Archive for the ‘Iran – cyber attacks on U.S.’ category

Justice Department charges Iranian hackers with attacks on US cities, companies

November 29, 2018

John Spink | Atlanta Journal-Constitution via AP – Linda Crossland gives directions to a citizen while seated at the City of Atlanta Customer Service Desk with her computer off, in the atrium of City Hall in Atlanta, March 23, 2018. Employees at Atlanta City Hall were handed instructions as they come through the front doors to not turn on computers or log on to their workstations. The action comes as city officials struggled to determine how much sensitive information may have been compromised in a cyberattack.

BY Ellen Nakashima and Devlin Barrett, The Washington Post • November 28, 2018 11:31 am

Source Link: Justice Department charges Iranian hackers with attacks on US cities, companies

{You think Iran will ever do anything for the betterment of mankind…or their own people for that matter? – LS}

WASHINGTON — The Justice Department unsealed charges Wednesday against two Iranian criminal hackers who allegedly used ransomware to hit American hospitals, universities, government agencies and the city of Atlanta, causing tens of millions of dollars in damages.

In all more than 200 victims were affected, more than $6 million in ransom collected and damages exceeded $30 million, officials said. Ransomware encrypts data on affected systems, with an offer to decrypt if a ransom is paid.

This is the first time federal prosecutors are bringing charges against hackers for using ransomware with Bitcoin exchanges, according to officials. Bitcoin exchanges transfer traditional currencies into Bitcoin, or Bitcoin into traditional currencies.

The 25-page indictment charges that the hackers’ scheme was for their own personal profit, and was not government directed.

The defendants, Faramarz Shah Savandi and Mohammad Mehd Shah Mansouri, were charged with conspiring to hack victims between December 2015 and this month. The suspects are believed to be in Iran.

A ransomware called SamSam was used in attacks against Atlanta, the Colorado Department of Transportation and several health care institutions. The ransomware, first identified in 2015, gained prominence after it afflicted Atlanta in March, hobbling computers in the court system, shutting down the Wi-Fi at the international airport, preventing residents from paying their water bills online, and forcing the police for several days to file police reports on paper instead of electronically.

Though Atlanta refused to pay the anonymous hackers $51,000 in ransom, recovering from the attack is estimated to have cost the city’s taxpayers more than $9 million.

The SamSam ransomware was not as well-known as WannaCry, a computer virus paired with ransomware that in May 2017 affected more than 300,000 computers in 150 countries. But in some ways, it is more sophisticated. WannaCry, which U.S. officials said was created by North Korea, spread on the open internet and hit targets indiscriminately.

With SamSam, by contrast, the hackers chose targets that were vulnerable and then infiltrated their networks, pre-positioning the ransomware on key servers before triggering it — a technique that enabled them to inflict maximum damage immediately, according to officials and cybersecurity experts.

SamSam differs from other ransomware because it does not rely on phishing to infiltrate a system, but uses other techniques, including what security officials call brute-force attacks to guess weak passwords.

But it shares one key attribute with WannaCry, said cyber experts. Both utilize a potent cyber tool developed by the National Security Agency that was breached and wound up on the open internet: EternalBlue. The “exploit,” as hackers call it, takes advantage of a software flaw in some Microsoft Windows operating systems, helping attackers gain access to those computers.

Although Microsoft, after being notified by the NSA, issued a patch for the flaw in March 2017, many companies around the world and some in the United States failed to update their machines and fell victim to WannaCry last year.

The hackers who developed SamSam at some point incorporated EternalBlue into the malware. “SamSam was far more potent with EternalBlue,” said Jake Williams, founder of the cybersecurity company Rendition Infosec. “Their capabilities increased dramatically with it.”

Other ransomware has also used EternalBlue, showing how these exploits, once released, can be picked up by anyone — criminals or nation states. And it has raised questions about how agencies such as the NSA protect their hacking tools.

Iran attacks, cyber edition, Power Line

November 5, 2015

Iran attacks, cyber edition, Power LineScott Johnson, November 5, 2015

Jay Solomon reports in today’s Wall Street Journal: “U.S. Detects Flurry of Iranian Hacking” (accessible via Google here). The Israel Project’s Omri Ceren takes note and comments in an email message (with the usual footnotes!) that I thought readers would find of interest:

The WSJ revealed last night that there has been a “surge” in Iranian cyber attacks against U.S. officials, journalists, and activists who work on Iran. At least some of the attacks have been successful.

The attacks were launched using the laptop of American-Iranian businessman Siamak Namazi, who was arrested and imprisoned in mid-October. It appears the Revolutionary Guard Corps (IRGC) seized Namazi’s computer, made him log into Outlook or Gmail or whatever program he uses, and then sent malware-infected emails to people in his contact list, who then opened up those emails. The Journal had previously published hints of the story: last week the outlet reported “Iranian intelligence agents ransacked [Namazi’s] family home in Tehran and confiscated his computer, and have since been launching cyber attacks on some of his email contacts” [a]. Journalist Robin Wright subsequently revealed she and State Department officials were among those targeted from the confiscated computer [b]. This new Journal story reveals that the cyber-offensive is widespread and that “Obama administration personnel… have had their computer systems hacked.”

The full article…runs almost 1,500 words. Background on some of the angles:

U.S. politics (sanctions) — “Lawmakers have called for the White House to ramp up sanctions on the IRGC… ‘Iran’s threatening behavior will worsen if the administration does not work with Congress to enact stronger measures to push back, including… targeted pressure against Iran’s Revolutionary Guard,’ Sen. Mark Kirk… said Friday” — Lawmakers are talking about a policy menu that has three tiers of potential targets: (1) Just the IRGC personnel involved in Namazi’s arrest, e.g. by having the Treasury Dept. tag them as Specially Designated Nationals (SDNs) (2) the entire IRGC, e.g. by having the State Dept. designate the IRGC as a Foreign Terrorist Organization (FTO) [c] (3) Iran’s non-nuclear infrastructure (ballistic missile development, human rights violations, terror promotion, regional expansionism, etc), e.g. by supporting Congress in renewing the Iran Sanctions Act (ISA) of 1996.

Middle East geopolitics (U.S.-Iran entente) — “President Barack Obama and Secretary of State John Kerry have voiced hopes that the Iran nuclear agreement reached in July could spur greater cooperation between Washington and Tehran on regional issues… Iran for the first time took part in international talks aimed at ending the multisided war in Syria” — Foreign Policy revealed last night that Obama personally intervened with the Saudis to allow Iran to take part in those talks [d]. The Associated Press had already assessed over the summer that “coziness” between the Iranians and Obama administration officials was “the new normal” [e]. The Iranian cyber-offensive – plus the arrest of Namazi, plus Iran’s arrest last month of U.S. resident Nizar Zakka, plus the new joint Iranian-Russian military offensive in Syria, plus Iran’s recent launch of a ballistic missile in violation of UNSC resolution 1929, plus this week’s widespread Death to America celebrations throughout Iran [f] – risks making the administration look naive.

U.S. National security (cyber) — “The IRGC has used cyberwarfare against other Iranian-Americans and people tied to them detained in recent years… Computer experts have noted that by hacking a target’s contacts… the number of people associated with that target can grow exponentially” — The Iranians have been spear phishing US government targets for years. In May 2014 a computer security firm revealed the existence of a three year Iranian cyber-campaign – the “most elaborate social-engineering campaign” the researchers had ever seen – targeting U.S. military officials, Congressional staffers, diplomats, lobbyists, journalists, and so on [g]. Last spring the American Enterprise Institute published a report assessing that the then-impending nuclear deal would “dramatically increase the resources Iran can put toward expanding its cyber attack infrastructure” [h].

The WSJ story will get wrapped into the broader debate about the wisdom of the Joint Comprehensive Plan of Action (JCPOA). When the article went live last night Reuters took it to the White House for a response, and got a “no comment” on background [i]. As today rolls along, administration spokespeople will shift more explicitly to the usual line about Iranian aggression: they’ll say that of course they have concerns about Iranian behavior, but the nuclear deal was never premised on Iranian moderation, and they’ll add that they can still respond to Iran with options in theory. They’ll refuse to identify any specific pushback they intend to implement in practice.

That move has been a staple of administration messaging for months, but may not satisfy journalists or lawmakers in the aftermath of the Namazi arrest and cyber attacks. The policy menu outlined by the Kirk letter provides a range of options – SDNs, FTO, ISA – and should allow the White House to work with Congress on a calibrated pushback. At the bottom level it suggests sanctions against the specific IRGC officials in the specific intelligence unit who seized Namazi and used his laptop to hack American officials. Imposing sanctions at that individual level is quite literally the least the White House can do in response.