Tag: European country

Low-financed startups could find a home in the eastern European country, where overheads and salaries are a quarter of those in San Francisco.
Offering open-use terms, near real-time access, and APIs, Finland's electricity grid operator says it's the first European country to open up national electricity data.
Cheer up, Europe, love.

Cyberwar might never happen

European enterprises are teaming up with information security agencies and governments to run a pan-European cyberwar readiness exercise today. Cyber Europe 2016 - which involves thousands of experts from all 28 EU Member States, Switzerland and Norway - is being co-ordinated by European Union security agency ENISA.
It's the fourth exercise of its type, and the most complex and wide-ranging to date.
Such exercises typically focus on responding to DDoS attacks and malware, but Cyber Europe 2016 will encompass a far wider range of threats and ancillary crisis management problems, as a statement by ENISA explains. Cyber Europe 2016 paints a very dark scenario, inspired by events such as the blackout in a European country over the Christmas period[1] and the dependence on technologies manufactured outside the jurisdiction of the European Union.
It also features the Internet of Things, drones, cloud computing, innovative exfiltration vectors, mobile malware, ransomware, etc. The exercise will focus on political and economic policies closely related to cybersecurity.

This also takes into account new processes and cooperation mechanisms contained in the Network and Information Security (NIS) Directive.

For the first time, a full scenario was developed with actors, media coverage, simulated companies and social media, bringing in the public affairs dimension associated with cyber crises, so as to increase realism to a level never seen before in cybersecurity exercises. Infosec experts from more than 300 organisations, including national and governmental cybersecurity agencies, ministries, EU institutions as well as internet and cloud service providers and cybersecurity software and service providers are taking part in the pan-European incident response exercise. Preparation work has been going on for six months in the run-up to the main event this week, which started on Thursday and culminates today. The whole exercise is designed to forge links that can come in handy during a real crisis as well as developing best practice for ensuring business continuity and, ultimately, safeguarding e-commerce in Europe.

This effort is more than justified, according to securocrats. “Computer security attacks are increasingly used to perform industrial reconnaissance, lead disinformation campaigns, manipulate stock markets, leak sensitive information, tamper with customer data, sabotage critical infrastructures,” ENISA argues. Cyber Europe is organised every two years by ENISA, the EU Agency for Network and Information Security, which describes its latest edition as the largest cybersecurity exercise in the world. Results from the latest edition are due to be publicly released next year, following analysis by ENISA and the Member States. “Detailed lessons learned will be shared with the participants to the exercise in order to establish a list of actions to improve cybersecurity in Europe,” ENISA explains. “It is expected that many of the findings of the exercise are useful for the implementation of the NIS Directive and the work of the CSIRT Network, and the European cyber cooperation platform.” The Cyber Europe motto is “stronger together”.

Despite Brexit, the UK is participating in the exercise (and likely will in future, given the strategic importance of cybersecurity, though this is uncertain). “All 28 European Union Member States participate in the exercise, as well as two European Free Trade Association member states: Norway and Switzerland,” as ENISA explains in an FAQ.
Bootnote

[1] A reference to the BlackEnergy attacks against three Ukrainian electricity utilities last December.
An attendee at the first day of the Democratic National Convention protests the DNC's treatment of Bernie Sanders, as hinted at by e-mails exposed by an alleged Russian hack. (Chip Somodevilla, Getty News Images)

The well-timed leak of e-mails from the Democratic National Committee, following a long-running breach of the DNC's network, is a masterful piece of information warfare.

The leak may only be the beginning of an effort to shape the US presidential election, or it may be a backup plan triggered by the exposure of the long-running breach.

But the hacking of the DNC and the direct targeting of Hillary Clinton are only parts of a much larger operation by Russia-based hackers who have breached a number of US government networks. Evidence collected by the security firm CrowdStrike and forensic work by Fidelis point to the breach being caused by two "threat groups" associated with Russian intelligence organizations.

A pair of reports published in June by SecureWorks suggests that the same threat groups conducted phishing campaigns against the e-mail addresses of the DNC.

The same attackers targeted the addresses of Clinton campaign staffers, political consultants, journalists, and current and former members of the military, among others. At a minimum, this suggests that the DNC breach was part of a larger intelligence collection operation.

The leaked data from the DNC breach, however, may have been intended to create chaos and uncertainty around the election.

But why would the Russian government open that can of worms? It's possible that this fits into a larger Russian strategy aimed at splintering NATO and countering what Russia has seen over the past decade as encroachment by the West on Russia's national interests. This sort of activity fits well into a larger picture of Russian state-sponsored and state-aligned information operations, including destructive cyber-attacks and intelligence collection.

And the forensic evidence from the DNC breach fits right in with other recent operations by Russian hackers against US targets.

Bear Facts

Two specific malware families tied to Russian hackers were identified in CrowdStrike's analysis of the DNC breach.

CrowdStrike identified them as "Fancy Bear" and "Cozy Bear." Fancy Bear is the malware family tied to "Operation Pawn Storm" and other recent breaches targeting members of the media, US and NATO allied military organizations, government agencies, embassies, and defense contractors, as well as Russian political dissidents and opposition political parties. The Fancy Bear/Pawn Storm attacks date back to 2004.

They were originally focused on NATO-connected military and government organizations.
In many cases, the attacks used a fake Outlook Web Access login page to collect a victim's login credentials. The other malware, Cozy Bear (aka CozyDuke) first emerged in 2011.

Cozy Bear was involved in network intrusions on the unclassified networks of the White House, the Joint Chiefs of Staff, and the State Department.

The JCS hack occurred, reportedly, via a spear phishing attack via e-mail.

The phishing was disguised as a communication from a financial institution commonly used by members of the military.

Also typically installed by a phishing attack, the Cozy Bear implant is a combination of remote access backdoor, keylogger, screenshot capturer, and password stealer.
It can also be used to remote-install other malware on the victim's Windows computer.
If Cozy Bear captures the right credentials, it can connect to other systems and spread laterally through a network. As SecureWorks researchers investigated the latest iteration of the Pawn Storm malware in mid-2015, their analysis led to a set of domains, all registered with the same e-mail. One of those domains was a lookalike domain that spoofed a Google URL.

The domain was spotted by a researcher in a report from the phishing attack tracking site Phishtank.com.

The domain was associated with an IP address at a hosting service in Romania. "The phishing URL looked interesting because it was passing through a lot of parameters," said Tom Finney of SecureWorks.

Those parameters included a specific encoded Google account name. "At almost the same time that the Phishtank user submitted that URL, they also submitted a Bit.ly short link," Finney added. "So we opened that short link and saw it was directing to the original phishing URL."

The fake Google login page associated with the Bit.ly links used in the phishing campaign SecureWorks tracked. (Phishtank.com)

Using Bit.ly's API, SecureWorks researchers were able to search for all the short links associated with the domain in question. "The short links were all connected to one user, and going from that one domain we had a whole heap of short links," Finney said. "Each resolved to having coded in them the e-mail address and account details of an individual—they were creating short links for each target." Tracking the generation of the URLs, Finney said that it became clear that the attackers were systematically accessing a list of e-mail addresses for a specific subset of targets on a daily basis. "In May and June [of 2015], when [the attackers] were creating these short links every day, it was quite industrial," he said, "suggesting there was quite an organization behind it—there were some significant resources being thrown at this.
It gave me the impression looking at the data that someone was following a tasking, because you would have a day where they would target military attachés—say every mil attaché that they could find that was based in Ankara, for example, and the next day it would be military attachés in some other European country.
It was very systematic in that respect." Between October 2015 and May 2016, SecureWorks researchers analyzed a total of 8,909 Bitly links, targeting 3,907 Google accounts—some of them individual Gmail accounts and others associated with organizational Google Apps accounts.
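When the resolved links carry each target's account name in an encoded parameter, as described above, a defender notifying victims wants those names extracted and counted per target and per organisation. The following is an added example, not the article's or SecureWorks' code: the query field name "e", the URL-safe base64 encoding and the sample links are all constructed assumptions, since the article does not give the campaign's exact format.

```python
import base64
import binascii
from collections import Counter
from typing import Dict, Iterable, Optional
from urllib.parse import parse_qs, urlparse


def _enc(account: str) -> str:
    """Encode an account name the way the constructed sample links do (assumption)."""
    return base64.urlsafe_b64encode(account.encode()).decode().rstrip("=")


# Constructed sample links for the demo (not real campaign data). Each carries
# decoy parameters plus one base64 field, "e", holding the target account name.
_BASE = "http://accounts-google.example/ServiceLogin?continue=mail&hl=en"
SAMPLE_LINKS = [
    _BASE + "&e=" + _enc("press@example.gov"),
    _BASE + "&e=" + _enc("press@example.gov"),   # same target hit twice
    _BASE + "&e=" + _enc("attache@mil.example"),
    _BASE + "&e=not-base64!!",                    # malformed token
    _BASE,                                        # field missing entirely
]


def decode_target(url: str, field: str = "e") -> Optional[str]:
    """Return the account name embedded in the URL, or None if absent or undecodable."""
    values = parse_qs(urlparse(url).query).get(field)
    if not values:
        return None
    token = values[0]
    token += "=" * (-len(token) % 4)  # restore padding stripped from the token
    try:
        account = base64.urlsafe_b64decode(token).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return account if "@" in account else None


def triage(urls: Iterable[str]) -> Dict[str, object]:
    """Count phishing links per target account and per e-mail domain."""
    per_target: Counter = Counter()
    undecodable = 0
    for url in urls:
        target = decode_target(url)
        if target is None:
            undecodable += 1
            continue
        per_target[target] += 1
    per_domain = Counter(t.rsplit("@", 1)[1] for t in per_target.elements())
    return {"per_target": per_target, "per_domain": per_domain, "undecodable": undecodable}


if __name__ == "__main__":
    result = triage(SAMPLE_LINKS)
    for account, hits in result["per_target"].most_common():
        print(f"{hits:3d}  {account}")
    print("undecodable links:", result["undecodable"])
```

The per-domain counter is what tells a responder which organisations (a ministry, a campaign's Google Apps domain) to contact first; the undecodable count flags links whose format has drifted from the assumed one.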

A large portion of the links, identified by SecureWorks through open source searches, belonged to people who would have been of interest in regard to Russia’s military involvement in eastern Ukraine. "For example," the SecureWorks researchers wrote in a post, "the e-mail address targeted by the most phishing attempts (nine) was linked to a spokesperson for the Ukrainian prime minister. Other targets included individuals in political, military, and diplomatic positions in former Soviet states, as well as journalists, human rights organizations, and regional advocacy groups in Russia." Another large group of the Gmail accounts targeted were those of current and former US and allied military members.

That group included people who worked for defense contractors, US and European politicians and government employees, and authors and journalists.
Some of these were discovered through open source searches by SecureWorks because the addresses had been published somewhere on the Web and pulled into a database. However, a large portion of them were not found in an open search, suggesting they had been either harvested from other compromised accounts or had been found through some other breach.

Phishing for pols

But as the links continued to be generated, a new type of target emerged.

Between March and April of 2016, an analysis of the URLs showed the phishing URL was used in tailored versions for 108 e-mail addresses tied to the Clinton campaign's hillaryclinton.com Google Apps account.

Those addresses included the campaign's national political director, finance director, director of strategic communications, director of scheduling, director of travel, traveling press secretary, and travel coordinator. Of the 108 e-mail addresses, 42 were not "open source," suggesting they had been acquired from another intelligence source. There were also links created that targeted 16 DNC e-mail addresses, including two belonging to a DNC secretary-emeritus and one belonging to the communications director.

And 26 personal Gmail accounts tied to the DNC and Hillary for America, including Clinton's director of speechwriting and a deputy director of DNC Chair Debbie Wasserman Schultz, were also targeted. There's no direct evidence that these phishing attempts, four of which were apparently clicked on according to analysis of Bit.ly, were directly tied to the DNC breach.

The DNC stopped using Google as a mail provider at some point.

But it is likely that some form of the phishing attack was used to drop the breach malware onto the DNC network. Both of these malware threats could have been on DNC's network for months before they were discovered.

The question that remains is why the attackers decided to leak what they had found instead of continuing to collect intelligence.

Finney said that it's possible that the e-mails were leaked only after the breach had been discovered as part of a disinformation operation.

The bad actors wanted to throw doubt on who actually hacked the DNC and to make it look like a "hacktivist" did it. The documents released under the identity "Guccifer 2.0" appear to be a poorly constructed disinformation play, as Ars has reported previously. Much of the metadata associated with the documents points to a Russian (or at least Russian-speaking) actor being behind them.

The fact that the Guccifer dump happened after the intrusion was detected and had been attributed by CrowdStrike to Russia lends credence to the idea that the leaks were a hurried response to the intrusion being exposed. But Michael Buratowski of Fidelis, the firm that performed the forensic analysis of the malware found at the DNC, thinks the timing of the release of the e-mails shows intent to create chaos. "I do think that with what's been going on with the election cycle, it makes a lot of sense that this opportunity would be used... it's hard to speculate on what specific outcome [the attackers] were going for, but if nothing else, the amount of turmoil that [they've] created is pretty impactful with just the little bit of e-mail that's come out so far."

Game of Pwns

While the Fancy Bear and Cozy Bear threats have been identified in the past primarily as a means of intelligence collection, Russian attackers have gone for disruptive attacks before. Previous attacks have targeted Ukraine's power grid, Estonia's government and financial institutions, and government websites and systems in Georgia, culminating with the 2008 conflict over South Ossetia.

As with the DNC hack, it's difficult to tie those attacks to any specific organization in Russia.

But all evidence suggests they were done for the benefit of the Russian government. And disruption falls in line with Russian military and political doctrine.
Information warfare—including cyber attacks, "soft" cyber-like social media propaganda and disinformation, and the implication of the ability to inflict political and economic damage on potential or actual adversaries—is an integral part of Russian military doctrine.
Information warfare also factors into the Russian military-political concept of "containment"—preventing a potential adversary from attacks on Russia or threatening Russia's interests. Ever since Estonia, Latvia, and Lithuania joined the NATO alliance in 2004 (along with Bulgaria, Slovenia and Slovakia) the Russian government has often stated that NATO's activities have threatened Russia's strategic interests.

The alignment of Ukraine with the West and recent tensions with Turkey over the downing of a Russian strike fighter over Syria are among the many factors that have added to Russia's belief that the US and NATO pose a direct threat to Putin's idea of Russian interests. Lieutenant Colonel Petteri Lalu, head of the Concepts & Doctrine Division of the Finnish Defence Research Agency (FDRA), noted in a recent paper on Russian military theory that these sorts of "information operations" are seen as part of shaping "inter-state conflicts" regardless of whether they actually escalate to a military conflict.
In fact, they're seen as a way to preempt possible military conflict. "Information operations, which can be non-military or military, are proceeding throughout the conflict, i.e. continuously," Lalu wrote. "In this sense, discussions on whether the term information war or warfare can be used before a clearly verified armed attack or an imminent threat of such an attack takes place, do sometimes sound unpractical." Information warfare like the DNC breach fits into what the Soviet military theoretician Mikhail Tukhachevsky called "deep battle"—"influencing the enemy simultaneously throughout the whole depth of its territory." The main approach Russia has taken in information operations, Lalu noted, "has been breaking the unity of the target audience." Through its news media, through covert information operations, through use of social media (including Wikileaks and possibly fake Twitter accounts spewing populist/nationalist propaganda in various countries that the Russian government senses are vulnerable), and through hacking, Russia could seek to break the unity of NATO countries and undermine its military readiness. Maybe the DNC e-mail leak was an attempt to snatch some strategic value out of what would otherwise have been a relatively fruitless (and embarrassing) intelligence collection mission.

But if Putin's government did in fact calculate a benefit from throwing a stick into the spokes of the Democratic presidential convention, there may be a lot more surprises in store.