Hacking Trail Leads to Russia, Experts Say
Malicious Code Found at U.S. Firm Where Military Secrets Were Kept
Earlier this year, investigators for Silicon Valley security company FireEye Inc. visited a U.S. firm to determine who, and what, sneaked into the firm’s network harboring military secrets.
There they found what they call a sophisticated cyberweapon, able to evade detection and hop between computers walled off from the Internet. The spy tool was programmed on Russian-language machines and built during working hours in Moscow. FireEye’s conclusion, in a report to be released Tuesday: The cyberspying has a "government sponsor—specifically, a government based in Moscow."
The report is one of four recent assessments by cybersecurity companies, buttressed by reports from Google Inc. and U.S. intelligence agencies, pointing to Russian sponsorship of a skilled hacking campaign dating back to 2007. Targets included NATO, governments of Russia’s neighbors, and U.S. defense contractors Science Applications International Corp. and Academi LLC, the U.S. security firm previously known as Blackwater.
Collectively, the new research offers evidence supporting a view long expressed privately by U.S. officials and American security researchers: Moscow commands the A-team of Internet adversaries.
China, the object of recent U.S. allegations of cyberspying, may hack more often, U.S. officials and researchers say. But Russia hacks better.
"I worry a lot more about the Russians" than China, America’s top spy, Director of National Intelligence James Clapper, said at a University of Texas forum this month, speaking of cyberattacks.
A U.S. official said differentiating between Russian criminal hackers and government hackers is difficult because the government uses cybersurveillance tools created by criminal groups and criminals use tools developed by the government.
For example, U.S. officials still haven’t determined whether the high-profile infiltration of a classified military system in 2008 was carried out by criminals or government hackers because the same surveillance tool was used by both, the U.S. official said.
People with direct knowledge of the investigation said there is no evidence implicating the Russian government in the J.P. Morgan breach.
The Russian embassy didn’t respond to a request for comment.
American complaints about Moscow’s espionage skills come as U.S.-Kremlin relations have hit a post-Cold War low following Russia’s incursion into Ukraine. Although some security firms said they are seeing more activity from Russia-linked attacks these days, U.S. officials say it’s difficult to establish a baseline for Russian-based cyberspying and that finding such attacks is "serendipitous."
FireEye shared its findings earlier this month with The Wall Street Journal, which then found that other security firms and the U.S. government had reached similar conclusions. FireEye also has shared its findings with the government. "Who else benefits from this?" asked Laura Galante, a FireEye manager and former Russia analyst for the U.S. Department of Defense. "It just looks so much like something that comes from Russia that we can’t avoid the conclusion."
FireEye’s Mandiant unit made a name for itself in 2013 when it revealed a Chinese-military hacking group working from an office building in Shanghai. The Justice Department confirmed many of Mandiant’s findings, even naming one of the same hackers, in May when it charged five People’s Liberation Army officers with stealing U.S. trade secrets. FireEye acquired Mandiant for $1 billion in January.
In the case of the Russian-language hackers, researchers inside and outside the government compared notes and believe they are tracking the same group. They dubbed the spy tool described by FireEye "Sofacy."
The company’s investigators said they were caught off guard when they responded to the U.S. firm that had been hacked earlier this year and which held military secrets. The company, which they decline to name, had lost sensitive data, but there were none of the digital fingerprints that Chinese hackers often leave behind, investigators said. Rather, the malware, or malicious code, was littered with spycraft.
The malware program also deployed countermeasures to deter investigators from determining how it worked. It encrypted stolen data and exported it in a way that resembled the victim’s own email traffic, to better conceal it. FireEye analysts determined the group has been active since at least 2007 and has steadily updated its hacking tools. The malware’s authors also designed it, if needed, to harvest data from machines not connected to the Internet by jumping onto USB thumb drives.
Governments often disconnect computers with highly sensitive information to guard against cyberspies. But government spies in the U.S. and elsewhere have used USB drives to overcome this defense in the past. The Russian hackers used this technique in the 2008 Defense Department intrusion, U.S. officials have said. "These are state-grade weapons," Ms. Galante said.
Sofacy’s authors consistently logged changes to the code between 8 a.m. and 6 p.m. local time in Moscow and St. Petersburg—like an analyst working at a desk, Ms. Galante said. Most of their computers were configured to use Russian, researchers at FireEye and Google found.
Perhaps most telling, researchers say, the hackers deployed the malware almost exclusively in targets of interest to Russia—government networks in the Caucasus and Eastern Europe, U.S. defense contractors and NATO. FireEye found a well-crafted phishing email aimed at a Georgian journalist, purporting to come from an editor at libertarian magazine Reason.
In another phishing attack, the security firm Trend Micro Inc. found the group created fake websites designed to trick employees at Academi into handing over their work email credentials, Tom Kellermann, the firm’s chief cybersecurity officer, said. One of these sites, the slightly misspelled academl.com, was created just weeks after the Russian government accused a firm with links to Academi of sending freelance troops to Ukraine to support the government, according to Internet registration records.
Academi has denied any involvement in Ukraine. A spokeswoman declined to comment.
Trend Micro said the hacking group aimed similar techniques at Science Applications International. A SAIC spokeswoman said the company appeared to have been targeted by hackers creating fake company websites, but blocked the efforts.
Two other computer-security firms with close ties to federal law enforcement, Crowdstrike Inc. and iSight Partners Inc., dubbed the hackers behind the Sofacy malware "Fancy Bear" and "Tsar Team," respectively. Executives at both companies acknowledge the names are references to Russia.
Google’s researchers don’t name Russia explicitly in their previously unreported memo, submitted last month to the Department of Homeland Security and other security professionals. Rather, the 41-page white paper, viewed by the Journal, referred to the hackers as a "sophisticated state-sponsored group" and noted the computers used to craft the cyberweapons were set to work with the Russian language. A Google spokesman confirmed the report’s existence and contents.
After Hours Gainers:
Companies trading higher in after hours in reaction to earnings: TRNX +30.1%, GIGA +15.6%, SANM +15.2%, ANAD +14.3%, RGC +12.2%, GIG +11.1%, IDTI +6.8%, BWLD +6.6%, ALSN +5.8%, UHS +1.5%, AI +0.9%, AMGN +0.9%, HIG +0.5%, CLF +0.1%
Companies trading higher in after hours in reaction to news: RCPT +29.9% (announced positive Phase 2 results for TOUCHSTONE Trial of RPC1063 in ulcerative colitis; study met primary efficacy and all secondary endpoints with statistical significance for patients on 1 mg dose after 8 weeks of treatment), TRNX +28.9% (co and Wright Medical (WMGI) to merge; each share of Wright common stock will be exchanged for 1.0309 ordinary shares of Tornier), MDCO +12.4% (hearing co received a favorable ruling in patent case against Mylan), EROC +11.8% (announced Q3 cash distribution of $0.07 per unit; announces common unit repurchase program of up to $100 mln), APPY +8.9% (announced its pivotal APPY1 Test clinical trial data were presented at ACEP14; APPY1 Test exhibited a sensitivity of 96.9%), WMGI +5.6% (announced receipt of FDA Approvable Letter for Augment Bone Graft; co to merge with Tornier (TRNX)), ANGI +2.1% (Director disclosed purchase of 15000 shares, worth total of $98.4K)
After Hours Losers:
Companies trading lower in after hours in reaction to earnings: AMKR -12.6%, TWTR -10.9%, KN -8.2%, KSS -6.1%, MERU -4.8%, ORC -4.7%, MAS -3.4%, AHGP -2.3%, MTW -2.2%, HLS -2%, CROX -1.7%, AGNC -1.3%, OMI -1.2%, DDR -0.8%, OHI -0.4%, CR -0.3%, PMCS -0.1%
Companies trading lower in after hours in reaction to news: RGLS -5.0% (announced commencement of public offering of common stock), HASI -4.8% (announced public offering of 4 mln shares of common stock)
Closing Market Summary: Key Indices End Little Changed While Commodity-Related Sectors Lag
The stock market began the last week of October on a cautious note. The S&P 500 slipped below its 100-day moving average (1962) and settled lower by 0.2% while the Dow Jones Industrial Average (+0.1%) outperformed throughout the session.
Equity indices faced selling pressure at the start, but the source of the early weakness was isolated to the two commodity-linked sectors that spent the entire session at the bottom of the leaderboard.
The energy sector (-2.0%) suffered from a Goldman Sachs downgrade of several major industry players, which stemmed from expectations that crude oil would trade between $70-$80/bbl. On that note, the energy component fell below the $80/bbl level in the morning, but narrowed its decline to just 0.1% by the pit close ($80.94/bbl). The rebound was assisted by a modest downtick in the Dollar Index (85.53, -0.20), which slipped 0.2%.
Elsewhere, the materials sector (-2.1%) endured broad pressure. Miners lagged with the Market Vectors Gold Miners ETF (GDX 20.11, -0.36) falling 1.8%, while steelmakers faced more aggressive selling. The Market Vectors Steel ETF (SLX 41.99, -1.15) lost 2.7% with Cliffs Natural Resources (CLF 9.22, -0.41) sliding 4.3% ahead of its earnings report.
Interestingly, the two cyclical sectors—and the telecom services space (+1.0%)—were the only groups that didn't settle in the neighborhood of their flat lines. Meanwhile, the remaining seven sectors ended with gains or losses of no more than 0.3%.
Generally speaking, countercyclical sectors held up well with the utilities sector (-0.2%) having the worst showing among the defensively-oriented groups. The rate-sensitive sector ended in-line with the market while the heavily-weighted health care space (+0.1%) registered a slim gain. The advance took place despite weakness in Allergan (AGN 182.33, -1.88) and Merck (MRK 56.45, -1.16), both of which reported earnings this morning. Allergan lost 1.0% despite reporting a bottom-line beat and upbeat Q4 earnings guidance while Merck slumped 2.0% after beating earnings estimates on a 4.3% year-over-year decline in revenue.
Treasuries climbed to highs shortly after the start of the session and spent the day near their best levels of the session. The 10-yr yield ticked down two basis points to 2.26%.
Participation was a bit below recent averages with 741 million shares changing hands at the NYSE floor. The relatively light volume was likely a function of some participants sticking to the sidelines ahead of Wednesday's release of the latest FOMC policy directive.
Economic data was limited to Pending Home Sales for September, which rose 0.3%. This was worse than the 0.5% increase forecast by the consensus, but ahead of last month's unrevised decrease of 1.0%.
Tomorrow, the Durable Orders report for September (consensus 0.6%) will be released at 8:30 ET while the Case-Shiller 20-city Index for August (consensus 5.5%) will cross the wires at 9:00 ET. The day's data will be topped off with the 10:00 ET release of the October Consumer Confidence report (expected 87.2).
* Nasdaq Composite +7.4% YTD * S&P 500 +6.1% YTD * Dow Jones Industrial Average +1.5% YTD * Russell 2000 -3.9% YTD
2014-10-27 15:30:00.5 GMT
--STEVE RHINDS