Geopolitics Archives | CyberScoop https://cyberscoop.com/news/geopolitics/ Fri, 30 Jun 2023 19:58:13 +0000

Russian telecom confirms hack after group backing Wagner boasted about an attack https://cyberscoop.com/russia-satellite-hack-wagner/ Fri, 30 Jun 2023 19:58:12 +0000

A Dozor-Teleport CJSC executive told ComNews that the company has been the victim of a cyberattack affecting its cloud infrastructure.

The Russian satellite telecom company that hackers targeted this week in a claimed effort to support the Wagner paramilitary group confirmed the cyberattack on Friday, according to a Russian technology publication. The satellite company provides internet and other communication services that support state agencies such as Moscow’s main intelligence agency.

Alexander Anosov, the general director of the satellite company Dozor-Teleport CJSC and the first deputy general director of its parent company, Amtel-Svyaz, told a Russian information technology news outlet that the company was indeed infiltrated, and that preliminary information suggested that “infrastructure on the side of the cloud provider was compromised,” according to a Google translation.

ComNews, the publication that reported Anosov’s confirmation, said that it “may take up to two weeks to restore the network to full operation.” The story did not offer additional detail on the severity or scale of the attack but said more information would be published on Monday.

News emerged late Wednesday into Thursday that the company had been targeted by a group claiming affiliation with PMC Wagner, the private military company run by Victor Prigozhin. Along with targeting the company and leaking nearly 700 files, the hackers defaced several websites and put up Wagner-related messages and a video.

Oleg Shakirov, a cyber policy expert and consultant at the Moscow-based PIR Center think tank, tweeted Thursday that “Wagner’s involvement is very unlikely,” and that it looked “like Ukrainian false flag trolling.”

The Wagner group did not respond to a request for comment and has not posted about the alleged connection to the hack in its widely followed Telegram channel. In the days since Prigozhin led his private military on an uprising and threatened to kill the head of the Russian military, his company, which includes the notorious Internet Research Agency troll factory, has faced major setbacks. Prigozhin announced the “liquidation” of Patriot Media, his company that had “dozens” of “news” sites, Meduza reported Friday.

The article also implied that the company was targeted because it uses a Latin-alphabet “Z” in its name, rather than the Cyrillic “З”. Anosov said that the company’s use of the “Z” could lead some to think that it works with the Russian Ministry of Defense. The symbol “Z” has become a symbol of the Russian invasion of Ukraine.

Sean Townsend, a spokesperson for the loose collective of hackers and various hacking groups in Ukraine known as the Ukrainian Cyber Alliance, tweeted a screenshot of text from one of the files dumped by the hackers that shows multiple references to the company’s work with the Ministry of Defense.

The file, which is a spreadsheet titled “stations,” also shows that the Moscow-based company has infrastructure in the occupied areas of Ukraine, including near the Zaporizhzhia Nuclear Power Station, Townsend told CyberScoop Friday.

Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group https://cyberscoop.com/russian-satellite-hack-wagner-group/ Thu, 29 Jun 2023 16:02:26 +0000

The attackers released nearly 700 files associated with the attack.

Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.

“The DoZor satellite provider (Amtel group of companies), which serves power lines, oil fields, military units of the Russian Defense Ministry, the Federal Security Service, the pension fund and many other projects, including the northern merchant fleet and the Bilibino nuclear power plant, went to rest,” the group’s first message read, according to a translation. “Part of the satellite terminals failed, the switches rebooted, the information on the servers was destroyed.”

The hackers also claimed to have defaced four seemingly unconnected Russian websites with messaging supportive of the Wagner private military company, the Russian mercenary group that made international headlines last weekend as it marched toward Moscow in an astonishing uprising that challenged the power of Russian President Vladimir Putin, before the group stopped short.

The group’s leadership was relocated to Belarus, a staunch Russian ally. Yevgeny Prigozhin, the head of Wagner, also created and funded the Internet Research Agency, a troll farm that the U.S. government sanctioned for its role in the sweeping Russian election interference operations targeting the 2016 U.S. presidential elections and then the 2018 elections.

Belarusian President Aleksandr Lukashenko said he argued against Putin’s contemplation of killing Prigozhin for leading the uprising, and instead brokered the deal to send Prigozhin to Belarus.

The message posted to the defaced websites showed the Wagner insignia, along with a message about the uprising and its results. “We agreed to a peaceful solution because we achieved the main thing — we showed our capabilities and full social approval of our actions,” the message read, according to a Google translation. “But what do we see instead? The current military leadership has not been removed from office, criminal cases have not been closed … You kicked us out of the NWO zone, out of Russia, but you can’t kick us out of the network.”

“We take responsibility for hacking,” the message continued. “This is just the beginning, more to come.”

Screenshot from one of the defaced websites, captured June 29, 2023 (CyberScoop).

The group posted a link to a zip file containing 674 files, including pdfs, images and documents. On Thursday morning, the group also posted three files that appear to show connections between the FSB and Dozor, and the passwords Dozor employees were to use to verify that they were dealing with actual FSB representatives, with one password valid for every two months in 2023, according to a Google translation.

Doug Madory, the director of internet analysis for Kentik, told CyberScoop Thursday that Dozor’s connection to the internet went down at about 10 p.m. ET Wednesday and remains unreachable. One of the routes the company uses was switched to Amtel-Svyaz, Dozor’s Moscow-based parent company.

Amtel-Svyaz could not be reached for comment.

The Wagner Group could not be reached for comment.

Oleg Shakirov, a cyber policy expert and consultant at the Moscow-based PIR Center think tank, tweeted Thursday that “Wagner’s involvement is very unlikely,” and that it looked “like Ukrainian false flag trolling.”

Shakirov told CyberScoop in an online message that “the whole hack and leak looks very real, but it’s not something Wagner does. They don’t have a motive now & no history of such attacks.”

Does the world need an arms control treaty for AI? https://cyberscoop.com/ai-danger-arm-control-nuclear-proliferation/ Thu, 29 Jun 2023 14:33:06 +0000

Organizations like the IAEA offer an imperfect but instructive model for designing systems to control AI proliferation.

At the dawn of the atomic age, the nuclear scientists who invented the atomic bomb realized that the weapons of mass destruction they had created desperately needed to be controlled. Physicists such as Niels Bohr and J. Robert Oppenheimer believed that as knowledge of nuclear science spread so, too, would bombs. That realization marked the beginning of the post-war arms control era.

Today, there’s a similar awakening among the scientists and researchers behind advancements in artificial intelligence. If AI really poses an extinction threat to humankind — as many in the field claim — many experts in the field are examining how efforts to limit the spread of nuclear warheads might control the rampant spread of AI.

Already, OpenAI, the world’s leading AI lab, has called for the formation of “something like” an International Atomic Energy Agency — the global nuclear watchdog — but for AI. United Nations Secretary General Antonio Guterres has since backed the idea, and rarely a day goes by in Washington without one elected official or another expressing a need for stricter AI regulation.

Early efforts to control AI — such as via export controls targeting the chips that power bleeding-edge models — show how tools designed to control the spread of nuclear weapons might be applied to AI. But at this point in the development of AI, it’s far from certain that the arms control lessons of the nuclear era translate elegantly to the era of machine intelligence.

Arms control frameworks for AI

Most concepts for controlling the spread of AI models turn on a quirk of the technology. Building an advanced AI system today requires three key ingredients: data, algorithms and computing power — what the researcher Ben Buchanan popularized as the “AI Triad.” Data and algorithms are essentially impossible to control, but only a handful of companies build the type of computing power — powerful graphics processing units — needed to build cutting-edge language models. And a single company — Nvidia — dominates the upper end of this market.

Because leading AI models are reliant on high-end GPUs — at least for now — controlling the hardware for building large language models offers a way to use arms control concepts to limit proliferation of the most powerful models. “It’s not the best governance we could imagine, but it’s the best one we have available,” said Lennart Heim, a researcher at the Centre for the Governance of AI, a British nonprofit, who studies computing resources.

U.S. officials have in recent months embarked on an experiment that offers a preview of what an international regime to control AI might look like. In October, the U.S. banned the export to China of high-end GPUs and the chipmaking equipment necessary to make the most advanced chips, attempting to prevent proliferation of advanced AI models to China. “If you look at how AI is currently being governed,” Heim said, “it’s being governed right now by the U.S. government. They’re making sure certain chips don’t go to China.”

Biden administration officials are now considering expanding these controls to lagging-edge chips and limiting Chinese access to cloud computing resources, moves that would further cut Beijing off from the hardware it needs to build competitive AI models.

While Washington is the driving force behind these export controls, which are aimed at ensuring U.S. supremacy in microelectronics, quantum computing and AI, it also relies on allies. In restricting the flow of chips and chipmaking equipment to China, the U.S. has signed up support from other key manufacturers of such goods: the Netherlands, Japan, South Korea and Taiwan.

By virtue of their chokehold on the chips used to train high-end language models, these countries are showing how the spread of AI models might be checked via what for now are ad hoc measures that might one day be integrated into an international body.

But that’s only one half of the puzzle of international arms control. 

Carrots and sticks

In the popular imagination, the IAEA is an organization primarily charged with sending inspectors around the world to ensure that peaceful nuclear energy programs aren’t being subverted to build nuclear bombs. The less well-known work of the agency facilitates the transfer of nuclear science. Its basic bargain is something like this: sign up to the Nuclear Non-Proliferation Treaty, pledge not to build a bomb and the IAEA will help you reap the benefits of peaceful nuclear energy. 

“That’s the big reason that most states are enthusiastic about the IAEA: They’re in it for the carrots,” said Carl Robichaud, who helps lead the existential risk and nuclear weapons program at Longview Philanthropy, a nonprofit based in London. “They show up in Vienna in order to get assistance with everything from radiotherapy to building nuclear power plants.”

Building an international control regime of this sort for AI requires considering how to first govern the spread of the technology and then how to make its benefits available, argues Paul Scharre, the executive vice president and director of studies at the Center for a New American Security in Washington. By controlling where advanced AI chips go and who amasses them, licensing the data centers used to train models and monitoring who is training very capable models, such a regime could control the proliferation of these models, Scharre argued.

Countries that buy into this arrangement would then gain easier access to very capable models for peaceful use. “If you want to access the model to do scientific discovery, that’s available — just not to make biological weapons,” Scharre said.

These types of access controls have grown more feasible as leading AI labs have abandoned the open source approach that has been a hallmark of the industry in recent years. Today, the most advanced models are only available via online apps or APIs, which allows for monitoring how they are used. Controlling access in this way — both to monitor use and to provide beneficial access — is essential for any regime to control the spread of advanced AI systems, Scharre argued. 

But it’s not clear that the economic incentives of participating in such a regime translate from the world of nuclear arms control to AI governance. Institutions like the IAEA help to facilitate the creation of capital and knowledge intensive nuclear energy industries, and it’s unclear whether similar hurdles exist for AI to incentivize participating in an arms control regime.

“I like the idea of an international agency that helps humanity benefit more equitably from AI and helps this technology reach and help everyone. It’s not clear right now that there is market failure as to why that wouldn’t happen,” Robichaud said.

It’s also not clear that access controls can be maintained in the long run. Unlike nuclear weapons, which are fairly large physical devices that are difficult to move around, AI models are just software that can be easily copied and spread online. “All it takes is one person to leak the model and then the cat’s out of the bag,” Scharre said.

That places an intense burden on AI labs to keep their products from escaping the lab — as has already occurred — and is an issue U.S. policymakers are trying to address.

In an interview with CyberScoop, Anne Neuberger, a top White House adviser on cybersecurity and emerging technology, said that as leading AI firms increasingly move away from open source models and seek to control access, the U.S. government has carried out defensive cybersecurity briefings to leading AI firms to help ensure that their models aren’t stolen or leaked.

What are we trying to prevent?

When AI safety researchers speak of the potentially existential threat posed by AI — whether that be a flood of disinformation or the development of novel biological weapons — they are speculating. Looking at the exponential progress of machine learning systems in the past decade, many AI safety researchers believe that if current trends hold, machine intelligence may very well surpass human intelligence. And, if it does, there’s reason to think machines won’t be kind to humans.

But that isn’t a sure thing, and it’s not clear exactly what catastrophic AI harms the future holds that need to be prevented today. That’s a major problem for trying to build an international regime to govern the spread of AI. “We don’t know exactly what we’re going to need because we don’t know exactly what the technology is going to do,” said Robert Trager, a political scientist at the University of California, Los Angeles, studying how to govern emerging technology. 

In trying to prevent the spread of nuclear weapons, the international community was inspired by the immense violence visited upon Hiroshima and Nagasaki. The destruction of these cities provided an illustration of the dangers posed by nuclear weapons technology and an impetus to govern their spread — which only gained momentum with the advent of more destructive thermonuclear bombs. 

By contrast, the catastrophic risks posed by AI are theoretical and draw from the realm of science fiction, which makes it difficult to build the consensus necessary for an international non-proliferation regime. “I think these discussions are suffering a little bit from being maybe ahead of their time,” said Helen Toner, an AI policy and safety expert at the Center for Security and Emerging Technology at Georgetown University and who sits on OpenAI’s board of directors.

If 10 or 20 years from now, companies are building AI systems that are clearly reaching a point where they threaten human civilization, “you can imagine there being more political will and more political consensus around the need to have something quite, quite strong,” Toner said. But if major treaties and conventions are the product of tragedy and catastrophe, those arguing for AI controls now have a simple request, Toner observes: “Do we have to wait? Can we not skip that step?”

But that idea hasn’t broken through with policymakers, who appear more focused on immediate risks, such as biased AI systems and the spread of misinformation. Neuberger, the White House adviser, said that while international efforts to govern AI are important, the Biden administration is more focused on how the technology is being used and abused today and what steps to take via executive order and congressional action before moving to long-term initiatives.

“There’s a time sequence here,” Neuberger said. “We can talk about longer term efforts, but we want to make sure we’re focusing on the threats today.”

In Europe, where EU lawmakers are at work on a landmark AI Act, which would limit its use in high-risk contexts, regulators have taken a similarly skeptical approach toward the existential risks of AI and are instead focusing on how to address the risks posed by AI as it is used today.

The risk of extinction might exist, “but I think the likelihood is quite small,” the EU’s competition chief Margrethe Vestager recently told the BBC. “I think the AI risks are more that people will be discriminated [against], they will not be seen as who they are.”

Long-term control

Today’s leading AI models are built on a foundation of funneling ever more data into ever more powerful data centers to produce ever more powerful models. But as the algorithms that process that data become more efficient, it’s not clear that ever more powerful data centers — and the chips that power them — will be necessary. As algorithms become more efficient, model developers “get better capability” for “less compute,” Heim from the Centre for the Governance of AI explains. In the future, this may mean that developers can train far more advanced models with less advanced hardware.

Today, efforts to control the spread of AI rest on controlling hardware, but if having access to the most advanced hardware is no longer essential for building the most advanced models, the current regime to control AI crumbles.

These shifts in training models are already taking place. Last year, researchers at Together, an open source AI firm, trained a model known as GPT-JT using a variety of GPUs strung together over slow internet connections — suggesting that high-performing models could be trained in a decentralized manner by linking large numbers of lagging-edge chips. And as publicly available, ever more capable open source models proliferate, the moat separating AI labs from independent developers continues to narrow — or may disappear altogether.

What’s more, arguments about the role of algorithmic efficiency making compute less relevant don’t account for entirely new approaches to training models. Today’s leading models rely on a compute-intensive transformer architecture, but future models may use some entirely different approach that would undermine efforts today to control AI models, Toner observes. 

Moreover, arms control experts observe that past efforts to control the spread of dangerous weapons should force a measure of humility on any policymaker trying to control the spread of AI. In the aftermath of World War II, President Truman and many of his key aides, ignoring their scientific advisers, convinced themselves that it would take the Soviet Union decades to build an atomic bomb — when it only took the Kremlin five years. And in spite of export controls, China succeeded in building “2 bombs and 1 satellite” — an atomic bomb, a thermonuclear bomb and a space program. 

That history makes Trager, the political scientist, skeptical about “grand visions for what export restrictions can do.” 

With private companies currently conducting the most advanced AI research, efforts to control the technology have understandably focused on managing industry, but in the long run, military applications may be far more concerning than commercial applications. And that does not bode well for arms control efforts. According to Trager, there is no example in history of major powers “agreeing to limit the development of a technology that they see as very important for their security, and for which they don’t have military substitutes.”

But even if arms control frameworks are imperfect vessels for regulating AI, arms control regimes have evolved over time and grown more stringent to deal with setbacks. The discovery of Iraq’s nuclear program in the 1990s, for example, spurred the creation of additional protocols to the Non-Proliferation Treaty. 

“We’re 80 years into the nuclear age, and we haven’t had a detonation in wartime since 1945 and we only have nine nuclear-armed states,” Robichaud from Longview Philanthropy argues. “We’ve gotten lucky a few times, but we’ve also built the systems that started off really weak and have gotten better over time.” 

The potent cyber adversary threatening to further inflame Iranian politics https://cyberscoop.com/iran-government-hack-leak-documents-hacktivist/ Mon, 26 Jun 2023 22:03:14 +0000

A group calling itself GhyamSarnegouni has entered the Iranian cyber fray with a damaging hack-and-leak operation against the government.

Just before 2 a.m. Eastern Standard Time on May 29, someone posted a simple message to a Farsi-language Telegram channel called “GhyamSarnegouni,” which roughly translates to Uprising until Overthrow. “The entire highly protected internal network of the executioner’s presidential institution in Tehran was captured and out of reach,” it read, according to a Google translation.

Within minutes, images of top Mujahedeen-e-Khalq leaders appeared on the channel, along with the message of “Death to Khameni Raisi,” the supreme leader of Iran. The Iranian exile group commonly known as MEK has long opposed the Iranian government and advocated for its overthrow. Within a half hour of the original message, a screenshot of an internal presidential document was also posted on Telegram, the first of what has grown to more than 100 related to the office of the president of Iran and other major government agencies.

The documents include diplomatic correspondence, floor plans of the Iranian president’s office and other officials’ offices, and detailed network topology diagrams of various government networks along with associated IP addresses. The leak also included documents that appeared to be related to the country’s nuclear program and reportedly details of officials routing money through Chinese banks and other apparent sanctions-evasion activities. In addition to defacing multiple government websites, the hackers claimed to have gained control over 120 servers and databases, the government’s server management networks and access to more than 1,300 computers connected to the presidency’s internal network, according to a post on the MEK website in the hours after the attack went public.

The group claimed to have stolen “tens of thousands of classified, top secret and secret documents,” according to the post from the MEK, which has not officially claimed any connection to GhyamSarnegouni. Likewise, the hackers have not claimed to have ties to MEK or any other political group or organization.

The Iranian government called the hack “fake,” and said website updates and maintenance — carried out as the defaced sites were returned to their previous content — were the reason for any site outages. But outside experts agreed the documents, and the hack, were likely legitimate.

The scale of intrusion and leak would present a major national security dilemma for any country and send officials and politicians scrambling to find the culprits, identify the vulnerabilities and prosecute the hackers. But, so far, the Iranian government’s reaction — other than saying the leaked documents are fake — isn’t public.

Over the past several years in Iran, a patchwork of hacking groups has sprung up with various aims, political motives and ambitions — and it’s nearly impossible to know for certain who is behind each one of them. Some operations appear to be designed to expose Iranian government secrets or support opposition groups, while others target Israel and the U.S. While Iran has long been an active participant in the cyber domain, in the past few years its internal and external attacks have gained new potency and become more publicly visible, such as in 2020 when hackers with suspected links to the Iranian government targeted water treatment systems in Israel.

Looking to stir up trouble inside Iran, a growing number of groups have taken aim at the current government. These include groups such as Black Reward, Tapandegan and Lab Dookhtegan. Another group known as Predatory Sparrow, which has possible ties to Israel, targeted steel mills with alleged ties to the Islamic Revolutionary Guard Corps (IRGC), posting a video after an apparent breach that showed what appeared to be the inside of an industrial facility.

The U.S. government and American tech companies have long accused the Iranian government of hiding behind hacktivist personas to carry out hack-and-leak operations and destructive attacks on targets around the world. A May 2023 report from Microsoft details more than a dozen hacktivist personas with links to either the IRGC or the Iranian Ministry of Intelligence, many thought to be operated by Emennet Pasargad, a U.S. government-sanctioned Iranian cyber group. That same organization is thought to have been involved with a sprawling plan to interfere with the 2020 U.S. election, according to the U.S. Department of Justice.

Homeland Justice, an Iranian front group according to researchers with Mandiant and also multiple western governments, hacked multiple Albanian government systems in July 2022, stealing data and wiping systems with faux ransomware, in response to Albania’s hosting of the MEK. Albania, a NATO member, cut diplomatic ties with Iran over the attack. The U.S. government sanctioned Iran’s Ministry of Intelligence over the attacks, and the U.S. Cyber National Mission Force deployed what it said was its first-ever defensive cyber operation in response to the Iranian-linked attacks.

“We’ve observed multiple cyber groups in action,” said Nariman Gharib, a U.K.-based Iranian opposition activist and independent cyber espionage investigator. “One focuses on human rights, unmasking the darker side of the regime, while another specializes in cyber operations, exposing the regime’s cyber tactics. There’s also a group dedicated to sabotage. They execute their task with efficiency in executing disruptive attacks and [GhyamSarnegouni] is that group.”

Indeed, the latest hack claimed by GhyamSarnegouni, involving highly sensitive government documents, takes the role that hackers and hacktivists are playing in Iran’s internal politics to a new level, experts say, given the depth of information accessed, which touches not only on the office of Iranian President Ebrahim Raisi but also on correspondence related to multiple sensitive agencies.

The hack is “one of the worst cases that has been publicly discussed and people are aware of about the compromise of classified documents and information from a government network,” said Hamid Kashfi, an independent security consultant originally from Iran, formerly a consultant for Trail of Bits and Immunity, who has uncovered multiple malicious Iranian government cyber activities over the years.

“What’s scary, if I was an Iranian government entity, or someone in charge of [assessing the situation] is what they’re not releasing and what they’re not exposing,” he said. “Because that’s a huge pile of A-plus grade intel and very interesting and very useful information for any government to be able to access.”

The attack is the fourth major hack and leak operation claimed by GhyamSarnegouni, a group that seemed to come out of nowhere in January 2022 when it claimed to have been behind the hacking and disruption of Iran’s national broadcast service. The attack included the broadcast of the faces of the long-missing Massoud Rajavi, and his wife Maryam Rajavi — the leaders of the MEK, which has been variously characterized by detractors as a cult and was, until 2012, deemed a terrorist organization by the U.S. government — and calls for the murder of Iran’s supreme leader, as well as destructive malware to damage equipment.

The MEK sharply disputes that it’s anything other than an opposition political movement, and has said the Iranian government is taking active steps to discredit the group, including by, in some cases, fabricating stories about members’ treatment.

Subsequent attacks tied to the group include the June 2022 hack of more than 5,000 municipal CCTV cameras in Tehran, and the early May 2023 hack of the Iranian Ministry of Foreign Affairs, which included more than 200 defaced websites and the publication of a trove of sensitive internal government files.

GhyamSarnegouni did not respond to a message sent via Instagram, where it also posts images of documents and other messages.

The recently leaked government documents are appearing against the backdrop of the U.S. and Iran getting closer to an agreement that the New York Times reported would ease sanctions on the country, release some imprisoned Americans, cease attacks on American contractors in Syria and Iraq and cap uranium refinement at 60% purity. After the presidential office hack first became public, an expert in Iranian cybersecurity told CyberScoop that embarrassing breaches of this nature seem to mirror major geopolitical developments, including progress on the nuclear deal.

“Any time we are at the middle of the conversation that this nuclear negotiation might lead somewhere, might end somewhere, you will see somehow, either by Israeli or by some hacking group or something like that, some kind of information being publicized regarding Iran nuclear program,” said Amir Rashidi, the director of internet security and digital rights at the Miaan Group, an Iranian digital and human rights organization.

Kashfi said whoever is behind the hack has “demonstrated access to communications [letters] between different government agencies and the presidential office.” The purpose of the system that the posted materials are coming from, he said, is to have secure, encrypted communications between disparate agencies and offices for a particular purpose, not mundane communications.

“If they have access and dumped one classified letter from that system, it means that they have had access to dump all of it,” he said.

He doesn’t expect whoever is behind the attack to post everything they have, given the immense intelligence and operational value at stake. Although the attackers are so far displaying technical abilities beyond the reach of any “random activist group,” it’s not clear whether a state intelligence service, a hired mercenary group or unaffiliated individuals are behind the attack.

Kashfi noted that it’s far too early to tell who is behind the group. But one data point, he said, supports the idea that it is not the MEK: some of the file names, and even the way certain words are used in the messaging, are “not in a way that a native [Farsi] speaker would use.”

“Non-native speakers would easily overlook this,” he said. “But if you look at the context of it, you would notice that if it’s actually someone from MEK that’s supposed to be Iranian or a native speaker, they wouldn’t name files like this. It more looks like someone is receiving and processing this information and then doing the PR for the group through this Telegram channel.”

Simin Kargar, a doctoral researcher at Johns Hopkins University who tracks human rights and cybersecurity matters related to Iran, views the group’s activity in the context of the larger cyber tit-for-tat involving Iran and its adversaries, whether Israel, the U.S. or others in the region. The group has aggressively promoted MEK symbols and messaging from its inception, she said, and over time, the MEK “has come to own this, whether or not there is an actual relation between the MEK as an organization and this hacktivist group.”

MEK has a history of exposing highly sensitive Iranian secrets, she added, most notably revealing Iran’s nuclear program in a press conference in 2002. While not directly cyber related, the revelations foreshadowed a scenario whereby MEK gained supporters among hawkish American policy makers looking to find ways to undermine the Iranian government, most notably during the Trump years when several officials interacted directly with MEK.

During that period Kargar’s research showed a “surge of MEK activities” on social media promoting some of the Trump administration’s most hawkish anti-Iran messaging. Fast forward to the current era with a plethora of hacktivist groups sharing Iranian data, some of whom also promote MEK messaging, and it’s clear that something is going on, she said.

“Speculations in the background about who these groups might be, and who they might be connected to, has always involved some sort of connection with the MEK,” she said. “Because they definitely have the motivation and interest to either pull something like this off independently, or being fed with intelligence in this domain, and then kind of using that, packaging that in a way that serves their purposes.”

In a statement provided to CyberScoop, the MEK said there’s no proof any hack occurred from its camp in Albania, “let alone that it is naive to hack from a known center.” 

Additionally, the materials seem to be the work of insiders in Iran, the statement said, with access to them “possible only with direct access to the regime’s devices inside the country. Many documents revealed are way outside the Internet domain.”

Whether the group is connected to the MEK or not, its activities are having consequences for the exiled group. Albanian police raided the MEK camp Ashraf-3 on June 20 in an action that left dozens injured and one man dead. The police seized 150 “computer devices allegedly linked to prohibited political activities,” the Associated Press reported.

Authorities raided the camp as part of an Albanian government investigation into alleged provocation of war, illegal interception of computer data, interference in data and computer systems, equipment misuse, and for the MEK being a “structured criminal group,” the Albanian news outlet Politiko reported the next day. The investigation began May 18 based on news articles reporting on the early May hack of the Iranian Ministry of Foreign Affairs, according to the story. Albanian authorities also cited the June 2022 hack on the Tehran municipal CCTV system in the search warrant.

“In July 2022, Albania was subjected to the most serious cyber-attack sponsored by the Islamic Republic of Iran, which caused massive damage to Albania’s digital infrastructure and interrupted the provision of public services and documents — 95% of which are offered only online — for months,” the Albanian embassy wrote in an email to CyberScoop. “In response, the Albanian Government severed diplomatic relations with the Islamic Republic of Iran and since then, we have received numerous threats, always related to the MEK presence in Albania.”

Albania “cannot tolerate that our territory be used to engage in illegal, subversive and political activity against other countries, as has allegedly been the case with the MEK,” the email read. “Humanitarian protection does not provide the MEK with special immunity before the law. MEK members are just as liable to be investigated and prosecuted for crimes committed in the territory of the Republic of Albania as any other individual, be they citizens, residents, refugees, or — as is the case with the MEK — individuals enjoying humanitarian protection from the Government of Albania.”

According to the MEK’s statement, roughly 1,200 Albanian police arrived at the camp the morning of June 20, and the majority of the people at the camp were unaware of the court order related to the hack investigation. Aggressive police actions caused “residents to protest,” the statement read, resulting in Albanian police injuring more than 100 people and leading to the death of one man after he was pepper sprayed, according to the statement. 

Albanian authorities seized 200 computers, the statement added. “There is nothing illegal in them; we are apprehensive that the information contained in these computers fall into the hands of the Iranian regime, with families and relatives of the residents in Iran put in danger.”

Updated June 27, 2023: This story has been updated to include comment provided to CyberScoop by the MEK after publication, and to reflect that the MEK disputes any characterization implying it is a “cult.”

The post The potent cyber adversary threatening to further inflame Iranian politics appeared first on CyberScoop.

Pro-Russian hackers remain active amid Ukraine counteroffensive
https://cyberscoop.com/russia-ukraine-hackers-counteroffensive/ (Fri, 16 Jun 2023 21:45:39 +0000; https://cyberscoop.com/?p=74888)
Pro-Russian hackers are focused on Ukrainian service providers, media, critical infrastructure and collecting data from government networks.

The post Pro-Russian hackers remain active amid Ukraine counteroffensive appeared first on CyberScoop.
Pro-Russian hackers are continuing to hit targets in Ukraine amid a counteroffensive aimed at reclaiming territory held by Russian forces in what Ukrainian officials and researchers describe as an intense period of network operations as the conflict heats up.

“The activity is still very high,” Victor Zhora, a top Ukrainian cybersecurity official, told CyberScoop via online chat Thursday.

Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, which is responsible for the defense of Ukrainian government systems, said that pro-Russian hackers are focused on Ukrainian service providers, media and critical infrastructure, as well as collecting data from government networks. Zhora said his team is expecting the pace of pro-Russian operations to pick up.

But it is far from clear that these operations are making a meaningful difference to Russian forces in Ukraine, and some of these operations appear geared toward creating the impression of widespread hacking activity even when they aren’t successful.

On Friday morning, the pro-Russian hacktivist group Killnet claimed to have hit key European financial institutions, including IBAN and SWIFT, which are used to facilitate banking transactions. But there was no indication that they had actually disrupted them.

By midday Friday there was no evidence that any attacks had taken place. The European Central Bank noted that its systems were running normally. A representative for Swift told CyberScoop that it, too, was running without issue. IBAN did not immediately respond to a request for comment.

Separately on Friday, a pro-Russian hacking group known as Beregini, which claims to operate out of Ukraine, posted what appeared to be a document prepared in April by U.S. Defense Department officials describing efforts by the international coalition supporting Ukraine to speed up deliveries of air defense systems.

The document bore the “CUI” classification, denoting that it was “controlled, unclassified information,” and appears to have been prepared for the Ukraine Defense Contact Group, which coordinates international assistance for the defense of Ukraine.

Though CyberScoop could not verify the document’s authenticity, its publication by Beregini is indicative of how hack-and-leak operations — or creating the appearance of them — have become a key tool in the information domain of the conflict.

A Defense Department spokesperson told CyberScoop the agency could not confirm the veracity of the document.

Against this backdrop, state-backed Russian hackers continue to conduct operations in Ukraine. On Wednesday, Microsoft identified what it described as a new hacking unit within Russia’s military intelligence (GRU) that it dubbed “Cadet Blizzard,” which carries out a range of cyber operations, including destructive malware attacks, hack-and-leak operations and intelligence collection.

On Thursday, researchers with the Symantec Threat Hunter Team detailed attacks carried out by a group they track as Shuckworm — also known as Gamaredon — targeting Ukrainian security services, military and government organizations. “The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more,” Symantec said.

Sean Townsend, a spokesperson for the loose collective of hackers and various hacking groups in Ukraine known as the Ukrainian Cyber Alliance, told CyberScoop this week that since the Russian invasion the GRU has made “noticeable changes in tactics,” including greater coordination and attention given to hacking groups serving as fronts, such as Zarya, Hacknet and Solntsepek.

Groups such as these are either fronts for state activity or conduits through which government-operated hacking campaigns push information to the wider world.

In the run-up to and during the Russian invasion, Ukraine has been the site of prolific cyber operations as a means for intelligence collection, information operations, and, occasionally, in conjunction with kinetic attacks. The recent flurry of activity is just the latest in this busy cyber operations space — made up of hackers working for governments, in support of governments and, at times, on their own.

Over the course of the conflict, these groups have shifted their targeting, Townsend said. Last summer, for instance, many pro-Russian hacking groups sought to intercept the exchange of intelligence between Ukraine and its allies. Over the winter, their operations focused more on targets in Central Europe. Starting this spring, they’ve shifted more toward utilizing front groups.

“They apparently realize that their usual method of communication simply doesn’t work,” Townsend said.

Fifteen months into the current phase of the war, government intelligence agencies and private sector research teams are getting better at distinguishing between the various pro-Russian hackers at work in Ukraine, said Tom Hegel, a senior threat researcher with SentinelLabs. Activity that might have been lumped under a wider umbrella in the early days of the war can be better parsed and analyzed now, he said.

While pro-Russian hacking operations during the early days of the conflict had what Hegel called a “spray and pray” quality to them, today’s operations are more strategic while the pace of activity remains consistent. As operations are increasingly carried out through front groups, high-powered and deeply resourced actors — known as APTs within the cybersecurity industry — may be supporting those efforts.

Microsoft identifies new hacking unit within Russian military intelligence
https://cyberscoop.com/microsoft-gru-russia-ukraine-hacking/ (Wed, 14 Jun 2023 16:00:00 +0000; https://cyberscoop.com/?p=74808)
Dubbed "Cadet Blizzard," the hacking group carried out operations targeting Ukrainian infrastructure in the run-up to the Russian invasion.

The post Microsoft identifies new hacking unit within Russian military intelligence appeared first on CyberScoop.
On Jan. 13, 2022, about five weeks before Russia’s full-scale invasion of Ukraine, Russian hackers carried out one of the first cyberattacks in the run-up to the conflict.

Posing as ransomware, the malware worked in two stages: First, it would overwrite the master boot record with a ransom note, pointing victims to a bitcoin wallet and demanding a relatively paltry $10,000 to recover corrupted files. Then it would download and deploy file corrupter malware, targeting files in particular directories to be overwritten. But the operation was a ruse: There was no way to recover the files.

Two days after the malware was deployed, Microsoft researchers published an analysis of the destructive tool, dubbing it WhisperGate. By May, officials in Ukraine, the United States and the United Kingdom had attributed the attack to units working under Russia’s Main Intelligence Directorate (GRU).

A year later, Microsoft researchers have determined that the unit behind that attack is an active and distinct group within the GRU, responsible for website defacements, destructive attacks, cyber espionage and hack-and-leak operations. In a report published Wednesday, Microsoft concludes that a group it is calling “Cadet Blizzard” is behind a wave of attacks since February 2023 targeting not only Ukraine, but also NATO member states providing military assistance to Ukraine.

Wednesday’s report for the first time identifies the activity as distinct from other GRU-affiliated cyber operations, which include the group widely tracked as Sandworm and believed to be responsible for multiple attacks on Ukraine’s electric grid in recent years. Hacking operations linked to the GRU are considered among the most destructive and potent in the Russian-affiliated hacking ecosystem.

“The emergence of a novel GRU affiliated actor, particularly one which has conducted destructive cyber operations likely supporting broader military objectives in Ukraine, is a notable development in the Russian cyber threat landscape,” the researchers said Wednesday, while noting that the group’s attacks are generally less successful than more sophisticated and prolific Russian hacking groups, such as Sandworm.

Russian hacking groups have either refrained from or failed to carry out spectacular cyberattacks targeting Ukrainian critical infrastructure as part of the Kremlin’s attempt to overthrow the government in Kiev. But Russian hacking groups have nonetheless remained active in the conflict, carrying out attacks to wipe Ukrainian computer systems and conducting information operations — the type of action that is emblematic of Cadet Blizzard.

Dating to at least 2020, Cadet Blizzard’s activity includes attacks around the world — in Europe, Latin America and Central Asia — with a particular focus on government services, law enforcement, nonprofits/NGOs, IT service providers and emergency services, the researchers said. The group has consistently targeted IT and software providers, the researchers added, given that one successful attack can lead to multiple downstream compromises.

Microsoft characterizes the group as a conventional network operator that works without bespoke malware or tooling. “Unlike other Russian-affiliated groups that historically prefer to remain undetected to perform espionage, the result of at least some notable Cadet Blizzard operations are extremely disruptive and are almost certainly intended to be public signals to their targets to achieve the larger objective of destruction, disruption, and possibly, intimidation,” the researchers noted.

Cadet Blizzard’s activity overlaps with other cyber operations that “may have a broader scope or a nexus outside of Russia,” including connections to a group Microsoft tracks as Storm-0587, denoting an unattributed activity. That group is linked to malware known as SaintBot, a downloader that can be configured to deliver nearly any other payload. Cadet Blizzard also has support from “at least one private sector enabler organization within Russia,” the researchers noted.

[Figure: Cadet Blizzard normal operational lifecycle (Microsoft Threat Intelligence Center).]

The group uses a hacktivist front called “Free Civilian” to publish and share stolen data, according to the report. Free Civilian posted and leaked stolen Ukrainian government data from various sources on its website in January 2022 ahead of the invasion. The organizations whose data was leaked “strongly correlated to multiple Cadet Blizzard compromises earlier in 2022,” the researchers said, suggesting “that this forum is almost certainly linked to Cadet Blizzard.”

[Figure: Front page of the Free Civilian website (Microsoft Threat Intelligence Center).]

On Feb. 21, 2023, Free Civilian launched a Telegram channel. The next day, a post in Russian began: “Hello, long time no see,” followed by promises of data from a range of Ukrainian government agencies and a message mocking Ukraine’s Cyber Police and its security service.

The channel has continued to post stolen data and references to stolen data, including as recently as April 26. The channel had just more than 1,300 subscribers as of Wednesday, with most posts “getting at most a dozen reactions as of the time of publication,” the researchers said, “signifying a low user interaction.”

A separate private channel likely operated by the group offers access to stolen data. The administrators of that channel have to manually approve requests to join, and as of Wednesday the channel had 779 members.

Ukrainian hackers target telecom firm connected to Russian central bank
https://cyberscoop.com/ukraine-counteroffensive-hackers-infotel/ (Fri, 09 Jun 2023 19:25:34 +0000; https://cyberscoop.com/?p=74719)
Banking services in Russia may have been disrupted by the attack, which comes amid a Ukrainian counteroffensive.

The post Ukrainian hackers target telecom firm connected to Russian central bank appeared first on CyberScoop.
A Ukrainian hacking group claimed responsibility on Thursday for an attack on Infotel JSC, a Russian telecom firm that provides key infrastructure to the Russian banking system.

While the exact consequences of the attack remain unclear, a statement on Infotel’s website confirmed that “as a result of a massive hacker attack” the company’s “network equipment was damaged” and that the firm is working to restore access, according to a Google translation.

The attack on Infotel, which appears to have begun Thursday, comes on the heels of a long-awaited Ukrainian counter-offensive. The Cyber Anarchy Squad — a Ukrainian hacking group active since last year’s invasion of Ukraine — took credit for the attack. The group posted to its Telegram channel what appeared to be Infotel network diagrams and a screenshot from inside an Infotel official’s email.

“Acidify the soil, fill the ground with concrete,” the group wrote in a message posted to Telegram, according to a Google translation. “All their infrastructure is destroyed, nothing alive is left there.”

Administrators of the Cyber Anarchy Squad’s Telegram channel did not immediately return a request for comment.

The attack may have caused disruptions to the Russian banking system. The Ukrainian news outlet Economichna Pravda reported that as a result of the attack, “the main banks of Russia and credit organizations throughout the Russian Federation do not have access to banking systems and cannot make payments.” An unconfirmed report posted to LiveMap — an online service that tries to geolocate online reports — suggested that banking services were at least partially inaccessible to customers on Thursday.

According to Infotel’s website, the company is an authorized access provider to an automated communication system between Russia’s central bank and Russian credit institutions.

CyberScoop could not confirm the extent of the attack’s effects on the Russian banking system, and Infotel did not return a request for comment on Friday.

This week’s counter-offensive, in which Ukrainian armed forces are beginning to use heavy weaponry supplied by Western allies to reclaim territory from Russian forces, has been accompanied by attacks on Russian websites. According to Ukrainska Pravda, multiple Russian websites have been hacked and defaced in the last week to show support for the Ukrainian military and the counteroffensive.

Sean Townsend, a spokesperson for the loose collective of hackers and various hacking groups in Ukraine known as the Ukrainian Cyber Alliance, told CyberScoop in an online chat that it is his understanding that “Infotel was wiped, including servers (backups too) and core routers (configs reset, firmware erased).” Townsend added that Infotel JSC “cannot bring up the BGP routing” — which internet service providers use to route internet traffic — and that “I expect that they will (spend) no less than a week to restore the service at minimal level.”

Infotel’s network went down at roughly 11:00 UTC (7 am ET) Thursday, according to Doug Madory, the director of internet analysis at the network monitoring firm Kentik. As of Friday afternoon, Infotel’s network remains down, Madory said.

According to Townsend, Infotel took a snapshot of its website from the Internet Archive and is currently hosting it on a third-party provider.

Russian government accuses Apple of colluding with NSA in iPhone spy operation
https://cyberscoop.com/russian-apple-nsa-iphone-spying/ (Thu, 01 Jun 2023 16:15:38 +0000; https://cyberscoop.com/?p=74496)
A Russian intelligence agency said thousands of iPhones were infected in an operation that shows "cooperation" between Apple and the NSA.

The post Russian government accuses Apple of colluding with NSA in iPhone spy operation appeared first on CyberScoop.
The Russian government on Thursday accused Apple of colluding with the U.S. intelligence community — and the National Security Agency in particular — to compromise thousands of iPhones connected to users in Russia and some devices inside foreign embassies in Moscow.

“The Russian authorities have uncovered a new fact of the US special services using American IT companies for global surveillance of US and other countries’ citizens,” read a statement posted to the Russian Ministry of Foreign Affairs website Thursday.

The Russian Federal Security Service, known more commonly as the FSB, said in its own announcement that it “uncovered a reconnaissance action by American intelligence services” after detecting “anomalies … specific only to users of Apple mobile phones and are caused by the operation of previously unknown malicious software (VPO) that uses software vulnerabilities provided by the manufacturer.”

The agency claims that “several thousand” infected phones were found, belonging to domestic Russian users as well as phones registered “with diplomatic missions and embassies in Russia, including the countries of the NATO bloc and the post-Soviet space, as well as Israel, SAR and China, were revealed.”

The statement said the situation “testifies to the close cooperation of the American company Apple with the national intelligence community, in particular the US NSA, and confirms that the declared policy of ensuring the confidentiality of personal data of users of Apple devices is not true.”

In a statement to CyberScoop, an Apple spokesperson said, “we have never worked with any government to insert a backdoor into any Apple product and never will.”

Also Thursday, a team of researchers from Kaspersky — the Russian-founded cybersecurity company that maintains distinct legal entities across the world, operating in 200 countries and territories — published new research describing an “ongoing” zero-click iMessage exploit for iOS that allows attackers to run arbitrary code on iPhones with root privileges and implements a set of commands for collecting system and user information.

The researchers discovered what they call “Operation Triangulation” while analyzing network traffic on Kaspersky’s own corporate Wi-Fi network dedicated to mobile devices, the company said.

“While monitoring the network traffic of our own corporate Wi-Fi network using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), we discovered a previously unknown mobile APT campaign targeting iOS devices,” the company said on a page dedicated to Operation Triangulation. “The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data.”

The company added that it was an ongoing investigation that requires analyzing a “substantial” amount of information. “Given the complexity of the attack, we are confident that we are not the only target, and invite everyone to join the research,” Kaspersky said.

A Kaspersky spokesperson told CyberScoop Thursday that the company is aware of the Russian government’s announcement. “Although the attacks look similar, we are unable to verify this as we don’t have technical details on what has been reported by the FSB so far.”

In response to questions from CyberScoop, Apple noted only that Kaspersky does not make any claim the vulnerability it discovered would work beyond iOS 15.7. The current Apple iPhone operating system is 16.5.

Yet, an official notice from the Russian Computer Emergency Response Team cited Kaspersky’s report in an alert published Thursday.

“The political piece of this puzzle is the most interesting,” said Oleg Shakirov, a cyber policy expert and consultant at the Moscow-based PIR Center think tank.

Kaspersky isn’t likely to formally attribute the attack, he said, but “as far as the FSB is concerned, there is really no pressure on them to provide more evidence to the public. If they believe in Apple’s involvement, this can already be used to justify restrictions on the use of iPhones and other products by government officials (which has already been reported) as well as by others, for instance those working in critical information infrastructure sectors.”

Shakirov added that “we don’t see a lot of substantiated accusations from Russia about U.S. cyber activities. Many vague accusations or claims without much backing. So today’s story, if it’s indeed related to the United States, is quite remarkable.”

In March, the Russian government banned some government officials from using iPhones over “concerns that the devices are vulnerable to Western intelligence agencies,” Reuters reported at the time. But as of Thursday as many as 30% of Russian presidential administration employees used iPhones for personal work, Kremlin spokesperson Dmitry Peskov said, according to The Moscow Times.

The NSA declined to comment on Thursday for this story.

Updated June 1, 2023: This story was updated after publication to reflect that the National Security Agency declined a request for comment. The story has also been updated to include a response from Apple.

Iranian dissidents’ claim of presidential hack likely legitimate, experts say
https://cyberscoop.com/iranian-dissidents-presidential-hack/ (Wed, 31 May 2023 20:36:49 +0000; https://cyberscoop.com/?p=74428)
The hack and leak operation revealed Monday includes a trove of files related to Iranian President Ebrahim Raisi.

The post Iranian dissidents’ claim of presidential hack likely legitimate, experts say appeared first on CyberScoop.
A trove of documents, images and videos from the offices of Iranian President Ebrahim Raisi posted online Monday appear to be authentic, cybersecurity experts familiar with the matter told CyberScoop on Wednesday.

The materials posted to a Telegram channel Monday by a group called “GhyamSarnegouni” (“Rise to Overthrow”) include alleged diplomatic correspondence, floor plans for the offices and sleeping quarters of the Iranian president and other top government offices, detailed network topologies for sensitive Iranian government networks and more.

“The hack is legit,” said Amin Sabeti, the founder of the Computer Emergency Response Team in Farsi, which focuses on Iranian cybersecurity issues. Amir Rashidi, the director of internet security and digital rights at the Miaan Group, an Iranian digital and human rights organization, also told CyberScoop that the files “seem legitimate,” perhaps obtained by someone with insider access.

While the documents could reveal previously non-public details, Rashidi said many of the Iranian government’s activities exposed in the documents are already well known and discussed.

“None of this information is really crazy critical,” Rashidi said, other than perhaps the floor plans and some of the other more technical details. It’s more that it’s “embarrassing,” he added, noting that the information seems to confirm what was largely known about how the Iranian government operates. The material also reportedly includes internal information about nuclear expansion within the country, according to Iran International news.

The embarrassing hack landed days before news emerged that Iran had resolved two outstanding issues with the International Atomic Energy Agency related to enriched uranium, which the Associated Press characterized as “[easing] pressure slightly on Tehran.” Rashidi said that although there’s no firm connection to this specific hack, it’s curious how often major leaks occur in conjunction with any progress on nuclear issues.

“Any time we are at the middle of the conversation that this nuclear negotiation might lead somewhere, might end somewhere, you will see somehow, either by Israeli or by some hacking group or something like that, some kind of information being publicized regarding Iran nuclear program,” Rashidi said.

Iran’s permanent mission to the United Nations did not return a request for comment from CyberScoop sent Wednesday.

A government spokesperson told an Iranian news outlet Monday that several presidential sites were temporarily down due to technical issues related to a new version of the website, and denied “rumors” about the hacking, the state-backed Iranian Students’ News Agency reported. The Islamic Republic News Agency reported that the president’s office called the documents “fake.”

GhyamSarnegouni emerged on Telegram on Jan. 26, 2022, and is one of many anti-Iranian government groups online purporting to hack Iranian government systems as a form of protest. From its early days, its messaging has echoed the prominent Iranian opposition group Mojahedin-e Khalq (MEK), Rashidi said, suggesting an affiliation of some kind.

On May 29, GhyamSarnegouni posted a simple message: “The entire highly protected internal network of the executioner president’s institution in Tehran was captured and out of reach,” according to a Google translation.

Over the next three hours the group posted new files, images and videos every few minutes. Around the same time, a post appeared on the MEK website titled “Iranian dissidents take over high-security servers of regime presidency.” The post attributed the hack to GhyamSarnegouni and said that multiple websites linked to President Raisi were defaced and that highly sensitive documents and materials were exfiltrated.

Multiple websites were altered to include the image of two MEK leaders — Massoud Rajavi and his wife Maryam — the Times of Israel reported Monday.

The group responsible for the attack claimed it gained control of 120 servers connected to the president’s internal network and central databases, access to and control of more than 1,300 computers on the network, security footage of the network’s communication hardware and “access to systems of the classified internal communications to the presidency and the government,” according to the post on the MEK website.

Screenshot from a video posted to the GhyamSarnegouni Telegram channel May 29 purporting to show images from closed circuit television footage monitoring Iranian government server equipment.

Additional materials allegedly obtained by the hackers, according to the MEK, included: classified and encrypted internal messages; “tens of thousands of classified, top secret, and secret documents”; floor plans and building designs of the president’s office and sleeping quarters; and detailed network diagrams and equipment information, including IP addresses, for facilities associated with the president as well as other top government leaders and institutions, including the interior and intelligence ministries and the Basij, a militia under the Iranian Revolutionary Guard.

Earlier in May, GhyamSarnegouni claimed to have hacked the Iranian foreign ministry’s servers and defaced multiple websites. In that case, too, websites were defaced with pictures of MEK leaders, and a news story about the hack appeared on the MEK website. In October, a separate group called Black Reward claimed credit for the hack-and-leak of emails related to the country’s nuclear program, which the group said was in response to the Iranian government’s murder of Mahsa Amini and the subsequent crackdown on protesters there.

“The islamic republic has become the first dictatorship to become open source,” said Sabeti, the Computer Emergency Response Team founder. “The amount of leaked data literally has opened source the regime.”

Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign https://cyberscoop.com/hacking-southeast-asia-dark-pink/ Wed, 31 May 2023 08:00:00 +0000 https://cyberscoop.com/?p=74383 A group called "Dark Pink" is likely based in Southeast Asia and shows signs of development and ongoing activity, researchers say.

Five more victims in an expanding set of countries have been added to the list of a likely Southeast Asian hacking campaign discovered earlier this year, researchers with Group-IB said Wednesday.

Group-IB dubbed the group “Dark Pink” in a January analysis and said it likely represented an “entirely new [advanced persistent threat] group” targeting a range of organizations across the Asia-Pacific region, and one in Europe, to steal corporate data and other high-value secrets. Further research has revealed five more victims, expanding the group’s operations to Belgium, Brunei and Thailand, the researchers said Wednesday.

Along with the expanded operations, the campaign’s operators have updated their tools and data exfiltration methods in operations as recent as this month, the researchers said, a sign “that the group shows no signs of slowing down.”

Group-IB has linked the campaign to attacks on 13 organizations to date across nine countries: Vietnam, Bosnia and Herzegovina, Cambodia, Indonesia, Malaysia, Philippines, Belgium, Thailand and Brunei. Targeted organizations include military bodies, government ministries and an educational institution, the company said.

Group-IB has not attributed the campaign, but in January the Chinese security firm Anheng Hunting Labs linked the activity — which it tracks as the “Saaiwc Group” — to an unnamed Southeast Asian country. A March analysis from EclecticIQ noted some metadata that pointed to China, but said there was a lack of conclusive proof and characterized it as a “low confidence” attribution.

The latest research shows that the campaign’s operators have modified their KamiKakaBot malware — which is designed to steal sensitive information and data from targeted systems — in an apparent effort to hinder static analysis.

Dark Pink has also demonstrated new exfiltration methods. Previous research revealed that stolen data was sent to a Telegram chat in a zip archive, and also stolen using email or publicly available cloud services such as Dropbox, the researchers said. In a recent attack, however, the group exfiltrated data using the Webhook[.]site service, which can be used for legitimate data communication and testing purposes, but also abused to facilitate illicit data transfers.
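As an added defender-side illustration (not code from Group-IB or from this article), the check below scans proxy-style log lines for archive-sized uploads to the exfiltration channels named above: the Telegram bot API, Dropbox and Webhook.site. The hostnames, the log layout and the size threshold are assumptions, and the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit

# Services named in the Group-IB reporting; the hostnames are assumed for this
# example and are not indicators published by the researchers.
EXFIL_SERVICES = {"api.telegram.org": "telegram-bot-api",
                  "webhook.site": "webhook.site",
                  "content.dropboxapi.com": "dropbox"}
UPLOAD_METHODS = {"POST", "PUT"}
MIN_UPLOAD_BYTES = 64 * 1024  # assumed threshold: large enough to be a zip archive

# Assumed proxy log layout: <timestamp> <client-ip> <method> <url> <status> <bytes-sent>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")

def classify_host(host):
    """Return the service label if host is, or is a subdomain of, a watched host."""
    host = host.lower().rstrip(".")
    for watched, label in EXFIL_SERVICES.items():
        if host == watched or host.endswith("." + watched):
            return label
    return None

def scan(lines):
    """Return (ts, client, host, service, bytes) for each archive-sized upload to a
    watched service; malformed lines and non-upload methods are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(3) not in UPLOAD_METHODS:
            continue
        ts, src, _method, url, _status, sent = m.groups()
        host = urlsplit(url).hostname or ""
        label = classify_host(host)
        if label and int(sent) >= MIN_UPLOAD_BYTES:
            findings.append((ts, src, host, label, int(sent)))
    return findings

# Constructed sample lines (not real traffic): a benign GET, a small bot-API POST,
# an archive-sized POST to the bot API, a PUT to a webhook.site URL and a bad line.
SAMPLE_LOGS = [
    "2023-05-29T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200 512",
    "2023-05-29T10:02:10Z 10.0.0.5 POST https://api.telegram.org/bot<TOKEN>/sendDocument 200 2048",
    "2023-05-29T10:03:44Z 10.0.0.7 POST https://api.telegram.org/bot<TOKEN>/sendDocument 200 3145728",
    "2023-05-29T10:04:00Z 10.0.0.7 PUT https://webhook.site/<UUID> 200 921600",
    "this line does not match the expected layout",
]

if __name__ == "__main__":
    for ts, src, host, label, sent in scan(SAMPLE_LOGS):
        print(f"{ts} {src} -> {host} ({label}) {sent} bytes")
```

Because Webhook.site and Dropbox also carry legitimate traffic, a hit is a triage lead to pair with endpoint evidence such as the archive being created, not a verdict on its own.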

That Dark Pink has added new victims in new countries in operations that remain ongoing suggests “the threat actors’ geography could be broader than initially thought,” the Group-IB researchers said. “The fact that two attacks were executed in 2023 indicates that Dark Pink remains active and poses an ongoing risk to organizations. Evidence shows that the cybercriminals behind these attacks keep updating their existing tools in order to remain undetected.”
