Russia, India and other Asian countries targeted by Chinese Hackers

According to Kaspersky Lab's third-quarter report, 10 of the 24 targeted cyber attacks were organized by groups of Chinese-speaking hackers.

Experts at Kaspersky said one of the main targets of these cyber criminals was the Russian Federation. They have also targeted other Asian countries, including India and Mongolia.

In July, Kaspersky detected a cyber espionage campaign (referred to as "IronHusky") targeting the Russian and Mongolian governments, aviation companies, and research institutes. The incident happened shortly after both countries held talks on cooperation in several projects relating to the air defense of Mongolia.

Another cyber attack was discovered targeting Russia and India. This attack happened after India and Russia signed a much-awaited agreement to expand a nuclear power plant in India and to further define the defense cooperation between the two countries. The energy sectors of both countries were targeted with a malicious program named "H2ODecomposition".

The experts said that in some cases this malicious software was masquerading as the popular Indian anti-virus solution "QuickHeal".

Kaspersky also noted that the NetSarang and CCleaner tools were targeted by these Chinese-speaking hackers. The attackers infected the installation packages with malicious code and hosted them on the NetSarang distribution site. Introducing malicious code into legitimate software allows attackers to penetrate the networks of many organizations at once.

- Christina

Russian citizen suspected of cybercrime arrested in Estonia

A 20-year-old Russian IT programmer is suspected of cyber espionage. He was traveling from Estonia to Russia and was detained at the border crossing in Narva.

According to local media, the Estonian Security Police (KaPo) allowed the suspect to work unhindered for some time, and as a result linked him to the Security Service of the Russian Federation (FSB).

Authorities said that he is a member of the FSB and was preparing a mass cyber attack on the computer systems of Estonian state institutions. According to them, the Russian was trying to build a device or computer program with which he could gain access to local computer systems.

Elena Vladimirovna, mother of the suspect, told the media that this was completely unexpected for her, since her son had never been involved in any unlawful actions.

"Of course, I hope that everything will end well and we will be able to prove his innocence," Elena was quoted as saying by local media outlet Sputnik. "However, the services of a good lawyer cost a lot of money, which I do not have. Perhaps the Russian embassy will be able to help us in some way, but I will never let my son go to Estonia again."

The Russian Embassy in Estonia is ready to help. The Embassy has asked the Estonian Foreign Ministry for permission to meet the detainee.

A criminal case has been opened against the suspect under article 233 of the Penal Code of the Republic of Estonia, "Non-violent acts of an alien directed against the Republic of Estonia", and article 216, "Preparing a computer crime". He faces up to 15 years in prison if convicted.

- Christina

Ukrainian hacker detained for remotely spying on politicians

A 23-year-old Ukrainian hacker from the city of Kharkiv has been detained by the National Police of Ukraine for hacking into the personal computers of citizens of Ukraine and other states.

According to the local press report, the hacker used malicious software (probably a RAT, Remote Access Trojan) to control the victims' computers for almost two years. He is also said to have observed the victims' activities through their webcams. The hacker is said to have invaded the personal lives of about 100 people.

A search and seizure warrant was executed at the hacker's home, leading to the recovery of video recordings of victims and of the malicious software used in the cyber espionage.

The motive for the espionage is not clear. One theory is that he was paid by someone who ordered him to target specific people. This theory may be credible, as some of the victims were members of Ukrainian political parties.

If convicted, the hacker faces up to six years' imprisonment.

- Christina

Digital Sleeper Cell: NSA infected 50,000 computer networks with data-stealing malware

The NSA has infected more than 50,000 computer networks across the globe with malware that is capable of stealing sensitive data from the victim's machine.

According to the report, which is based on documents provided by US whistleblower Edward Snowden, the practice is called "Computer Network Exploitation" (CNE).

The malware is referred to as a "digital sleeper cell": it is controlled by the NSA, which can remotely turn it on or off.

In 2008 the number of infected networks was reportedly over 20,000; by mid-2012 it had increased to 50,000.

UK spies reportedly used fake LinkedIn pages to gain access to target networks

The British intelligence agency GCHQ (Government Communications Headquarters) reportedly tricked employees of mobile communications and billing companies with fake LinkedIn and Slashdot pages in order to gain access to their networks.

The news was initially reported by the German magazine Der Spiegel, based on secret GCHQ documents leaked by NSA whistleblower Edward Snowden.

The first known attack targeted the partly government-owned Belgian telecommunications company Belgacom.

Once an employee visited one of the fake pages, malware was surreptitiously installed on the victim's system; it acted as a backdoor and gave unauthorized access to the internal networks of Belgacom and its subsidiary BICS. The goal was to gain access to the GRX router system operated by BICS in order to intercept phone traffic.

Stuxnet worm created by NSA and Israel, says Edward Snowden

While it had been widely speculated that the notorious computer worm Stuxnet was the result of a partnership between the US and Israel, NSA whistleblower Edward Snowden has now confirmed it.

Stuxnet was a highly complex piece of malware discovered in 2010, used as a cyber weapon against Iran's nuclear program.

Snowden answered a few interesting questions in an interview with Germany's Der Spiegel magazine.

When the interviewer asked about the NSA's involvement in Stuxnet, Snowden confirmed it, saying "NSA and Israel co-wrote it".

When asked about the German authorities' involvement in the NSA surveillance system, Snowden confirmed it, saying "Yes, of course. We're in bed together with the Germans the same as with most other Western countries."

Crypted Files in Cyber Espionage

Cryptors are programs used to make files FUD (fully undetectable by antivirus).

A cryptor can make an EXE file undetectable by antivirus. Most cryptors are commodity tools: once you buy a license, they can be used to make files undetectable by antivirus.

However, antivirus companies keep tabs on almost all cryptors and keep adding signatures for their stubs. So cryptor authors release private versions and unique private stubs of their cryptors.

However, portions of the code used in the public version are reused in the private version, making it detectable very quickly.

There are a few cryptors, such as darksane, fileprotector, aegiscryptor, xprotect and shiekh cryptor, which are available for $50-$200 for a 6-month license. All of these cryptors give you a scan once you crypt the file, but these scanners are offline only, so they test nothing beyond static signature detection. Even if you get a 37/37 FUD result, and even though cryptors make tall claims about bypassing all known antivirus, these claims are often not true. The FUD scan you run uses elementscanner, which scans against 43 or 37 antivirus engines and reports the file as FUD.

But antivirus often detects these files anyway when they are executed on the machine, because runtime (behavioral) detection does not rely on the static signature the cryptor has hidden.

CSPF was approached by a corporate company which had suffered a series of cyber espionage attacks. We evaluated all the files and found that the attacks used spyware that had been processed with cryptors.

CSPF evaluated these crypted files at run time, and most of them were detected during execution. We also evaluated files protected with the so-called private unique stubs written by cryptor authors; almost every single file was detected at run time by Kaspersky and NOD32.

J Prasanna, Tech CORE, Cyber Security & Privacy Foundation