Australia: Cyber attacks on elections growing amid concern for Australia's political parties:
New research says Russia is the most prolific state actor engaging in online interference against democratic elections, followed by China, which has significantly increased its cyber arsenal over the past two years, while Iran and North Korea are also offenders. ...Australia has experienced a wave of cyber attacks from a sophisticated state-based actor this year…...All four countries have tried to interfere in the 2020 United States presidential election, using a combination of cyber attacks and online disinformation campaigns.
Washington Post: Federal investigators find evidence of previously unknown tactics used to penetrate government networks
For days, it has been clear that compromised software patches distributed by a Texas-based company, SolarWinds, were central to Russian efforts to gain access to U.S. government computer systems. But Thursday’s alert from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security said evidence suggested there was other malware used to initiate what the alert described as “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
……………………………………………………………………………………..
https://www.washingtonpost.com/business/technology/government-warns-new-hacking-tactics-russia/2020/12/17/bba43fd8-408c-11eb-a402-fba110db3b42_story.html
Federal investigators find evidence of previously unknown tactics used to penetrate government networks
Craig Timberg and Ellen Nakashima
Dec. 17, 2020 at 4:03 p.m. EST
Federal investigators reported Thursday on evidence of previously unknown tactics for penetrating government computer networks, a development that underscores the disastrous reach of Russia’s recent intrusions and the logistical nightmare facing federal officials trying to purge intruders from key systems.
For days, it has been clear that compromised software patches distributed by a Texas-based company, SolarWinds, were central to Russian efforts to gain access to U.S. government computer systems. But Thursday’s alert from the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security said evidence suggested there was other malware used to initiate what the alert described as “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
While many details remained unclear, the revelation about new modes of attack raises fresh questions about the access that Russian hackers were able to gain in government and corporate systems worldwide.
The U.S. government spent billions on a system for detecting hacks. The Russians outsmarted it.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.”
The U.S. government has not publicly blamed Russia for the hacks, but U.S. officials speaking privately say that Russian government hackers were behind the operation. Moscow has denied involvement.
The alert cited a blog post this week from Volexity, a Reston, Va.-based cybersecurity company, about repeated intrusions into an unnamed think tank that, according to the company, took place over several years without being detected. The attackers, who are described using a pseudonym in the Volexity post, gained access to the think tank’s networks using “multiple tools, backdoors, and malware implants” and exploited a vulnerability in Microsoft’s Exchange Control Panel software, which is central to the company’s email services.
In a statement, Microsoft said, “This is an ongoing investigation into an advanced and sophisticated threat actor that has several techniques in their toolkit. We have not identified any Microsoft product or cloud service vulnerabilities in the recent attacks.”
Only the last of three separate intrusions against the think tank, in June and July, involved a corrupted patch from SolarWinds, suggesting an aggressive, persistent hacking team with sophisticated tactics at its disposal.
The Department of Energy and the National Nuclear Security Administration, which manages the country’s nuclear weapons stockpile, were also breached, officials said Thursday, joining a growing list of agencies reported in recent days to have been hacked by the Russians and that are central to U.S. national security and other core government functions. They include the State, Treasury, Commerce and Homeland Security departments, as well as the National Institutes of Health.
Politico first reported the breaches at the Energy Department and NNSA
An Energy Department spokeswoman, Shaylyn Hynes, said that at this point, the investigation has found that the malware has been isolated to business networks and has not affected the department’s “mission essential national security functions,” including at the NNSA.
Thousands of private companies worldwide also were potentially affected, many in sensitive industries, after they uploaded software patches that were infused with malware, reportedly by Russia’s foreign intelligence service, known as the SVR.
Russian hack was ‘classic espionage’ with stealthy, targeted tactic
Purging the intruders and restoring security to affected networks could take months, some experts say, because the hackers moved rapidly from the initial intrusions through the corrupted software patches to collect and deploy authentic system credentials, making discovery and remediation far more difficult. Closing the digital back doors initially created by the Russians will not suffice because they appear to have stolen keys to an unknown number of official doorways into federal and private corporate systems, according to investigators at FireEye, a cybersecurity firm that also was hacked.
On Monday, Microsoft and FireEye diverted the channel the Russians used to send commands to systems that download the corrupted patch, causing the malware to shut down. But that does not help those organizations whose networks the Russians have deeply penetrated.
The intruders into the U.S.-based think tank in each case were searching for email from particular targets, according to Steven Adair, president of Volexity. Only the Exchange vulnerability was Microsoft-related, but through it, the hackers were able to act as system administrators for the think tank’s network.
“If you can exploit it, it’s a pretty direct way into somebody’s infrastructure, with pretty high-level access,” Adair said.
Meanwhile, the SolarWinds issue continues to vex federal officials. The agency that runs the Department of Defense’s sprawling communications network downloaded a poisoned SolarWinds update that potentially exposed the agency’s network to the Russian hackers, according to U.S. officials, who, like others, spoke on the condition of anonymity because of the matter’s sensitivity.
U.S., Britain and Canada say Russian cyberspies are trying to steal coronavirus vaccine research
It is unclear whether the hackers used their access to the Defense Information Systems Agency to steal any data from the department’s networks, the officials said. So far, there is no evidence they have, but the investigation is in its early stages, they said.
“We’re just at the front end of figuring out the points of contact and what might have been left behind,” said one U.S. official. “We’re taking it very seriously. We don’t know as much as we’d like to know. We’ll keep going till we do.”
DISA is the department’s information technology nerve center. Besides running its own network, which houses billions of dollars of contracts and computer network designs, it runs the Defense Department’s unclassified intranet, which serves 4 million to 5 million personnel around the globe, including contractors and troops in combat zones.
A defense official acknowledged Thursday that “our software supply chain experienced a cyber attack to their systems.”
But Vice Adm. Nancy A. Norton, commander of the Joint Force Headquarters for the Department of Defense Information Network, said in a statement, “To date, we have no evidence of compromise” of the network. The department defines a “network compromise” as “a known or suspected exposure of the DOD network to an unauthorized person.”
Downloading the infected patch likely exposed DISA to the adversary, said Greg Touhill, a retired Air Force brigadier general and the federal government’s chief information security officer from 2016 to 2017. “SolarWinds was a hugely powerful platform that we leveraged in the DOD. If I were still in uniform, I would assume breach.”
Experts were skeptical of the notion that the Russians would gain access to a Defense Department network — especially one as sensitive as DISA — and not exploit it over many months of presumed access.
“DOD is one of the top priority targets for Russian intelligence,” said Dmitri Alperovitch, a cybersecurity expert and executive chairman of the Silverado Policy Accelerator think tank. “I can’t imagine a situation where, given an opportunity like this, they would not take advantage of it to get inside, roam around and try to steal as much sensitive data as they could related to force structure and readiness, weapons systems, and other issues of strategic concern to them.”
The Russian hackers are known for their stealth and ability to dwell at length inside compromised networks undetected. “My biggest concern would be if you’ve got an advanced adversary that has been in the network for a long time,” said Jack Wilmer, until August the Pentagon’s chief information security officer, who has no independent knowledge of the incident. “It may be very difficult to get them out and to be assured of the fact they’re no longer there.”
At this point the National Security Agency, which is part of the Defense Department and operates the largest electronic surveillance capability in the world, is not thought to be compromised. Classified networks, in any case, are “air-gapped” or cut off from the open Internet and not likely to be at high risk, officials said.
So disturbing have the events been that national security adviser Robert C. O’Brien rushed back from a trip to Europe on Tuesday afternoon to coordinate the government response to the hacks.
On Monday, the National Security Council convened an emergency meeting of agencies under a 2016 presidential order to address coordination on a “significant cyber event,” according to an official. Key agencies present were the FBI, Department of Homeland Security and Office of the Director of National Intelligence.
President-elect Joe Biden said in a statement Thursday that he is seeking to learn as much as he can about the breaches. As president, he said, he will work with allies to impose costs on those responsible for such actions. “I will not stand idly by in the face of cyber assaults on our nation,” he said.
…………………………………………………………
Cyber attacks on elections growing amid concern for Australia's political parties
By Anthony Galloway
October 28, 2020 — 8.00pm
State actors are increasingly launching cyber attacks and disinformation campaigns to interfere in elections, as one Australian MP calls for political parties to be considered "critical infrastructure" so they can better fend off the attacks.
New research says Russia is the most prolific state actor engaging in online interference against democratic elections, followed by China, which has significantly increased its cyber arsenal over the past two years, while Iran and North Korea are also offenders.
Australia has experienced a wave of cyber attacks from a sophisticated state-based actor this year.
All four countries have tried to interfere in the 2020 United States presidential election, using a combination of cyber attacks and online disinformation campaigns.
Australian intelligence agencies found China was responsible for a cyber attack on Federal Parliament and its three main political parties last year, but kept the finding secret to avoid souring trade relations with Beijing.
The Australian government also suspects China was probably behind a series of cyber raids this year on all levels of government, industry and critical infrastructure, including hospitals, local councils and state-owned utilities.
New research by the Australian Strategic Policy Institute has identified 41 elections and seven referendums around the world between January 2010 and October 2020 where cyber-enabled foreign interference was identified, finding there has been a significant uptick over the past three years.
The report, released on Wednesday night, finds there is often a clear geopolitical link between the interfering state and its target, saying "these actors are targeting states they see as adversaries or useful to their geopolitical interests".
It recommends that political parties and governments identify where there are vulnerabilities and develop a plan for resisting both cyber attacks and disinformation operations.
Last week, US intelligence agencies revealed Russia and Iran have obtained some US voting registration information and were attempting to foment unrest leading up to the presidential election.
Voters in at least four battleground states received spoof emails, which claimed to be from the far-right group Proud Boys, warning "we will come after you" if the recipients didn’t vote for Trump.
In a speech to parliament on Wednesday night, the Opposition's assistant cyber security spokesman Tim Watts said the attacks were a "salutary warning for Australia".
"These attacks are part of an accelerating trend, in which nation state hackers target IT systems of non-governmental democratic institutions in an effort to interfere in another country’s democratic process," Mr Watts said.
"Australia is currently unprepared for cyber-attacks on democratic institutions outside government."
The Opposition spokesman on cyber affairs, Tim Watts, says political parties need more support to fend off cyber attacks.
While the Australian government does classify the IT systems of Parliament House and the Australian Electoral Commission as critical infrastructure, Mr Watts said other organisations targeted in last year's attack, such as political parties, are not.