From Bellingcat, a deep dive on a GRU hacker involved in multiple hacking operations. The story underscores the fact that the GRU has run operations against the German parliament, the Bundestag, as well as against international organizations such as the Organisation for the Prohibition of Chemical Weapons (OPCW) and the World Anti-Doping Agency (WADA).
It is not a “hoax” to say that Russian intelligence has targeted these Western institutions. It is a reality, as the story of Dmitry Badin shows.
German media report that the German federal police has been able to link the 2015 phishing campaign against the Bundestag and the subsequent data theft to Dmitry Badin, an alleged member of the GRU’s elite hacking unit 26165, better known among security analysts as APT28.
The operation’s linkage to him has reportedly been made on the basis of log analysis and “information from partner services”; however, no specific evidence of how the attribution was made has yet been made public. Dmitry Badin was already on the FBI’s wanted list over his alleged involvement in several hacking operations attributed to the GRU’s APT28 unit. Among these were the hack of the anti-doping organization WADA while it was investigating a Russian doping program, as well as the DNC hack on the eve of the 2016 US presidential election.
This story comes not from Western intelligence agencies (which have a vested interest in elevating the threat of Russia) but from independent Russian media, which has a vested interest in exposing how the country’s opaque authoritarian regime functions.
Here investigative journalist Liliya Yapparova of Meduza explores the hacking collective known as Evil Corp and its founder, Maxim Yakubets, now wanted by U.S. authorities with a $5 million bounty on his head.
Meduza investigative journalist Liliya Yapparova discovered that Evil Corp’s hackers belong to the families of high-ranking Russian state bureaucrats and security officials. She also learned more about the Russian intelligence community’s close ties to Maxim Yakubets, whose arrest is now worth $5 million to the United States. And she illuminates the hackers’ obsession with breaking speed limits in their expensive sports cars.
Last December, the U.S. government formally indicted Yakubets and other alleged members of the Russian hacker group “Evil Corp.” The U.S. government says these men are behind “the world’s most egregious cyberattacks,” causing hundreds of millions of dollars in losses to banks.
Maxim Yakubets’s apartment in Moscow was first searched by Russian law enforcement on November 24, 2010. He was home at the time, as was his first wife. They had not been hard to find: Yakubets used the same email address for his hacking work that he had used to have a stroller for their one-year-old son delivered to his home address, a textbook operational-security failure that tied his criminal persona to his real identity. While the information unearthed during the search was passed on to the American government, Russian officials did not take the criminal case against Yakubets any further.
Multiple sources told Meduza that what happened next was extremely predictable. One FSB veteran whose job involved wrangling hackers said, “If it turns out during the first encounter that they’re just cold, then those folks don’t live long. The rest start to collaborate.”
The collaboration became personal in 2016 when Yakubets married the daughter of former FSB agent Eduard Bendersky.
“He’s a former agent but a very influential one to this day, very influential. He has loads of businesses and loads of oil. And his own PMC [private military company] in the Middle East,” said an acquaintance of Bendersky’s who also formerly served in the FSB. To Russian journalists and the public, Bendersky is also known for the extensive influence he has attained through his leading role in Russia’s sport hunting lobby.
But Meduza says Yakubets’ family connection might not be enough to protect him.
An FSB veteran who maintains close ties with the agency told Meduza that the FSB’s K Division, which handles financial crimes, has begun to target Evil Corp despite its government connections. The former agent said the K Division has been looking for a case big enough to earn someone a general’s rank, and Evil Corp fits the bill: in addition to stealing foreign funds, the group is accused of laundering the stolen money and finding ways to cash it out.
So perhaps, for both the Russian and U.S. governments, Yakubets is a proverbial high-value target.
In a nine-count indictment filed in federal court in Atlanta, federal prosecutors alleged that four members of China’s People’s Liberation Army (PLA) hacked into Equifax’s systems, stealing personal data as well as company trade secrets. In a statement announcing the case, Attorney General William P. Barr called their efforts “a deliberate and sweeping intrusion into the private information of the American people.”
The indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei were members of the PLA’s 54th Research Institute, a component of the Chinese military. They allegedly conspired to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive personally identifiable information.
The 2017 breach gave the hackers access to the personal information, including Social Security numbers and birth dates, of about 145 million people. Equifax last year agreed to a settlement of up to $700 million with the Federal Trade Commission to compensate victims. Those affected can ask for free credit monitoring or, if they already have such a service, a cash payout of up to $125, though the FTC has warned that a large volume of claims could reduce that amount.
U.S. intelligence agencies and cybersecurity experts had previously identified two other PLA components that engage in hacking and espionage on behalf of China, known as PLA Units 61398 and 61486; the 54th Research Institute named in this indictment is a separate unit.
In April 2017, an anonymous group of hackers calling themselves the Shadow Brokers published a collection of cyber weapons created by the National Security Agency (NSA).
Now a group of Russian hackers has published a set of tools commissioned by Russia’s Federal Security Service (FSB), according to the BBC. (The FSB is Russia’s domestic security and counterintelligence service, loosely comparable to the FBI.)
The hack occurred on July 13, 2019. Instead of the main page of the website of the Moscow IT company “Sitek”, visitors saw an image of a face with a wide grin and smugly squinting eyes (in Russian internet slang, a “Yoba-face”). Defacement, replacing a site’s main page, is a common hacker tactic; it demonstrates that the attackers gained control of the web server, while the extent of their access to internal data is shown by what they actually leaked rather than by the defacement itself. A screenshot of the “Yoba-face” appeared in a Twitter account registered on the day of the attack.
The material was developed at the request of a Russian military unit.
Most of the non-public projects Sitek performed were ordered by military unit No. 71330. Experts at the International Center for Defense and Security in Tallinn believe that this military unit is part of the 16th Directorate of the Federal Security Service of Russia, which is responsible for signals intelligence.
Unlike the Shadow Brokers leak, the Sitek documents are confidential, not classified, according to the BBC.
From the archive, which the BBC Russian Service was able to review, it appears that Sitek performed work on at least 20 non-public IT projects ordered by Russian special services and government departments. These papers contain no state secrets.
Iranian hackers, suspected of penetrating the phone of Benny Gantz, the former Israeli general running for prime minister, have thrown Israeli politics into turmoil. Or maybe Iranian hackers had nothing to do with it.
The story broke last week on Israeli television and was picked up by Haaretz.com.
Gantz, who is leading Netanyahu in the polls, held a press conference on Friday evening, highly unusual in Israel, to deny there was any security information on the phone. But the story has shaken up his campaign.
The Shin Bet has told Gantz his phone was hacked by “Iranians.” This is an entirely plausible scenario. A number of former senior figures in Israel’s defense establishment have been targeted by Iranian hackers in recent years, some having their smartphones and computers hacked. But in the murky world of cyberespionage, it is also possible that other players with an interest in the former army chief and up-and-coming Israeli politician could have done so too, masquerading behind an “Iranian signature.”
Iranian hackers are among the most active in the world, and some are believed to act in concert with Iranian intelligence agencies.
But did the Gantz hack come from Iranians? Haaretz’s caution is well-advised. To repeat:
it is also possible that other players with an interest in the former army chief and up-and-coming Israeli politician could have done so too, masquerading behind an “Iranian signature.”
According to Times of Israel, Gantz’s Blue and White party “has noted that if the report about Gantz’s phone was accurate, the information could only have come from intelligence agencies or the civilian National Cyber Directorate, all of which are under the Prime Minister’s Office.”
Netanyahu and his Likud party have roundly denied the accusations, saying in a Saturday night campaign video that the attempt to blame the prime minister for the leak was meant “to distract from the fact that the Iranian regime openly supports” Gantz’s candidacy.
So Netanyahu is trying to smear his rival as a supporter of Iran and is using the Iranian hacker narrative to do it. How credible is that?