Cyber Security Intelligence


February Newsletter #4 2015

NSA Surveillance Software Infecting Thousands of Computers Worldwide?

A sophisticated spying campaign infected tens of thousands of computers worldwide with surveillance software, some embedded in hard drives, according to a report from a cybersecurity company that points toward the US National Security Agency.

The malware was found in 30 countries, including Iran, Russia, China, Afghanistan and Pakistan, and targeted governments and diplomatic institutions, military, Islamic activists and key industries such as telecommunications, aerospace, energy, financial institutions and oil and gas, Kaspersky Lab Inc., a Moscow-based cybersecurity company, said in a report released recently.

The group's ability to infect hard-drive firmware "exceeds anything we have ever seen before," the company said. Kaspersky named the perpetrators the Equation Group.

Kaspersky didn't explicitly identify the group as being affiliated with the NSA. "However," said Costin Raiu, director of Kaspersky's global research and analysis team, "to achieve this level of sophistication you need a lot of resources and money. We are not seeing any kind of obvious financial theft associated with this operation so they have to be nation-state sponsored."

It used malware that was later found to be part of the Stuxnet computer worm, which was used in 2010 to cripple Iran's nuclear program and is widely believed to have been deployed by Israel and the NSA.

US intelligence agencies use techniques identified in the report, such as implanting malware on hard-drive firmware, to go after a limited number of high-value targets judged to be a threat to national security, according to two US officials who weren't authorized to speak on the record.

Snowden Leak

The NSA intensified its communications surveillance programs after the September 11th 2001 terrorist attacks on New York and Washington. Some details were disclosed in classified documents leaked by fugitive former contractor Edward Snowden, unleashing an international uproar. Congress has considered but failed to pass legislation to curb the NSA's collection of bulk telephone calling and other electronic data.

The Equation Group is "one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen," Kaspersky said.

There are several other ways the group infects computers, including through CD-ROMs, USB sticks and Web-based exploits, Kaspersky said in the report. The most sophisticated weapon in the group's arsenal, however, is the ability to infect the hard drives. Kaspersky said the spy code was found in products made by Western Digital Technologies Inc., Samsung Electronics Co. and Seagate Technology Plc.

Western Digital is reviewing the technical findings of the report and takes "such threats very seriously," said a company spokesman, Steve Shattuck, in an e-mail. "Prior to the report, we had no knowledge of the described cyber-espionage program," he said.

Clive Over, a spokesman for Seagate, said the company has no specific knowledge of any third parties accessing its drives.

Computer products also appeared to be intercepted while being shipped and implanted with malware, Kaspersky said. A little-known unit within the NSA known as Tailored Access Operations has covertly intercepted computers, routers and software being shipped in order to install spying tools allowing for the secret surveillance of targets, according to one document leaked by Snowden.

Who are the most notorious hacking groups?

The hacking group known as Lizard Squad has been making quite a nuisance of itself, claiming responsibility for both an attack on the Malaysia Airlines website that resulted in users being redirected to a page bearing the headline "404 – plane not found", and an alleged DDoS attack on Facebook that temporarily took the website offline.

Facebook has denied being hacked, claiming the 40-minute outage was due to a change that affected its configuration systems. Meanwhile, Malaysia Airlines assured customers and clients that its website had not been hacked, and that only the domain name had been temporarily redirected to another site.

Lizard Squad is a group of hackers that has gained notoriety for attacking a number of major technology companies including Sony, Microsoft and Facebook. The group first came to the world's attention in August 2014 when it began attacking a range of online games, including League of Legends and Destiny. This was followed by more high-profile attacks on Sony's Playstation Network and Microsoft's Xbox Live in August and December.

Lizard Squad appears to have a particular vendetta against Sony. In August 2014, for example, Lizard Squad tweeted a threat against an airliner on which Sony's president of online entertainment was travelling. The plane ended up making an emergency landing. The group also claims to have affiliations with the Islamic State (ISIS). During the Malaysia Airlines website attack, it described itself as the "Cyber Caliphate" (the hacking wing of Islamic State). It also planted the ISIS flag on Sony's servers in August.

While the motivation behind Lizard Squad's attacks may appear to be political, the main purpose is to publicise the group's hacking tool, known as Lizard Stresser. It is thought the link to ISIS could therefore be a ploy to get more coverage by the media.

Anonymous is perhaps the most notorious of all hacker groups. It is a decentralised online community of tens of thousands of anonymous 'hacktivists', who use their combined computer skills to attack and bring down websites as a form of protest. The group became known for a series of attacks on government, religious, and corporate websites. It has attacked the Pentagon, threatened to take down Facebook, threatened Los Zetas, the Mexican drug cartel, and declared war on Scientology.

In 2010, Anonymous launched Operation Payback, after several companies including Visa, MasterCard and PayPal refused to process payments to WikiLeaks. It also publicly supported the Occupy Wall Street movement in 2011, attacking the website of the New York Stock Exchange.

Since 2009, dozens of people have been arrested for involvement in Anonymous cyber attacks, in countries including the US, UK, Australia, the Netherlands, Spain, and Turkey. Anonymous generally protests these prosecutions and describes these individuals as martyrs to the movement.

LulzSec (an abbreviation of Lulz Security) was originally formed as a spinoff from Anonymous, following the HBGary Federal hack in 2011. It consisted of seven core members, and its motto was: "Laughing at your security since 2011". The group's first attack was against, leaking several passwords, LinkedIn profiles, and the names of 73,000 X Factor contestants. It went on to compromise user accounts from Sony Pictures in 2011, and take the CIA website offline in the same year.

LulzSec gained attention due to its high profile targets and the taunting messages it posted in the aftermath of its attacks. Some experts characterized its attacks as closer to Internet pranks than serious cyber-warfare, but the group itself claimed to be capable of stronger attacks.

In June 2011, LulzSec released a '50 days of Lulz' statement, in which it announced the operation was disbanding. However, the group committed another hack against newspapers owned by News Corporation on 18 July, defacing them with false reports regarding the death of Rupert Murdoch.

The Syrian Electronic Army (SEA) is a group of computer hackers who claim to support the government of Syrian President Bashar al-Assad. It mainly targets political opposition groups and Western websites including news organisations and human rights groups.

Digital Future: UK Government is preparing for Robot Takeover

A report released today by the House of Lords Select Committee on Digital Skills has called on the incoming government to take seriously the threat of robots to the British economy. The report, Make or Break: The UK's Digital Future, warns that automation could put 35% of UK jobs at risk over the next 20 years. Workers at most risk include those working in transport, logistics, administration, sales and construction. Taxi and bus drivers were singled out as being at risk from driver-less car technology.

The Committee notes that for net job loss on a large scale to be avoided, a substantial number of more skills-intensive jobs will have to be created:

"In the past, workers have adapted to technological revolutions by acquiring new skills. To manage the coming transition successfully, an overhaul of the skills of the entire population is crucial."

UK announces the creation of the 77th battalion, a cyber unit for soldiers familiar with social media

The documents leaked by Edward Snowden demonstrate that the NSA and its allies are now preparing for future dominance in cyberspace. Cyberspace is a strategic domain for modern warfare; for this reason, the British Government has decided to create a new cyber unit composed of cyber experts, so-called "Facebook Warriors", which will "wage complex and covert information and subversion campaigns".

According to the Financial Times, the new cyber unit will be named the 77th battalion because of the name's historical significance.

"The original Chindits [77th battalion] were a guerrilla unit led by the swashbuckling British commander Major General Orde Wingate, one of the pioneers of modern unconventional warfare. They operated deep behind Japanese lines in Burma between 1942 and 1945 and their missions were often of questionable success," reported the Financial Times.

The group will use social networks like Facebook and Twitter to monitor their opponents, the information they produce and to run PSYOPs.

The British army will assign more than 1,500 specialists to the new troop that will use popular social networks to spread disinformation, run intelligence operations and disclose real war truths.

The 77th battalion will reportedly begin its activity in April 2015. The decision of the British Government to create the 77th battalion cyber unit follows a similar initiative of other governments that are using social networks to run cyber espionage campaigns, spread disinformation or influence the human sentiment about specific topics.

As reported by the Guardian, both the Israeli and US army have already dedicated internal staff to psychological operations run through social networks. An Israel Defense Force spokesperson revealed that the IDF used 30 different social media sites in several different languages during Operation Cast Lead in an effort to "engage with an audience we otherwise wouldn't reach."

Understanding digital intelligence from a British Perspective

Opinion by Matthew Waid

The Snowden revelations revealed much that was never intended to be public. But to understand them they must be seen in their context, of a dynamic interaction over the last few years between the demand for intelligence on the threats to society and the potential supply of relevant intelligence from digital sources. All intelligence communities, large and small, and including those hostile to our interests, have been facing this set of challenges and opportunities.

First let's look at the challenge of meeting insistent demands for secret intelligence. For the UK this is, for example, to counter cyber security threats and provide actionable intelligence about the identities, associations, location, movements, financing and intentions of terrorists, especially after 9/11, as well as dictators, insurgents, and cyber, narco and other criminal gangs. The threats such people represent are real and in many respects are getting worse and spreading.

These demands for intelligence have coincided with a digital revolution in the way we communicate and store information. The Internet is a transformative technology, but is only viable because our personal information can be harvested by the private sector, monetized and used for marketing. So the digital age is able to supply intelligence about people, for example by accessing digital communications, social media and digital databases of personal information. And for intelligence communities, new methods of supply call forth new demands from the police and security authorities that could not have been met before the digital age. And their insistent demands for intelligence to keep us safe call forth ever more ingenious ways of extracting intelligence from digital sources.

For the democracies (but not for others such as the Russians and Chinese), there is an essential third force in operation: applying the safeguards needed to ensure ethical behaviour in accordance with modern views of human rights, including respect for personal privacy. For the UK, the legal framework for GCHQ is given in:

The Intelligence Services Act 1994 Article 3 confers on GCHQ the functions of intelligence-gathering and information assurance with the sole purposes of national security, prevention and detection of serious crime and safeguarding the economic well-being of the UK from actions of persons overseas; Article 4 relates to obtaining and disclosing information.

The Regulation of Investigatory Powers Act 2000 outlines the powers of the Secretary of State to issue a warrant to make interception legal.

The Human Rights Act 1998, which incorporates a 'necessity and proportionality' test into everything GCHQ does.

Like some elementary experiment in mechanics the resultant of these forces of demand, of supply and of legal constraints and public attitudes will determine the future path of our intelligence communities.

Into that force field blundered the idealistic Edward Snowden, the Wikileaks-supporting information campaigners Poitras and Greenwald, plus a posse of respectable journalists.

Some are tempted to see Snowden as a whistleblower. But he certainly did not meet the three essential conditions for a legitimate whistleblower as far as the UK is concerned. He did not expose UK wrongdoing, he did not exhaust his remedies before going public, and he did not act proportionately by stealing and leaking so many secrets (including 58,000 British intelligence top-secret documents) to make his main case against the US National Security Agency's collection of metadata on the communications of US citizens.

Close examination has shown that there is no scandal over illegal interception, or other unlawful intelligence activity, by GCHQ. The three elements of the 'triple lock' on GCHQ's activities – the Foreign Secretary's authorisations, the oversight by the Parliamentary Intelligence and Security Committee (ISC), and the legal compliance by the independent UK Interception Commissioner and the independent Investigatory Powers Tribunal – have each separately concluded everything GCHQ does is properly authorized, and legally properly justified, including under Article 8 of the European Human Rights convention regarding personal privacy.

The documents from these different oversight bodies are well worth reading for the unparalleled detail they provide into how interception by the UK authorities is authorized, carried out and audited so as to be always within the law:

The Home Secretary has also described her role in authorizing legal interception of UK communications, including by GCHQ, here.

The inescapable conclusion from these documents is that GCHQ operates entirely within the law, including the 1998 Human Rights Act and therefore the European Charter of Human Rights in respect of freedom of expression and personal privacy.

What Snowden and his supporters have failed to do therefore is to distinguish between bulk access by computers to the Internet, which the US and UK, France, Germany, Sweden and many other nations certainly do have, and so-called 'mass surveillance'. Mass surveillance implies observers who are monitoring the population or a large part of it. As the ISC, the UK Interception Commissioner and the IPT confirm, no such mass surveillance takes place by GCHQ; it would be unlawful if it did.

We would be well advised not to have blind trust in the benevolence of any government. 'Trust but verify' should be the motto. With increasingly robust executive, Parliamentary and judicial oversight and publication of the results of their work we can and must ensure those tools will only be used in lawful ways that do not infringe beyond reasonable necessity our right to privacy for personal and family life or impose unconscionable moral hazard.

Cybercrime and the value of personal data

Put simply, the underground economy is a collection of forums, chat rooms and custom-made websites that are all designed to facilitate, streamline and industrialize cybercrime. It's within these communities that cybercriminals gather to trade tools, services and victims' credentials.

There are various ways to obtain credentials. Some options are phishing attacks, Trojan horses and hacking into an online company database. Credentials can also be obtained through real-world activities like credit card skimming or infecting point-of-sale devices with malware.

Identity thieves operate with one thing in mind, and that is to make money. Any account type that can be cashed out in order to rake in a profit for the fraudster is a legitimate target. As hackers are always on the lookout to generate new means of income, demand may rise in the underground for new accounts and new credentials over time, which puts users at a constant risk of being targeted.

Android malware fakes phone shutdown then steals data

Next time you turn off your Android phone, you might want to take the battery out just to be certain. Security vendor AVG has spotted a malicious program that fakes the sequence a user sees when they shut off their phone, giving it freedom to move around on the device and steal data.

When someone presses the power button on a device, a fake dialog box is shown. The malware then mimics the shutdown animation and appears to be off, AVG's mobile malware research team said in a blog post.

"Although the screen is black, it is still on," they said. "While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user."

The malware requires an Android device to be "rooted," or modified to allow deep access to its software. That may eliminate a lot of Android owners who don't modify their phones. This malware is unlikely to show up in Google's Play Store, since Google tries to block applications that have malicious functions. But it could be a candidate for one of the many third-party app stores with looser restrictions.

Are Cyber War & Cyber Terrorism Insurable?

The frequency of cyber war and terrorism is no longer the risk. The magnitude of the potential damages is the real threat.

It's conceivable that an enemy of the US government could hack a US energy, water, or fuel distribution system causing loss of life, severe physical damage to property, or insurmountable financial damage to a non-government business. In 2007, the Department of Homeland Security conducted the "Aurora Generator Test" involving the turbine of an electricity generator that burst into smoke in the Idaho National Laboratory, ultimately causing failure of the device. Engineers determined that by simply changing the operating cycle of a power generator remotely via computer, the turbines could catch fire, eventually destroying the machine. For a public or private company, the concern is whether a cyberattack on the US government causing ancillary damage is insurable under a cyber liability insurance policy. The answer is not black and white.

Although the government's definitions of cyber war and cyber terrorism are limited in scope to attacks on the US government, the government's definitions are a useful resource in analyzing whether a war and terrorism exclusion would apply to bar coverage to a public or private company under a cyber liability policy.

At a cybersecurity insurance workshop hosted by the Department of Homeland Security's National Protection and Programs Directorate, the majority of attendees believed that "catastrophic" cyber risks that the federal government should be responsible for are currently uninsurable. Before denying coverage under a terrorism and war exclusion, carriers must evaluate, among other things, whether: 1) it's clear that an act of terrorism or war has occurred, and 2) a more specific exclusion addressing cyber terrorism or war is included in the policy. Yes, the United States is able to pinpoint the origination of a cyberattack by a foreign enemy, but will cyber liability insurance cover the risk of loss?

This issue has no simple conclusion given the increased frequency and severity of cyberattacks. Courts are faced with the challenge of interpreting whether a war and a terrorism exclusion limits coverage under a cyber liability policy when a foreign enemy attacks the US government, causing damage to a public or private company. If a company has a cyber liability policy, the prudent course of action is to negotiate the inclusion of cyber war and terrorism coverage to avoid the risk of loss from the secondary physical or financial damage to a public or private company caused by a war or terrorist act on the US government.

Dramatic Improvement in Intelligence Sharing Because of ISIS

European countries are voluntarily providing the United States with large amounts of information about their citizens, particularly as those citizens attempt to travel, the nation's top counterterrorism official said.

Compared to the summer of 2013, US intelligence professionals have seen a "pendulum swing" in the willingness of European law enforcement to share information with the United States on European citizens, said Nicholas J. Rasmussen, director of the National Counterterrorism Center, or NCTC, on Wednesday.

Things have turned around since summer 2013, when NSA contractor Edward Snowden first disclosed some of the nation's closely kept secrets on surveillance capabilities. Rasmussen said that "the politics are difficult for some of our European partners" but tracking Islamic State fighters, or ISIS, has become a priority.

Rasmussen, before the House Committee on Homeland Security, said that European partners continue to differ from US counterparts on the issue of bulk metadata collection. But European reservations about data sharing in more targeted investigations had "seen a dramatic improvement," particularly in populating the NCTC's database, called the Terrorist Identities Datamart Environment, or TIDE. It is one of the key person-of-interest watch lists that the US and other countries use to track potential or suspected terrorists.

Thanks in part to better collaboration, he said, the Turkish "banned from entry list" now includes 10,000 individuals who are primarily European citizens. Turkey is seen as the most direct route that foreign fighters in Europe use to join ISIS in Iraq and Syria.

More than 20,000 fighters have flocked to Syria and Iraq to join ISIS, including 3,400 from Western countries and 150 Americans, according to previously-submitted written testimony from Rasmussen, first obtained by the Associated Press.

Many security experts and even some Navy SEALs argue that encryption keeps the nation safer from cyber attacks by keeping user information more secure.

Big Money: The US Intelligence Budget

The US intelligence budget has two major components: the National Intelligence Program and the Military Intelligence Program. The National Intelligence Program includes all programs, projects, and activities of the intelligence community as well as any other intelligence community programs designated jointly by the DNI and the head of department or agency, or the DNI and the President.

The MIP is devoted to intelligence activity conducted by the military departments and agencies in the Department of Defense that support tactical US military operations. In addition, other departments and agencies may engage in certain activities related to intelligence for their own mission needs that are not captured here.

The amounts spent from 2007 to 2014 are as follows:

South Africa: Serious about cyberwarfare

Shortly after 9/11, the South African government introduced measures to fight terrorism in the country, including a Bill allowing the monitoring and interception of communications. It became the Regulation of Interception of Communications and Provision of Communication-Related Information Act (Rica) of 2002. It replaced the Interception and Monitoring Prohibition Act of 1992, which did not deal adequately with technological advances.

Rica regulates interception of communications, including Internet traffic, making it illegal for communications to be intercepted except according to the Act. This provides for a designated judge to issue interception directions requested by the defence force, intelligence services or police, on crime-related or national security grounds and then interception directions are undertaken by the Office of Interception Centres (OIC).

The Act requires all communications networks to be capable of surveillance. It places the obligation on all service providers to assist the state in monitoring and intercepting communications. It obliges service providers to store communication-related information at their own expense. All cellphone users must register their SIM cards and provide proof of residential address and identity numbers.

But, argues Privacy International, the grounds for issuing interception directions are too vague: the judge merely needs to be satisfied there are reasonable grounds to believe an offence has been, is being or will be committed. This may not be constitutional: it allows law enforcement officers to speculate.

There is no provision in the Act for people whose communications have been intercepted to be informed once the investigation is completed, or if the judge turns down the application for an interception.

A key flaw in South Africa's law is lack of public oversight. The public is provided with too little information to monitor whether the Act is achieving its intended results: to fight off genuine threats to national security.

Significantly, the Act does not cover intelligence from foreign signals, or intelligence derived from communication from outside South Africa, whether it passes through or ends in the country. These signals can be intercepted without a direction.

These developments strongly suggest that South Africa is serious about developing its cyberwarfare capabilities, and is willing to put copious resources into this effort, in spite of the dubious reasons for doing so.

Jane Duncan is a professor in the department of journalism, film and television at the University of Johannesburg. This is an edited extract from her new book The Rise of the Securocrats: The Case of South Africa, published by Jacana Media.