Dents in major cybercrime gang
With help from Eric Geller, Martin Matishak and Cristiano Lima
YOU’RE FIN-ISHED — European police have arrested three alleged senior members of the FIN7 hacking group, which was responsible for a string of major breaches at companies like Saks Fifth Avenue, Whole Foods and Chipotle, the DOJ announced Wednesday. In unsealing the indictments against the three Ukrainian nationals, U.S. officials described the arrests as a major step in one of the largest cybercrime cases in history.
“We are under no illusion that we have taken this group down altogether, but we have made a significant impact,” said Annette Hayes, the U.S. attorney for the western district of Washington, at a DOJ press conference.
Jay Tabb, special agent in charge of the FBI’s Seattle Field Office, said the FIN7 case was one of the FBI’s three biggest active hacking cases “in terms of loss, the number of victims, the global reach of it, and the size of the [cybercriminal] organization.” Two of the three alleged hackers remain overseas, while the third has already been extradited.
FIN7 is one of the best-known cybercrime gangs, famous for using malware known as Carbanak to open a backdoor into its targets’ systems. In a report published in sync with DOJ’s announcement, the security firm FireEye described FIN7 as innovative and highly successful.
“FIN7’s use of Carbanak is particularly notable due to their use of creative persistence mechanisms to launch the backdoor,” the company’s researchers wrote. In addition, FIN7 hackers have continuously redesigned Carbanak and their other tools to slip past antivirus software. Their spearphishing emails are also unusually high-quality. “Their phishing has often exploited urgent, high value business matters tailored to their chosen targets,” FireEye explained. “At individual stores, managers were contacted about lost items or sent a ‘receipt’ claiming overcharging.”
HAPPY THURSDAY and welcome to Morning Cybersecurity! Your MC host normally doesn’t care for parades, but perhaps I’ll make an exception. Send your thoughts, feedback and especially tips to [email protected], and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
POKING AROUND — A group of hackers is trying to access control systems at the nation’s electric utilities, in addition to its other targets in the U.S., Middle East, Europe and Asia. But while it is targeting these sensitive networks, “there is no current indication the group has the capability of destructive [industrial control system] attacks including widespread blackouts like those in Ukraine,” according to the security firm Dragos, which published a report on the group today. For now, Dragos said, the group has only been able to conduct “initial access operations” — intrusions into business systems, rather than control systems, “to prepare the way for later potential ICS events.”
The hacking team, which Dragos dubbed Raspite, uses infected websites to trick victims into opening a connection to its servers. Once it gains access, it steals Windows login credentials from across the compromised network. Raspite “uses common techniques,” Sergio Caltagirone, Dragos’s director of threat intelligence, said in a statement, “which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better.” Symantec reported on the group’s operations last month, saying it was “targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017.” No firm has linked Raspite to a government yet, but Caltagirone said that “generally threats focused on industrial control are state-sponsored due to the inherent risk, limited financial gain, and potential blow back from the operations.”
DEFENSE BILL TO TRUMP — The Senate on Wednesday easily approved and sent to President Donald Trump a compromise $717 billion defense policy bill that makes several changes to U.S. digital policy. The final vote on the fiscal 2019 National Defense Authorization Act, H.R. 5515 (115), was 87-10. The president is expected to sign it. The compromise bill affirms the authority of the Defense secretary to conduct clandestine military activities and operations in cyberspace, and greenlights the president to direct U.S. Cyber Command to take steps to counter Russia, China, Iran and North Korea in cyberspace. The measure also calls to establish a “Cyberspace Solarium Commission” — a 13-member panel to develop a strategic approach to protecting and defending U.S. interests online. The policy blueprint additionally mandates that the Pentagon chief notify lawmakers in the event of a data breach that exposes the personal information of service members, and makes Cyber Command responsible for defending the military’s information network.
I SEE WHAT YOU DID THERE — U.S. Cyber Command carefully weighed issues of attribution and political fallout as it launched offensive operations against the Islamic State’s digital infrastructure, according to documents obtained by MotherBoard. “Develop,” “Distribute,” “Disseminate,” and “Defend,” states one slide obtained via the Freedom of Information Act, detailing the goals of the campaign, which was previously reported as being titled Operation Glowing Symphony. Among other things, the documents indicate the tactics Cyber Command planned to use, the level of certainty that ISIS wouldn’t strike back at the Department of Defense’s Information Network and the legal ramifications of breaking into technology housed by ally nations.
MAJOR DOWNVOTE — Unknown actors hacked Reddit and stole a 2007 archive of the site’s data, including hashed passwords and private messages, along with some current users’ email addresses, the company announced Wednesday. “Between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” wrote Reddit Chief Technology Officer Christopher Slowe. In a sign of the hackers’ sophistication, they intercepted the employees’ two-factor authentication codes over SMS. The company learned of the hack on June 19 and spent the intervening weeks investigating the extent of the breach. Slowe wrote that Reddit was contacting affected users and resetting their passwords. The exposure of current email addresses is significant because it could let the hackers link Reddit accounts — many of which are pseudonymous — with their owners’ real identities.
FACEBOOK WON’T FILL SECURITY VACANCY — From our friends at Morning Tech: A day after making its first acknowledgment of a coordinated election interference campaign on its platform since the 2016 race, Facebook confirmed the departure of chief security officer Alex Stamos, who is joining Stanford University. But despite the exit of one of its top executives at the forefront of the battle against misinformation, the company does not plan to fill his vacancy. “We expect to be judged on what we do to protect people’s security, not whether we have someone with a certain title,” said spokesman Jay Nancarrow. “We are not naming a new CSO, since earlier this year we embedded our security engineers, analysts, investigators and other specialists in our product and engineering teams to better address the emerging security threats we face.” The company added that it would continue to evaluate its security needs going forward.
About that propaganda announcement: While the company earned high marks from lawmakers for proactively thwarting this latest meddling campaign, officials remain skeptical of Facebook’s decision to not attribute the efforts “to any specific group or to any country.”
“I think attribution always is an issue here, but, you heard, there was no doubt from any of the five experts that testified this morning that this was Russian activity,” Sen. Mark Warner told Tech’s Ashley Gold. Following the revelation on Tuesday, numerous officials named the Kremlin as the culprit, even though the company said it did not find evidence to back up that claim.
ATTACKS ON RUSSIA — A phishing campaign has targeted at least 400 industrial organizations across a range of sectors, most of them in Russia, with the goal of stealing money, according to research out Wednesday from Kaspersky Lab. “When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used, banking clients, etc. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments,” Kaspersky found. The company didn’t identify the attackers, although it noted they had a command of the Russian language.
RECENTLY ON PRO CYBERSECURITY — Senate Republicans voted down a proposal to direct another $250 million to states for election security. … The Senate tweaked a “minibus” spending bill. … “The National Institutes of Standards and Technology has issued new guidance on fortifying the cybersecurity of smartphones and tablets linked to EHRs.”
TWEET OF THE DAY — This could easily have been avoided.