Tag Archive for: military

U.S. Wages Cyber War on Russian Military Botnet
The United States and its allies have struck a significant blow to a Russian military botnet whose targets included numerous government and military entities and corporations.

A January 2024 court-authorized operation effectively neutralized a network of hundreds of small office/home office (SOHO) routers that the Armed Forces of the Russian Federation (GRU) Military Unit 26165 used to conceal and enable a variety of cybercrimes, according to a U.S. Department of Justice Office of Public Affairs news release. The GRU unit is also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.

The GRU’s cybercrimes included vast spearphishing and similar credential harvesting campaigns against targets of interest to the Russian government, the Justice Department said.

Federal Bureau of Investigation (FBI) Director Christopher Wray spoke at the Munich Security Conference this week, where he announced the impact of Operation Dying Ember on the Russian cyber operation.

“Operation Dying Ember, where working with our U.S. — and, again, worldwide law enforcement partners — we ran a court-authorized technical operation to kick the Russian GRU off well over a thousand home and small business routers and lock the door behind them, killing the GRU’s access to a botnet it was piggybacking to run cyber operations against countries around the world, including America and its allies in Europe,” Wray said.

He continued, “With these operations, and many more like them, we’ve set our sights on all the elements that we know from experience make criminal organizations tick: their people — a term we define broadly to include not just ransomware administrators and affiliates, but their facilitators, like bulletproof hosters and money launderers; their infrastructure; their servers, botnets, etc.; and their money, the cryptocurrency wallets they use to stash their ill-gotten gains, hire associates and lease infrastructure.

“Because we don’t just want to hit them — we want to hit them everywhere it hurts, and put them down, hard.”

Cyber Experts Weigh In

Tom Kellermann, senior vice president of Cyber Strategy at Contrast Security, who partners with MSSPs,…

Source…

Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network

Feb 07, 2024 | Newsroom | Cyber Espionage / Network Security


Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had fewer than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER, delivered from an actor-controlled server and designed to grant persistent remote access to the compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.

It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and NETGEAR routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a…

Source…

US military steps up cyberwarfare effort | elpasoinc.com – El Paso Inc.


Source…

Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Kyivstar
Over nearly a decade, the hacker group within Russia’s GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine’s power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions and even temporarily sabotaging the air raid warning system in the capital of Kyiv.

On Tuesday, a cyberattack hit Kyivstar, one of Ukraine’s largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.

Kyivstar’s CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday, according to Reuters, that the hacking incident “significantly damaged [Kyivstar’s] infrastructure [and] limited access.”

“We could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy’s access,” he continued. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”

The Ukrainian government hasn’t yet publicly attributed the cyberattack to any known hacker group—nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as Solntsepek had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia’s GRU.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 computers, more than 4 thousand servers, all cloud storage and backup systems,” reads the message in Russian, addressed to Ukrainian president Volodymyr Zelenskyy and posted to the group’s Telegram account. The message also includes screenshots that appear to show access to Kyivstar’s network, though this could not be verified. “We attacked Kyivstar…

Source…