
Tag: Ukraine

China launches second (and first homegrown) aircraft carrier

While it still requires outfitting, the new ship will be China's first fully combat-ready aircraft carrier.

Microsoft Word exploit linked to cyberspying in Ukraine conflict

A previously unknown Microsoft Office vulnerability was recently used to deliver spyware to Russian-speaking targets, in a possible case of cyberespionage. Security firm FireEye noticed the intrusion attempt, which taps a critical software flaw that attackers are using to craft malicious Microsoft Word documents. On Wednesday, FireEye said it uncovered one attack that weaponized a Russian military training manual. Once opened, the malicious document delivers FinSpy, surveillance software that has been marketed to governments.

Financial cyberthreats in 2016

In 2016 we continued our in-depth research into the financial cyberthreat landscape. We've noticed over the last few years that large financial cybercriminal groups have started to concentrate their efforts on targeting large organizations – such as banks, payment processing systems, retailers, hotels and other businesses where POS terminals are widely used.

Cyber-Reconnaissance Malware Bugging Computers in Ukraine

NEWS ANALYSIS: Industrial security company CyberX finds malware, which it suspects was created by Russian hackers, infecting computers and gathering audio data at critical infrastructure sites in Ukraine.

At Least 70 Organizations Targeted In Sophisticated Cyber Surveillance Operation

Most of the targets are in Ukraine, though a few have been spotted in Russia and elsewhere, CyberX says

Eavesdropping Malware Discovered Gathering Audio Data in Ukraine

NEWS ANALYSIS: The "Operation BugDrop" malware stealthily infects computers and turns on the onboard microphone to gather audio files, which it uploads to Dropbox for retrieval and analysis.

Ukraine Blames Russia For New Virus Targeting Infrastructure

The Russian security service, software firms, and criminal hackers are accused of orchestrating cyberattacks on Ukraine's infrastructure.

New Mac malware pinned on same Russian group blamed for election...

Xagent for Macs steals passwords, grabs screenshots, and exfiltrates iPhone backups.

Ransomware app hosted in Google Play infects unsuspecting Android user

Google Play, the official market for Android apps, was caught hosting a ransomware app that infected at least one real-world handset, security researchers said Tuesday. The ransomware was dubbed Charger and was hidden inside an app called EnergyRescue, according to a blog post published by security firm Check Point Software. Once installed, Charger stole contacts and SMS messages and prompted unsuspecting users to grant it all-powerful administrator rights. If users clicked OK, the malicious app locked the device and displayed the following message:

"You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family."

The app sought 0.2 Bitcoin, currently worth about $180.

In an e-mail, Check Point researchers said the app was available in Google Play for four days and had only a "handful" of downloads. "We believe the attackers only wanted to test the waters and not spread it yet," the researchers told Ars.

The infection was detected by Check Point's mobile malware software, which the company sells to businesses.

Google officials have since removed the app and have thanked Check Point for raising awareness of the issue.

Hiding in plain sight

An analysis showed that Charger checked the local settings of an infected device and wouldn't execute the app's malicious payload if the device was located in Ukraine, Russia, or Belarus.

The behavior was likely an attempt to prevent the developers from facing legal actions in those countries.
In the blog post, Check Point researchers added:

"Most malware found on Google Play contains only a dropper that later downloads the real malicious components to the device. Charger, however, uses a heavy packing approach which [makes] it harder for the malware to stay hidden, so it must compensate with other means. The developers of Charger gave it everything they had to boost its evasion capabilities and so it could stay hidden on Google Play for as long as possible. The malware uses several advanced techniques to hide its real intentions and makes it harder to detect. It encodes strings into binary arrays, making it hard to inspect them. It loads code from encrypted resources dynamically, which most detection engines cannot penetrate and inspect. The dynamically-loaded code is also flooded with meaningless commands that mask the actual commands passing through. It checks whether it is being run in an emulator before it starts its malicious activity. PC malware first introduced this technique which is becoming a trend in mobile malware having been adopted by several malware families including Dendroid."

In 2012, Google unveiled a cloud-based scanner dubbed Bouncer that was billed as a way for the company to detect malicious apps before they were made available in Play. Five years later, the discovery of malicious apps like Charger is a regular occurrence.

Google makes little reference to the tool these days. The incident is the latest to underscore the risks posed by apps hosted on Google servers. On Monday, Check Point documented the return of the virulent family of Android malware known as HummingBad, which managed to get from 2 million to 12 million downloads from the marketplace before the 20 affected apps were detected and removed.
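The Check Point description above lists four traits that can be looked for statically before an app ever runs: a device-admin request, code loaded dynamically from encrypted resources, an emulator check, and a geofence on Ukraine, Russia and Belarus. The following is an added example written for this page, not Check Point's detection logic or anything from the Charger sample: it takes the string constants recovered from an app's classes.dex and reports which of those traits are present. The regex lists, the requirement that a country lookup be paired with country literals before it counts as a geofence, and the "high" threshold are all the author's assumptions; the string pools are constructed for the demo.

```python
"""Static triage of an Android app for the evasion traits Check Point describes
for Charger. Input is the list of string constants from the app's classes.dex
string pool (as produced by any dex parser), so the check runs on an unpacked
APK without executing it. Example code, not Check Point's detection logic;
pattern lists and thresholds are the author's assumptions."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Category -> regexes expected in the string pool when the trait is present.
INDICATORS: Dict[str, List[str]] = {
    "device_admin": [
        r"android\.app\.action\.ADD_DEVICE_ADMIN",
        r"android\.permission\.BIND_DEVICE_ADMIN",
        r"DevicePolicyManager",
    ],
    "dynamic_code_loading": [
        # Class loaders that run code not present in classes.dex, plus the
        # pieces needed to decrypt it from a raw resource first.
        r"dalvik/system/(DexClassLoader|InMemoryDexClassLoader|PathClassLoader)",
        r"openRawResource",
        r"javax/crypto/Cipher",
    ],
    "emulator_check": [
        r"\bgoldfish\b", r"\branchu\b", r"ro\.kernel\.qemu",
        r"/dev/socket/qemud", r"generic_x86", r"Build;->FINGERPRINT",
    ],
    "geofence": [r"getSimCountryIso", r"getNetworkCountryIso"],
}
# ISO codes for Ukraine, Russia and Belarus, the countries Charger skipped.
GEOFENCE_COUNTRY_CODES = {"ua", "ru", "by"}


def triage(dex_strings: Iterable[str]) -> Dict[str, List[str]]:
    """Return {category: [matching strings]} for the traits found."""
    hits = defaultdict(set)
    country_literals = set()
    for s in dex_strings:
        for category, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                hits[category].add(s)
        if s.lower() in GEOFENCE_COUNTRY_CODES:
            country_literals.add(s)
    # A country lookup alone is normal (localisation); only count it as a
    # geofence when the app also carries the country literals to compare with.
    if "geofence" in hits and country_literals:
        hits["geofence"] |= country_literals
    else:
        hits.pop("geofence", None)
    return {k: sorted(v) for k, v in hits.items()}


def verdict(findings: Dict[str, List[str]]) -> str:
    """Device-admin request combined with two or more evasion traits matches
    the lock-screen ransomware profile described for Charger."""
    evasion = {"dynamic_code_loading", "emulator_check", "geofence"} & set(findings)
    if "device_admin" in findings and len(evasion) >= 2:
        return "high"
    return "review" if findings else "clean"


# Constructed string-pool excerpts for the demo (not strings from Charger).
SUSPECT_STRINGS = [
    "Landroid/app/admin/DevicePolicyManager;",
    "android.app.action.ADD_DEVICE_ADMIN",
    "Ldalvik/system/DexClassLoader;",
    "Ljavax/crypto/Cipher;",
    "openRawResource",
    "ro.kernel.qemu",
    "goldfish",
    "Landroid/telephony/TelephonyManager;",
    "getSimCountryIso",
    "ua", "ru", "by",
]
BENIGN_STRINGS = [
    "Landroid/app/Activity;", "setContentView",
    "getSimCountryIso",           # localisation lookup, no country literals
    "Lokhttp3/OkHttpClient;",
]

if __name__ == "__main__":
    for name, pool in (("suspect", SUSPECT_STRINGS), ("benign", BENIGN_STRINGS)):
        f = triage(pool)
        print(name, verdict(f), f)
```

The point of pairing the country lookup with the literals is to keep a plain localisation call from tripping the rule; a packer that encodes strings into byte arrays, as Charger does, will hide most of these constants, so a string pool that is nearly empty of API names is itself worth a "review" rather than a "clean".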

What’s the biggest danger to the power grid? Hackers? Terrorists? Er,...

Turns out Mother Nature is a killer for power and people

For decades now people have been claiming that the power grid could be taken down by terrorists. However, simple statistical analysis shows that the biggest danger isn't online hackers, but squirrels – aka rats with good PR. Cris Thomas, a strategist at Tenable Network Security who goes by the moniker Space Rogue, has been tracking animal-induced power outages since March 2013; we briefly checked out his CyberSquirrel1 project in November 2015. Fast forward to 2017, and Thomas is still beavering away: he's found that not only are furry and feathered critters a much bigger danger to the power grid than hackers, they are also killing people.

In a presentation to the ShmooCon hacking conference at the weekend, Thomas showed that squirrels have been responsible for 879 power outages around the world, with the next most common animal saboteurs being birds – either directly via nests, or resulting from streams of excrement. "35 years of cyberwar and the squirrels are winning," he said. In all, he has tracked 1,753 animal-caused power outages that, taken in total, equate to 78 days without power in the US, leaving over 4.7 million people in the dark.

These incidents have also caused the death of eight people. In 2015, a fox shorting out a substation in Utah caused an outage that shut down an oxygen machine and led to the death of a patient.
In the same year, three Sri Lankan soldiers were electrocuted after a squirrel caused a fire that broke power lines – causing them to fall on the soldiers' vehicle. Natural saboteurs come in many strange forms.

For example, Thomas found 13 outages attributed to jellyfish that got sucked into water cooling systems and gummed up the works.

Another outage was caused by a bird that was collecting acorns in a microwave dish, eventually amassing 300lb of the things, which borked the hardware.

There is a serious point to this

So far, so funny, but there is a serious point to all of this.

Thomas sees the project not only as an interesting data exercise, but also as a way to puncture some of the pomposity of so-called cyberwarfare experts. "Why CyberSquirrel1? Basically to counteract the ludicrous cyberwar claims," he said. "It's really at an epic, unbelievable level some of the bullshit that gets peddled as fact by people at high levels of government and industry who are really spouting stuff they don't know anything about. We're trying to counter some of the FUD that's out there." The power grid is vulnerable, Thomas explained.

The US Federal Energy Regulatory Commission studied the grid and discovered that destroying just nine of the 55,000 substations across the US would black out the country for up to 18 months – what Thomas called a "democracy-ending event." The energy commission used confidential and protected information to come to its conclusion. Last year, security researchers at iSIGHT carried out a similar study, codenamed Project Gridstrike, and determined that, using publicly available information, an attacker could destroy 15 substations and trigger the same devastating blackout. But you have to look at the motivations.

Any major nation state attacking the US is going to want to keep the power on, so they can see what's going on, he opined. Minor threat actors like North Korea or the Daesh-bags lack the resources and/or motivation to bring down the US grid for a long period. Actual cyberattacks against infrastructure, such as those in Ukraine, do occur, but they only last for a few hours at the most. Shutting down the grid long term would take the physical destruction of equipment, not just computer hacking.

Who’s winning the cyber war? The squirrels, of course

WASHINGTON, DC—For years, the government and security experts have warned of the looming threat of "cyberwar" against critical infrastructure in the US and elsewhere. Predictions of cyber attacks wreaking havoc on power grids, financial systems, and other fundamental parts of nations' fabric have been foretold repeatedly over the past two decades, and each round has become more dire.

The US Department of Energy declared in its Quadrennial Energy Review, just released this month, that the electrical grid in the US "faces imminent danger from a cyber attack." So far, however, the damage done by cyber attacks, both real (Stuxnet's destruction of Iranian uranium enrichment centrifuges and a few brief power outages alleged to have been caused by Russian hackers using BlackEnergy malware) and imagined or exaggerated (the Iranian "attack" on a broken flood control dam in Rye, New York), cannot begin to measure up to an even more significant cyber-threat—squirrels. That was the message delivered at the Shmoocon security conference on Friday by Cris "SpaceRogue" Thomas, former member of the L0pht Heavy Industries hacking collective and now a security researcher at Tenable.
In his presentation—entitled, "35 Years of Cyberwar: The Squirrels Are Winning"—SpaceRogue revealed the scale of the squirrelly threat to worldwide critical infrastructure by presenting data gathered by CyberSquirrel 1, a project that gathers information on animal-induced infrastructure outages collected from sources on the Internet.
Thomas sought to dispel what he called the "FUD" around cyber-attacks on critical infrastructure, citing dire predictions from a number of sources, including "the pre-eminent infosec expert Ted Koppel" (whose recent book, Lights Out, focuses on the vulnerability of the power grid).

And with government officials such as the Federal Energy Regulatory Commission Chairman Cheryl LaFleur declaring that "one [successful cyber attack] is too many," SpaceRogue likened the government's posture to the Cheney Doctrine, also known as the "One-Percent Doctrine." As Thomas explained, that doctrine is "if there's a one percent chance of something occurring, we must employ 100 percent of our resources to prevent it.

This is essentially [what happened with] Iraq, and we're now applying it to cyber and equating cyber to nukes and [mutual assured destruction].
It really doesn't work that way." That sort of stance is made even more unnerving by the fact that many of the cases where "cyber" has been attributed to incidents with energy infrastructure turned out to be false alarms.

Even in the few cases where a network intrusion resulted in disruption of the electrical grid—specifically in Ukraine, where two attacks caused power outages—the impact was relatively brief and was comparable to outages caused by other factors, Thomas noted. To "counteract the ludicrousness of cyberwar claims by people at high levels in government and industry," Thomas said, he launched CyberSquirrel1.
Inspired by a presentation at Thotcon by Josh Corman (now the director for Cyber Statecraft at the Atlantic Council) and Jericho of Attrition.org, SpaceRogue started CyberSquirrel1 initially as a Twitter feed on March 19, 2013.

The account simply "collected from a Google alert for news," he said.

But it soon evolved into a much larger data gathering effort, collecting from search engines and other Web sources to populate a spreadsheet. Jericho joined in to enhance the data set the next year, adding more details and events—but even so, Thomas noted that he was only catching a fraction.

[Figure: Successful squirrel attacks against the power grid in 2016, mapped by CyberSquirrel1.]

Squirrels are not the only "actors" tracked by CyberSquirrel1: birds, snakes, raccoons, rats, and martens factor in among the top animal threats captured by the project's spreadsheet. Jellyfish have even gotten into the act, shutting down a nuclear power plant in 2013. CyberSquirrel1's data so far has tracked "over 1,700 outages, affecting nearly 5 million people," Thomas noted. "If you consolidated them into one location, it would basically take out the power for the San Francisco metropolitan area for two months." Shockingly, eight deaths have even been attributed to animal attacks on infrastructure since the tracking began, six of them caused by squirrels downing power lines that struck people on the ground.

[Figure: A table of successful cyberwarfare attacks to date. The squirrels are winning. (CyberSquirrel1)]

As of January 8, even if you count the Ukraine attacks still not firmly attributed to Russia, even frogs (with three outages) have more successful attacks on power grids than state actors. Squirrels worldwide, however, are the clear cyberwar leaders: 879 successful attacks against infrastructure.

There's also that swan that performed the denial of service attack on a train in the UK on Friday, January 13—truly showing the breadth of the animal kingdom's toolbox.

Crims shut off Ukraine power in wide-ranging anniversary hacks

Phishing, denial of service, and remote exploitation part of hacking banquet

Hackers of unknown origin cut power supplies in Ukraine for a second time in 12 months as part of wide-ranging attacks that hit the country in December. The attacks were revealed at the S4x17 conference in Miami, where Honeywell security researcher Marina Krotofil offered reporters some detail on the exploitation that began 16 December and raged for four days. She told Dark Reading attackers triggered an hour-long blackout at midnight on 17 December by infecting the Pivnichna remote power transmission facility, knocking out remote terminal units and the connected circuit breakers. Further attacks against the State Administration of Railway Transport left Ukrainians unable to purchase rail tickets, and payments were delayed when the Treasury and Pension Fund were compromised. It was the second network-centric attack to knock out power supply in Ukraine.

Attackers of suspected Russian origin targeted facilities in December 2015. Those 23 December outages affected Ukraine's Prykarpattya Oblenergo and Kyivoblenergo utilities, cutting power to some 80,000 customers for six hours. Last month's attacks also used the BlackEnergy and KillDisk malware. Other hacks included highly convincing and successful phishing attacks against an unnamed Ukrainian bank, various remote exploitation, and denial of service attacks.

The phishing attack on 14 July last year used the ancient trick of malicious Word document macros but wrapped it in high levels of obfuscation and anti-forensics. Information Systems Security Partners head of research Oleksii Yasynskyi, who worked on dissecting the hacks, reckoned the attackers were a mix of groups specialising in different aspects of offensive security, from infrastructure to obfuscation and payload delivery. Phishing emails numbered in the thousands. Hackers kept up quiet observation for months whenever one payload succeeded in breaching one of the Ukrainian assets, Krotofil told Motherboard.

Yet the attackers' origin was not disclosed, if it is known; Kiev laid blame squarely on Russia for the similar 2015 utility hacking. Krotofil told Dark Reading that Ukraine's utilities may be seen as a test bed for attacks elsewhere, something she says is common with Russian hackers. Alex Mathews, security evangelist lead with Russian SCADA and industrial control system outfit Positive Technologies, told El Reg that vulnerabilities in critical infrastructure are easy to find and difficult to get fixed. "It takes just two days to find a new SCADA flaw, yet almost a year to get it fixed," Mathews says. "The vulnerability of our critical infrastructure is evident. Those charged with protecting industrial control system and SCADA networks must acknowledge that they're exposed to cyber threats and take steps to reduce the risk."

Bootnote: While there are concerns that the attacks are a test bed for further control system hacking in other countries, compromising such infrastructure cannot be done by cookie-cutter hackers. Control systems are highly specialised, with proprietary and often undocumented protocols that are not ordinarily understood outside of specialist fields. Using Ukraine as a means to hack US energy companies, for example, is further troubled by the variance in security controls that may exist in front of and around control systems.
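The initial access described above was the old Word-macro trick dressed up with obfuscation. Whatever the obfuscation inside the VBA, the container itself still has to carry a VBA project, and that is something a mail gateway can check without the file name. The following is an added example written for this page, not a tool from the article or from any of the researchers quoted: it inspects the raw bytes of an attachment and reports whether it carries macros, for both the OOXML zip format (.docx/.docm) and the legacy OLE2 .doc format. The OLE2 check is a heuristic on directory entry names, and the sample documents are constructed in memory for the demo; both are the author's assumptions.

```python
"""Decide whether an Office attachment carries VBA macros by inspecting the
container, never the file extension. Handles OOXML (.docx/.docm are zip files)
and the legacy OLE2 binary format. Example code written for this page, not a
tool from the article; the OLE2 check is a heuristic on directory entry names."""
import io
import zipfile
from typing import Tuple

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-office.vbaProject",
)
PLAIN_DOCX_MAIN = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")


def has_macros(data: bytes) -> Tuple[bool, str]:
    """Return (macro_present, reason) for the raw bytes of an attachment."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                # The VBA project is a part of its own; its presence is decisive
                # even if the extension or content types were tampered with.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True, "vbaProject.bin part present"
                if "[Content_Types].xml" in names:
                    ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
                    for t in MACRO_CONTENT_TYPES:
                        if t in ct:
                            return True, "macro-enabled content type " + t
        except zipfile.BadZipFile:
            return False, "zip signature but not a readable zip"
        return False, "OOXML package without a VBA project"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: compound-file directory entry names are UTF-16LE, and a
        # VBA project always has a stream named _VBA_PROJECT.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            return True, "OLE2 file with _VBA_PROJECT stream"
        return False, "OLE2 file, no VBA project stream"
    return False, "not an Office container"


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML package in memory for the demo (no real
    document content); the macro variant mirrors what Word writes for .docm."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>'
                 % (MACRO_CONTENT_TYPES[0] if with_macros else PLAIN_DOCX_MAIN)]
    if with_macros:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="%s"/>' % MACRO_CONTENT_TYPES[2])
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/'
                     '2006/content-types">' + "".join(overrides) + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder blob
    return buf.getvalue()


if __name__ == "__main__":
    # The file name is deliberately ignored: a .docm renamed to .docx still
    # carries its VBA project and is caught here.
    for label, blob in (("manual.docx (really .docm)", build_ooxml(True)),
                        ("manual.docx", build_ooxml(False))):
        print(label, has_macros(blob))
```

The check is deliberately blind to the extension, because Word opens a renamed .docm as a macro document regardless of what the attachment was called; it says nothing about what the macro does, so a hit is a reason to detonate or strip the file, not a verdict on its intent.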