Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

News & Supplemental  

Broad New Hacking Attack, Command Center in Germany

Com­ment: a “broad” new hack­ing attack, involv­ing Chi­na but cen­tered in Ger­many, has pen­e­trat­ed the data­bas­es of numer­ous cor­po­ra­tions. In FTR #699, we exam­ined Ger­man anx­i­ety about U.S. cozi­ness with Chi­na. Fol­low­ing the hack­ing attack (ear­li­er this year) on Google, among oth­er firms, rela­tions between the U.S. and Chi­na became strained. Oba­ma is now meet­ing with the Dalai Lama, whose coun­sel he had pre­vi­ous­ly shunned.

Might the hack­ing attacks have been a Ger­man gam­bit to effect dis­tance between the U.S. and the Peo­ple’s Repub­lic of Chi­na?

“Broad New Hack­ing Attack Detect­ed” by Siob­han Gor­man; Wall Street Jour­nal; 2/18/2010.

Hack­ers in Europe and Chi­na suc­cess­ful­ly broke into com­put­ers at near­ly 2,500 com­pa­nies and gov­ern­ment agen­cies over the last 18 months in a coor­di­nat­ed glob­al attack that exposed vast amounts of per­son­al and cor­po­rate secrets to theft, accord­ing to a com­put­er-secu­ri­ty com­pa­ny that dis­cov­ered the breach.

A glob­al hack­ing offen­sive has bro­ken into U.S. com­pa­nies and gov­ern­ment agen­cies. Cyber attacks could soon be seen as a nation­al secu­ri­ty threat, WSJ exec­u­tive edi­tor Jer­ry Seib tells the News Hub.

The dam­age from the lat­est cyber­at­tack is still being assessed, and affect­ed com­pa­nies are still being noti­fied. But data com­piled by NetWit­ness, the close­ly held firm that dis­cov­ered the breach­es, showed that hack­ers gained access to a wide array of data at 2,411 com­pa­nies, from cred­it-card trans­ac­tions to intel­lec­tu­al prop­er­ty.

The hack­ing oper­a­tion, the lat­est of sev­er­al major hacks that have raised alarms for com­pa­nies and gov­ern­ment offi­cials, is still run­ning and it isn’t clear to what extent it has been con­tained, NetWit­ness said. Also unclear is the full amount of data stolen and how it was used. Two com­pa­nies that were infil­trat­ed, phar­ma­ceu­ti­cal giant Mer­ck & Co. and Car­di­nal Health Inc., said they had iso­lat­ed and con­tained the prob­lem.

Start­ing in late 2008, hack­ers oper­at­ing a com­mand cen­ter in Ger­many got into cor­po­rate net­works by entic­ing employ­ees to click on con­t­a­m­i­nat­ed Web sites, email attach­ments or ads pur­port­ing to clean up virus­es, NetWit­ness found.

In more than 100 cas­es, the hack­ers gained access to cor­po­rate servers that store large quan­ti­ties of busi­ness data, such as com­pa­ny files, data­bas­es and email.

They also broke into com­put­ers at 10 U.S. gov­ern­ment agen­cies. In one case, they obtained the user name and pass­word of a sol­dier’s mil­i­tary email account, NetWit­ness found. A Pen­ta­gon spokesman said the mil­i­tary did­n’t com­ment on spe­cif­ic threats or intru­sions.

At one com­pa­ny, the hack­ers gained access to a cor­po­rate serv­er used for pro­cess­ing online cred­it-card pay­ments. At oth­ers, stolen pass­words pro­vid­ed access to com­put­ers used to store and swap pro­pri­etary cor­po­rate doc­u­ments, pre­sen­ta­tions, con­tracts and even upcom­ing ver­sions of soft­ware prod­ucts, NetWit­ness said.

Data stolen from anoth­er U.S. com­pa­ny point­ed to an employ­ee’s appar­ent involve­ment in crim­i­nal activ­i­ties; author­i­ties have been called in to inves­ti­gate, NetWit­ness said. Crim­i­nal groups have used such infor­ma­tion to extort sen­si­tive infor­ma­tion from employ­ees in the past.

The spy­ware used in this attack allows hack­ers to con­trol com­put­ers remote­ly, said Amit Yoran, chief exec­u­tive of NetWit­ness. NetWit­ness engi­neer Alex Cox said he uncov­ered the scheme Jan. 26 while installing tech­nol­o­gy for a large cor­po­ra­tion to hunt for cyber­at­tacks.

That dis­cov­ery points to the grow­ing num­ber of attacks in recent years that have draft­ed com­put­ers into cyber armies known as botnets—intrusions not blocked by stan­dard antivirus soft­ware. Researchers esti­mate mil­lions of com­put­ers are con­script­ed into these armies.

“It high­lights the weak­ness­es in cyber secu­ri­ty right now,” said Adam Mey­ers, a senior engi­neer at gov­ern­ment con­trac­tor SRA Inter­na­tion­al Inc. who reviewed the NetWit­ness data. “If you’re a For­tune 500 com­pa­ny or a gov­ern­ment agency or a home DSL user, you could be suc­cess­ful­ly vic­tim­ized.”

Dis­clo­sure of the attack comes on the heels of Google Inc.‘s alle­ga­tion that it and more than 20 oth­er com­pa­nies were breached by Chi­nese hack­ers. This oper­a­tion appears to be more far-reach­ing, infil­trat­ing some 75,000 com­put­ers and touch­ing 196 coun­tries. The high­est con­cen­tra­tions of infect­ed com­put­ers are in Egypt, Mex­i­co, Sau­di Ara­bia, Turkey and the U.S.

NetWit­ness, based in Hern­don, Va., said it was shar­ing infor­ma­tion with the com­pa­nies infect­ed. Mr. Yoran declined to name them. The com­pa­ny pro­vides com­put­er secu­ri­ty for U.S. gov­ern­ment agen­cies and com­pa­nies. Mr. Yoran is a for­mer Air Force offi­cer who also served as cyber secu­ri­ty chief at the Depart­ment of Home­land Secu­ri­ty.

Besides Mer­ck and Car­di­nal Health, peo­ple famil­iar with the attack named sev­er­al oth­er com­pa­nies infil­trat­ed, includ­ing Para­mount Pic­tures and soft­ware com­pa­ny Juniper Net­works Inc.

Mer­ck said in a state­ment that one com­put­er had been infect­ed. It said it had iso­lat­ed the attack and that “no sen­si­tive infor­ma­tion was com­pro­mised.”

Car­di­nal said it removed the infect­ed com­put­er from its net­work. Para­mount declined to com­ment. Juniper’s secu­ri­ty chief, Bar­ry Greene, would­n’t speak about any spe­cif­ic inci­dents but said the com­pa­ny worked aggres­sive­ly to counter infec­tions.

NetWit­ness, which does exten­sive work for the U.S. gov­ern­ment and pri­vate-sec­tor clients, said it was shar­ing its infor­ma­tion with the Fed­er­al Bureau of Inves­ti­ga­tion. The FBI said it received numer­ous alle­ga­tions about poten­tial com­pro­mis­es of net­work sys­tems and respond­ed prompt­ly, in coor­di­na­tion with law-enforce­ment part­ners.

The com­put­ers were infect­ed with spy­ware called ZeuS, which is avail­able free on the Inter­net in its basic form. It works with the Fire­Fox brows­er, accord­ing to com­put­er-secu­ri­ty firm Secure­Works. This ver­sion includ­ed a $2,000 fea­ture that works with Fire­Fox, accord­ing to Secure­Works.

Evi­dence sug­gests an East­ern Euro­pean crim­i­nal group is behind the oper­a­tion, like­ly using some com­put­ers in Chi­na because it’s eas­i­er to oper­ate there with­out being caught, said NetWit­ness’s Mr. Yoran.

There are some elec­tron­ic fin­ger­prints sug­gest­ing the same group was behind a recent effort to dupe gov­ern­ment offi­cials and oth­ers into down­load­ing spy­ware via emails pur­port­ing to be from the Nation­al Secu­ri­ty Agency and the U.S. mil­i­tary, NetWit­ness’s Mr. Yoran said.

That attack was described in a Feb. 5 report from the Depart­ment of Home­land Secu­ri­ty, which said it was issu­ing an alert to the gov­ern­ment and oth­er orga­ni­za­tions to “pre­vent fur­ther com­pro­mis­es.”

A DHS offi­cial said that ZeuS was among the top five report­ed tools for mal­ware infec­tions.


One comment for “Broad New Hacking Attack, Command Center in Germany”

  1. In addi­tion to being a use­ful secu­ri­ty update on what appears to be a shock­ing­ly wide­spread vul­ner­a­bil­i­ty in a mas­sive num­ber of smart­phones, this has got toe be one of the great­est mar­ket­ing pitch­es for the sale of new brand new smart­phones ever:

    UPDATE 1‑UN warns on mobile cyber­se­cu­ri­ty bugs in bid to pre­vent attacks

    Sun Jul 21, 2013 1:37pm EDT

    * UN’s ITU to issue advi­so­ry to near­ly 200 nations

    * Advi­so­ry is on risk iden­ti­fied by Ger­man researchers

    * Researchers devel­op remote attack on mobile SIM cards

    * Researchers say at least 500 mil­lion phones vul­ner­a­ble

    By Jim Fin­kle

    BOSTON, July 21 (Reuters) — A Unit­ed Nations group that advis­es nations on cyber­se­cu­ri­ty plans to send out an alert about sig­nif­i­cant vul­ner­a­bil­i­ties in mobile phone tech­nol­o­gy that could poten­tial­ly enable hack­ers to remote­ly attack at least half a bil­lion phones.

    The bug, dis­cov­ered by Ger­man firm, allows hack­ers to remote­ly gain con­trol of and also clone cer­tain mobile SIM cards.

    Hack­ers could use com­pro­mised SIMs to com­mit finan­cial crimes or engage in elec­tron­ic espi­onage, accord­ing to Berlin’s Secu­ri­ty Research Labs, which will describe the vul­ner­a­bil­i­ties at the Black Hat hack­ing con­fer­ence that opens in Las Vegas on July 31.

    The U.N.‘s Gene­va-based Inter­na­tion­al Telecom­mu­ni­ca­tions Union, which has reviewed the research, described it as “huge­ly sig­nif­i­cant.”

    “These find­ings show us where we could be head­ing in terms of cyber­se­cu­ri­ty risks,” ITU Sec­re­tary Gen­er­al Hamadoun Touré told Reuters.

    He said the agency would noti­fy telecom­mu­ni­ca­tions reg­u­la­tors and oth­er gov­ern­ment agen­cies in near­ly 200 coun­tries about the poten­tial threat and also reach out to hun­dreds of mobile com­pa­nies, aca­d­e­mics and oth­er indus­try experts.

    A spokes­woman for the GSMA, which rep­re­sents near­ly 800 mobile oper­a­tors world­wide, said it also reviewed the research.

    “We have been able to con­sid­er the impli­ca­tions and pro­vide guid­ance to those net­work oper­a­tors and SIM ven­dors that may be impact­ed,” said GSMA spokes­woman Claire Cran­ton.

    Nicole Smith, a spokes­woman for Gemal­to NV, the world’s biggest mak­er of SIM cards, said her com­pa­ny sup­port­ed GSMA’s response.

    “Our pol­i­cy is to refrain from com­ment­ing on details relat­ing to our cus­tomers’ oper­a­tions,” she said.


    Crack­ing SIM cards has long been the Holy Grail of hack­ers because the tiny devices are locat­ed in phones and allow oper­a­tors to iden­ti­fy and authen­ti­cate sub­scribers as they use net­works.

    Karsten Nohl, the chief sci­en­tist who led the research team and will reveal the details at Black Hat, said the hack­ing only works on SIMs that use an old encryp­tion tech­nol­o­gy known as DES.

    Nohl said he con­ser­v­a­tive­ly esti­mates that at least 500 mil­lion phones are vul­ner­a­ble to the attacks he will dis­cuss at Black Hat. He added that the num­ber could grow if oth­er researchers start look­ing into the issue and find oth­er ways to exploit the same class of vul­ner­a­bil­i­ties.

    The ITU esti­mates some 6 bil­lion mobile phones are in use world­wide. It plans to work with the indus­try to iden­ti­fy how to pro­tect vul­ner­a­ble devices from attack, Touré said.

    Once a hack­er copies a SIM, it can be used to make calls and send text mes­sages imper­son­at­ing the own­er of the phone, said Nohl, who has a doc­tor­ate in com­put­er engi­neer­ing from the Uni­ver­si­ty of Vir­ginia.

    “We become the SIM card. We can do any­thing the nor­mal phone users can do,” Nohl said in a phone inter­view.

    “If you have a Mas­ter­Card num­ber or Pay­Pal data on the phone, we get that too,” if it is stored on the SIM, he said.

    The new­ly iden­ti­fied attack method only grants access to data stored on the SIM, which means pay­ment appli­ca­tions that store their secrets out­side of the SIM card are not vul­ner­a­ble to this par­tic­u­lar hack­ing approach.

    Yet Nohl warned that when data is stored out­side of a SIM card it could fall vic­tim to a large range of oth­er already known vul­ner­a­bil­i­ties, which is what has prompt­ed the indus­try to put pay­ment infor­ma­tion on SIMs in the first place.


    The mobile indus­try has spent sev­er­al decades defin­ing com­mon iden­ti­fi­ca­tion and secu­ri­ty stan­dards for SIMs to pro­tect data for mobile pay­ment sys­tems and cred­it card num­bers. SIMs are also capa­ble of run­ning apps.

    Nohl said Secu­ri­ty Research Labs found mobile oper­a­tors in many coun­tries whose phones were vul­ner­a­ble, but declined to iden­ti­fy them. He said mobile phone users in Africa could be among the most vul­ner­a­ble because bank­ing is wide­ly done via mobile pay­ment sys­tems with cre­den­tials stored on SIMs.

    All types of phones are vul­ner­a­ble, includ­ing iPhones from Apple Inc, phones that run Google Inc’s Android soft­ware and Black­Ber­ry Ltd smart­phones, he said.


    Posted by Pterrafractyl | July 22, 2013, 12:04 pm

Post a comment