nato - X-Industry - Red Sky Alliance2024-03-29T08:04:25Zhttps://redskyalliance.org/xindustry/feed/tag/natoTETRA Radio Vulnerabilitieshttps://redskyalliance.org/xindustry/tetra-radio-vulnerabilities2023-08-05T12:00:00.000Z2023-08-05T12:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}12176559283,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12176559283,RESIZE_400x{{/staticFileLink}}" width="250" alt="12176559283?profile=RESIZE_400x" /></a>Five vulnerabilities, two deemed critical, have been found in the Terrestrial Trunked Radio (TETRA) standard. TETRA is the most widely used police radio communication system outside the US. It is used by fire and ambulance services, transportation agencies, utilities, military, border control, and customs agencies in more than 100 nations globally and by the UN and NATO.</p>
<p>The vulnerabilities were discovered by cybersecurity firm Midnight Blue (Amsterdam, Netherlands) with funding from NLnet as part of the EU NGI0 PET fund. Midnight Blue reverse-engineered the proprietary TETRA Authentication Algorithm (TAA1) and TETRA Encryption Algorithm (TEA) and analyzed them for the first time. In this process, they discovered a series of vulnerabilities collectively called TETRA:BURST.</p>
<p>The firm has announced basic details but will provide full technical details during upcoming security conferences, including Black Hat and DEF CON, in August 2023. “We have spent over two and a half years on our TETRA research, including a coordinated disclosure process that lasted over one and a half years. We will fully disclose our research results and present our work at various conferences throughout the year,” say the researchers.<a href="#_ftn1">[1]</a></p>
<p>The five vulnerabilities are:</p>
<ul>
<li>CVE-2022-24401, critical: allows decryption oracle attacks leading to a loss of confidentiality and authenticity.</li>
<li>CVE-2022-24402, critical: a backdoor in the TEA1 encryption algorithm allows trivial brute-forcing on keys leading to a loss of confidentiality and authenticity.</li>
<li>CVE-2022-24404, high: lack of authentication on AIE, allowing malleability attacks leading to a loss of authentication.</li>
<li>CVE-2022-24403, high: weak obfuscation on radio identities allowing user deanonymization.</li>
<li>CVE-2022-24400, high: a flaw in the authentication algorithm can lead to a loss of authenticity and a partial loss of confidentiality.</li>
</ul>
<p>Midnight Blue calls out the first and third vulnerabilities as of immediate concern. “This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.”</p>
<p>The company also raised concerns over the TEA1 encryption backdoor, which could pose a serious risk to critical infrastructure operators and their industrial control systems (ICS). “By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic for monitoring and controlling industrial equipment. For example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signaling messages,” Midnight Blue explains. Patches and mitigations (such as the use of E2EE) are specified.</p>
<p>William Wright, CEO of Closed Door Security, commented, “This is an extremely concerning discovery from security researchers. No critical or trivial system should ever be marketed or deployed without continuous and proactive security testing.” It seems that too much of the standard's security was placed in the proprietary nature of TETRA itself.</p>
<p>He points out that since criminals are constantly looking for weaknesses in systems that they can exploit to gain access to data, there is a possibility these bugs have already been discovered and used in the wild. “Furthermore,” he adds, “given the types of industries that rely on TETRA radio communications, this could have given adversaries access to sensitive information that could be extremely dangerous in their hands.”</p>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com</p>
<p>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a><br /> Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a><br /> LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/tetra-radio-standard-vulnerabilities-can-expose-military-comms-industrial-systems/">https://www.securityweek.com/tetra-radio-standard-vulnerabilities-can-expose-military-comms-industrial-systems/</a></p>
<p> </p></div>RomCom at NATOhttps://redskyalliance.org/xindustry/romcom-at-nato2023-07-14T16:00:00.000Z2023-07-14T16:00:00.000ZCyberDoghttps://redskyalliance.org/members/CyberDog189<div><p><a href="{{#staticFileLink}}12148371273,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12148371273,RESIZE_400x{{/staticFileLink}}" width="200" alt="12148371273?profile=RESIZE_400x" /></a>As part of a recently identified cyber operation, the cybersecurity investigators report that a Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit taking place July 11-12. The event takes place in Vilnius, Lithuania. The NATO Summit has on the agenda talks focusing on the war in Ukraine and new memberships in the organization, including Sweden and Ukraine.</p>
<p>RomCom attackers are spoofing trusted software solutions to gain network access. RomCom may be related to the Cuba ransomware and Industry Spy attacks, since all three use a similar network configuration link; however, this could also be a deliberate distraction on the part of the RomCom criminals. Once installed, the RAT can collect information, capture screenshots, and export them to an offsite server.<a href="#_ftn1">[1]</a></p>
<p>Taking advantage of the event, RomCom has created malicious documents likely to be distributed to supporters of Ukraine. It appears to have dry-tested its delivery on 22 June 2023, a few days before the Command-and-Control (C&C) domain used in the campaign went live. The threat actor likely relied on spear-phishing to distribute one of the malicious documents, relying on an embedded RTF file and OLE objects to initialize an infection chain to harvest system information and deliver the RomCom remote access trojan (RAT).</p>
<p>At one stage in the infection chain, a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina, is exploited for remote code execution (RCE).</p>
<p>According to researchers, the C&C domains and victim IPs identified during this campaign were all accessed from a single server, which has been observed connecting to known RomCom infrastructure. Based on the observed tactics, techniques, and procedures (TTPs), network infrastructure, code similarities, and other collected artifacts, BlackBerry is confident that the RomCom threat actor, or members of RomCom, are behind the cyber operation.</p>
<p>Given the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.</p>
<p>Also tracked as Void Rabisu and Tropical Scorpius and associated with the Cuba ransomware, RomCom was believed to be financially motivated. However, recent campaigns have shown a shift in tactics and motivation, suggesting that the group is likely working for the Russian government.</p>
<p>Since at least October 2022, the threat actor’s RomCom backdoor has been used in attacks targeting Ukraine, including users of Ukraine’s Delta situational awareness program and organizations in Ukraine’s energy and water utility sectors.</p>
<p>Outside Ukraine, RomCom attacks targeted a provincial, local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/russia-linked-romcom-hackers-targeting-nato-summit-guests/">https://www.securityweek.com/russia-linked-romcom-hackers-targeting-nato-summit-guests/</a></p></div>RU Attack NATO & EU With Something Newhttps://redskyalliance.org/xindustry/ru-attack-nato-eu-with-something-new2023-04-20T12:00:00.000Z2023-04-20T12:00:00.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}11029716076,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11029716076,RESIZE_400x{{/staticFileLink}}" alt="11029716076?profile=RESIZE_400x" width="250" /></a>The Polish government warns that a cyberespionage group linked to Russia's intelligence services targets diplomatic and foreign ministries from NATO and EU member states in an ongoing campaign that uses previously undocumented malware payloads. The group, known in the security industry as APT29, Cozy Bear, and NOBELIUM, is believed to be part of Russia's Foreign Intelligence Service (SVR) and is the group behind the 2020 supply chain attack against software company SolarWinds that led to the compromise of thousands of organizations worldwide.<a href="#_ftn1">[1]</a></p>
<p>See: <a href="https://redskyalliance.org/redshorts2020/4-global-internet-disruptors-russian-gru-hackers-indicted">https://redskyalliance.org/redshorts2020/4-global-internet-disruptors-russian-gru-hackers-indicted</a></p>
<p>In the new attack campaign, discovered and investigated by Poland's Military Counterintelligence Service and the CERT Polska (CERT.PL), the APT29 hackers targeted selected personnel at diplomatic posts with spear phishing emails that masqueraded as messages from the embassies of European countries inviting them to meetings or to collaborate on documents. The emails had PDF attachments that contained links to supposedly external calendars, meeting details, or work files. The links led to web pages that used JavaScript code to decode a payload and offer it for download. This script, which uses an HTML Smuggling technique, served .ISO, .ZIP or .IMG files.</p>
<p>APT29 has used .ISO files for malware distribution before, but the use of .IMG (disk image) files is a new technique. ISO and IMG files are automatically mounted as a virtual disk when opened in Windows, and the user can access the files within. In this case, the files were Windows shortcuts (LNK) that launched a legitimate executable, which in turn loaded a malicious DLL.</p>
<p>This technique is known as DLL side-loading and involves attackers delivering an executable file belonging to a legitimate application that is known to load a DLL library with a particular name from the same directory. The attackers must only provide a malicious DLL with the same name to accompany the file. By using a legitimate file to load malicious code in memory, attackers hope to evade detection by security tools that might have that file whitelisted.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/07734-qbot-the-calculator-episode">https://redskyalliance.org/xindustry/07734-qbot-the-calculator-episode</a></p>
<p>The first payload of the attack is a custom malware dropper that the Polish researchers dubbed SNOWYAMBER. This lightweight program collects basic computer information and contacts a command-and-control server hosted on Notion.so, an online workspace collaboration service. The goal of this dropper is to download and execute additional malware, and the researchers have seen the APT29 attackers use it to deploy Cobalt Strike and BruteRatel beacons. Both are commercial post-exploitation frameworks intended for penetration testers but have also found adoption with attackers.</p>
<p>A variant of SNOWYAMBER was detected and reported publicly by Recorded Future in October 2022, but Polish researchers found a new variant with additional anti-detection routines in February 2023. SNOWYAMBER is not the only malware dropper used by APT29. In February 2023, the group was seen using another payload, dubbed HALFRIG, that was also used to deploy Cobalt Strike; instead of downloading the beacon from a Command-and-Control server, HALFRIG decrypts it from shellcode. In March 2023, the hackers were seen using another tool named QUARTERRIG that shares part of its codebase with HALFRIG.</p>
<p>Using multiple droppers in a relatively short time frame suggests that the attackers are quickly adapting and replacing tools that have been identified by the security community and no longer deliver the same success rate.</p>
<p>"At the time of publication of the report, the campaign is still ongoing and in development," the Polish government said in its advisory. "The aim of publishing the advisory is to disrupt the ongoing espionage campaign, impose an additional cost of operations against allied nations, and enable the detection, analysis, and tracking of the activity by affected parties and the wider cyber security industry."</p>
<p>The list of targets of interest for APT29 includes government and diplomatic entities (foreign ministries, embassies, diplomatic staff, and those working in international locations), international organizations, and non-governmental organizations. While the attacks focused mainly on EU and NATO entities, some targets were also observed in Africa.</p>
<p>The Polish Military Counterintelligence Service and CERT.PL recommend that organizations that think they might be a target implement the following defensive measures:</p>
<ul>
<li>Block the ability to mount disk images on the file system as most users do not need this functionality.</li>
<li>Monitor the mounting of disk image files by users with administrator roles.</li>
<li>Enable and configure attack surface reduction rules.</li>
<li>Configure software restriction policy.</li>
<li>Block the possibility of starting executable files from unusual locations (in particular temporary directories, %localappdata% and its subdirectories, and external media).</li>
</ul>
<p>The Polish government's advisory also includes indicators of compromise that can be used to build detection for the known malware samples.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.csoonline.com/article/3693252/russian-cyberspies-hit-nato-and-eu-organizations-with-new-malware-toolset.html#">https://www.csoonline.com/article/3693252/russian-cyberspies-hit-nato-and-eu-organizations-with-new-malware-toolset.html#</a></p></div>Killnet & NATOhttps://redskyalliance.org/xindustry/killnet-nato2023-02-13T16:50:00.000Z2023-02-13T16:50:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10966651484,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10966651484,RESIZE_400x{{/staticFileLink}}" alt="10966651484?profile=RESIZE_400x" width="250" /></a>With many countries assisting Turkey and Syria in earthquake response, hackers are in the process of trying to disrupt the communication processes. The Russian hacktivist collective Killnet has carried out a series of distributed denial of service (DDoS) attacks against NATO, causing temporary disruption to some of the military alliance’s public-facing websites. The Killnet operation had previously said through its closed channel on the encrypted Telegram service that it was initiating attacks against NATO. It also appears to have been soliciting cryptocurrency donations to maintain the attacks.<a href="#_ftn1">[1]</a></p>
<p>A NATO spokesperson confirmed the alliance had briefly come under attack: “NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis and takes cyber security very seriously.”</p>
<p>Speaking at a press conference convened ahead of a meeting of Defence ministers, the NATO secretary general told reporters that the alliance has deployed additional protective measures since 12 February. “The majority of NATO websites are functioning as normal. Some NATO websites are still experiencing availability issues, but our technical teams are working to restore full access,” he said, adding that NATO’s classified networks, those used to communicate on active missions and within the alliance’s command structure, were not attacked.</p>
<p>However, according to reports, the cyber-attack may also have affected networks used by NATO’s Strategic Airlift Capability (SAC), a program within NATO that provides military airlift capabilities to 12 member states using Boeing C-17 Globemaster III aircraft. The UK is not part of this unit, although the Royal Air Force does operate C-17s. SAC, which has been flying search and rescue equipment and teams into an airbase in south-eastern Turkey, reportedly found itself unable to communicate with a C-17 in flight due to network disruption, although it is understood it never lost contact with the plane.</p>
<p>Currently, the death toll from the 7.8 magnitude earthquake has risen to more than 33,000 in Syria and Turkey. A week after the disaster, hopes of finding any more survivors are fading fast as the relief operation moves from the search and rescue phase to one of support and recovery.</p>
<p>Killnet's attacks on NATO targets will come as little surprise to long-time observers of the cyber element of Russia’s war on Ukraine. Since the early days of the conflict, the Kremlin-aligned group has targeted organizations and governments that have supported Ukraine, and recent announcements of more military aid to Kyiv prompted a series of attacks on targets in Germany and the United States. The group’s stock-in-trade DDoS attack is a relatively affordable variety of cyber-attack designed to cause temporary and noisy disruption, rather than damage, to its targets, by flooding their public-facing infrastructure with an overwhelming number of junk requests. As such, NATO will likely have been prepared to be targeted in this way.</p>
<p>Cybereason said, “The group claiming responsibility for the attack, Killnet, is known best for their use of DDoS as a tool. Building large botnets is significant, but it is also defensible; and resilience can be built. It is in some ways the ‘poor man's’ cyber tool, because it gets a big splash for relatively little investment. Dogs run in packs, and this is no different. DDoS produces a lot of barking, but the pack isn't that large. Targeting local and state governments is optimizing for the most visibility. If they could do more, they would. At this time, the best assumption is that we are seeing Killnet’s loudest attempt to get attention. However, the world is more-or-less divided for or against Putin, and attacks like this aren't likely to either sow debilitating fear or sway hearts and minds.”</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.computerweekly.com/news/365530999/Killnet-DDoS-attacks-disrupt-Nato-websites">https://www.computerweekly.com/news/365530999/Killnet-DDoS-attacks-disrupt-Nato-websites</a></p></div>NATO and the Dark Webhttps://redskyalliance.org/xindustry/nato-and-the-dark-web2022-09-05T17:20:32.000Z2022-09-05T17:20:32.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10804163868,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10804163868,RESIZE_400x{{/staticFileLink}}" alt="10804163868?profile=RESIZE_400x" width="250" /></a>Just what is for sale on the Dark Web? According to a published report, the North Atlantic Treaty Organization (NATO) is investigating the leak of data reportedly stolen from a European missile systems firm, which hackers have put up for sale on the Dark Web. The leaked data includes blueprints of weapons used by Ukraine in its current war with Russia. Integrated defense company MBDA Missile Systems, headquartered in France, has acknowledged that data from its systems is a part of the cache being sold by threat actors on hacker forums after what appears to be a ransomware attack.<a href="#_ftn1">[1]</a></p>
<p>Contradicting the cyber actor’s claims in their ads, nothing up for sale is classified information, MBDA said. It added that the data was acquired from a compromised external hard drive, not the company's internal networks. NATO, meanwhile, is "assessing claims relating to data allegedly stolen from MBDA," a NATO official reported. "We have no indication that any NATO network has been compromised," the official said.</p>
<p>MBDA acknowledged in early August 2022 that it was "the subject of a blackmail attempt by a criminal group that falsely claims to have hacked the company's information networks" in a post on its website. According to the post, the company refused to pay the ransom, and thus the data was leaked for sale online.</p>
<p>Threat actors are selling 80GB of stolen data on both Russian and English language forums with a price tag of 15 Bitcoins, which is about $297,279, according to a report from the BBC, which broke the news about the NATO investigation. It has been reported that cybercriminals claim to have already sold data to at least one buyer.</p>
<p>According to the report, NATO is investigating one of the firm's suppliers as the possible source of the breach. MBDA is a joint venture between three key shareholders: Airbus, BAE Systems, and Leonardo. Though the company operates out of Europe, it has subsidiaries worldwide, including MBDA Missile Systems in the United States. The company is working with authorities in Italy, where the breach occurred. MBDA reported $3.5 billion in revenue last year and counted NATO, the US military, and the UK Ministry of Defense among its customers.</p>
<p>Hackers claimed in their ad for the leaked data to have "classified information about employees of companies that took part in the development of closed military projects," as well as "design documents, drawings, presentations, video and photo materials, contract agreements, and correspondence with other companies," according to the BBC.</p>
<p>Among the sample files in a 50-megabyte stash viewed by the BBC is a presentation appearing to provide blueprints of the Land Ceptor Common Anti-Air Modular Missile (CAMM), including the precise location of the electronic storage unit within it. According to the report, one of these missiles was recently sent to Poland for use in the Ukraine conflict as part of the Sky Sabre system and is currently operational.</p>
<p>This might provide a clue about the motive of the threat actors; advanced persistent threats (APTs) aligned with Russia began hitting Ukraine with cyberattacks even before Russia's official invasion on 24 February 2022. After the conflict on the ground began, threat actors continued to subject Ukraine to a cyber war in support of the Russian military effort.</p>
<p>The sample data viewed by the BBC also included documents labeled "NATO CONFIDENTIAL," "NATO RESTRICTED," and "Unclassified Controlled Information," according to the report. At least one stolen folder contains detailed drawings of MBDA equipment. The cybercriminals also sent email documents to the BBC, including two marked "NATO SECRET," according to the report. The hackers did not confirm whether the material had come from a single source or more than one hacked source.</p>
<p>Nonetheless, MBDA insists that the verification processes that the company has executed so far "indicate that the data made available online are neither classified data nor sensitive."</p>
<p>This raises a question for all readers: “What data from your company is already for sale on the Dark Web?” Interested in finding out? Please contact us and ask about our RedPane service.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.oodaloop.com/briefs/2022/08/30/nato-investigates-dark-web-leak-of-data-stolen-from-missile-vendor/">https://www.oodaloop.com/briefs/2022/08/30/nato-investigates-dark-web-leak-of-data-stolen-from-missile-vendor/</a></p></div>NATO Approval Comes with a Pricehttps://redskyalliance.org/xindustry/nato-approval-comes-with-a-price2022-08-10T17:34:14.000Z2022-08-10T17:34:14.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10776804683,original{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10776804683,RESIZE_400x{{/staticFileLink}}" width="250" alt="10776804683?profile=RESIZE_400x" /></a>Finland’s parliament website was temporarily shut down on Tuesday, 9 August, following a cyber-attack that coincided with the US’s move to admit the Nordic country to the North Atlantic Treaty Organization (NATO). The Finnish parliament said in a statement on Twitter that a denial-of-service attack hit the parliament’s external websites at around 2:30 pm local time. “The Parliament takes steps to limit the attack together with service providers and the Cybersecurity Center,” the statement said.</p>
<p>On 10 August, the Finnish parliament announced on Twitter that its website had returned to normal the previous evening. The attack against the parliament occurred the same day US President Biden signed a measure backing Finland and Sweden’s admittance into NATO. Biden’s signature makes the US the 23rd NATO country out of 30 members to approve the two Nordic countries’ admission into the alliance.<a href="#_ftn1">[1]</a></p>
<p>The US President called the move a “watershed moment” for the transatlantic alliance, adding that the decision to incorporate Finland and Sweden into NATO is “for the greater security stability…of the world.” He added, “At a moment when Putin’s Russia has shattered peace and security in Europe, when autocrats are challenging the foundations of a rule-based order, the strength of a transatlantic alliance and America’s commitment to NATO is more important than it’s ever been.” The announcement on 9 August was made at an event attended by the ambassadors of Finland and Sweden.</p>
<p>Last week, the US Senate voted 95-1 to approve the resolution, with every member of the Democratic caucus and most Republicans voting in support. Finland and Sweden applied for NATO membership in May of this year, a move many think was prompted by Russia’s invasion of Ukraine in February.</p>
<p>A week ago, the Finnish news agency STT said it took some of its systems offline following a malicious cyber-attack. STT reported investigating the possibility of an information leak, with the STT CEO saying the organization had been in touch with the authorities since the breach. It is not uncommon for hackers to attack media organizations. Last year, Norwegian media company Amedia suffered a cyber-attack that shut down its computer systems, preventing the publication of its newspapers. STT's managing editor said the agency has been upping its preparedness to deal with potential cyber-attacks. "Over the past six months, we have become increasingly aware that we may be targeted. We've taken note of attacks on agencies like ours throughout Europe. In that sense, this was expected," he said. Finnish authorities have warned of an increased cyber-attack risk since Russia invaded Ukraine in February 2022.</p>
<p>In May, the Finnish Transport and Communications Agency Traficom warned that Finland's NATO membership application could increase cybersecurity threats from Russia. This warning came after the websites of Finland's defense and foreign affairs ministries were hit by denial of service attacks in April 2022, coinciding with Ukrainian President Zelensky's address to the Finnish Parliament.<a href="#_ftn2">[2]</a></p>
<p>Following Sweden’s decision to join NATO, the country’s prime minister Magdalena Andersson expressed concerns of possible cyber retaliation from Russia. “There could be the possibility of cyberattacks, hybrid attacks, and other measures, but it’s all up to them,” she said, adding that the decision to join NATO is best for her country’s security.</p>
<p>Experts have warned that Russia could use its cyber arsenal against Finland and Sweden and say it is likely to launch small-scale, unsophisticated cyberattacks, including distributed denial-of-service attacks and website defacement, as a form of protest against the expansion. Brace yourselves; there may be more to come.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://thehill.com/policy/technology/3595917-finlands-parliament-hit-with-cyberattack-following-us-move-to-admit-the-country-to-nato/">https://thehill.com/policy/technology/3595917-finlands-parliament-hit-with-cyberattack-following-us-move-to-admit-the-country-to-nato/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://yle.fi/news/3-12556939">https://yle.fi/news/3-12556939</a></p></div>What Took So Long?https://redskyalliance.org/xindustry/what-took-so-long2022-04-12T15:42:37.000Z2022-04-12T15:42:37.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}10359900282,RESIZE_1200x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10359900282,RESIZE_400x{{/staticFileLink}}" width="250" alt="10359900282?profile=RESIZE_400x" /></a>A United States spokesman said on 07 April 2022 that the US had secretly removed malware from computer networks around the world in recent weeks, a step to pre-empt Russian cyberattacks and send a message to President Vladimir V. Putin of Russia. The actions, made public by Attorney General Merrick B. Garland, come as U.S. officials warn that Russia could try to strike American critical infrastructure, including financial firms, pipelines and the electric grid, in response to the sanctions that the United States has imposed on Moscow over the war in Ukraine.</p>
<p>The malware enabled the Russians to create “botnets,” networks of private computers that are infected with malicious software and controlled by the G.R.U., the intelligence arm of the Russian military. But it is unclear what the malware was intended to do, since it could be used for everything from surveillance to destructive attacks. A U.S. spokesman said that the United States did not want to wait to find out. Armed with secret court orders in the United States and the help of governments around the world, the Justice Department and the F.B.I. disconnected the networks from the G.R.U.’s own controllers. “Fortunately, we were able to disrupt this botnet before it could be used,” Mr. Garland said. The court orders allowed the F.B.I. to go into domestic corporate networks and remove the malware, sometimes without the company’s knowledge.</p>
<p>President Biden has repeatedly said he would not put the U.S. military in direct conflict with the Russian military, a situation he has said could lead to World War III. That is why he refused to use the U.S. Air Force to create a no-fly zone over Ukraine or to permit the transfer of fighter jets to Ukraine from NATO air bases. Biden’s hesitance does not appear to extend to cyberspace. The operation that was revealed showed a willingness to disarm the main intelligence unit of the Russian military from computer networks inside the United States and around the world. It is also the latest effort by the Biden administration to frustrate Russian actions by making them public before Moscow could attack.</p>
<p>Even as the United States works to prevent Russian attacks, some American officials fear Mr. Putin may be biding his time in launching a major cyber operation that could strike against the American economy. American officials say the primary Russian cyber actions have been directed at Ukraine, including “wiper” malware designed to cripple Ukrainian government offices and an attack on a European satellite system called Viasat. The details of the satellite attack, one of the first of its kind, are of particular concern to the Pentagon and American intelligence agencies, which fear it may have exposed vulnerabilities in critical communications systems that the Russians and others could exploit.</p>
<p>The Biden administration has instructed critical infrastructure companies in the United States to prepare to fend off Russian cyberattacks, and intelligence officials <a href="https://www.reuters.com/article/ukraine-crisis-russia-cyber-britain-idINL2N2VY104">in Britain</a> have echoed those warnings. And while Russian hackers have sometimes preferred to quietly infiltrate networks and gather information, researchers said that recent malware activity in Ukraine demonstrated Russia’s increasing willingness to cause digital damage.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/dhs-warns-of-russian-cyber-attack">https://redskyalliance.org/xindustry/dhs-warns-of-russian-cyber-attack</a></p>
<p>“They are engaged in a cyberwar there that is pretty intense, but it is targeted,” said Tom Burt, a Microsoft executive who oversees the company’s efforts to counter major cyberattacks and <a href="https://www.nytimes.com/2022/02/28/us/politics/ukraine-russia-microsoft.html">shut down an attack in Ukraine</a> during the opening of the war. Security experts suspect that Russia may be responsible for other cyberattacks that have occurred since the war began, including on Ukrainian communications services, although investigations into some of those attacks are ongoing.</p>
<p>In January 2022, as diplomats from the United States prepared to meet with their Russian counterparts in an attempt to avoid military conflict in Ukraine, Russian hackers already were putting the finishing touches on a new piece of destructive malware. The code was designed to delete data and render computer systems inoperable. In its wake, the malware left a note for victims, taunting them about losing information. Before U.S. and Russian representatives met for a <a href="https://www.nytimes.com/2022/01/18/us/politics/russia-ukraine-blinken.html">final attempt at diplomacy</a>, hackers had already begun using the malware to attack Ukrainian critical infrastructure, including government agencies responsible for food safety, finance and law enforcement.</p>
<p>Adam Meyers, the senior vice president for intelligence at CrowdStrike, who analyzed the malware used in the January 2022 attacks and linked the group to Russia, said the group intended to cause damage and aid Russian military objectives. “It’s a relatively new group, clearly purpose-built with a disruptive capability in mind,” Mr. Meyers said. “The emergence of it is a progression of a continued demand from Russian forces for cyber operational support.”</p>
<p>Another attack occurred on 24 February 2022, the day that Russia invaded Ukraine, when hackers knocked Viasat offline. The attack flooded modems with malicious traffic and disrupted internet services for several thousand people in Ukraine and tens of thousands of other customers across Europe, Viasat said <a href="https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/">in a statement</a>. The attack also spilled over into Germany, disrupting operations of wind turbines there. Viasat said that the hack remained under investigation by law enforcement, U.S. and international government officials and Mandiant, a cybersecurity firm that it hired to look into the matter, and it did not attribute the attack to Russia or any other state-backed group.</p>
<p>Senior U.S. officials said all evidence suggested Russia was responsible, and <a href="https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/">security researchers at SentinelOne</a> said the malware used in the Viasat attack was similar to code that has been linked to the G.R.U. The United States has not formally named Russia as the source of the attack but is expected to do so as soon as several allies join in the analysis.</p>
<p>In late March 2022 a cyberattack again disrupted communications services in Ukraine. This time, the attack focused on Ukrtelecom, a telephone and internet service provider, knocking the company’s services offline for several hours. The attack was “an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia,” <a href="https://twitter.com/netblocks/status/1508465391244304389">according to NetBlocks</a>, a group that tracks internet outages. Ukrainian officials believe that Russia was most likely responsible for the attack, which has not yet been traced to a particular hacking group. “Russia was interested in cutting off communication between armed forces, between our troops, and that was partially successful in the very beginning of the war,” said Victor Zhora, a top official at Ukraine’s cybersecurity agency, the State Service of Special Communications and Information Protection. Ukrainian officials said Russia had also been behind <a href="https://www.nytimes.com/2022/04/05/us/politics/ukraine-russia-hackers.html">attempts to spread disinformation</a> about a surrender.</p>
<p>In the United States, officials fear similar cyberattacks could hit critical infrastructure companies. Some executives said they hoped the federal government would offer funding for cybersecurity. </p>
<p><span style="font-size:8pt;"><a href="https://republicbroadcasting.org/news/u-s-says-it-secretly-removed-malware-worldwide-pre-empting-russian-cyberattacks/">Republic Broadcasting Network » U.S. Says It Secretly Removed Malware Worldwide, Pre-empting Russian Cyberattacks</a></span></p>
<p> </p></div>Achtung! Germany Warns Against Kasperskyhttps://redskyalliance.org/xindustry/achtung-germany-warns-against-kaspersky2022-03-25T12:45:48.000Z2022-03-25T12:45:48.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}10237187095,RESIZE_192X{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10237187095,RESIZE_192X{{/staticFileLink}}" width="187" alt="10237187095?profile=RESIZE_192X" /></a>For years, cyber threat professionals have warned against installing Kaspersky on any computer. Now, German cybersecurity agency BSI on 16 March 2022 urged consumers not to use anti-virus software made by Russia's Kaspersky, warning the firm could be implicated in hacking assaults amid Russia's war in Ukraine. Russia's military and intelligence activities in Ukraine, and its threats to EU and NATO allies, particularly Germany, mean there is "a considerable risk of a successful IT attack", the Federal Cyber Security Authority (BSI) said in a statement.</p>
<p>"A Russian IT manufacturer can itself carry out offensive operations, can be forced to attack target systems against its will, or be itself spied on as a victim of a cyber operation without its knowledge, or be misused as a tool for attacks against its own customers," the agency warned. Companies and operators of critical infrastructure are particularly vulnerable but individuals could also be hit, the BSI said, inviting anyone in doubt to contact it for advice.</p>
<p>The United States banned government agencies from using Kaspersky software as early as 2017. Kaspersky has always rejected accusations that it works with the Kremlin. But its business was badly hit by the US ban, which came into effect at a time when the company's software was installed on hundreds of millions of computers worldwide.</p>
<p>The Moscow-based company, however, noted that it had shifted its cyber-threat-related data processing infrastructure to the Swiss city of Zurich in 2018 and that its data services and engineering practices have been subjected to independent third-party assessments. Cyber threat analysts continue to be concerned about potential back doors and Trojans that could be activated sometime in the future.</p>
<p>In March 2022, Eugene Kaspersky, CEO of the namesake company, struck a neutral tone, hoping that negotiations between Ukraine and Russia would lead to "a compromise," to distance the organization from being branded as siding with Russia. "We believe that peaceful dialogue is the only possible instrument for resolving conflicts," Kaspersky tweeted on 1 March. "War isn't good for anyone."</p>
<p>Military and cyber specialists fear that Russia's invasion of Ukraine could lead to an outbreak of cyberattacks, a "cyber Armageddon," which would have major consequences for civilians in both countries and also globally, through a spillover effect. A worst-case scenario has so far been avoided, as the attacks observed appear to be contained in their impact and geographical scope.</p>
<p>Germany has in recent years repeatedly accused Russia of cyber espionage attempts.</p>
<p>The most high-profile incident blamed on Russian hackers to date was a cyberattack in 2015 that paralyzed the computer network of the lower house of parliament, the Bundestag, forcing the entire institution offline for days while it was fixed.</p>
<p>Russia denies being behind such activities and Putin declined to comment for this media report.<a href="#_ftn1">[1]</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/germany-warns-against-russias-kaspersky-anti-virus-software">https://www.securityweek.com/germany-warns-against-russias-kaspersky-anti-virus-software</a></p></div>Cybersecurity Defense Policy for NATO 2021https://redskyalliance.org/xindustry/cybersecurity-defense-policy-for-nato-20212021-06-25T20:41:24.000Z2021-06-25T20:41:24.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}9145176696,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}9145176696,RESIZE_180x180{{/staticFileLink}}" width="150" alt="9145176696?profile=RESIZE_180x180" /></a>The US and its NATO allies endorsed a new cybersecurity defense policy during President Biden's visit this week with member states in Brussels, according to the official summit communique. NATO members agreed that the organization's Article 5 provision, which states that an attack on one member nation is an attack on all, could now be applied to cyber threats. But NATO would make any decisions to invoke Article 5 in response to a cyber incident on a "case-by-case basis," the communique notes. Article 5 has only been invoked once by NATO, following the Sept. 11, 2001, terrorist attacks on the US.</p>
<p>In endorsing this new cybersecurity defense policy, NATO noted that ransomware attacks and other threats to critical infrastructure in the US and across Europe can cause significant harm to member states and that new actions are needed to address these and other issues.</p>
<p>"Reaffirming NATO's defensive mandate, the alliance is determined to employ the full range of capabilities at all times to actively deter, defend against and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law," the communique states. "We reaffirm that a decision as to when a cyberattack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis."</p>
<p>The NATO cyber defense policy came as President Biden prepares to meet Russian President Vladimir Putin in Geneva on Wednesday. The two leaders are expected to discuss national security and economic issues, including a series of ransomware and other cyberattacks in the US that appeared to originate in Russia.<a href="#_ftn1">[1]</a></p>
<p>"I will tell you this: I’m going to make clear to President Putin that there are areas where we can cooperate, if he chooses," Biden said during a press conference after NATO released its final communique. "And if he chooses not to cooperate and acts in a way that he has in the past, relative to cybersecurity and some other activities, then we will respond. We will respond in kind." Providing Putin with a “No-Hack List” was a juvenile act by the President; “no hacks against any industry in the USA” should have been the only message delivered by the leader of the free world.</p>
<p>Since coming into office in January 2021, the Biden administration has faced several cyber issues related to Russia. On 15 April 2021, the White House formally accused Russia's Foreign Intelligence Service, or SVR, of carrying out the SolarWinds supply chain attack that led to follow-on attacks on about 100 companies and nine U.S. federal agencies.</p>
<p>In response, the Biden administration issued sanctions against the Russian government as well as individuals and businesses that allegedly assisted in the SolarWinds attack or interfered in the 2020 US elections. Since then, the administration has turned its attention to a series of ransomware attacks that have targeted companies that support large portions of the nation's critical infrastructure. This includes the 7 May 2021 attack on Colonial Pipeline Co., which the FBI says was connected to the cybercriminal organization DarkSide, which is suspected of operating from inside Russia.</p>
<p>On 31 May 2021, JBS, one of the world's largest meat processors, revealed that it had been hit by a ransomware attack. The FBI said it traced the incident to REvil, also known as Sodinokibi, a Russian-speaking cyber gang.</p>
<p>See: <a href="https://redskyalliance.org/xindustry/dr-evil-does-not-work-for-the-revil-gang">https://redskyalliance.org/xindustry/dr-evil-does-not-work-for-the-revil-gang</a></p>
<p>In a recent opinion piece printed in The Washington Post, Dmitri Alperovitch, chairman of the Silverado Policy Accelerator and the former CTO of CrowdStrike, and Matthew Rojansky, director of the Wilson Center’s Kennan Institute, wrote that Biden should inform Putin about US capabilities for countering these types of attacks, pointing to the FBI recovering $2.3 million of the $4.4 million ransom paid by Colonial Pipeline Co.</p>
<p>"After the Colonial attack, American officials announced that they were able to access the hackers’ digital wallet and recover most of the ransom. Biden administration officials have said there are 'parallels' between cybercrime and terrorism, and that 'all options are on the table to deal with the threat,'" Alperovitch and Rojansky wrote.</p>
<p>The Biden administration is also pushing other countries to do more to fight back against cyberattacks. The Group of Seven, aka G-7, leaders announced an agreement to counter ransomware attacks that calls for greater cooperation between governments and businesses. The agreement also demands that Russia do more to curb the criminal activity within its borders, according to the White House.</p>
<p>"The international community - both governments and private sector actors - must work together to ensure that critical infrastructure is resilient against this threat, that malicious cyber activity is investigated and prosecuted, that we bolster our collective cyber defenses, and that states address the criminal activity taking place within their borders," the Biden administration notes in a statement.</p>
<p>While Biden and US allies were laying the groundwork for the Putin summit, the Russian president was busy laying out his own agenda. Putin indicated he would consider handing over Russian cybercriminals to the United States if the US does the same for Moscow. "If we agree to extradite criminals, then, of course, Russia will do that, we will do that, but only if the other side, in this case, the United States, agrees to the same and will extradite the criminals in question to the Russian Federation," Putin said, according to Reuters. A major question remains: what would Putin’s definition of a “criminal” be, whether in the USA or in Russia?</p>
<p>Asked about Putin’s comment that Moscow would be willing to hand over cybercriminals to the United States if Washington reciprocates, Biden described it as “potentially a good sign of progress," USA Today reports. But national security adviser Jake Sullivan subsequently clarified that Biden was not saying he is going to exchange such criminals with Russia, saying, "This is not about exchanges or swaps, or anything like that," and that "cybercriminals will be held accountable in America because they already are."</p>
<p>Red Sky Alliance is in New Boston, NH, USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/RedXray">https://www.wapacklabs.com/RedXray</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.govinfosecurity.com/nato-endorses-cybersecurity-defense-policy-a-16878">https://www.govinfosecurity.com/nato-endorses-cybersecurity-defense-policy-a-16878</a></p></div>Social Media Disinformation Targeting NATOhttps://redskyalliance.org/xindustry/social-media-disinformation-targeting-nato2021-05-13T16:55:55.000Z2021-05-13T16:55:55.000ZJim McKeehttps://redskyalliance.org/members/JimMcKee<div><p><a href="{{#staticFileLink}}8925820866,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8925820866,RESIZE_400x{{/staticFileLink}}" width="250" alt="8925820866?profile=RESIZE_400x" /></a>An ongoing disinformation campaign called "Ghostwriter," which leverages compromised social media accounts, is targeting several NATO member countries in Europe. Ghostwriter is attempting to undermine confidence in the defensive organization as well as spread discord in Eastern Europe. Researchers who uncovered the campaign in July 2020 have now documented an additional 20 incidents related to the cyber operation, including at least one earlier in 2021.</p>
<p>The Ghostwriter campaign is primarily aimed at citizens of Poland, Lithuania, and Latvia, researchers report. The operation is mainly designed to undermine confidence in NATO operations in Eastern Europe as well as generate opposition to the deployment of soldiers from other countries, including the US and Canada.<a href="#_ftn1">[1]</a> </p>
<p>The disinformation campaign has spread to parts of Western Europe, including Germany, where reports surfaced in local news media last March about spear-phishing attacks that targeted members of that country's Parliament. The group behind the campaign uses website compromises, spoofed emails, and social media posts from "inauthentic personas," according to the report. Those behind the campaign have also deployed phishing emails laced with malware in an attempt to harvest credentials.</p>
<p>"Certainly anti-US narratives are getting mixed up in this, but the campaign itself is very much focused on undermining perceptions of the US and NATO in these local communities, specifically Eastern European countries," says FireEye's senior manager for information operations analysis. "Just because it's local right now in Eastern Europe does not mean that we should not be concerned by it because these types of tactics are readily deployable elsewhere. So, it's always possible that this actor or perhaps another will seek to use the same type of tactics in Western European countries or even in the US."</p>
<p>Researchers attribute at least part of this campaign to a previously undocumented attack group, labeled UNC1151. "We now also assess with high confidence that UNC1151, a suspected state-sponsored cyberespionage actor that engages in credential harvesting and malware campaigns, conducts at least some components of Ghostwriter activity," according to a research report. It appears that UNC1151 has been in operation since at least 2017.</p>
<p>Analysts say they have not tied UNC1151 to a particular nation-state, and that another attack group may be involved in some aspects of this particular influence operation. "You could have a kind of technical group that's conducting intrusion operations, and at the same time there's another entity that believes a good use of these attacks is standing up fake social media profiles or altering blogs to publish a certain kind of narrative," an analyst says.</p>
<p>The report says the group behind the campaign likely stole credentials for Facebook and Twitter accounts so they could use the accounts to send disinformation posts. For example, several accounts belonging to politicians in Poland were taken over between October 2020 and January and then used to discredit the country's government. "The incidents also touched on some consistent themes: two involved the dissemination of compromising photos of officials and people with whom they are associated, two falsely implicated the respective officials as criticizing female activists and one falsely claimed that an official wanted to renounce her affiliation with the [Law and Justice] party," according to the report.</p>
<p>In October 2020, the FireEye researchers found fake news articles written in both English and Polish that pushed a narrative that NATO was preparing for a war with Russia and that Poland, Latvia and Lithuania would become battlegrounds. "In addition to spreading this narrative via a fabricated article published to multiple websites, including sites used in previous Ghostwriter operations, links to that article were also disseminated via posts by multiple compromised social media accounts belonging to Polish officials," researchers note. "We observed overlaps between this operation and some of the Polish social media compromises."</p>
<p>The global vice president for security research at New Net Technologies (NNT) says this type of disinformation campaign can sow doubts about the motives of various governments and institutions. "The vector used by UNC1151 is particularly insidious, as they are trying to exploit accounts of trusted sources to spread that different narrative," NNT says. "The really bad part of this approach is that - even if some of those account takeovers are discovered and the story about them being compromised is told - one question remains in the public. That question is: What is the truth?"</p>
<p>Red Sky Alliance has been collecting, analyzing, and documenting cyber threats for 9+ years and maintains a resource library of malware and cyber actor reports available at <a href="https://redskyalliance.org">https://redskyalliance.org</a> at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network. </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/ghostwriter-disinformation-campaign-targets-nato-allies-a-16481">https://www.bankinfosecurity.com/ghostwriter-disinformation-campaign-targets-nato-allies-a-16481</a></p></div>NATO report warns of China’s plans for the future of the Internethttps://redskyalliance.org/xindustry/nato-report-warns-of-china-s-plans-for-the-future-of-the-internet2020-04-20T15:37:59.000Z2020-04-20T15:37:59.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}4471525345,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}4471525345,RESIZE_400x{{/staticFileLink}}" width="250" alt="4471525345?profile=RESIZE_400x" /></a>A new NATO report exposes Chinese government leaders' plan to push through standardization of a new Internet architecture which will broaden the threat landscape, destabilize security and privacy, and fragment the world wide web. First proposed at the United Nations International Telecommunication Union (ITU) conference in September 2019, the plans call for a replacement to the current TCP/IP model, dubbed “New IP.” China is being led by Huawei, its state-run communications company, and the communist Chinese government itself. This is one more example of China pushing its own agenda on the 193 nation members of the UN.<a href="#_ftn1">[1]</a> Red Sky Alliance has reported extensively on China in the past.</p>
<p>The Chinese Internet plan claims that TCP/IP is broken: incapable of supporting IoT advances and space-terrestrial communications, and lacking other innovations in development, such as holographic communications. China also points to security vulnerabilities in the current model and claims its new model provides “ubiquitous, universal and a better protocolled system” that will provide improved security and a higher trust level for the Internet.</p>
<p>This important NATO report, supported by Oxford Information Labs (Oxil), expresses skepticism of the Chinese plans. China is effectively “creating a perception of necessity” for its new Internet model when in truth, TCP/IP is far from broken. In fact, it has adapted consistently well to every IT challenge it has encountered. The New IP model for a Decentralized Internet Infrastructure (DII) will undermine security and embed “fine-grained controls in the foundations of the network,” ultimately putting more control into the hands of the ISPs. The result of these new protocols would place this Internet infrastructure in the hands of the Chinese government.</p>
<p>New IP also includes plans for an object identifier resolution system to replace the current Domain Name System (DNS), presumably to improve performance, stability, privacy and security. But Oxil researchers state that, “The use of alternate technologies for identification on the Internet and the DNS would lead to less predictability in cyberspace and new questions around norms and governance.” From an international view, this is not good. The report also criticizes the New IP plans for distributed ledger technology (DLT), which China claims is necessary to counter the overt centralization of Internet architecture in the hands of IANA, CAs and other bodies. This has more to do with control than cooperation.</p>
<p>In the Chinese model, governments are likely to have control over the DLT, thus enabling mass surveillance, Oxil argues. “It is not uncommon for language of ‘trust’ to replace ‘security’ in Chinese DII-related discussions. This is concerning because it indicates that the principle of ‘security by design’ at least in the Western context is not being adopted in DII’s development. In the long-term this could negatively impact cybersecurity globally,” the NATO report claimed.<a href="#_ftn2">[2]</a></p>
<p>Chinese plans are being pushed through at the ITU level, with Oxil and other UN delegates expressing alarm at the speed at which such radical changes are being proposed and at the negative impact of global standardization. China’s Internet will “increase the threat landscape by introducing new security uncertainties across the stack” and provide authoritarian governments everywhere with a new model for controlling their populations and cultures.</p>
<p>The fragmentation of the global Internet into national, government-run “intrAnets” will also undermine the predictability of cyberspace and NATO’s ability to protect and defend its networks. The report warns, “a proliferation of alternate Internet technologies will increase the Internet’s threat landscape, decrease predictability, and potentially destabilize existing and future norms for responsible state behavior in the online environment.” With China on the hot seat because of the COVID-19 pandemic, others will be taking a hard look at China’s proposed “new” Internet. By the way: Russia is considering a similar internal, country-centric “Internet.”</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>. Interested in a RedXray demonstration or subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/redxray">https://www.wapacklabs.com/redxray</a></p>
<p><strong>Reporting: </strong><a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></p>
<p><strong>Website: </strong><a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></p>
<p><strong>LinkedIn: </strong><a href="https://www.linkedin.com/company/wapacklabs/">https://www.linkedin.com/company/wapacklabs/</a></p>
<p><strong>Twitter: </strong><a href="https://twitter.com/wapacklabs?lang=en">https://twitter.com/wapacklabs?lang=en</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.infosecurity-magazine.com/news/nato-warns-new-authoritarian/">https://www.infosecurity-magazine.com/news/nato-warns-new-authoritarian/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.ft.com/content/c78be2cf-a1a1-40b1-8ab7-904d7095e0f2">https://www.ft.com/content/c78be2cf-a1a1-40b1-8ab7-904d7095e0f2</a></p></div>