CIA Concludes Russia was behind NotPetya

This week the CIA revealed that it believes Russia was behind the NotPetya attacks that hit in June 2017. The attackers used an attack vector known as a “watering hole”: they infect a website that they know their targets will be visiting.

In the case of NotPetya the website was a Ukrainian site that deployed updates for tax and accounting software. Once the malware had been deployed it appeared to be a ransomware attack. But unlike WannaCry, NotPetya wiped and erased all information on the infected system. This means the attackers were not after money. It was a disruptive nuisance attack that could potentially have erased a large amount of sensitive data.

There has been increasing tension between Russia and Ukraine, and considering that Russia has increased its level of aggression in recent months, it comes as no surprise that they have begun launching cyber attacks on this scale.



PLA Unit 61398 – Who are they?

PLA Unit 61398 is the Chinese cyber-warfare unit, although there is very little published about their clandestine operations. In a country as secretive as China, it is to be expected that they would keep this group relatively secret.

In 2013 the American security firm Mandiant released a report highlighting PLA Unit 61398 and suspecting them of launching attacks on the US. Their targets are not only governmental and federal organisations, but also private sector businesses.

The types of attacks carried out by this group range from advanced persistent threats to the deployment of malware. It is hard to find an accurate figure on the number of attacks carried out by this group, as they wish to remain secretive. It is understandable that China’s offensive cyber unit does not want to take credit for every attack they have carried out.

That being said, they have been accused of a number of attacks over the years. There is speculation around the group’s involvement in Operation Shady Rat; this attack is said to have affected more than 70 organisations including the United Nations and the US Government.
There are also other reports that suggest that the number of organisations attacked by this group is in the thousands. Through further investigation it appeared as if most of these attacks are carried out during working hours in Beijing’s time zone; although this is not concrete evidence, it allows for further speculation about the attackers’ location. And the somewhat regimented hours these attacks are carried out in lead me to believe that, although it could be a well-structured group of hackers, it is much more likely that this organisation is official or governmental.

Will any more of the activities carried out by this group hit the headlines, or will it all merely remain speculation and accusations?



Why WannaCry Killed Ransomware

When WannaCry hit, the effect it had on such a wide range of individuals was almost unprecedented. And the aftermath has had a detrimental effect on future ransomware.

An attack on this scale not only brought a huge amount of media attention, but unlike many other virus attacks WannaCry became a household name. Not only was it affecting ATMs and the NHS, but other companies were forced to send staff home as they were unable to operate due to the virus.

Although the total amount paid to the attacker is still unclear, it is much less than it should have been. Due to security researchers’ speedy response, many affected users were able to avoid paying the hefty ransom. Unfortunately for any would-be cyber criminals, WannaCry appears to have killed ransomware as a viable option of attack.

Because of the publicity received by WannaCry, people were made aware of these types of attacks. And security vendors such as Bitdefender soon implemented an anti-ransomware feature into their products. This feature stops unauthorised applications from making changes to the computer in areas they have not been given permission to.

I personally feel that if WannaCry had not affected so many across the globe then ransomware would still be a relatively effective method of cyber-crime, but people’s awareness has become greater and security vendors have taken action. There are numerous sites on the internet offering guides on how to ‘defend’ against a ransomware attack, and the most common tip is to make regular backups. This method relies on the backup remaining unaffected by the virus, but ultimately it would allow the user to restore their system and avoid paying the fee.

Another solution that I have seen online is to use cloud-based services such as OneDrive and Google Drive. If a user’s personal data is backed up to a cloud service then in the event of a ransomware attack it will again remain unaffected.

Granted, the solutions mentioned are not the best method for a larger organisation, as cloud-based services could potentially be unviable depending on the size of the organisation. And to have a complete backup of every system within a large business is again not the easiest thing to achieve.

While there may be future ransomware attacks, hopefully the number affected next time around will be significantly less than with WannaCry. And my hope would be that with the increased publicity around ransomware, individuals and organisations have taken the steps and precautions to protect themselves and their systems from an attack of this nature.

Who are the Fancy Bears?

In recent years there have been a number of different hacktivism groups that have been floating around the news and the depths of the internet.

And while everyone has their own opinion of the actions carried out by these groups, some of them appear to have more depth to them than others.

The Fancy Bear group is somewhat of an enigma in regard to hacktivism, although their manifesto appears to offer a very clear and somewhat understandable objective.

“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bears’ international hack team. We stand for fair play and clean sport. ”

From the initial outset the Fancy Bear group appears to be after only one thing, and that is making sport clean and fair. And in recent years a huge amount of doping in sports has been in the tabloids, making their objectives relatable and arguably in the public interest.

But why would a group that appears to want to make sport clean and fair have alleged ties to the Russian Government? And why have they been accused of a number of hacks that do not appear to be related to sports in the slightest?

The list below is of attacks carried out by the Fancy Bear group that appear to have much greater political motivation than a group who just want to clean up sports.

  • German Attack (2014)
    • The Fancy Bear group is alleged to have carried out a 6 month cyber-attack on the German parliament that began in December 2015.
    • There is also further speculation that the Fancy Bears are responsible for a spear phishing campaign that targeted members of the German parliament.
    • There was a perceived threat to the coming 2017 German election, as the information acquired during the attacks might have led to manipulation of the general public’s opinions before the vote.
  • French Television Hack (April 2015)
    • In April 2015 there was a large-scale cyber-attack aimed at the French TV network TV5Monde. Initially the attack appeared to have been carried out by a group connected to the Islamic State.
      But these claims were soon dismissed by the French cyber-agency. They believed the attack had been carried out by the APT 28 group, otherwise known as the Fancy Bears.
  • Root9B Report (May 2015)
    • In May 2015 the cyber security firm Root9B published a report on the Fancy Bears. The report stated that they had discovered targeted spear phishing attacks against financial institutions.
      United Bank for Africa, Bank of America, TD Bank and the UAE Bank were all targeted, although security journalist Brian Krebs argued that the attacks may have come from Nigerian phishers.
  • EFF spoof, White House and NATO attack (August 2015)
    • The Fancy Bears are also known to have used a number of zero-day exploits in 2015. Their attacks initially targeted the Electronic Frontier Foundation and then the White House and NATO. Again a spear phishing campaign was used to direct emails to a fake URL.
  • Democratic National Committee (2016)
    • The Fancy Bears also carried out yet another spear phishing attack, this time on the Democratic National Committee in early 2016. The attack was carried out by phishing emails from 2008. Once the older accounts had been compromised the group was able to retrieve an up to date contact list with current members’ email addresses.
    • It was CrowdStrike that reported the Fancy Bears’ involvement in the attack, although a sole actor then came forward to take credit for the entire attack.
  • Ukrainian Artillery (2014-2016)
    • A report from CrowdStrike also presumes that between 2014 and 2016 the Fancy Bears launched a cyber-attack on the Ukrainian military. The attack was carried out using malware on Android devices.
    • The malware was a compromised version of an app used to control the targeting for the D-30 Howitzer artillery. They used the X-Agent spyware.
  • Windows zero-day (October 2016)
    • In 2016 Google’s Threat Analysis Group released a zero-day vulnerability in Microsoft Windows. This was later acknowledged by Microsoft Executive Vice President of the Windows and Devices Group Terry Myerson. The blog post he published acknowledged that the vulnerability had affected Adobe Flash and the down-level Windows kernel. It was Microsoft that suggested the Fancy Bears had been responsible for the attack. This was referenced by the use of Microsoft’s in-house name for the Fancy Bears, ‘STRONTIUM’.
  • Dutch Ministries (February 2017)
    • More recently, in February of 2017 the Dutch security services stated that the Fancy Bears had attempted several attacks with the goal of gaining access to the Dutch ministries.
  • German and French Elections (2016-2017)
    • Researchers from Trend Micro published a report in 2017 containing information regarding attempts made by the Fancy Bear group to phish people associated with both the German and French elections. They carried out the attack by creating fake email servers and then sending phishing emails with links to malware.

Source: Wikipedia, BBC News

Although the 9 attacks listed above are not all of the attacks that have been carried out by the Fancy Bears, they are the attacks that have no association with the world of sports and doping.

And the hacks relating to sports could be seen as something of a cover to dismiss the accusations that the Fancy Bears report to the Kremlin. This accusation has been floating around for a while, and when you think about a couple of the names the group has previously gone by, Threat Group-4127 sounds not only military but very aggressive.

Could it be that, as with a number of elections that appear to have been tampered with, the Russian Government is also attempting to control sports? Or could it be to get back at being banned from global events such as the Olympic Games?

Could that have been the trigger for the Fancy Bears to go after the rest of the world in an attempt to fight the system, so to speak? I personally believe this to be the case, and although the Russians may not want to be directly associated with the Fancy Bears, it is hard to ignore their choice of targets.