May 6, 2019 – Symantec determines China used the same NSA hacking tools that were later dumped by the Shadow Brokers

The server room at Symantec in Culver City, Calif. The company provided the first evidence that Chinese state-sponsored hackers had acquired some of the National Security Agency’s cybertools before other hackers. (Credit: Michal Czerwona/The New York Times)

“Chinese intelligence agents acquired National Security Agency hacking tools and repurposed them in 2016 to attack American allies and private companies in Europe and Asia, a leading cybersecurity firm has discovered. The episode is the latest evidence that the United States has lost control of key parts of its cybersecurity arsenal.

Based on the timing of the attacks and clues in the computer code, researchers with the firm Symantec believe the Chinese did not steal the code but captured it from an N.S.A. attack on their own computers — like a gunslinger who grabs an enemy’s rifle and starts blasting away.

The Chinese action shows how proliferating cyberconflict is creating a digital wild West with few rules or certainties, and how difficult it is for the United States to keep track of the malware it uses to break into foreign networks and attack adversaries’ infrastructure.

The losses have touched off a debate within the intelligence community over whether the United States should continue to develop some of the world’s most high-tech, stealthy cyberweapons if it is unable to keep them under lock and key.

The Chinese hacking group that co-opted the N.S.A.’s tools is considered by the agency’s analysts to be among the most dangerous Chinese contractors it tracks, according to a classified agency memo reviewed by The New York Times. The group is responsible for numerous attacks on some of the most sensitive defense targets inside the United States, including space, satellite and nuclear propulsion technology makers.

Now, Symantec’s discovery, unveiled on Monday, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.

Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.

But Symantec’s discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016. (Read more: The New York Times, 5/06/2019)

The Clinton campaign suggests that some emails released by WikiLeaks could be forgeries, but experts have found no evidence of this.

Tim Kaine appears on CNN's "State of the Union" on October 9, 2016. (Credit: CNN)

Since October 7, 2016, WikiLeaks has been publishing an average of about 2,000 emails from Clinton campaign chair John Podesta every day. Podesta and the Clinton campaign have admitted his account got hacked, but they have suggested that some of the emails could be forgeries. For instance, on October 9, 2016, Democratic vice presidential candidate Tim Kaine said in a CNN interview, “I don’t think we can dignify documents dumped by WikiLeaks and just assume they are all accurate and true. Anybody who hacks in to get documents is completely capable of manipulating them.”

However, Politico reports, “Clinton’s team hasn’t challenged the accuracy of even the most salacious emails… And numerous digital forensic firms told Politico that they haven’t seen any proof of tampering in the emails they’ve examined — adding that only the hacked Democrats themselves could offer that kind of conclusive evidence.”

Laura Galante (Credit: Bloomberg News)

Laura Galante, a director of the cybersecurity company FireEye, says, “It’s very hard to go verify what is true and what’s not. Even the victims of the accounts that are getting exposed are having a hard time.”

Politico also comments, “Experts have warned for months about the possibility that the document leaks may eventually include a sprinkling of falsehoods to stoke their impact, noting that Russian and Soviet intelligence services had long used such techniques against their enemies.” The US government alleges that the Russian government has been behind some recent hacking of US political entities.

A WikiLeaks spokesperson dismisses claims some of the emails are fake. “Standard nonsense pushed by those who have something to hide. WikiLeaks has won a great many awards for its journalistic work and has the best vetting record of any media organization. … In fact, it’s completely legitimate to everyone in the journalism industry that [the emails] are exactly as we say they are, which is why everyone is running with them.”

Thomas Rid (Credit: King’s College, London)

However, some experts point out that hackers could have tampered with emails before giving them to WikiLeaks, or they may choose to only selectively hand over emails that promote a certain political agenda.

Thomas Rid, a cybersecurity researcher and professor, says, “Of course it would be more effective for [the Russians] not to undermine the credibility of WikiLeaks in any way by altering documents. But if we look at their past behavior, that is certainly something that has been considered and actually done in the past.” (Politico, 10/12/2016)

September 20, 2016 – A House IG investigation finds Imran Awan made ‘unauthorized access’ to congressional servers

Imran Awan (Credit: Bonnie Jo Mount/Washington Post)

“The Department of Justice found “no evidence” that former Democratic IT aide Imran Awan violated cybersecurity laws, prosecutors said Thursday, but the House of Representatives’ internal watchdog reported that the Pakistani native made “unauthorized access” to congressional servers.

Prosecutors said police interviewed approximately 40 witnesses, reviewed relevant communications and examined a number of related devices, but couldn’t find anything they could charge Imran with regarding cybersecurity. Details of the investigation were included in a plea deal with Imran surrounding unrelated bank fraud.

But a pair of presentations by House Inspector General Theresa Grafenstine detail a number of rules Imran and his family allegedly broke surrounding cybersecurity rules. The watchdog is a past chair of ISACA, an international IT association.

Grafenstine found that Imran made “unauthorized access” to congressional servers in a way that suggested he was trying to “conceal” his activity and that his unusual activity suggested a server could be used for “nefarious purposes.”

A source allowed The Daily Caller News Foundation to review and transcribe the IG’s PowerPoint presentation, but was not given a copy for fear that metadata could reveal the source’s identity.

Below is that transcription in full.

Page one of the House Inspector General's report on Imran Awan.

Page two of the House Inspector General's report on Imran Awan.

Page three of the House Inspector General's report on Imran Awan.

(Read more: The Daily Caller. 7/09/2018)

“Less than 20 people” had access to Clinton’s private server.

Cooper shakes hands with Representative Chaffetz after the hearing. (Credit: public domain)

Justin Cooper worked with Bryan Pagliano to manage Clinton’s private server while she was secretary of state. When Cooper testifies before a Congressional committee on this day, he is asked by Representative Jason Chaffetz (R), “[H]ow many people had access to the server?”

He replies, “There were two people who had some administrative rights, myself and Mr. Pagliano. I can’t off the top of my head tell you exactly how many users there were over the lifetime of the server, but it was less than 20 people.”

He also mentions, “The only remote access login to the server was for myself and Mr. Pagliano.”

At other points in his testimony, he says that most of the users were members of former President Bill Clinton’s staff and/or Clinton Foundation employees. Cooper doesn’t have a security clearance, and it’s probable that most of the others with access to the server don’t have security clearances either. (US Congress, 9/13/2016)

In July 2016, FBI Director James Comey claimed that Clinton gave between three and nine people without a security clearance access to the server, but he may be defining “access” in a different manner than Cooper.

Justin Cooper was an administrator of Clinton’s private server and yet had no security clearance; Clinton apparently wasn’t asked about this.

Justin Cooper appears before the House Oversight and Government Affairs Committee on September 13, 2016 (Credit: Alex Wong / Getty Images)

Justin Cooper worked with Bryan Pagliano to manage Clinton’s private server while she was secretary of state. But while Pagliano was a State Department employee, Cooper was an aide to former President Bill Clinton as well as a Clinton Foundation employee. When Cooper testifies before a Congressional committee on this day, he is asked by Representative Jason Chaffetz (R) if he had a security clearance while he was helping to manage the server.

He replies, “No, I did not have a security clearance.”

He mentions that he worked in the White House from 2000 to 2001, but he is not asked if he had a security clearance in those years. However, he mentions that he wasn’t involved in handling classified information at that time.

Chaffetz also asks him, “You had access to the server the entire time you were working for the Clintons?”

He answers, “Yes I had access to the server.”

He also mentions that both he and Pagliano had remote access, which means they could have accessed Clinton’s emails over the Internet at any time. (US Congress, 9/13/2016)

Curiously, the FBI Clinton email investigation’s final report, released earlier in September 2016, doesn’t mention Cooper’s lack of a security clearance. Nor does the summary of Clinton’s July 2016 FBI interview, also made public in early September 2016, indicate whether Clinton knew Cooper had no security clearance when she hired him and continued to pay him to manage the server. (Federal Bureau of Investigation, 9/2/2016)

Clinton is “concerned” about Russian election-rigging in Trump’s favor.

Clinton holds an in-flight press conference on September 5, 2016. (Credit: Andrew Harnik / The Associated Press)

Clinton comments about allegations of Russian hacking of US political entities: “I’m really concerned about the credible reports about Russian government interference in our elections … The fact that our intelligence professionals are now studying this, and taking it seriously… raises some grave questions about potential Russian interference with our electoral process.”

Clinton voices suspicions that Republican presidential nominee Donald Trump could be colluding with Russia: “We’ve never had the nominee of one of our major parties urging the Russians to hack more… I think it’s quite intriguing that this activity has happened around the time Trump became the nominee… I often quote a great saying that I learned from living in Arkansas for many years: If you find a turtle on a fence post, it didn’t get there by itself.” (Politico, 9/5/2016)

Obama claims the US has “had problems with cyber intrusions from Russia.”

US President Obama and Russian President Vladimir Putin meet at the G-20 summit in China.

Obama and Putin have a pull-aside meeting at the G20 Summit in China on September 5, 2016. (Credit: Hamari Web)

When Obama is questioned by reporters about accusations that Russia has been behind the hacking of US political entities, he answers: “I will tell you we’ve had problems with cyber intrusions from Russia in the past and from other countries in the past.”

He adds, “the goal is not to duplicate in the cyber area the cycle of escalation,” and his intent is “instituting some norms so that everybody’s acting responsibly.” (The Hill, 9/5/2016)

The FBI was unable to confirm hackers broke into Clinton’s system, but it cites an inability to gather enough evidence to do so.

The FBI Clinton email investigation’s final report, released on this day, states, “FBI investigation and forensic analysis did not find evidence confirming that Clinton’s email server systems were compromised by cyber means.” (Elsewhere in the report, it is mentioned that one email account on the server appears to have been broken into by hackers.)

A generic sample of what an attempted hack would look like in the log data. (Credit: public domain)

But the report goes on to state, “The FBI’s inability to recover all server equipment and the lack of complete server log data for the relevant time period limited the FBI’s forensic analysis of the server systems. As a result, FBI cyber analysis relied, in large part, on witness statements, email correspondence, and related forensic content found on other devices to understand the setup, maintenance, administration, and security of the server systems.”

Elsewhere in the report, it is noted that the FBI was unable to recover any of the 13 BlackBerry mobile devices Clinton used during or shortly after her tenure as secretary of state, a laptop containing a back-up of her emails was lost, the server most recently containing her emails was wiped with BleachBit software, the server used for her first two months in office was also lost, hard drive back-ups that were made were also lost, and so on. (Federal Bureau of Investigation, 9/2/2016)

At the conclusion of the FBI’s investigation on July 5, 2016, FBI Director James Comey said there was no “direct evidence” Clinton’s email account had been successfully hacked. But the next day, the New York Times reported, “both private experts and federal investigators immediately understood his meaning: It very likely had been breached, but the intruders were far too skilled to leave evidence of their work.”

Putin denies that Russia was involved in the DNC hack.

Russian President Vladimir Putin says in an interview about accusations of Russian government involvement in the hacking of Democratic National Committee (DNC) emails: “Listen, does it even matter who hacked this data? The important thing is the content that was given to the public …. There’s no need to distract the public’s attention from the essence of the problem by raising some minor issues connected with the search for who did it. … But I want to tell you again, I don’t know anything about it, and on a state level Russia has never done this.”

However, an internal probe conducted by CrowdStrike Inc. traced the source of the hack to two Russian hacking groups connected with Russian intelligence, “Cozy Bear” and “Fancy Bear.”

James Lewis (Credit: public domain)

James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, claims that Russia has engaged in state hacking in the past and that Putin’s denials are “not credible.”

Putin continues: “You know how many hackers there are today? They act so delicately and precisely that they can leave their mark — or even the mark of others — at the necessary time and place, camouflaging their activities as that of other hackers from other territories or countries. It’s an extremely difficult thing to check, if it’s even possible to check. At any rate, we definitely don’t do this at a state level.” (Bloomberg News, 9/1/2016)

It is alleged that Clinton’s lawyers used a computer program to make sure her deleted emails couldn’t be recovered.

Since late 2014, when Clinton and her lawyers deleted over 31,000 of Clinton’s emails from when she was secretary of state, it has been unclear if the emails were simply deleted or “wiped,” meaning deliberate steps were taken to make sure they couldn’t be recovered later.

Trey Gowdy appears with Martha MacCallum on Fox News on August 25, 2016. (Credit: Fox News)

In an interview, Representative Trey Gowdy (R) says that, “[Clinton] and her lawyers [Cheryl Mills, David Kendall, and Heather Samuelson] had those emails deleted. And they didn’t just push the delete button; they had them deleted where even God can’t read them. They were using something called BleachBit. You don’t use BleachBit for yoga emails or bridesmaids emails. When you’re using BleachBit, it is something you really do not want the world to see.”

BleachBit Logo (Credit: public domain)

BleachBit is computer software whose website advertises that it can “prevent recovery” of files. Politico notes that if Gowdy is correct, this would be “further proof that Clinton had something to hide in deleting personal emails from the private email system she used during her tenure as secretary of state.” It is not explained how Gowdy might know this, but his comments come only a few days after the FBI gave raw materials about their Clinton email investigation to Congress. (Politico, 8/25/2016)

Gowdy’s claim contradicts what FBI Director James Comey said on July 5, 2016 when he announced that he would not recommend charging Clinton with any crime. At that time, Comey stated, “we found no evidence that any of the additional work-related emails were intentionally deleted in an effort to conceal them. Our assessment is that, like many email users, Secretary Clinton periodically deleted emails or emails were purged from the system when devices were changed.” (Federal Bureau of Investigation, 7/5/2016)

Within hours of Gowdy’s comments, BleachBit updates their website to say: “Last year when Clinton was asked about wiping her email server, she joked, ‘Like with a cloth or something?’ It turns out now that BleachBit was that cloth, according to remarks by Gowdy.” The website also notes, “As of the time of writing BleachBit has not been served a warrant or subpoena in relation to the investigation. … The cleaning process [of our program] is not reversible.” (BleachBit, 8/25/2016)

On September 2, 2016, the FBI’s final report on their Clinton email investigation will be released, and it will be revealed that BleachBit was used on Clinton’s server in late March 2015. (Federal Bureau of Investigation, 9/2/2016)