CYBINT/DNINT Cyber Intelligence, Techniques and developments

Bogeyman 

Experienced member
Professional
Messages
8,343
Reactions
60 29,287
Website
twitter.com
Nation of residence
Turkey
Nation of origin
Turkey

China to disclose secret US ‘global reconnaissance system,’ claims official

Chinese authorities have pledged to “publicly disclose a highly secretive global reconnaissance system” operated by the U.S. government following an investigation into the alleged hacking of earthquake monitoring equipment in Wuhan.

The claim marks the latest of a series of attempts by the People’s Republic of China to highlight Washington’s intelligence-gathering efforts in response to criticisms of Beijing’s activities, which, according to the U.S., are often conducted in breach of international law by targeting commercial rather than national security material.

The Global Times, China’s state-controlled English-language newspaper, reported Monday that the disclosure would be made as a result of progress in a joint investigation by China's National Computer Virus Emergency Response Center (CVERC) and the internet security company Qihoo 360 into alleged espionage targeting seismic intensity data.

It quoted Xiao Xinguang, a member of a crucial advisory body to the Chinese Communist Party and the chief software architect at anti-virus company Antiy Labs, saying the seismological data had “significant intelligence value for judging geological terrain, analyzing weapons system tests, and nuclear tests.”

Violation of international law?

Du Zhenhua, a senior engineer from the CVERC, claimed that the “US military intelligence agencies' use of their information technology advantage to launch cyberattacks on civilian infrastructure is a criminal act in clear violation of international law, seriously infringing on China's national security and public interest.”

Du warned that if damage had been caused to the monitoring system, it could have impacted early warning and disaster assessment efforts in the case of an earthquake, potentially “leading to more severe loss of life and property.”

“Even more dangerous is that if the attackers tamper with the earthquake monitoring data, triggering false alarms, it could lead to social panic and disorder, resulting in casualties among innocent people,” he added.

It is not clear whether there were any such attempts to cause damage. Recorded Future News previously asked the CVERC whether it had observed any attempts to interfere with the integrity of the seismological data, or if the malware was capable of doing so. Despite an initial interest in receiving our questions, a spokesperson subsequently declined to comment.

The claims by Chinese officials that the data was of legitimate intelligence value and that the computer network exploitation was a violation of international law appear to be inconsistent. Typically, espionage is not considered to be a violation of international law, though there is some ambiguity around the interpretation of the UN Charter on the matter.

The United States explicitly considers espionage a legitimate part of statecraft. It avows the existence of its intelligence agencies and has legislation governing their operations domestically and abroad.

China has been accused of foreign intelligence activities, but Beijing does not publicly avow these. China has also been criticized in the West for what are perceived to be the overly-broad powers afforded to its security apparatus under its laws.

‘It’s espionage. It’s what nation-states do.’

The Global Times’ report on the earthquake monitoring equipment hack was published shortly after Microsoft announced a threat actor based in China known as Storm-0558 had exploited a bug in its cloud email service to spy on government agencies in the U.S. and Western Europe.

Unlike alleged incidents in which state-sponsored Chinese hacking groups have targeted commercial companies to steal intellectual property, or have left exposed web shells on victim servers in what was described as a “reckless” breach of U.N. cyber norms, the Storm-0558 incident did not prompt the U.S. to accuse China of breaking international law.

Rob Joyce, the NSA's director of cybersecurity, told the Aspen Security Forum that the hack was “China doing espionage” adding: “It is what nation-states do. We have to defend against it, we need to push back against it. But that is something that happens.”

Last September, China denounced the U.S. Embassy in Beijing following a joint report from two of the country’s most prominent cyber authorities accusing the NSA of stealing “sensitive information” from Chinese institutions.

The Northwestern Polytechnical University, which the NSA was accused of targeting, is considered to be “a Chinese military university that is heavily involved in military research,” according to the U.S. Department of Justice — and thus likely to be seen as a legitimate target for espionage under international law.

Global reconnaissance system

Xiao told the Global Times that “by leveraging its global comprehensive reconnaissance ability, along with various means of intrusion, theft, and other comprehensive measures to obtain all kinds of telemetry data, and combining other multi-source auxiliary data, [the U.S.] forms the ability to analyze, judge, attribute, and locate China's economic, social operations, and even military actions.”

It is not clear what this reconnaissance ability involves, nor did Xiao state when the Chinese authorities would attempt to publicize it. Through the Global Times, officials in the country have made several allegations about U.S. intelligence collection activities in recent years, but these often seem dependent upon material that is already in the public domain.

Reports often cite public-domain material leaked by Edward Snowden, the Shadow Brokers, and WikiLeaks — with a reference to the ECHELON system appearing in Monday’s report.

However, they appear without the kinds of details often included in U.S. Department of Justice indictments, nor do they provide indicators of compromise (IoCs) or other technical intelligence used when the Western cybersecurity community attributes similar incidents to China and attempts to inform defenders about how to protect their networks.

Bogeyman

Army struggling to hire cyber staff as attacks on Britain ramp up

The Army is struggling to hire cyber security experts amid intense competition from business, its recruitment chief has admitted.

Richard Holroyd, managing director of Defence and Security at Capita, which handles recruitment for the Armed Forces, said it was having difficulty attracting candidates given the wealth of jobs on offer.

He told the Telegraph: “You’re saying to people with an interest in it, come and be a cyber specialist in the armed forces, but Raytheon is saying come and be a cyber specialist, BT are saying come and be a cyber specialist. So in those spaces, you’re competing.

“In a labour market with full employment it’s a tough, tough play.”

Mr Holroyd said Capita was on track to only meet 80pc of its Army recruitment target this year, in part because of difficulties filling technical roles.

He said: “Anything related to STEM [science, technology, engineering and mathematics] is a highly competitive environment. So STEM skills are tough.”

Capita’s exact target wasn’t given and the Ministry of Defence declined to comment on it.

The admission comes despite the increasing importance of cyber for both offensive and defensive capabilities.

The Minister of Defence said last month there was an “urgent requirement to continue to modernise the force to keep pace with technological developments”.

Boosting the digital skills is a “matter of priority” over the next three years, officials wrote in the Defence Command paper.

Mr Holroyd said cyber security experts have “much more choice” than in previous years and admitted that private sector companies have proven faster at recruiting, sometimes making offers within a few weeks.

Demand for cyber security experts is growing rapidly across both the public and private sector as attacks on Britain ramp up.

Cabinet Office minister Oliver Dowden warned earlier this year about the rise of “ideologically motivated” hackers who are increasingly targeting critical infrastructure and major businesses in an effort to disrupt everyday life.

Britain faces a national skills shortage in cyber with employers struggling to fill almost four in 10 of the roles, official government figures show. Demand for cyber security experts jumped by a third last year, with over 160,000 jobs advertised.

Cyber is seen as an increasingly important area in modern warfare, alongside space.

The Minister of Defence and GCHQ, Britain’s digital intelligence agency, launched the National Cyber Force (NCF) in 2020 to respond to growing challenges. The NCF said in April it “carries out cyber operations on a daily basis to protect against threats to the UK, further the UK’s foreign policy, support military operations, and prevent serious crime”.

Then-GCHQ chief Sir Jeremy Fleming said at the time: “In an increasingly volatile and interconnected world, to be a truly responsible cyber power, nations must be able to contest and compete with adversaries in cyberspace.”

A Ministry of Defence spokesperson said: “We are confident ongoing work will ensure the Armed Forces remains a highly attractive employer. The Ministry of Defence will continue to address skills shortages in the coming years as outlined in the Defence Command Paper 2023, particularly around cyber security.

“In July we announced plans to prioritise greater career flexibility; implement a Total Reward Approach; and digitise our people management system.”

As well as technical roles, Mr Holroyd said Capita was having difficulty recruiting chefs and tanker drivers for the Army, where the service is competing with supermarkets and energy companies.

A hoped-for uptick in interest in an Armed Forces career following the start of the Ukraine war did not materialise, he said, although the funeral of Queen Elizabeth II and the coronation of King Charles III provided a boost.

Capita won a 10-year contract to run recruitment for the Armed Forces in 2012 and was handed a two-year extension in 2020. It has previously come under fire for its running of the programme, which for several years missed its recruitment targets.


Bogeyman

Hosting firm says it lost all customer data after ransomware attack

Danish hosting firms CloudNordic and AzeroCloud have suffered ransomware attacks, causing the loss of the majority of customer data and forcing the hosting providers to shut down all systems, including websites, email, and customer sites.

The two brands belong to the same company and stated that the attack unfolded last Friday night. However, today's operational status remains highly problematic, with the firm's IT teams only managing to restore some servers without any data.

Moreover, the firm's statement clarifies that it won't be paying the threat actors a ransom and has already engaged with security experts and reported the incident to the police.

Unfortunately, the system and data restoration process isn't going smoothly, and CloudNordic says many of its customers have lost data that appears to be irrecoverable.

"Since we neither can nor wish to meet the financial demands of the criminal hackers for a ransom, CloudNordic's IT team and external experts have been working intensively to assess the damage and determine what could be recovered," reads CloudNordic's statement (machine translated).

"Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us."

Both public notices include instructions on recovering websites and services from local backups or Wayback Machine archives.

Given the situation, the two hosting service providers previously recommended that heavily impacted customers move to other providers, such as Powernet and Nordicway.

Hitting at the right moment

The hosting company's statements revealed that some of the firm's servers had been infected by ransomware despite being protected by firewalls and antivirus.

During a data center migration, those servers were connected to the broader network, allowing the attackers to access critical administrative systems, all data storage silos, and all backup systems.

Next, the attackers encrypted all server disks, including primary and secondary backups, corrupting everything without leaving a recovery opportunity.

CloudNordic says that the attack was limited to encrypting data, and the collected evidence does not indicate that any data on the machines was accessed or exfiltrated. That said, there's no evidence of a data breach.

Danish media reports that the attacks have impacted "several hundred Danish companies" who lost everything they stored in the cloud, including websites, email inboxes, documents, etc.

Martin Haslund Johansson, the director of Azerocloud and CloudNordic, stated that he does not expect customers to be left with them when the recovery is finally completed.

Targeting hosting providers is a tactic used by ransomware gangs in the past as it causes large-scale damage and creates many victims in a single attack.

Due to the number of victims, providers will be under a lot of pressure to pay a ransom to restore their operations and potentially avoid lawsuits from customers who lost their data.

In 2017, a similar attack led a South Korean hosting provider to pay a $1 million ransomware demand to recover its customers' data.

More recently, Rackspace suffered a Play ransomware attack on its hosted Microsoft Exchange services that led to email outages for many of its customers.


Bogeyman

Russian and North Korean Cyberattack Infrastructure Converge: New Hacking Data Raises National Security Concerns

In the wake of a historic arms meeting between Kim Jong-un and Vladimir Putin, on-chain data reveals disturbing information: Democratic People’s Republic of Korea (DPRK)-linked hacking groups are increasing their use of Russia-based exchanges known to launder illicit crypto assets.

This development comes as independent sanctions monitors are raising alarms about North Korea’s evolving tactics in cyber warfare. A forthcoming United Nations report warns that DPRK is using increasingly sophisticated cyberattacks to fund its nuclear missile programs, with “state-sponsored” hacking groups targeting cryptocurrency and financial exchanges worldwide.

Chainalysis data shows that $21.9 million in cryptocurrency stolen from Harmony Protocol was recently transferred to a Russia-based exchange known for processing illicit transactions. Additionally, Chainalysis has evidence that shows that DPRK entities have been using Russian services, including this exchange, for money laundering since 2021. This latest action marks a significant escalation in the partnership between the cyber underworlds of these two nations.

The Chainalysis Reactor graph below shows some of the movement of stolen Harmony funds to the Russian exchange.

[Figure: Chainalysis Reactor graph of stolen Harmony funds moving to the Russian exchange]

Not only does this revelation signify a potent alliance between North Korean and Russian cybercriminal actors, but it also presents challenges for global authorities. Russia’s notoriously uncooperative stance toward international efforts by law enforcement makes the prospect of recovering stolen funds sent to Russian exchanges particularly grim. While the types of mainstream centralized exchanges North Korean hackers have previously relied upon typically cooperate, Russia’s exchanges and law enforcement agencies have a track record of non-compliance, significantly reducing the chance of asset recovery.

What North Korean crypto hacking totals reveal for 2023

While the shift in laundering strategy illuminates new complexities, hacking activities associated with DPRK in general show a paradoxical trend as we approach the end of the third quarter. According to Chainalysis data, the value of stolen cryptocurrency associated with DPRK groups currently exceeds $340.4 million this year, compared to over $1.65 billion in stolen funds reported in 2022.

While North Korea-linked hackers are on pace to steal much less cryptocurrency than they did last year, it’s important to acknowledge that the catastrophically high figures from 2022 created an unusually high bar to surpass.

[Figure: DPRK hacking activity, 2016 to present]

With the total amount of cryptocurrency stolen estimated at $3.54 billion, DPRK continues to be an incubator for hacking activities and remains one of the largest active threats in the cybercrime landscape.

[Figure: total value stolen by DPRK-linked groups vs. others]

North Korea-linked groups still account for 29.7% of cryptocurrency stolen via hacks this year, though not as high a share as 2022.

Lessons from 2022: North Korean cyberthreats still loom

Although it may be tempting to view the reduction in the total value of hacked funds as a marker of progress, we must remember that 2022 set a dismally high benchmark. Last year was characterized by a number of high profile hacks, several of which involved the notorious hacker collective Lazarus Group. The most noteworthy of those attacks targeted the Ronin Network, a sidechain created for the popular play-to-earn game Axie Infinity. The impact of the breach was significant, accounting for $600 million of the total funds stolen. The fact that this year’s numbers are down is not necessarily an indicator of improved security or reduced criminal activity – although we do hope that increased code audits are helping.

In reality, we are only one large hack away from crossing the billion-dollar threshold of stolen funds for 2023. Things move quickly online — a major attack could materialize overnight. Both government bodies and organizations must remain vigilant to defend against the rising complexities and stakes of crypto crime.

Combatting blockchain-based crime

While the cross-border nature of cryptocurrencies can make it easier for actors within rogue nations to collaborate, the blockchain itself offers significant investigative advantages for law enforcement agencies.

Unlike conventional financial systems, which can hide illicit activity behind intricate layers of shell companies and uncooperative banking jurisdictions, blockchain technology is transparent by design. Chainalysis equips authorities with powerful tools to interpret transaction data. This allows them to trace the flow of funds to target and dismantle cybercrime operations from their core.

International efforts are intensifying to shore up cybersecurity and enhance cooperation among nations in countering crypto-related hacks and broader cybercrime. Far from being a black hole of criminality, blockchain can serve as a valuable ally in maintaining the security and integrity of global financial systems.


Bogeyman

U.S. and Japanese Agencies Issue Advisory about China Linked Actors Hiding in Router Firmware

The National Security Agency (NSA), U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) are releasing the joint Cybersecurity Advisory (CSA) “People’s Republic of China-Linked Cyber Actors Hide in Router Firmware” about the activities of BlackTech cyber actors.

BlackTech, also known as Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has targeted government, industrial, technology, media, electronics, and telecommunication sectors. As a multinational threat linked to the People’s Republic of China (PRC), the actors have demonstrated capabilities in modifying router firmware without detection.

The CSA details tactics, techniques, and procedures (TTPs) used by BlackTech actors to compromise international subsidiaries, as well as recommended detection and mitigation techniques to defend against this threat. The CSA also highlights the need for multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential compromise.

“Cyber actors look for the easiest way into their targeted network, like a thief checking vehicles for unlocked doors,” said Rob Joyce, NSA Cybersecurity Director. “Raising awareness of this malicious activity helps with not only hardening our defenses, but also those of our international allies, critical infrastructure, and private sector organizations. We need to keep these actors out of our networks.”

As indicated in the CSA, the BlackTech actors target network routers typically used at remote branch offices to connect to corporate networks. The actors have compromised several Cisco routers using variations of TTPs to conceal configuration changes, hide commands, disable logging, and pivot between international subsidiaries’ and domestic headquarters’ networks.

Some of the TTPs mentioned in the CSA and used by this actor group include modifying router firmware to establish backdoors and persistence, pivoting using internal routers, and living off the land tactics to blend in with normal operating system and network activities to evade endpoint detection and response (EDR) products. BlackTech has also used a range of custom malware to target Windows, Linux, and FreeBSD operating systems.

"Subsidiaries of multinational corporations are attractive targets for threat actors," said Joyce. "The security of these subsidiaries' IT environments is sometimes overlooked, posing a significant risk for the critical systems of their international partners. We need to continue to be vigilant and work together across international industry and government to effectively implement best practices to secure vital IT environments."

The authoring agencies recommend implementing the mitigations in the CSA to detect malicious activities and protect devices from being compromised by BlackTech actors.

Bogeyman

NATO investigating breach, leak of internal documents

NATO is investigating claims by a politically motivated hacktivist group that it breached the defense alliance’s computer systems, which, if confirmed, would mark the second time in the last three months that the group known as SiegedSec has broken into NATO systems.

SiegedSec, a cybercrime group with a history of politically motivated attacks, claimed on its Telegram channel on Saturday that it had stolen roughly 3,000 NATO documents and posted six screenshots allegedly showing access to various NATO web pages. The group claimed the 3,000 stolen files total more than nine gigabytes of data.

“NATO cyber experts are actively addressing incidents affecting some unclassified NATO websites,” a NATO official told CyberScoop Tuesday. “Additional cyber security measures have been put in place. There has been no impact on NATO missions, operations and military deployments.”

In July, SiegedSec posted a link to roughly 700 files stolen from the NATO Community of Interest Cooperation Portal, an unclassified information sharing and collaboration site maintained by the international agency.

At the time, NATO confirmed to CyberScoop that it was reviewing the matter. On Tuesday, the NATO official declined to comment on the status of that investigation.

According to SiegedSec’s message Saturday, files from the attack come from the Joint Advanced Distributed Learning platform, the NATO Lessons Learned Portal, the Logistics Network Portal, the Communities of Interest Cooperation Portal and the NATO Standardization Office. CyberScoop was not able to independently confirm the authenticity of the files but is reporting on SiegedSec’s claim given its track record of purported attacks against NATO.

Hacking groups supportive of the Russian government, such as Killnet, have in recent months posted files online claimed to have been stolen from NATO, which has taken on a key role in coordinating aid to Ukraine following Russia’s invasion. But SiegedSec claims no affiliation with a state and has cited its attacks on Russian targets as evidence of its independence.

In a message posted alongside its breach of NATO in July, SiegedSec said the attack had “nothing to do with the war between Russia and Ukraine” and said it was “a retaliation against the countries of NATO for their attacks on human rights.”

SiegedSec emerged as a group on Telegram in April of 2022 and quickly began sharing data and files it claimed had been stolen from organizations around the world. In the summer of 2022, the group claimed attacks on state websites in Kentucky and Arkansas over those states’ legislative efforts to limit access to abortion. In July, the group claimed to have targeted multiple satellite receivers and industrial control systems “particularly in states banning gender affirming care.”

After those attacks, a SiegedSec representative told CyberScoop that they consider themselves “more blackhat than hacktivists.” Money “is not our main goal,” the person said. “Most of the time we just want to have fun and destroy stuff.”

More recently the group has claimed connections with other cybercrime groups or channels that advertise financially-motivated extortion activity and has also promoted a channel selling what it says is access to compromised government email accounts and other platforms to enable fraudulent emergency data requests, which can be used to obtain private information on people from various social media platforms.


Bogeyman

Duke Energy disconnects CATL batteries from Marine Corps base over security concerns

U.S. utility company Duke Energy said on Wednesday it had disconnected large-scale batteries made by Chinese company CATL (300750.SZ) from North Carolina Marine Corps base Camp Lejeune after lawmakers and experts raised concerns about the battery supplier's close links to China's ruling Communist Party.

A number of Republican and Democratic lawmakers have sounded the alarm over potential security threats posed by Chinese storage batteries, arguing the U.S. risks building a critical dependency on its top rival for the devices that may have cyber vulnerabilities and put energy grids at risk.

Duke Energy used the CATL batteries in its facility leased at Camp Lejeune, according to an April press release. That spurred criticism from a group of more than two dozen Republican lawmakers led by Senator Marco Rubio, who last week wrote Secretary of Defense Lloyd Austin asking him to "immediately reverse" the installation of the batteries.

Duke Energy has since met with lawmakers, including North Carolina Representative Greg Murphy, about the issue.

"Some concerns about this project have been raised, and, as a result, Duke Energy disconnected these batteries as we work to address these questions," the company told Reuters in a statement.

But it added that the system was designed with "security in mind" and that the batteries "were not connected in any way to Camp Lejeune's network or other systems."

The company did not say when the batteries were disconnected or how long they would remain offline.

CATL told Reuters in a statement that accusations about its batteries posing espionage threats were "false and misleading" and that its products had passed security reviews by U.S. authorities.

Its energy storage products sold to the U.S. contained only "passive" devices, which were not equipped with communication interfaces, the company said.

Liu Pengyu, spokesperson for China's embassy in Washington, said China "always opposes the U.S. side politicizing trade and investment cooperation."
The U.S. Department of Defense did not respond immediately to a request for comment.

CONCERNS OVER CHINESE BATTERIES

The deployment of such utility-scale battery energy storage systems (BESS) is increasing rapidly in the U.S. as sources of renewable energy come online. Much of that capacity will likely come from Chinese suppliers, which are leaders in the technology and stand to benefit from U.S. renewable energy tax credits.

Democratic Senators Mark Warner and Joe Manchin in November urged the Department of Energy to prioritize U.S.-developed energy storage technologies in the face of China's "near-monopoly" over battery production, which they said poses "substantial defense and economic security vulnerabilities."

"Disconnecting systems supported by the Chinese Communist Party is common sense, especially when it comes to securing our military bases," Rubio told Reuters following Duke Energy's statement.

Such systems require frequent remote operation and telecommunications equipment connected to the batteries could be vulnerable to hacking attempts, say experts.

An October 2022 DOE report highlighted risks associated with grid-connected battery storage systems, warning that attackers have shifted focus to suppliers of hardware and software, seeking to "add backdoor capabilities that permit unauthorized access and control."

In worst case scenarios, experts say coordinated attacks could knock out energy grids. The U.S. intelligence community's 2023 threat assessment said China is likely capable of launching cyberattacks that would disrupt critical infrastructure services within the U.S. intended to induce societal panic and interfere with the deployment of U.S. forces in a period of conflict.

Craig Singleton, a China expert at the Foundation for Defense of Democracies, warned in an October report that CATL's founder and top shareholder, Zeng Yuqun, is closely tied to China's ruling Communist Party, and serves as a vice chairman of the All-China Federation of Industry and Commerce, a trade group under the party's United Front Work Department, which carries out Beijing's agenda overseas.

"The company's corporate connections and leadership links to China's party-state serve as structured channels through which Beijing can exert influence and control over the company's personnel, operations, and data," Singleton said.

CATL said it met its disclosure obligations as a publicly traded company and noted its investors included Western firms such as JP Morgan Chase (JPM.N) and UBS (UBSG.S).

Republican Representative Austin Scott has sought language in the sweeping 2024 annual defense spending bill that would bar the Pentagon from purchasing or using battery technology made by CATL and other Chinese suppliers.

CATL has announced deals to supply batteries for commercial energy projects around the country, including in Texas and Nevada.

Mike Casey, director of the National Counterintelligence and Security Center (NCSC), which coordinates with the U.S. private sector over security threats, said companies should think twice before installing Chinese batteries.

"We encourage power companies interested in using these industrial battery energy storage systems from China to think beyond the short-term cost savings they may realize and consider the potential long-term vulnerabilities and how to mitigate them – which could end up being costlier," Casey told Reuters.

Bogeyman

China’s CATL denies ‘espionage threat’ accusations​


Electric-vehicle battery maker’s technology disconnected from US military base



The world’s biggest electric-vehicle battery maker has hit back against accusations that it poses a national security threat after the Chinese company’s technology was cut off from a US military base. “Accusations about CATL batteries posing espionage threats are false and misleading,” said the company in a statement on Thursday.

“Our products have passed rigorous safety and security reviews including those by US authorities and businesses.” The battery maker’s statement follows an open letter on Friday from Republican senator Marco Rubio and other lawmakers to US defence secretary Lloyd Austin, which alleged CATL was close to the Chinese leadership and that its presence on a US military base in North Carolina was “inexcusable”. “The CCP’s pattern of espionage leaves little room for doubt that CATL products pose a threat to national security at any base where they are installed,” said the letter.

Duke Energy, a US utility company, said on Wednesday it had disconnected CATL batteries on the military base, Marine Corps Base Camp Lejeune, as a result of the concerns. CATL, one of the groups behind China’s rapid shift towards EVs and renewable technology, is the latest company hit by rising geopolitical tensions between the US and China, which has cast a chill over business relations on both sides of the Pacific. In July, CATL reported total revenue of Rmb189bn ($26.6bn) for the first half of 2023, posting year-on-year growth of 67.5 per cent.

EV batteries accounted for more than 70 per cent of the total amount. But sales of storage batteries are rapidly increasing, said the company, without disclosing a number.

The company denied the accusations, adding that the energy storage products it sells to the US are “not equipped with communication interfaces that may enable CATL to control the sold products”. CATL said it has a large western investor base, including companies such as JPMorgan Chase and UBS. A representative of CATL also said “we respect the actions of our end customers”.

In its statement, Duke Energy said the CATL batteries it used “were not connected in any way to Camp Lejeune’s network or other systems” and that they acted “solely as an energy storage device and were connected to Duke Energy’s system with our robust network security and safeguards fully in place”. It added: “As an American energy company, we welcome the ability to use American manufactured batteries.

Given the rapidly increasing demand for electricity, we support more domestic manufacturing to help expand energy resources in the United States and accelerate the energy transition”. Duke Energy expanded its battery storage capabilities in North Carolina in late March and has begun commercial operation of the state’s largest battery system, according to a previous statement from the company.

Bogeyman

Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard​


The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium. As part of our ongoing commitment to responsible transparency as recently affirmed in our Secure Future Initiative (SFI), we are sharing this update.

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.

This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.

As we said late last year when we announced Secure Future Initiative (SFI), given the reality of threat actors that are resourced and funded by nation states, we are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is simply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster. We will act immediately to apply our current security standards to Microsoft-owned legacy systems and internal business processes, even when these changes might cause disruption to existing business processes.

This will likely cause some level of disruption while we adapt to this new reality, but this is a necessary step, and only the first of several we will be taking to embrace this philosophy.

We are continuing our investigation and will take additional actions based on the outcomes of this investigation and will continue working with law enforcement and appropriate regulators. We are deeply committed to sharing more information and our learnings, so that the community can benefit from both our experience and observations about the threat actor. We will provide additional details as appropriate.
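The initial-access technique in the post above, a password spray, guesses one or two common passwords against many accounts rather than many passwords against one, so per-account lockout thresholds never trip. What follows is an added detection example written for this thread, not Microsoft's code or telemetry. The log line format, the addresses, the timing and the account names (including the "legacy-test-tenant-svc" account that mirrors the non-production tenant account described above) are all constructed for illustration; the detector counts distinct usernames failing from one source inside a sliding window and then lists any accounts that source did sign into, which is the foothold to chase first.

```python
"""Password-spray detection over sign-in logs (added example for this thread).

Not Microsoft's code or telemetry. Log format, addresses and account names are
constructed: "<ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAILURE>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 tries one guess per account across many accounts,
# spaced ~30 s apart so no single account reaches a lockout, and eventually gets a hit.
# 198.51.100.9 hammers a single account (plain brute force): lockout policy catches
# that, and this detector deliberately does not report it.
SAMPLE_LOG = """\
2023-11-20T02:00:01Z 203.0.113.7 alice FAILURE
2023-11-20T02:00:31Z 203.0.113.7 bob FAILURE
2023-11-20T02:01:02Z 203.0.113.7 carol FAILURE
2023-11-20T02:01:33Z 203.0.113.7 dave FAILURE
2023-11-20T02:02:04Z 203.0.113.7 erin FAILURE
2023-11-20T02:02:35Z 203.0.113.7 legacy-test-tenant-svc SUCCESS
2023-11-20T02:03:06Z 203.0.113.7 frank FAILURE
2023-11-20T08:15:00Z 198.51.100.9 alice FAILURE
2023-11-20T08:15:20Z 198.51.100.9 alice FAILURE
2023-11-20T08:15:40Z 198.51.100.9 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def detect_password_spray(log_text, window=timedelta(minutes=30), min_accounts=5):
    """Report source IPs whose failed logins touch >= min_accounts distinct usernames
    inside any sliding window of length `window`.

    For each flagged IP the result lists every account it failed against and every
    account it successfully signed into, in log order.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failed = [(ts, user) for ts, user, ok in events if not ok]
        start = 0
        for end in range(len(failed)):
            # slide the window start forward until it spans at most `window`
            while failed[end][0] - failed[start][0] > window:
                start += 1
            if len({user for _, user in failed[start:end + 1]}) >= min_accounts:
                findings[ip] = {
                    "accounts": sorted({user for _, user in failed}),
                    "successes": [user for _, user, ok in events if ok],
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_LOG).items():
        print(f"{ip}: sprayed {len(info['accounts'])} accounts, "
              f"succeeded on {info['successes']}")
```

The threshold and window are deliberately tunable: a real spray is often spread over hours or days and across many source addresses, so the same logic should also be run keyed on user-agent or tenant rather than only on source IP.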

Bogeyman

N.S.A. Buys Americans’ Internet Data Without Warrants, Letter Says​


The National Security Agency buys certain logs related to Americans’ domestic internet activities from commercial data brokers, according to an unclassified letter by the agency.

The letter, addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications.

Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly.

It comes as the Federal Trade Commission has started cracking down on companies that trade in personal location data that was gathered from smartphone apps and sold without people’s knowledge and consent about where it would end up and for what purpose it would be used.

In a letter to the director of national intelligence dated Thursday, the senator, Ron Wyden, Democrat of Oregon, argued that “internet metadata” — logs showing when two computers have communicated, but not the content of any message — “can be equally sensitive” as the location data the F.T.C. is targeting.

He urged intelligence agencies to stop buying internet data about Americans if it was not collected under the standard the F.T.C. has laid out for location records.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Mr. Wyden wrote.

A representative for the national intelligence director, Avril D. Haines, did not respond to a request for comment.

The N.S.A. made its specific disclosure under pressure in a letter that its departing director, Gen. Paul M. Nakasone, sent last month to Mr. Wyden. In November, the senator placed a hold on President Biden’s nominee to be the next agency director, Lt. Gen. Timothy D. Haugh, to prevent the Senate from voting on his confirmation until the agency publicly disclosed whether it was buying the location data and web browsing records of Americans.

In the letter, General Nakasone wrote that his agency had decided to reveal that it buys and uses various types of commercially available metadata for its foreign intelligence and cybersecurity missions, including netflow data “related to wholly domestic internet communications.”

Netflow data generally means internet metadata that shows when computers or servers have connected but does not include the content of their interactions. Such records can be generated when people visit different websites or use smartphone apps, but the letter did not specify how detailed the data is that the agency buys.

Asked to clarify, an N.S.A. official provided a statement that said that the agency purchases commercially available netflow data for its cybersecurity mission of trying to detect, identify and thwart foreign hackers. It stressed that “at all stages, N.S.A. takes steps to minimize the collection of U.S. person information,” including by using technical means to filter it.

The statement added that it limited its netflow data to internet communications in which one side is a computer address inside the United States “and the other side is foreign, or where one or both communicants are foreign intelligence targets, such as a malicious cyberactor.”


While General Nakasone also acknowledged that some of the data the N.S.A. purchases is “associated with electronic devices being used outside — and, in certain cases, inside — the United States,” he said that the agency did not buy domestic location information, including from phones or internet-linked cars known to be in the country.

Mr. Wyden, a longtime privacy advocate and surveillance skeptic who has access to classified information as a member of the Senate Intelligence Committee, has proposed legislation that would bar the government from purchasing data about Americans that it would otherwise need a court order to obtain.

In early 2021, he obtained a memo revealing that the Defense Intelligence Agency buys commercially available databases containing location data from smartphone apps and had searched it several times without a warrant for Americans’ past movements. The senator has been trying to persuade the government to publicly disclose more about its practices.

The correspondence with Mr. Wyden, a portion of which was redacted as classified, strongly suggested that other arms of the Defense Department also buy such data.
Law enforcement and intelligence agencies outside the Defense Department also purchase data about Americans in ways that have drawn mounting scrutiny. In September, the inspector general of the Department of Homeland Security faulted several of its units for buying and using smartphone location data in violation of privacy policies. Customs and Border Protection has also indicated that it would stop buying such data.

Another letter to Mr. Wyden, by Ronald S. Moultrie, the under secretary of defense for intelligence and security, said that acquiring and using such data from commercial brokers was subject to various safeguards.
He said the Pentagon used the data lawfully and responsibly to carry out its various missions, including detecting hackers and protecting American service members. There is no legal bar to buying data that was “equally available for purchase to foreign adversaries, U.S. companies and private persons as it is to the U.S. government,” he added.
But in his own letter to Ms. Haines, Mr. Wyden urged intelligence agencies to adjust their practices, pointing to the Federal Trade Commission’s recent crackdown on companies that sell personal information.
This month, the F.T.C. banned a data broker formerly known as X-Mode Social from selling locational data as part of a first-of-its-kind settlement. The agreement established that the agency considers trading location data — which was collected without the consent of consumers that it would be sold to government contractors for national security purposes — to be a violation of a provision of the Federal Trade Commission Act that bars unfair and deceptive practices.
And last week, the F.T.C. unveiled a proposed settlement with another data aggregator, InMarket Media, that bars it from selling precise location data if it did not fully inform customers and obtain their consent — even if the government is not involved.

While the N.S.A. does not appear to buy data that includes location information, Mr. Wyden argued that internet metadata can also reveal sensitive things — like whether a person is visiting websites about counseling related to topics like suicide, substance abuse or sexual abuse, or other private matters, such as if someone is seeking mail-order abortion pills.
In his letter, he wrote that the action against X-Mode Social should be a warning to the intelligence community and asked that Ms. Haines “take action to ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.”
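The article describes netflow as connection metadata (who talked to whom, when, on which port, how much) and quotes the agency's retention rule: keep flows where one side is a U.S. address and the other is foreign, or where either side is a designated target, and minimize the rest. The block below is an added example for this thread, not N.S.A. code and not a description of its actual systems. The flow records, the "domestic" prefixes (RFC 5737 documentation ranges standing in for real allocations) and the single target address are constructed; it applies that stated rule to a handful of records and then shows what the retained metadata still reveals about a domestic address without any packet content, which is the senator's point.

```python
"""Netflow minimization filter modelled on the rule quoted in the article.

Added example for this thread, not N.S.A. code. Prefixes and addresses are RFC 5737
documentation ranges used as constructed stand-ins; the target list is constructed.
Flow record format: start_time,src_ip,dst_ip,proto,src_port,dst_port,bytes
"""
import ipaddress

# constructed: prefixes treated as "inside the United States" for this example
DOMESTIC_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# constructed: an address treated as a designated foreign intelligence target
TARGETS = {ipaddress.ip_address("203.0.113.66")}

# constructed flow records
SAMPLE_FLOWS = """\
2024-01-25T10:00:00Z,192.0.2.10,203.0.113.5,6,51022,443,4820
2024-01-25T10:00:04Z,192.0.2.10,198.51.100.20,6,51023,443,1200
2024-01-25T10:01:10Z,203.0.113.66,198.51.100.20,6,40000,22,900
2024-01-25T10:02:00Z,198.51.100.20,192.0.2.10,6,51030,8443,300
2024-01-25T10:03:00Z,192.0.2.44,203.0.113.66,6,51040,443,7000
"""


def is_domestic(ip):
    return any(ip in net for net in DOMESTIC_PREFIXES)


def parse_flows(text):
    """Parse the CSV-style records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, sport, dport, nbytes = line.split(",")
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": int(proto),
            "sport": int(sport),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def retain(flow):
    """The quoted rule: keep a flow if either side is a designated target, or if one
    side is domestic and the other foreign. Wholly domestic flows are dropped."""
    if flow["src"] in TARGETS or flow["dst"] in TARGETS:
        return True
    return is_domestic(flow["src"]) != is_domestic(flow["dst"])


def minimize(text):
    """Apply the retention rule to every record and return what survives."""
    return [f for f in parse_flows(text) if retain(f)]


def domestic_contacts(flows):
    """What retained metadata still says about each domestic address: which foreign
    hosts it exchanged traffic with, when, and on which server port."""
    out = {}
    for f in flows:
        for local, remote in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if is_domestic(local) and not is_domestic(remote):
                out.setdefault(str(local), []).append((f["ts"], str(remote), f["dport"]))
    return out


if __name__ == "__main__":
    kept = minimize(SAMPLE_FLOWS)
    print(f"retained {len(kept)} of {len(parse_flows(SAMPLE_FLOWS))} flows")
    for local, contacts in domestic_contacts(kept).items():
        print(local, "->", contacts)
```

Two of the five constructed records are wholly domestic with no target on either side and are dropped; the other three survive, and the remaining tuples alone are enough to say that a given domestic address opened an HTTPS session to a particular foreign host at a particular second, or that the target address reached a domestic host on port 22.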



Bogeyman

US disabled Chinese hacking network targeting critical infrastructure​


The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that successfully compromised thousands of internet-connected devices, according to two Western security officials and one person familiar with the matter.
The Justice Department and Federal Bureau of Investigation sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters.

The Biden administration has increasingly focused on hacking, not only for fear nation states may try to disrupt the U.S. election in November, but because ransomware wreaked havoc on Corporate America in 2023.
The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities.

While the Volt Typhoon campaign initially came to light in May 2023, the hackers expanded the scope of their operations late last year and changed some of their techniques, according to three people familiar with the matter.
The widespread nature of the hacks led to a series of meetings between the White House and private technology industry, including several telecommunications and cloud computing companies, where the U.S. government asked for assistance in tracking the activity.

Such breaches could enable China, national security experts said, to remotely disrupt important facilities in the Indo-Pacific region that in some form support or service U.S. military operations. Sources said U.S. officials are concerned the hackers were working to hurt U.S. readiness in case of a Chinese invasion of Taiwan.
China, which claims democratically governed Taiwan as its own territory, has increased its military activities near the island in recent years in response to what Beijing calls "collusion" between Taiwan and the United States.

The Justice Department and FBI declined to comment. The Chinese embassy in Washington did not immediately respond to a request for comment.

When Western nations first warned about Volt Typhoon in May, Chinese foreign ministry spokesperson Mao Ning said the hacking allegations were a "collective disinformation campaign" from the Five Eyes countries, a reference to the intelligence sharing grouping of countries made up of the United States, Canada, New Zealand, Australia and the UK.

Volt Typhoon has functioned by taking control of swaths of vulnerable digital devices around the world - such as routers, modems, and even internet-connected security cameras - to hide later, downstream attacks into more sensitive targets, security researchers told Reuters. This constellation of remotely controlled systems, known as a botnet, is of primary concern to security officials because it limits the visibility of cyber defenders that monitor for foreign footprints in their computer networks.
"How it works is the Chinese are taking control of a camera or modem that is positioned geographically right next to a port or ISP (internet service provider) and then using that destination to route their intrusions into the real target," said a former official familiar with the matter. "To the IT team at the downstream target it just looks like a normal, native user that's sitting nearby."
The use of so-called botnets by both government and criminal hackers to launder their cyber operations is not new. The approach is often used when an attacker wants to quickly target numerous victims simultaneously or seeks to hide their origins.
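The former official's description above is the defender's problem in one sentence: the intrusion arrives from a consumer router or camera in the same city, so by address alone it "looks like a normal, native user". What gives it away is context the address itself lacks, and the block below is an added example for this thread, not Reuters' or any vendor's code, showing the three enrichments a remote-access login review would layer on: whether this source is new for this user, whether it sits in consumer/SOHO ISP space, and whether the same source touched more than one account that day. The login lines, the "residential" prefix (an RFC 5737 documentation range standing in for a consumer ISP allocation) and the user/service names are constructed; in practice the classification comes from your own ASN and GeoIP enrichment.

```python
"""Flagging remote-access logins that may be proxied through a nearby compromised
SOHO device (added example for this thread, not from Reuters or any vendor).

Constructed inputs. Log line format: "<ISO-8601 timestamp> <user> <source IP> <service>".
"""
import ipaddress
from collections import defaultdict

# constructed enrichment: prefixes treated as consumer/SOHO ISP space
RESIDENTIAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# constructed baseline period: where each user normally connects from
HISTORY_LOG = """\
2023-10-01T09:00:00Z jsmith 192.0.2.15 vpn
2023-10-02T09:05:00Z jsmith 192.0.2.15 vpn
2023-10-03T09:01:00Z ops-admin 192.0.2.80 ssh-bastion
"""

# constructed day under review: one residential address reaches two accounts
# off-hours, plus one new but non-residential source for jsmith
TODAY_LOG = """\
2024-01-10T03:12:00Z ops-admin 198.51.100.23 ssh-bastion
2024-01-10T03:40:00Z jsmith 198.51.100.23 vpn
2024-01-10T09:00:00Z jsmith 192.0.2.15 vpn
2024-01-10T09:30:00Z jsmith 203.0.113.40 vpn
"""


def parse(text):
    """Yield (timestamp, user, ip, service) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, service = line.split()
            yield ts, user, ipaddress.ip_address(ip), service


def build_baseline(history_text):
    """Per-user set of source addresses seen during the baseline period."""
    baseline = defaultdict(set)
    for _, user, ip, _ in parse(history_text):
        baseline[user].add(ip)
    return baseline


def is_residential(ip):
    return any(ip in net for net in RESIDENTIAL_NETS)


def flag_logins(history_text, today_text):
    """Return one finding per login that has at least one of the three signals.
    Reasons are listed in a fixed order so findings can be compared and sorted."""
    baseline = build_baseline(history_text)
    today = list(parse(today_text))

    # which source addresses were used by more than one account today
    users_per_ip = defaultdict(set)
    for _, user, ip, _ in today:
        users_per_ip[ip].add(user)

    findings = []
    for ts, user, ip, service in today:
        reasons = []
        if ip not in baseline[user]:
            reasons.append("new-source-for-user")
        if is_residential(ip):
            reasons.append("residential-isp-space")
        if len(users_per_ip[ip]) > 1:
            reasons.append("shared-source-across-users")
        if reasons:
            findings.append({"ts": ts, "user": user, "ip": str(ip),
                             "service": service, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_logins(HISTORY_LOG, TODAY_LOG):
        print(f"{f['ts']} {f['user']:10} {f['ip']:15} {f['service']:12} {', '.join(f['reasons'])}")
```

A login carrying all three reasons (new for the user, consumer ISP space, and shared with another account the same day) is the pattern the quoted official describes; a single new address with no other signal is usually just travel or a home ISP change, which is why the reasons are kept separate rather than collapsed into one score.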

Bogeyman

MIVD reveals Chinese espionage methods in the Netherlands​



The Military Intelligence and Security Service (MIVD) has exposed Chinese cyber espionage in the Netherlands. The agency discovered advanced Chinese malware that makes this possible. A Chinese state actor is responsible for this. The MIVD determines this based on its own intelligence.


China uses this type of malware for espionage on computer networks. The malware is used in systems (FortiGate) of the Fortinet company, which allow computer users to work remotely. Fortinet provides this cybersecurity worldwide.
The MIVD found the malware on a separate computer network in the armed forces last year. This was used for unclassified Research and Development (R&D). Because this system was self-contained, it did not cause damage to the Defense network.
“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said Defense Minister Kajsa Ollongren. “In this way we increase international resilience against this type of cyber espionage.”
The MIVD shares information about the incident and the characteristics of the malware on the website of the National Cyber Security Center (NCSC). This allows users of the FortiGate system to determine whether they have become a victim. They can also take measures to defend themselves.

Backdoor​

The malware found installed a 'backdoor' by taking advantage of a known vulnerability in FortiGate devices. The MIVD publication therefore does not describe any new vulnerability in all FortiGate devices.

Information for users​

The MIVD asks organizations that find this malware to report to the NCSC. This way, the Chinese espionage campaign can be countered.

Bogeyman

Attachments

  • aa24-038a-jcsa-prc-state-sponsored-actors-compromise-us-critical-infrastructure_0 (1).pdf

Bogeyman

Director Wray's Remarks at the Munich Security Conference​

Christopher A. Wray
Director
Federal Bureau of Investigation

Munich, Germany

February 15, 2024

Remarks as prepared for delivery
It’s an honor to join all of you here today.
For the past decade, this conference has given leaders from around the world and throughout industry, academia, and government the chance not just to talk about some of the biggest challenges we face—in other words, to share the bad news about the threats we’re all seeing—but also to discuss the solutions we’ve identified for overcoming those threats—to share the good news about our way forward.
So, I’m going to do a little of both and take you through what we at the FBI are seeing—both the good and the bad. And because a speaker should always be kind to his audience, I’m going to start with the good news.

What Success Looks Like
As everyone in this room knows, today’s threat environment is constantly evolving—and it’s more severe and more complex than ever before. That’s especially true when it comes to the battles being waged in cyberspace. But the good news is, we’ve learned what success looks like—because we’ve lived it, together.
For the past several years, the Bureau has been laser-focused on what I consider one of our most valuable tools, and the core of our cyber strategy, leading joint, sequenced operations, conducted with our partners—many of whom are in this room today—and designed to maximize impact on our adversaries.
And I want to take a moment to reflect on and highlight some of those successes.
I’m talking about things like Operation Medusa, a joint, sequenced operation that included using sophisticated technical means to force Snake—the Russian FSB’s most sophisticated malware—to effectively cannibalize itself. We took down Snake in over 50 countries with the help of our U.S. and more than half a dozen foreign partners.
Another example: the year-and-a-half-long campaign we waged—with our European partners—to hack the hackers of Hive, a ransomware group targeting hospitals, schools, and emergency services, whose servers and websites we seized and shut down—and whose victims we saved from tens of millions in ransom payments.
Or how about the joint, sequenced operation that dismantled Genesis Market? Where working with our law enforcement counterparts in a dozen nations, we accomplished our biggest takedown ever of criminals dealing in stolen digital credentials.
And just this morning, we announced yet another success, Operation Dying Ember, where working with our U.S.—and, again, worldwide law enforcement partners—we ran a court-authorized technical operation to kick the Russian GRU off well over a thousand home and small business routers, and lock the door behind them, killing the GRU’s access to a botnet it was piggybacking to run cyber operations against countries around the world, including America and its allies in Europe.
With these operations, and many more like them, we’ve set our sights on all the elements that we know from experience make criminal organizations tick: their people—a term we define broadly to include not just ransomware administrators and affiliates, but their facilitators, like bulletproof hosters and money launderers; their infrastructure: their servers, botnets, etc.; and their money, the cryptocurrency wallets they use to stash their ill-gotten gains, hire associates, and lease infrastructure.
Because we don’t just want to hit them—we want to hit them everywhere it hurts, and put them down, hard.

Importance of Global Partnerships
Now, you might have noticed a common theme as I rattled off those successes, and that’s how heavily we rely on our partners—both at home and overseas—to get the job done. Because as everyone here knows, none of us can go it alone.
The bad guys aren’t constrained by international borders, so we shouldn’t be, either.
At the Bureau, we’ve been doubling down in particular on our work with the private sector, in their capacity as victims of cyberattacks, of course, because the mission of the FBI always has been—and always will be—victim-centric—but also as integral partners, who can share valuable information about threats and trends, and, increasingly, join in our operations themselves.
Of course, our closest partners remain our intelligence and law enforcement colleagues in the U.S. and abroad. And I firmly believe one of the things that gives us a competitive advantage over our adversaries—authoritarians, criminals, and the toxic blend of the two—is that in those agencies we have real partners, partners who collaborate, not because they have to, but because they want to, out of shared values and a shared commitment to the rule of law.
To keep those partnerships strong, the FBI relies on our global presence.
Our broad, international footprint includes nearly a hundred satellite offices, providing coverage for more than 180 countries, territories, and islands around the world. And within many of those offices, our dedicated and quickly-expanding cadre of cyber assistant legal attachés work side-by-side with their host-nation counterparts to combat cyber threats—and I mean side-by-side literally, often at desks in our partners’ space, right next to them. Our Cyber Action Team and a host of experts also stand ready to deploy to critical cyber incidents at a moment’s notice, as they did not long ago when they helped a NATO ally determine a cyberattack targeting critical public infrastructure had originated in Iran.
When you put all of that together, you’ll find we’ve got a pretty formidable arsenal that arms our partnerships and enables the joint, sequenced operations that represent success across the world.

The China Threat
So, that’s the good news—and I’d love to be able to stop there and tell you I’ve only got good news to share. But that’s not really what people expect when they invite the FBI Director to speak—and I’d hate to disappoint you all today.
So, let’s get to the bad news.
The bad news is that while all of us have gotten a lot better at working together to combat the cyber threat, our adversaries have also been improving exponentially—and the world has become more dangerous than ever.
It won’t surprise any of you to hear that chief among those adversaries is the Chinese government, which has continued to attack the economic security, national security, and sovereignty of rule-of-law nations worldwide. The cyber threat posed by the Chinese government is massive. China’s hacking program is larger than that of every other major nation, combined. And that size advantage is only magnified because the PRC uses AI—built in large part on stolen innovation and stolen data—to improve its hacking operations, including to steal yet more AI tech and data.
But the PRC cyber threat is made even more harmful by the way the Chinese government combines cyber means with traditional espionage and economic espionage, foreign malign influence, election interference, and transnational repression. In other words, the CCP is throwing its whole government at undermining the security of the rule-of-law world. It’s hitting us indiscriminately, like in the so-called “Hafnium” Microsoft Exchange hack, where the PRC compromised managed service providers, hitting tens of thousands of victims.
And not just in the United States, but in countries all over the world.
You’ll note a theme here, in the tools Beijing uses and who it uses them against. China doesn’t partner—it bullies, and it bullies targets at every level—from individuals, to businesses and organizations, to governments. The PRC uses cyber as one of its means to that end.
Your country won’t toe Beijing’s line, and insists on standing up for freedom of association and expression, or for your partners?
You might just find illegal PRC police stations in your territory, or MSS officers in China threatening your free-thinking students’ grandparents back home. You might find your companies harassed and hacked, targeted by a web of corporate CCP proxies. You might also find PRC hackers lurking in your power stations, your phone companies, etc., poised to take them down when they decide you stepped too far out of line, and that hurting your civilian population suits the CCP. And that targeting of our critical infrastructure is something I want to take a minute to address.
It’s certainly not anything new.
In fact, China-sponsored hackers pre-positioned for potential cyberattacks against U.S. oil and natural gas companies way back in 2011. But these days, it’s reached something closer to a fever pitch. What we’re seeing now, is China’s increasing buildout of offensive weapons within our critical infrastructure, poised to attack whenever Beijing decides the time is right.
Take, for instance, persistent PRC access the U.S. found in our critical telecommunications, energy, water, and other infrastructure. China-sponsored hackers known as Volt Typhoon were hiding inside our networks, lying in wait for the moment China might choose to use their access to hurt American civilians. And while many of you may have seen the Volt Typhoon story as one about the PRC targeting the United States, in fact their targets spanned the globe—which shouldn’t be surprising, because in hack after hack, for years, we’ve seen the PRC hitting our partners around the world.

Now working with our partners, the FBI was able to shut down Volt Typhoon’s access through yet another one of those joint, technical operations we talked about a few minutes ago.
But there’s a lot more PRC cyber threat—in a lot more places—out there. And we’re only going to be able to battle back effectively if we do it together. Of course by “we,” I’m referring to rule-of-law nations united against criminality and abuse. I know there are some representatives of the CCP walking around town. But I don’t mind them knowing we’re onto them.

Other Cyber Threats
Of course, everyone here is well aware China is not the only adversary we’re up against.
Russia, Iran, and North Korea are also determined to use cyber means to take aim at things we all hold sacred—our freedoms, prosperity, and democratic norms.
Take for instance, the 2022 cyberattack by an Iranian-sponsored group on a children’s hospital in the United States, one that showed a callous—and, frankly, despicable—disregard for the safety of the most vulnerable among us.
Or consider Russia’s continued targeting of critical infrastructure—including underwater cables and industrial control systems both in the United States and around the world. For instance, since its unprovoked invasion of Ukraine, we’ve seen Russia conducting reconnaissance on the U.S. energy sector. And that’s a particularly worrisome trend because we know that once access is established, a hacker can switch from information gathering to attack—quickly and without notice.
After all, Russia has made murder, rape, and mayhem its stock in trade.
So, no one should question its continuing willingness to launch destructive cyberattacks before and during military conflict.

Conclusion
There’s no doubt we’re up against daunting threats, and adversaries growing more sophisticated and dangerous every day.
That’s the bad news.
But everyone in this room—across government, academia, and the private sector—has the opportunity to stand together. And we’ve proven what we can accomplish together when we do.
That’s the good news.
We can make joint use of our collective expertise, capabilities, and authorities. And we should remember and capitalize on what sets us apart from our adversaries—our mutual trust, our shared values, and our desire to work together to keep people safe. That is how we’re going to stay ahead of the cyber threat. And at the FBI, we’re honored to stand alongside you in this fight.
Bogeyman

‘Major Chinese hack’ on Foreign Office urgently investigated by UK spies​



Anonymous dump of internal files said to be from a Shanghai-based surveillance company shows a list of targets in Whitehall

A major Chinese data leak has revealed apparent evidence of an industrial-scale attempt to hack UK government departments and other Western targets.

The anonymous dump of internal files, purportedly from a Shanghai-based commercial surveillance company, shows a list of targets in Whitehall, including the Foreign Office.

The documents, which are all in Mandarin, are currently being assessed with urgency by UK intelligence agencies, i can reveal.

It is unclear who is behind the leak or the alleged hacking attempts, but if confirmed it would be the latest example of Chinese attempts to infiltrate the UK government.

A list of UK targets from the Chinese hack includes Whitehall departments and think tanks.

Sam Dunning, director and founder of UK-China Transparency, told i the leak “appears to be genuine”.

He said: “The leak highlights how the Chinese Communist Party has nourished an industrial hacking ecosystem in China, where cyber privateers compete with one another to hoover up foreign data for the state.”

i has attempted to verify the documents, including identifying and contacting the alleged CEO of the surveillance company, which is called iSOON.

The documents allege iSOON has been contracted as a hacker-for-hire by the Chinese state, attacking high-profile targets such as Nato and the UK’s National Crime Agency.

Established in 2010, iSOON – otherwise known as Axun – claims to provide security consulting, including attack and defence cyberspace strategy. It has provided national training programmes on network security and received commendations from the Chinese Communist Party (CCP) for its contributions.

One of the ‘battery packs’ hackers allegedly use to remotely infiltrate mobile phones

In 2019 the firm was selected as one of the first units installed by China’s Cyber Security Bureau at the Ministry of Public Security.

The leak shows a list of several UK government departments – including the Cabinet Office, Home Office, and Foreign Office – with a question from an unknown client if the Chinese firm can “take it down”.

Apparent iSOON employee chat files in the leak mention planned hacks on UK government agencies, think tanks and charities, such as Chatham House and Human Rights Watch.

The alleged files show hackers found a vulnerability in a Foreign Office system, which had been identified as a priority target. Speaking with a fixer for an unknown client in Chongqing – a city in Sichuan province administered by the Chinese government – an iSOON employee asks: “What did you say was needed from the people interested in the UK? Is the Foreign Office their priority?”

The fixer replies, saying it’s the “first choice” and they will “definitely buy it if we secure it.” The iSOON employee then says they have identified a zero-day vulnerability – a weakness that has been found but is not yet fixed – in the Foreign Office systems and they can have the data in two weeks.

UK intelligence agencies are currently verifying and analysing the documents. A UK intelligence source told i that several agencies were currently working to translate the leak, check its authenticity, and patch any potential vulnerabilities it exposes in UK infrastructure.

The leak was anonymously posted on GitHub, where it was picked up and shared by Azaka Sekai, a Taiwanese security researcher.

The trove of documents includes presentations from the Chinese firm detailing its intrusive spyware capabilities.

These include social media spying tools for monitoring Chinese dissenters, malware for various platforms including Microsoft Exchange and Apple, and devices disguised as battery packs to infiltrate mobile phones using a shared Wi-Fi connection.

iSOON claims it can target Android and iOS devices to obtain a large amount of information, including GPS data, contacts, media files, and real-time recordings.

The documents also show the tools the firm used to monitor personal information using Chinese social media platforms such as Weibo, Baidu and WeChat. Another file listed “confidential” names, dates of birth, job title, and security classification. The names on the list were all recorded as being Chinese nationals.


In an attempt to verify the documents, i ran tests to analyse some of the images included in the leak. One screenshot shows a link used to transfer documents, images or videos using an encrypted and secure platform. Another shows the email address of a professor at Chiang Mai University.

Many of the profile images in the screenshots of conversations are of animals or cartoons, something not uncommon on Chinese social media. Profile images that do feature people’s faces were too low-quality and small to run through a reverse image search – a type of search that detects whether an image has been previously uploaded online.

Attempts by i to contact the owner of the iSOON website via email and Skype have not yet received a response.

Details of iSOON’s capabilities with infiltrating Windows

 
