his victory by accusing Russia of helping him.
Senator Tim Kaine, an Armed Services member who was Clinton’s vice presidential running mate, said: “It is my hope that this Congress is willing to stand in a bipartisan way for the integrity of the electoral process.”
Graham said Obama’s actions against Moscow fell short.
“I think what Obama did was throw a pebble. I’m ready to throw a rock,” Graham said. “Putin is up to no good and he better be stopped.”
Reuters

Friday, December 23, 2016

Lithuania finds spyware on its government computers, holds Kremlin responsible
Image Credit: Malwarebytes
The Baltic state of Lithuania, on the frontline of growing tensions between the West and Russia, says the Kremlin is responsible for cyber attacks that have hit government computers over the last two years.
The head of cyber security told Reuters three cases of Russian spyware on its government computers had been discovered since 2015, and there had been 20 attempts to infect them this year.
“The spyware we found was operating for at least half a year before it was detected – similar to how it was in the USA,” Rimtautas Cerniauskas, head of Lithuanian Cyber Security Centre said.
The Kremlin did not immediately respond to a Reuters written request for comments over the Lithuanian claims. But Russia has in the past denied accusations of hacking Western institutions.
Fears of cyber attacks have come to the fore since the U.S. election campaign when hacking of Democratic Party emails led to allegations from U.S. intelligence that Russia was involved. Lithuania, Estonia and Latvia, all ruled by Moscow in communist times, have been alarmed by Russia’s annexation of Ukraine’s Crimea peninsula in 2014 and its support for pro-Russian separatists in eastern Ukraine.
In what Baltic officials say was a wake-up call, Estonia was hit by cyber attacks on extensive private and government Internet sites in 2007. State websites were brought to a crawl and an online banking site was closed. Lithuanian intelligence services, in their annual report, say cyber attacks have moved from being mainly targeted at financial crimes to more political spying on state institutions.
Russian spyware was transferring all documents it could find, as well as all passwords entered on websites such as GMail or Facebook, to an internet address commonly used by Russian spy agencies, Cerniauskas said. “This only confirms that attempts are made to infiltrate our political sphere,” said Cerniauskas.
Preparations
Germany’s domestic intelligence agency reported earlier this month a striking increase in Russian targeted cyber attacks against political parties and propaganda and disinformation campaigns aimed at destabilising German society. The domestic intelligence chief said Russia may seek to interfere in its national elections next year.
Although no Russian cyber meddling was detected in the run-up to and during the Lithuanian general election in October, Cerniauskas said his country needs to understand it is vulnerable to such meddling. ”Russians are really quite good in this area. They have been using information warfare since the old times. Cyberspace is part of that, only more frowned upon by law than simple propaganda”, he said.
“They have capacity, they have the attitude, they are interested, and they will get to it – so we need to prepare for it and we need to apply countermeasures.” Lithuanian officials targeted by the Russian spyware held mid-to-low ranking positions at the government, but their computers contained a stream of drafts for government decisions of its positions on various matters, said Cerniauskas.
The head of the Lithuanian counter-intelligence agency Darius Jauniskis said Russia tried to sow chaos in Lithuania by orchestrating a cyber attack in 2012 against the Lithuanian central bank and its top online news website. “It is all part of psychological warfare,” he told Reuters earlier this month.
Reuters

Wednesday, November 30, 2016

Cyber attacks in China and Hong Kong grew 969% from 2014 to 2016, says survey
Image credit: Reuters
Cyber attacks on Chinese companies have soared in the past two years, according to a survey, with new technologies that connect household items to the internet and allow them to receive and send data seen as particularly vulnerable.
The average number of cyber attacks detected by companies in mainland China and Hong Kong grew 969 percent between 2014 and 2016. The number of attacks averaged more than 7 a day for each of the survey’s 440 China-based respondents – around half of the global average of 13.
However, the average number of attacks fell by 3 percent globally over the last two years, and 30 percent since 2015, in contrast to the rise in China.
China’s rapid adoption of new consumer and industrial technology for the ‘Internet of Things (IoT)’ era may be part of the reason. PwC said such connected devices are the leading targets of cyber-attacks.
“IoT devices in general have not paid attention to cyber security,” said Marin Ivezic, a partner on cyber security at PwC in Hong Kong.
“In China and Hong Kong … we have more adoption than anywhere else in the world,” he said, noting China was also one of the biggest manufacturers of these items.
Chinese-made connected home devices such as webcams with security loopholes that gave way to botnet malware were blamed by security researchers for a massive cyber attack in the US last month that temporarily paralyzed major internet sites.
The Chinese companies surveyed had cut their cybersecurity budget by 7.6 percent in 2016 compared with flat global spending. Thirty-four percent of them identified competitors as a source of attacks, a rate higher than anywhere else in the world.
The PwC survey does not track the country of origin of the attacks, which Ivezic said is “almost impossible”. The drop in the global number of cyber attacks did not reflect a safer environment, he said, but was rather the result of more sophisticated cyber criminals who were more selective in who they targeted.
Reuters

Monday, October 24, 2016

Comedian Leslie Jones lashes back at hackers in “Saturday Night Live” over recent celeb hacks
A day after hackers unleashed an attack on some of the world’s best-known websites, comedian Leslie Jones weighed in on cyber-security in a commentary on “Saturday Night Live,” saying cyber criminals could put their talents to far better use than hacking celebrities. Jones, whose own website was hacked in August resulting in nude photos and personal information including her passport and driver’s license being posted, offered her perspective during her recurring gig as an impassioned contributor to the weekly comedy show’s “Weekend Update” news segment.
“I am very comfortable with who I am. I am an open book,” Jones declared, noting “I keep my porn in a folder labeled porn.” “If you wanna see Leslie Jones naked, just ask,” the comedian added, in what one Twitter user, an entertainment website editor, said may have been Jones’ “finest SNL moment.” After starring in the “Ghostbusters” film this summer, Jones briefly quit Twitter because she was bombarded by racist and abusive comments.
“If I was good at computers, I wouldn’t waste it trolling on people,” Jones said. Instead, “I would do something useful, like renew my driver’s license from home. I would hack into Tinder and delete all those other girls’ profiles, so no matter where you swipe, you get me.”
Adopting a seemingly more serious tenor, Jones scolded hackers by saying “If you want to hurt anybody these days, you’re going to have to do way more than leak their news or call them names. You can’t embarrass me more than I have embarrassed myself.”
“At a certain point you got to stop being embarrassed and just start being you, and I have been me for 49 years. Because the only person who can hack me is me,” she vowed, adding: “My firewall is a crazy-ass bitch with a shovel.”
Reuters

Friday, September 30, 2016

US Securities and Exchange Commission may make Yahoo the test case of data breach disclosure rules
Yahoo’s disclosure that hackers stole user data from at least 500 million accounts in 2014 has highlighted shortcomings in U.S. rules on when cyber attacks must be revealed and their enforcement. Democratic Senator Mark Warner this week asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives properly disclosed the attack, which Yahoo blamed on Sept. 22 on a “state-sponsored actor.”
The Yahoo hack could become a test case of the SEC’s guidelines, said Jacob Olcott, former Senate Commerce Committee counsel who helped develop them, due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo’s discovery. Yahoo has not specifically addressed when it learned of the 2014 attack. And the vagueness of SEC’s 2011 rules on disclosure and its failure to enforce them are drawing equal attention, privacy lawyers and cyber security experts said.
The agency has “been looking for the right case to bring forward,” said Olcott. The agency in 2011 told publicly traded companies to report hacking incidents that could have a “material adverse effect on the business” but did not define that. SEC has never acted against a company for failing to disclose a cyber security incident or threat, and it has brought just two enforcement actions against companies for insufficient data protection, an agency spokesman said. Lawyers said this reflected difficulty in determining if breaches were material and many companies’ belief that reporting on cyber threats generally satisfies the disclosure requirement.
Yahoo has not offered a precise timeline about when it was made aware of the breach. On Sept. 9, it said in an SEC filing it did not know of “any incidents of, or third party claims alleging … unauthorized access” of customers’ personal data that could have a material adverse effect on Verizon Communication Inc’s planned $4.8 billion acquisition of Yahoo’s core business. Since then, Yahoo has not clarified if it knew of the attack before that SEC filing. “Our investigation into this matter is ongoing and the issues are complex,” a Yahoo spokesman said last week.
In his letter, Warner asked the SEC to evaluate whether the current disclosure regime was adequate. He cited reports that fewer than 100 of 9,000 public companies disclosed a material data breach since 2010. “I don’t know that we need new rules. But in certain situations, you may need more aggressive enforcement,” said Roberta Karmel, a Brooklyn Law School professor. The SEC in 2014 examined whether cyber disclosure rules needed to be strengthened and imposed new requirements for broker-dealers and investment advisers but not public companies.
‘Punish the victim’
Some policymakers worry rules compelling prompt disclosure of cyber attacks could deter companies from cooperating with authorities. “We cannot blame executives for worrying that what starts today as an honest conversation about a cyber attack could end tomorrow in a ‘punish the victim’ regulatory enforcement action,” Commerce Secretary Penny Pritzker said this week. Congress last year expanded liability protections for companies that share cyber information with the government, and Pritzker urged granting companies temporary immunity during the response to a hack.
Amid SEC inaction, the Federal Trade Commission has brought 60 successful data security cases since 2001 in part, lawyers said, because its authority is clearer than the SEC’s. Those cases have dealt with deceptive statements by companies and security lapses. The FTC is hampered by the lack of a national requirement for companies to notify the public about data breaches. That idea got widespread support after the 2013 hacking of shoppers’ credit card information from Target Corp. But legislation proposed by President Barack Obama in 2015 fizzled.
Reuters