cyber espionage related cybersecurity articles - The Hacker News
The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: cyber espionage

Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide

Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide
February 18, 2020Ravie Lakshmanan
A new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. Dubbed " Fox Kitten ," the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. "We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now," ClearSky researchers said . "The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman." Tying the activities to threat groups APT33, APT34, and APT39, the offensive — conducted using a mix of open source and self-developed tools — also facilitated the groups to steal sensitive information

U.S. Charges Huawei with Stealing Trade Secrets from 6 Companies

U.S. Charges Huawei with Stealing Trade Secrets from 6 Companies
February 14, 2020Ravie Lakshmanan
The US Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI) charged Huawei with racketeering and conspiring to steal trade secrets from six US firms, in a significant escalation of a lawsuit against the Chinese telecom giant that began last year. Accusing Huawei and its affiliates of "using fraud and deception to misappropriate sophisticated technology from US counterparts," the new charges allege the company of offering bonuses to employees who obtained "confidential information" from its competitors. The indictment adds to a list of two other charges filed by the US government last year, including violating US sanctions on Iran and stealing technology from T-Mobile — called Tappy — that's used to test smartphone durability. The development is the latest salvo fired by the Trump administration in its year-long fight against the networking equipment maker, which it deems a threat to national security. "The misappropriated

A Look Into Continuous Efforts By Chinese Hackers to Target Foreign Governments

A Look Into Continuous Efforts By Chinese Hackers to Target Foreign Governments
October 02, 2019Swati Khandelwal
Phishing is still one of the widely used strategies by cybercriminals and espionage groups to gain an initial foothold on the targeted systems. Though hacking someone with phishing attacks was easy a decade ago, the evolution of threat detection technologies and cyber awareness among people has slowed down the success of phishing and social engineering attacks over the years. Since phishing is more sort of a one-time opportunity for hackers before their victims suspect it and likely won't fall for the same trick again, sophisticated hacking groups have started putting a lot of effort, time and research to design well-crafted phishing campaigns. In one such latest campaign discovered by cybersecurity researchers at Check Point, a Chinese hacking group, known as Rancor , has been found conducting very targeted and extensive attacks against Southeast Asian government entities from December 2018 to June 2019. What's interesting about this ongoing 7-month long campaign is

Russian APT Map Reveals 22,000 Connections Between 2000 Malware Samples

Russian APT Map Reveals 22,000 Connections Between 2000 Malware Samples
September 24, 2019Wang Wei
Though Russia still has an undiversified and stagnant economy, it was one of the early countries in the world to realize the value of remotely conducted cyber intrusions. In recent years, many Russia hacking groups have emerged as one of the most sophisticated nation-state actors in cyberspace, producing highly specialized hacking techniques and toolkits for cyber espionage. Over the past three decades, many high profile hacking incidents—like hacking the US presidential elections , targeting a country with NotPetya ransomware , causing blackout in Ukrainian capital Kiev , and Pentagon breach—have been attributed to Russian hacking groups, including Fancy Bear  (Sofacy), Turla ,  Cozy Bear ,  Sandworm Team  and Berserk Bear. Besides continuously expanding its cyberwar capabilities, the ecosystem of Russian APT groups has also grown into a very complex structure, making it harder to understand who's who in Russian cyber espionage. Now to illustrate the big picture and mak

New Malware Uses Windows BITS Service to Stealthy Exfiltrate Data

New Malware Uses Windows BITS Service to Stealthy Exfiltrate Data
September 09, 2019Mohit Kumar
Cybersecurity researchers have discovered a new computer virus associated with the Stealth Falcon state-sponsored cyber espionage group that abuses a built-in component of the Microsoft Windows operating system to stealthily exfiltrate stolen data to attacker-controlled server. Active since 2012, Stealth Falcon is a sophisticated hacking group known for targeting journalists, activists, and dissidents with spyware in the Middle East, primarily in the United Arab Emirates (UAE). Dubbed Win32/StealthFalcon , named after the hacking group, the malware communicates and sends collected data to its remote command-and-control (C&C) servers using Windows Background Intelligent Transfer Service (BITS). BITS is a communication protocol in Windows that takes unused network bandwidth to facilitate asynchronous, prioritized, and throttled transfer of files between machines in the foreground or background, without impacting the network experience. BITS is commonly used by software up

Powerful FinSpy Spyware Found Targeting iOS and Android Users in Myanmar

Powerful FinSpy Spyware Found Targeting iOS and Android Users in Myanmar
July 10, 2019Swati Khandelwal
One of the most powerful, infamous, and advanced piece of government-grade commercial surveillance spyware dubbed FinSpy —also known as FinFisher —has been discovered in the wild targeting users in Myanmar. Created by German company Gamma International, FinSpy is spying software that can target various mobile platforms including iOS and Android, we well as desktop operating systems. Gamma Group reportedly sells its controversial FinSpy espionage tool exclusively to government agencies across the world, but also gained notoriety for targeting human rights activists in many countries. The FinSpy implant is capable of stealing an extensive amount of personal information from targeted mobile devices, such as SMS/MMS messages, phone call recordings, emails, contacts, pictures, files, and GPS location data. In its latest report published today, Kaspersky researchers revealed a cyber-espionage campaign that involves targeting Myanmar users with the latest versions of FinSpy impl

'Legit Apps Turned into Spyware' Targeting Android Users in Middle East

'Legit Apps Turned into Spyware' Targeting Android Users in Middle East
June 26, 2019Mohit Kumar
Cybersecurity researchers are warning about an ongoing Android malware campaign that has been active since 2016 and was first publicly reported in August 2018. Dubbed " ViceLeaker " by researchers at Kaspersky, the campaign has recently been found targeting Israeli citizens and some other middle eastern countries with a powerful surveillance malware designed to steal almost all accessible information, including call recordings, text messages, photos, videos, and location data—all without users' knowledge. Besides these traditional spying functionalities, the malware also has backdoor capabilities including upload, download, and delete files, record surrounding audio, takeover camera, and make calls or send messages to specific numbers. The malware used in these campaigns was named " Triout " in a report published by Bitdefender in 2018, which is sort of a malware framework that attackers are using to turn legitimate applications into spyware by inject

Sophisticated 'TajMahal APT Framework' Remained Undetected for 5 Years

Sophisticated 'TajMahal APT Framework' Remained Undetected for 5 Years
April 10, 2019Swati Khandelwal
Cybersecurity researchers yesterday unveiled the existence of a highly sophisticated spyware framework that has been in operation for at least last 5 years—but remained undetected until recently. Dubbed TajMahal by researchers at Kaspersky Lab, the APT framework is a high-tech modular-based malware toolkit that not only supports a vast number of malicious plugins for distinct espionage operations, but also comprises never-before-seen and obscure tricks. Kaspersky named the framework after Taj Mahal, one of the Seven Wonders of the World located in India, not because it found any connection between the malware and the country, but because the stolen data was transferred to the attackers' C&C server in an XML file named TajMahal. TajMahal toolkit was first discovered by security researchers late last year when hackers used it to spy on the computers of a diplomatic organization belonging to a Central Asian country whose nationality and location have not been disclosed

Ex-NSA Contractor Pleads Guilty to 20-Year-Long Theft of Classified Data

Ex-NSA Contractor Pleads Guilty to 20-Year-Long Theft of Classified Data
March 29, 2019Mohit Kumar
A former National Security Agency contractor—who stole an enormous amount of sensitive information from the agency and then stored it at his home and car for over two decades—today changed his plea to guilty. The theft was labeled as the largest heist of classified government material in America's history. Harold Thomas Martin III, a 54-year-old Navy veteran from Glen Burnie, abused his top-secret security clearances to stole at least 50 terabytes of classified national defense data from government computers over two decades while working for a number of NSA departments between 1996 and 2016. In August 2016, the FBI arrested Martin at his Maryland home and found "six full bankers' boxes" worth of documents, many of which were marked "Secret" and "Top Secret," in his home and car. At the time of his arrest in August 2016, Martin also worked for Booz Allen Hamilton Holding Corp, the same company that previously employed  Edward Snowden  

Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms
March 28, 2019Swati Khandelwal
An Iran-linked cyber-espionage group that has been found targeting critical infrastructure , energy and military sectors in Saudi Arabia and the United States two years ago continues targeting organizations in the two nations, Symantec reported on Wednesday. Widely known as APT33 , which Symantec calls Elfin , the cyber-espionage group has been active since as early as late 2015 and targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance, and telecommunications in the Middle East and other parts of the world. Symantec started monitoring Elfin's attacks since the beginning of 2016 and found that the group has launched a heavily targeted campaign against multiple organizations with 42% most recent attacks observed against Saudi Arabia and 34% against the United States. Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcar

Researchers Link 'Sharpshooter' Cyber Attacks to North Korean Hackers

Researchers Link 'Sharpshooter' Cyber Attacks to North Korean Hackers
March 04, 2019Mohit Kumar
Security researchers have finally, with "high confidence," linked a previously discovered global cyber espionage campaign targeting critical infrastructure around the world to a North Korean APT hacking group. Thanks to the new evidence collected by researchers after analyzing a command-and-control (C2) server involved in the espionage campaign and seized by law enforcement. Dubbed Operation Sharpshooter , the cyber espionage campaign targeting government, defense, nuclear, energy, and financial organizations around the world was initially uncovered in December 2018 by security researchers at McAfee. At that time, even after finding numerous technical links to the North Korean Lazarus hacking group , researchers were not able to immediately attribute the campaign due to a potential for false flags. Researchers Analysed Sharpshooter's Command Server Now, according to a press release shared with The Hacker News, a recent analysis of the seized code and command

Ex-US Intelligence Agent Charged With Spying and Helping Iranian Hackers

Ex-US Intelligence Agent Charged With Spying and Helping Iranian Hackers
February 14, 2019Swati Khandelwal
The United States Department of Justice has announced espionage charges against a former US Air Force intelligence officer with the highest level of top-secret clearance for providing the Iranian government classified defense information after she defected to Iran in 2013. Monica Elfriede Witt , 39, was a former U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office of Special Investigations, who served the Air Force between 1997 and 2008 and Department of Defense (DOD) as a contractor until 2010. The indictment states that Witt once held the highest level of Top Secret security clearance and had access to details of highly classified counterintelligence operations, real names of sources, and the identities of U.S. intelligence officers. In February 2012, Witt allegedly traveled to Iran to attend an all-expenses-paid "Hollywoodism" conference held by the Iranian New Horizon Organization, which DoJ describes as focused on promoting anti-U.S.

Ecuador to Withdraw Asylum for Wikileaks Founder Julian Assange

Ecuador to Withdraw Asylum for Wikileaks Founder Julian Assange
July 22, 2018Mohit Kumar
After protecting WikiLeaks founder Julian Assange for almost six years, Ecuador is now planning to withdraw its political asylum, probably next week, and eject him from its London embassy—eventually would turn him over to the British authorities. Lenín Moreno, the newly-elected President of Ecuador, has arrived in London this Friday to give a speech at Global Disability Summit on 24 July 2018. However, media reports suggest the actual purpose of the President's visit is to finalize a deal with UK government to withdraw its asylum protection of Assange. According to RT editor-in-chief Margarita Simonyan and the Intercept 's Glenn Greenwald, multiple sources close to the Ecuadorian Foreign Ministry and the President's office have confirmed that Julian Assange will be handed over to Britain in the coming weeks or even days. Julian Assange, 47, has been living in Ecuador's London embassy since June 2012, when he was granted asylum by the Ecuador government after a B

Gaza Cybergang Returns With New Attacks On Palestinian Authority

Gaza Cybergang Returns With New Attacks On Palestinian Authority
July 10, 2018Wang Wei
Security researchers from Check Point Threat Intelligence Team have discovered the comeback of an APT (advanced persistent threat) surveillance group targeting institutions across the Middle East, specifically the Palestinian Authority. The attack, dubbed "Big Bang," begins with a phishing email sent to targeted victims that includes an attachment of a self-extracting archive containing two files—a Word document and a malicious executable. Posing to be from the Palestinian Political and National Guidance Commission, the Word document serves as a decoy to distract victims while the malware is installed in the background. The malicious executable, which runs in the background, act as the first stage info-stealer malware designed for intelligence gathering to identify potential victims (on the basis of what is unclear as of now), and then it accordingly downloads the second stage malware designed for espionage. "While the analysis...discloses the capabilities of

Stolen D-Link Certificate Used to Digitally Sign Spying Malware

Stolen D-Link Certificate Used to Digitally Sign Spying Malware
July 09, 2018Swati Khandelwal
Digitally signed malware has become much more common in recent years to mask malicious intentions. Security researchers have discovered a new malware campaign misusing stolen valid digital certificates from Taiwanese tech-companies, including D-Link, to sign their malware and making them look like legitimate applications. As you may know, digital certificates issued by a trusted certificate authority (CA) are used to cryptographically sign computer applications and software and are trusted by your computer for execution of those programs without any warning messages. However, malware author and hackers who are always in search of advanced techniques to bypass security solutions have seen been abusing trusted digital certificates in recent years. Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer

New Malware Family Uses Custom UDP Protocol for C&C Communications

New Malware Family Uses Custom UDP Protocol for C&C Communications
June 26, 2018Wang Wei
Security researchers have uncovered a new highly-targeted cyber espionage campaign, which is believed to be associated with a hacking group behind KHRAT backdoor Trojan and has been targeting organizations in South East Asia. According to researchers from Palo Alto , the hacking group, which they dubbed RANCOR, has been found using two new malware families—PLAINTEE and DDKONG—to target political entities primarily in Singapore and Cambodia. However, in previous years, threat actors behind KHRAT Trojan were allegedly linked to a Chinese cyber espionage group, known as DragonOK. While monitoring the C&C infrastructure associated with KHRAT trojan, researchers identified multiple variants of these two malware families, where PLAINTEE appears to be the latest weapon in the group's arsenal that uses a custom UDP protocol to communicate with its remote command-and-control server. To deliver both PLAINTEE and DDKONG, attackers use spear phishing messages with different inf

Chinese Hackers Carried Out Country-Level Watering Hole Attack

Chinese Hackers Carried Out Country-Level Watering Hole Attack
June 14, 2018Swati Khandelwal
Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks. The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers from Kaspersky Labs, who have attributed these attacks to a Chinese-speaking threat actor group called LuckyMouse . LuckyMouse, also known as Iron Tiger, EmissaryPanda, APT 27 and Threat Group-3390, is the same group of Chinese hackers who was found targeting Asian countries with Bitcoin mining malware early this year. The group has been active since at least 2010 and was behind many previous attack campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors. This time the group chose a national data center as its target from an unnamed country in Central Asia in an attempt to gain "access to a wide range of government

APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware

APT Hackers Infect Routers to Covertly Implant Slingshot Spying Malware
March 09, 2018Swati Khandelwal
Security researchers at Kaspersky have identified a sophisticated APT hacking group that has been operating since at least 2012 without being noticed due to their complex and clever hacking techniques. The hacking group used a piece of advanced malware—dubbed Slingshot —to infect hundreds of thousands of victims in the Middle East and Africa by hacking into their routers. According to a 25-page report published [ PDF ] by Kaspersky Labs, the group exploited unknown vulnerabilities in routers from a Latvian network hardware provider Mikrotik as its first-stage infection vector in order to covertly plant its spyware into victims' computers. Although it is unclear how the group managed to compromise the routers at the first place, Kaspersky pointed towards WikiLeaks Vault 7 CIA Leaks , which revealed the ChimayRed exploit , now available on GitHub , to compromise Mikrotik routers. Once the router is compromised, the attackers replace one of its DDL (dynamic link libraries)

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware

Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware
February 07, 2018Swati Khandelwal
Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems. Dubbed Operation PZChao , the attack campaign discovered by the security researchers at Bitdefender have been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States. Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group— Iron Tiger . However, this campaign has evolved its payloads to drop trojan, conduct cyber espionage and mine Bitcoin cryptocurrency. The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack tactics as of Iron Tiger, which, according to the researchers, si
Exclusive Offers

Cybersecurity Newsletter — Stay Informed

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.