Posts Tagged ‘hacking group’
Thursday, June 27, 2013 @ 07:06 PM gHale
The suspected China-based hackers known as the “Comment Crew” labeled in the Mandiant report appear to be back in the saddle.
In February, the group’s activity was a focal point in a report from computer security vendor Mandiant.
Mandiant’s report said a specific Chinese military unit called “61398” waged a seven-year hacking spree that compromised 141 organizations. The report added to other long-running research from security companies and organizations into suspected state-sponsored hacking.
The Comment Crew lay low for a while following the report but is back hacking again, said Alex Lanstein, senior researcher for FireEye.
“They took a little breather, and they started back up,” Lanstein said.
Following the attention in February, the group stopped using much of its command-and-control infrastructure. Instead, they started from scratch, directing malware at new targets.
“We didn’t see them take control of any of the systems they had previously compromised,” Lanstein said. “They started fresh with a whole new round of attacks.”
The group, while skilled, has made mistakes, many of which Mandiant picked up. Continuing analysis of the Comment Crew’s methods revealed another mistake, one that makes it easier to attribute separate attacks to a single source.
Lanstein said FireEye found the Comment Crew made an error when compiling their malicious software. Any application, malware included, is written in a programming language that the developer must compile, translating it into machine code.
In some instances, the Comment Crew forgot to strip the name of their coding project, “Moonclient,” from the compiled binaries. The name survived compilation and was plainly visible when analysts decompiled the programs, a process that recovers an approximation of the original source.
Lanstein said the error showed “you are dealing with humans on the other side of the keyboard,” who are prone to make mistakes. “This is a mistake made over and over again,” he said.
FireEye decided to release information on the error because so much about the Comment Crew had already been published, and doing so would make little difference to researchers tracking the group now that its tactics have changed.
“It’s more difficult to track them now,” Lanstein said.
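The kind of build artefact the post describes, a project name left in a compiled binary, is something an analyst can pull out with a strings-style scan and use to group samples. The following is an added example for this page, not code from FireEye or from the Comment Crew research; it extracts Visual Studio PDB paths (which the linker embeds unless the build strips them) and clusters samples by the project directory in that path. The sample blobs and every path component in them (Moonclient, client.pdb, loader.pdb) are constructed for illustration and are not real indicators from any report.

```python
"""Extract embedded PDB paths from compiled Windows binaries and group
samples by the project name they leak.

Added example; the blobs below are constructed stand-ins for PE files,
not real malware samples.
"""
import re

# A PDB path is a Windows drive-letter path ending in ".pdb". The linker
# writes it into the CodeView debug record ("RSDS", GUID, age, path).
PDB_PATH = re.compile(rb'[A-Za-z]:\\[^\x00-\x1f"<>|]{1,250}?\.pdb', re.IGNORECASE)

# Directories named by the build system rather than by the author.
BUILD_DIRS = {"release", "debug", "x64", "x86", "win32", "bin", "obj"}


def extract_pdb_paths(data: bytes) -> list:
    """Return every embedded PDB path in the blob, in file order."""
    return [m.group(0).decode("latin-1") for m in PDB_PATH.finditer(data)]


def project_name(pdb_path: str) -> str:
    """Heuristic: the closest directory above the build-output folders
    (Release, Debug, x64, ...) is usually the Visual Studio project name.
    Returns "" when no such directory exists."""
    dirs = pdb_path.split("\\")[1:-1]  # drop the drive letter and file name
    for part in reversed(dirs):
        if part.lower() not in BUILD_DIRS:
            return part
    return ""


def cluster_by_project(samples: dict) -> dict:
    """Map project name -> sorted sample names whose PDB path points at
    that project. Samples with no PDB path are skipped, not clustered."""
    clusters = {}
    for name, data in samples.items():
        for path in extract_pdb_paths(data):
            proj = project_name(path)
            if proj:
                clusters.setdefault(proj, set()).add(name)
    return {proj: sorted(names) for proj, names in clusters.items()}


def _fake_pe(pdb_path: bytes) -> bytes:
    """Constructed blob: DOS stub, then a CodeView record with the path.
    Only the "RSDS" + GUID + age + NUL-terminated path part matters here."""
    return (b"MZ" + bytes(62) + b"RSDS" + bytes(16) + b"\x01\x00\x00\x00"
            + pdb_path + b"\x00" + b"\xcc" * 8)


# Constructed samples: two builds from one (hypothetical) project tree and
# one binary built with debug information stripped.
SAMPLES = {
    "dropper.exe": _fake_pe(b"C:\\work\\Moonclient\\Release\\client.pdb"),
    "loader.dll": _fake_pe(b"D:\\src\\Moonclient\\x64\\Debug\\loader.pdb"),
    "stripped.exe": b"MZ" + bytes(62) + b"\xcc" * 16,
}

if __name__ == "__main__":
    for proj, names in cluster_by_project(SAMPLES).items():
        print(proj, "->", ", ".join(names))
```

A PDB path is corroborating evidence, not proof: it is trivial for an author to strip it from a build or to plant a misleading one, and, as the post notes, a group that learns it has been fingerprinted this way will change its habits.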
Monday, September 10, 2012 @ 05:09 PM gHale
One or more insiders with high-level access may have assisted the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company, Saudi Aramco, last month, according to a published report.
The attack, which used a computer virus known as Shamoon, is one of the most destructive cyber strikes ever conducted against a single business.
Shamoon spread through the company’s network and wiped computers’ hard drives clean. Saudi Aramco said the damage was confined to office computers and that the attack did not affect the systems that run its technical operations.
The hackers’ apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country that bans open dissent.
“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination in the published report.
Hackers from a group called “The Cutting Sword of Justice” claimed responsibility for the attack. They say the computer virus gave them access to documents from Aramco’s computers, and have threatened to release secrets. No one has published any documents so far.
In addition to hitting Saudi Aramco, Shamoon also struck Qatar’s RasGas, the second largest LNG producer in the world, said sources at the CIA in an ISSSource report.
“The virus hit Aramco and Qatari RasGas. In both cases, it knocked out computer workstations and corporate web sites,” the sources said.
Saudi Aramco declined to comment. “Saudi Aramco doesn’t comment on rumors and conjectures amidst an ongoing probe,” it said.
The hacking group that claimed responsibility for the attack described its motives as political.
In a posting on an online bulletin board the day they wiped the files, the group said Saudi Aramco was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries, including Syria and Bahrain.
Saudi Aramco, which supplies about a tenth of the world’s oil, has hired at least six firms with expertise in hacking attacks, bringing in dozens of outside experts to investigate the attack and repair computers, the sources said in the published report.
According to analysis of Shamoon by computer security firm Symantec, the way the virus gets into networks may vary, but once inside it tries to infect every computer in the local area network before erasing files to render PCs useless.
“We don’t normally see threats that are so destructive,” Liam O Murchu, who helped lead Symantec’s research into the virus, said. “It’s probably been 10 years since we saw something so destructive.”
The state-run oil company, whose 260 billion barrels of crude oil alone would value it at over 8 trillion dollars, or 14 times the market value of Apple Inc., appeared well protected against break-in attempts over the Internet, according to people familiar with its network operations.
Yet those sources say such protections could not prevent an attack by an insider with high-level access.
Shamoon is designed to attack ordinary business computers. It does not belong to the category of sophisticated cyber warfare tools, such as the Stuxnet virus that attacked Iran’s nuclear program in 2010, which target industrial control systems and can paralyze critical infrastructure.
Tuesday, January 24, 2012 @ 03:01 PM gHale
It bears repeating: if a hacker targets a specific organization, he will get in. That is what happened with a new hacking group called TeamHav0k, which launched an operation called “#OP XSS” to hunt for cross-site scripting (XSS) vulnerabilities in major websites.
They found them.
A Pastebin document showed that sites such as Verizon, Huffington Post, European Organization for Nuclear Research (CERN), Electronic Arts (EA), IGN and The New York Times contain XSS flaws.
Some education institutions also contained XSS security holes, including University of Illinois, Harvard, Yale and Rockefeller University.
Telecom company Verizon, media hosting company ImageShack, value calculator and traffic estimator tool StatShow, Major League Gaming, and Dr Pepper complete the list.
Even though XSS vulnerabilities are among the most common flaws found in commercial websites, that does not make them harmless. An attacker who can inject script into a trusted site gets it executed in visitors’ browsers with that site’s privileges, which is enough to steal session cookies, deface pages or redirect users to malicious content.
Fortunately, some web browsers offer partial protection. Internet Explorer 8 and 9 include a filter that neutralizes the injected script and displays a warning that the page was modified to block cross-site scripting.
Google Chrome also mitigates the attack, but Opera and Mozilla Firefox do not, leaving their users exposed. These browser filters only address reflected XSS, where the payload arrives in the request itself; they are a stopgap, not a fix.
Websites therefore need to work continuously to secure their domains against these common flaws. Because of the large numbers of visitors they draw each day, a single hole lets attackers turn a trusted site into a delivery channel for malicious content.
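To make the flaw concrete, here is an added example for this page (not code from any site named above): a search page that reflects the query straight into HTML, the same page rendered with context-appropriate escaping, and the simple probe check a tester like the group above would use to tell the two apart. The page layout and the probe string are constructed for illustration.

```python
"""Reflected XSS: a vulnerable search page, its hardened counterpart,
and the reflection probe a tester uses to tell them apart.

Added example; the page markup and probe are constructed.
"""
from html import escape

# Probe that closes a double-quoted attribute and injects a script tag.
PROBE = '"><script>alert(1)</script>'


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the untrusted query is concatenated straight into HTML,
    both as a text node and inside an attribute value."""
    return (
        "<html><body>"
        f"<h1>Results for {query}</h1>"
        f'<input name="q" value="{query}">'
        "</body></html>"
    )


def render_search_safe(query: str) -> str:
    """Hardened: html.escape(quote=True) encodes & < > " and ', which is
    enough for text nodes and quoted attribute values. It is NOT enough for
    unquoted attributes, inline script or URL contexts; those need
    encoding specific to that context."""
    q = escape(query, quote=True)
    return (
        "<html><body>"
        f"<h1>Results for {q}</h1>"
        f'<input name="q" value="{q}">'
        "</body></html>"
    )


def reflects_unescaped(render, probe: str = PROBE) -> bool:
    """Tester's check: does the probe's markup come back verbatim?
    A verbatim reflection means the browser will parse it as HTML."""
    return probe in render(probe)


if __name__ == "__main__":
    print("unsafe page reflects probe:", reflects_unescaped(render_search_unsafe))
    print("safe page reflects probe:  ", reflects_unescaped(render_search_safe))
```

The reflection check is deliberately naive: real scanners send a distinct probe per output context (text, attribute, script, URL) and inspect where in the response it lands, since a payload that is harmless in one context is live in another. The server-side fix is the one that counts; browser filters are a backstop.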
Monday, August 1, 2011 @ 03:08 PM gHale
A British teenager accused of acting as spokesman for computer hacking groups LulzSec and Anonymous is now out on bail – and not allowed to use the Internet.
Jake Davis, 18, faces charges after his arrest last week at his home on Scotland’s Shetland Islands.
Police said he mounted a cyber attack on Britain’s Serious Organized Crime Agency.
Davis used the online nickname Topiary and acted as a spokesman for the two hacktivist groups, linked to attacks on Britain’s National Health Service, Sony Corp., The Sun newspaper and other targets, police said.
Davis appeared Monday at City of Westminster Magistrates’ Court in London. Judge Howard Riddle ordered him released on bail — on condition he not use the Internet — until a court appearance Aug. 30.
Hacking arrests continue to rise: 16 people now face charges after their arrests in the U.S. in connection with cyber attacks by the Anonymous group, the U.S. Department of Justice said.
An indictment filed last week in San Jose, Calif., names 14 people accused of conspiring to intentionally damage protected computers at PayPal last December in retribution for PayPal suspending WikiLeaks’ account to prevent supporters from donating to the whistleblower site. The arrests occurred in Alabama, Arizona, California, Colorado, the District of Columbia, Florida, Massachusetts, Nevada, New Mexico, and Ohio, the Justice Department said. The defendants will make initial appearances in federal courts in their areas.
In a separate indictment, a Sarasota, Fla., man faces a charge of intentionally damaging a protected computer after accessing the web site of InfraGard Tampa Bay, an FBI partner, in June. The complaint said he released instructions on how to exploit the site.
Another man faces charges in Las Cruces, N.M., for stealing confidential business information from AT&T servers and posting it publicly in April, police said. The defendant, who works as a customer support contractor for AT&T at outsource provider Convergys, faces charges of accessing a protected computer without authorization for downloading thousands of documents, applications, and other files and then posting them on the Internet, the indictment said.