Cyber Counterespionage News

Carberp botnet creator arrested by Russian and Ukrainian authorities

April 5, 2013

Initially launched in 2010, Carberp primarily targeted the customers of Russian and Ukrainian banks and was novel in the way it doctored Java code used in banking apps to commit its fraud. Spread by the ring through malware planted on popular Russian websites, the Carberp trojan was used to distribute targeted malware that modifies the bytecode in BIFIT's iBank 2 e-banking application, a popular online banking tool used by over 800 Russian banks, according to Aleksandr Matrosov, senior malware researcher at ESET. The botnet that spread the malware, which was a variant of the Zeus botnet framework, also was used to launch distributed denial of service attacks.

In February of 2011 the group put its malware on the market, selling it to would-be cybercriminals for $10,000 per kit—but it pulled the kit a few months later.

The activity of the ring appeared to die down after the first eight arrests last year, with Carberp malware detection dropping through last spring. But the developers kept coding and brought the botnet and related malware back to market last December—including a brand new and improved "bootkit" version of the trojan for the asking price of $40,000, according to RSA security researchers. Carberp malware was used as part of the "Eurograbber" botnet system uncovered late last year that went after both PCs and smartphones in its financial fraud campaign, netting more than $47 million for its operators.

http://arstechnica.com/tech-policy/2013/04/alleged-botnet-mastermind-and-his-coders-busted-by-russian-ukranian-security/


Congress quietly restricts ability to purchase Chinese equipment

April 1, 2013


Congress quietly tucked in a new cyber-espionage review process for U.S. government technology purchases into the funding law signed this week by President Barack Obama, reflecting growing American concerns over Chinese cyber attacks.

The law prevents NASA and the Justice and Commerce Departments from buying information technology systems unless federal law enforcement officials give their approval.

A provision in the 240-page spending law requires the agencies to make a formal assessment of "cyber-espionage or sabotage" risk in consultation with law enforcement authorities when considering buying information technology systems.


The assessment must include "any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized" by China.

The United States imports about $129 billion worth of "advanced technology products" from China, according to a May 2012 report by the nonpartisan Congressional Research Service.

During a news conference on Thursday, Chinese foreign ministry spokesman Hong Lei urged the United States to abandon the law to help develop relations and trust on both sides.


http://www.reuters.com/article/2013/03/28/us-usa-cybersecurity-espionage-idUSBRE92Q18O20130328

Compromised TeamViewer used during cyber espionage campaign

March 21, 2013

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.


TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

"Most likely the same attackers are behind the attacks that span for the last 10 years, as there are clear connections between samples used in different years and campaigns," CrySyS researchers wrote in their report. "Interestingly, the attacks began to gain new momentum in the second half of 2012."

They added: "The attackers surely aim for important targets. This conclusion comes from a number of different facts, including victim IPs, known activities on some targets, traceroute for probably high-profile targets, file names used in information stealing activities, strange paramilitary language of some structures, etc."

The attackers relied on a variety of methods, including the use of a digitally signed version of TeamViewer that had been modified through a technique known as "DLL hijacking" to spy on targets in real time. Installation of the compromised program also provided attackers with a backdoor to install updates and additional malware. Both the TeamViewer technique and the command servers used in the attack harken back to Sheldon. The TeamSpy operation also relied on more traditional malware tools that were custom-built for espionage or bank fraud.

According to Kaspersky, the operators infected their victims through a series of "watering hole" attacks that plant malware on websites frequented by the intended victims. When the targets visit the booby-trapped sites, they also become infected. The attackers also injected malware into advertising networks to blanket entire regions. In many cases, much of that attack code used to infect victims was spawned from the Eleonore exploit kit. Domains used to host command and control servers that communicated with infected machines included politnews.org, bannetwork.org, planetanews.org, bulbanews.org, and r2bnetwork.org.
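The command-and-control domains named above are the kind of indicator a defender would sweep resolver or proxy logs for. The script below is an added illustration, not code from the article or from CrySyS or Kaspersky: it parses a constructed DNS-query log format (timestamp, client IP, record type, queried name; an assumption, not any real product's format) and flags queries for the listed domains or any of their subdomains, using label-based matching so that a look-alike such as notpolitnews.org is not reported as a hit.

```python
"""Flag DNS log lines that query the TeamSpy C2 domains named in the reporting.
Added example: the log format and the sample lines are constructed, not taken
from any real capture."""
import re
from typing import Dict, Iterable, List

# Command-and-control domains listed in the article.
TEAMSPY_C2_DOMAINS = {
    "politnews.org",
    "bannetwork.org",
    "planetanews.org",
    "bulbanews.org",
    "r2bnetwork.org",
}

# Constructed log format: "<timestamp> <client-ip> <record-type> <queried-name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<name>\S+)$"
)


def matches_c2(name: str) -> bool:
    """True when the queried name is a listed C2 domain or a subdomain of one.

    Matching is done on whole labels, so 'notpolitnews.org' does not match
    'politnews.org'; a trailing dot (absolute name) and case are ignored.
    """
    host = name.rstrip(".").lower()
    for domain in TEAMSPY_C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every line whose queried name hits the C2 list."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if matches_c2(m.group("name")):
            hits.append(m.groupdict())
    return hits


# Constructed sample log: one benign query, three C2 hits (one on a subdomain
# with a trailing dot), one look-alike that must not match, one unparseable line.
SAMPLE_LOG = """\
2013-03-20T09:14:02Z 10.1.4.23 A www.example.org
2013-03-20T09:14:05Z 10.1.4.23 A update.politnews.org.
2013-03-20T09:15:11Z 10.1.7.8 A bulbanews.org
2013-03-20T09:16:40Z 10.1.4.23 AAAA notpolitnews.org
2013-03-20T09:17:00Z 10.1.9.2 A r2bnetwork.org
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} client={hit['client']} queried {hit['name']}")
```

Hits are returned as parsed records rather than printed so the same function can feed a SIEM alert or a ticket; the client IP in each hit is the host to pull for further triage.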

The discovery of TeamSpy is only the latest to reveal an international operation that uses malware to siphon sensitive data from high-profile targets. The most well-known campaign was dubbed Flame. Other surveillance campaigns include Gauss and Duqu, all three of which are believed to have been supported by a well-resourced nation-state. Last year, researchers also uncovered an espionage campaign dubbed Mahdi.

http://arstechnica.com/security/2013/03/decade-old-espionage-malware-found-targeting-government-computers/