NSA warns of ongoing Russian hacking campaign against U.S. systems

By Christopher Bing

(Reuters) – The U.S. National Security Agency on Thursday warned government partners and private companies about a Russian hacking operation that uses a special intrusion technique to target operating systems often used by industrial firms to manage computer infrastructure.

“This is a vulnerability that is being actively exploited, that’s why we’re bringing this notification out,” said Doug Cress, chief of the cybersecurity collaboration center and directorate at NSA. “We really want… the broader cybersecurity community to take this seriously.”

The notice is part of a series of public reports by the spy agency, which is responsible for both collecting foreign intelligence and protecting Defense Department systems at home, to share actionable cyber defense information.

Cress declined to discuss which business sectors had been most affected, how many organizations were compromised using the Russian technique, or whether the cyber espionage operation targeted a specific geographic region.

The NSA said the hacking activity was tied directly to a specific unit within Russia’s Main Intelligence Directorate, also known as the GRU, named the Main Center for Special Technologies. The cybersecurity research community refers to this same hacking group as “Sandworm,” and has previously connected it to disruptive cyberattacks against Ukrainian electric production facilities.

Secretary of State Mike Pompeo also called out the same GRU unit in February for conducting a cyberattack against the country of Georgia.

A security alert published by the NSA on Thursday explains how hackers with GRU, Russia’s military intelligence, are leveraging a software vulnerability in Exim, a mail transfer agent common on Unix-based operating systems, such as Linux. The vulnerability was patched last year, but some users have not updated their systems to close the security gap.

“Being able to gain root access to a bridge point into a network gives you so much ability and capability to read email, to navigate across and maneuver through the network,” said Cress, “so it’s more about the danger we’re trying to help people understand.”

(Reporting by Christopher Bing; Editing by Dan Grebler)

Hacking group claims to offer cyber-weapons in online auction

Cyber coder

By Joseph Menn

(Reuters) – Hackers going by the name Shadow Brokers said on Monday they will auction stolen surveillance tools they say were used by a cyber group linked to the U.S. National Security Agency.

To arouse interest in the auction, the hackers released samples of programs they said could break into popular firewall software made by companies including Cisco Systems Inc, Juniper Networks Inc and Fortinet Inc.

The companies did not respond to request for comment, nor did the NSA.

Writing in imperfect English, the Shadow Brokers promised in postings on a Tumblr blog that the auctioned material would contain “cyber weapons” developed by the Equation Group, a hacking group that cyber security experts widely believe to be an arm of the NSA. [http://reut.rs/2aVA7LD]

The Shadow Brokers said the programs they will auction will be “better than Stuxnet,” a malicious computer worm widely attributed to the United States and Israel that sabotaged Iran’s nuclear program.

Reuters could not contact the Shadow Brokers or verify their assertions. Some experts who looked at the samples posted on Tumblr said they included programs that had previously been described and therefore were unlikely to cause major damage.

“The data [released so far] appears to be relatively old; some of the programs have already been known for years,” said researcher Claudio Guarnieri, and are unlikely “to cause any significant operational damage.”

Still, they appeared to be genuine tools that might work if flaws have not been addressed. After examining the code released Monday, Matt Suiche, founder of UAE-based security startup Comae Technologies, concluded they looked like “could be used.”

Other security experts warned the posting could prove to be a hoax. The group said interested parties had to send funds in advance of winning the auction via Bitcoin currency and would not get their money back if they lost.

The auction will end at an unspecified time, Shadow Brokers said, encouraging bidders to “keep bidding until we announce winner.”

(Editing by Cynthia Osterman)