Malcolm Nance - The Plot to Hack America

On the evening of April 9, 2015 at 10:00 pm the French TV channel TV5 Monde experienced a cyberattack that resulted in the suspension of their broadcast, as hackers infiltrated their internal systems and social media profiles. First, the website crashed, then emails went down. 48Helene Zemmour, digital director for the station said it all went down in a “synchronized manner.” CNN reported, “Shortly after the beginning of the attack our internal computer system fell and other programs followed.”

The defaced pages were relabeled by the Cyber Caliphate with “Je Suis ISIS” tagged on them, recalling to the pro-Charlie Hebdo rally cry, “Je Suis Charlie.” However, the fake Cyber Caliphate website was in fact on a server with an IP belonging to APT28. Security firms picked up on this and the consensus began to develop that suggested the attack was that of a nation-state actor. Due to a combination of notable similarities to APT28, Cyber Caliphate was ruled out as the attacker. The threat was beyond the capabilities of the ISIS’s hacker wannabees.

In more practical terms, Wassim Nasr, on France24, noticed the Arabic of the claims was barely real Arabic. On France 24, he pointed out improper use of the language in several areas, notably in the Bismillah phrases common from ISIS where “and” was used in a manner no Arabic speaker would. 49They most likely came from Google Translate. Unwitting ISIS-affiliated groups still took credit for the attack and their fan boys attribute it to the Cyber Caliphate Army.

The channel and social media accounts were reclaimed by the next afternoon. TV5 director Yves Bigot said the security had been recently checked. One CNN anchor even said, “once again terrorism has targeted freedom of expression.”

On May 20, 2015, APT28 hit the German Bundestag and started to steal data from servers after launching the Sofacy malware on the systems. After the attack, the Bundestag director Horst Risse advised the other staff to avoid opening files or links via email. 50In August 2015, APT28 launched a spear-phishing effort at EFF, the Electronic Frontier Foundation. The group attempted to use email to lure targets to a spoofed site at “electronicfrontierfoundation.org”. The official site for EFF is at “eff.org”. Oracle fixed the Java zero-day. 51

On July 21, 2016, on the eve of the Olympic games in Rio De Janiero, the World Anti-Doping Agency or WADA recommended banning the entirety of Russian athletes from the 2016 Olympic games. 52WADA believed that there was a systematic national effort to use and conceal illegal doping agents from the agency. WADA reached a compromise with the Russian Olympic team in which 70 percent of Russian athletes could participate, though 110 could not. Although it appeared that the matter was resolved, the CYBER BEARS unloaded on WADA with a massive FANCY BEAR spear-phishing campaign.

On August 15, 2016, stakeholders in WADA were notified of an email campaign aiming to spear-phish the members by getting them to click bogus websites that looked like official WADA portals. The watering hole domains had been recently purchased on August 8, 2016 along with additional domains not used in the strikes, but perhaps held for future targeting. The domains were registered to the users as if they were in Riva, Latvia. The URLs were “wada-awa.org” and “wada-arna.org,” which were not affiliated with the organization.

FireEye and ThreatConnect 53have tied APT28 to the WADA attack. 54However, as with the DNC, the TV5Monde, and the Warsaw Stock Exchange hacks, this one was suddenly claimed by someone else. In this case the claim emanated from a Twitter account named “Anonymous Poland” and the handle @anpoland. Like Guccifer 2.0, this new Twitter channel had no back history, suggesting it was a sock puppet account created just for the operation.

Targets of the attack included athlete Yuliya Stepanova, who had her emails hacked after she stepped forward as a whistleblower on the Russian doping scandal. She personally drew the ire of Putin who referred to her as a “Judas.” It wasn’t surprising that Russian authorities would want to retaliate as they have long shown a state interest in the success of their athletes, even if by banned or controversial methods. Grigory Rodchenkov was director of an anti-doping lab that helped Russian athletes cheat WADA controls. Rodchenkov claims that a Russian intelligence officer was assigned to observe his lab to find out what happened to athlete urine samples. 55

Numerous other Russian hacks struck government, diplomatic, and civilian websites in the U.S. as well. In December 2014, Russian hackers breached the account of a well-known U.S. military correspondent. As a result, the attackers took the contact information from that breach and went on to attack fifty-five other employees of a major U.S. newspaper. 56In January, 2015 three popular YouTube bloggers interviewed President Barack Obama at the White House. Four days later they were targets of a Gmail phishing attack.

In October of 2014, some White House staffers received an email with a video attachment of a zip file with an executable file. “Office Monkeys” was the title and it featured not only a video clip of a chimpanzee with suit and tie, it also featured the CozyDuke toolkit from APT29 equipped to open up the exploits necessary to get to the intended data.

The White House attack came as a result of a similar breach at the State Department just weeks before. In that case a staffer clicked on a fake link in an email referring to “administrative matters.” 57The resulting data gained at the State Department allowed attackers to map out an approach to White House attack vectors. The White House breach resulted in unclassified but perhaps sensitive information being compromised, including emails of President Barack Obama’s schedule. 58

The CYBER BEARS also conducted spear-phishing campaign on the U.S. Joint Chiefs, aimed at the U.S. military’s joint staff. The entry malware was disguised as coworker emails. The resulting breach shut the system down for ten days, during which time four thousand staffers were offline.

An example of the extent of the FSB and GRU covert cyber collection and exploitation was the exposure of what was most likely a Russian State Security & Navy Intelligence covert operation to monitor, exploit and hack targets within the central United States from Russian merchant ships equipped with advanced hacking hardware and tools. The US Coast guard boarded the merchant ship SS Chem Hydra and in it they found wireless intercept equipment associated with Russian hacking teams. Apparently the vessel had personnel on board who were tasked to collect intelligence on wireless networks and attempt hackings on regional computer networks in the heartland of America. 59

Berzerk Bear, VooDoo Bear, Boulder Bear:CrowdStrike identified a group that has been active since 2004 as “Berzerk Bear” and tied the group to Russian Intelligence Services. The aim of this group is information theft, 60and it has shown a flexibility to write tools appropriate to its mission. Berzerk Bear was active during the 2008 Russo-Georgian conflict, acting against Georgian websites. However, without extensive reports detailing the attacks, it is hard to tie these names to a larger matrix of attacks that are chronicled by malware tracking firms.

CyberBerkut:The group known as CyberBerkut is different than the APT threats from the Russians. These Pro-Russians from Ukraine have been launching their anti-Ukrainian DDoS attacks since 2014. In addition to DDos attacks, CyberBerkut employs data exfiltration and disinformation to attack its target. 61Although the group’s attacks have largely been aimed at discrediting the Ukrainian government, it has also been noted that CyberBerkut only aims its attacks at members of NATO. They have a website and have been quasi-public in a manner resembling Anonymous. They have even engaged in conspiracy theories related to the murder of James Foley by posting a staged video meant to resemble the famous video with Jihadi John and Foley.