Thursday, July 11, 2024

The most notorious state-sponsored hacker groups your government must be aware of!


As conventional conflicts between great powers have been deterred by the threat of mutually assured nuclear holocaust, cyber warfare has slowly been taking their place in the global arena. Now, some groups of state-sponsored threat actors are coming into the spotlight.


With countless covert cyber espionage and sabotage attacks launched to steal sensitive data and cripple an opponent’s infrastructure and defense systems, state-sponsored hacking operations are now regarded as the biggest threat to government institutions and organizations alike.


Attacks by state-sponsored actors are not made exclusively against servers in dusty government offices, nuclear facilities, and military bases, however. Dissidents, political opponents, and nonprofits, as well as private companies that include public institutions as their clients, are just as likely to be targeted by state-backed hacker groups.


These are some of the most dangerous groups that have been a major headache for both policymakers and security researchers.

State-sponsored hacker groups are generally referred to as advanced persistent threats (APTs) by security researchers. Some companies simply assign them a number. Others have different naming conventions, referring to groups backed by different states as different animals; Iran's calling card, for example, is a kitten.


As a consequence, one threat actor group can go by several nicknames: for example, FireEye calls Cozy Bear ‘APT29’, while other companies refer to the group as Cozy Bear, CozyDuke, or The Dukes.


So, with that in mind, let’s take a look at the world's most dangerous bears, dragons, and kittens.


Cozy Bear (APT29)

Lazarus Group (APT38)

Double Dragon (APT41)

Fancy Bear (APT28)

Helix Kitten (APT34)

Cozy Bear (APT29)


Allegiance: Russia

Active since: 2008

Best known for: 2015 attack on the Pentagon, FireEye hack (allegedly), SolarWinds hack (allegedly), COVID-19 vaccine data theft

Cozy Bear (not to be confused with Fancy Bear, Venomous Bear, or Voodoo Bear) is a name that is widely known among both security experts and the media.


What makes Cozy Bear special? Well, allegedly playing a key part in Russian attempts to influence the 2016 US presidential elections, for one. From its suspected inception back in 2008, the group has targeted many organizations, including governments, think tanks, telcos, energy companies, even cybersecurity firms, in patterns that likely point towards methods of operation mainly employed by state security services. After all, Cozy Bear is one of two state-sponsored hacker groups that researchers have long believed to be linked to the GRU, Russia's premier military intelligence service.


In fact, if expert suspicions are correct, Cozy Bear might prove the most dangerous state-sponsored hacker group to wreak havoc on companies and government institutions in 2020.


The group's second (alleged) massive hit last year was FireEye - a leading security company that counts multiple US federal agencies and the better part of the Forbes Global 2000 list among its clients.


In December 2020, the security firm admitted that it had been hacked by undisclosed assailants, with its proprietary adversary simulation toolkit stolen. Officially, FireEye is still mum about who is to blame for the intrusion. However, sources say it was a Russia-backed hacker outfit. Namely, Cozy Bear. The impact of the FireEye hack is difficult to overstate, showing that state-sponsored attackers, given enough time and resources, can breach any organization, even those previously thought unassailable.


But as with most of 2020’s nasty surprises, that wasn’t the end of it.


Shortly after the FireEye hack, news hit that the Texas-based IT giant SolarWinds was the subject of a cyberattack. It appears that the attackers broke into SolarWinds' systems and injected malicious code into an update for the company's software platform "Orion," which spread to more than half of SolarWinds' 33,000 clients, including Fortune 500 companies and multiple US government departments (the Departments of Treasury, Commerce, and Homeland Security among them).


What’s even worse, the breach went undetected for months, and the attackers could have exfiltrated data in the highest echelons of the US government, including the US military and the White House.


According to the Washington Post, Cozy Bear was identified as the hacker group responsible for the attack. Its impact even prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive about the breach.


So, is Cozy Bear the most dangerous state-sponsored hacker group of all time? Maybe. Was it the scariest in 2020? Definitely.


Lazarus Group (APT38)

Allegiance: North Korea

Active since: 2010

Best known for: Operation Troy, WannaCry attack, COVID-19 vaccine data theft

Lazarus, also known as Zinc, Hidden Cobra, and North Korea’s sole profitable enterprise, is a notorious hacker group backed by the Pyongyang regime. North Korea has been investing significant resources in its cyberwarfare capabilities, and it shows. Lazarus Group has been linked to some of the most high-profile cyberattacks in recent years, including the infamous WannaCry ransomware attack in 2017 that infected more than 300,000 devices across the planet, making untold amounts of money in ransoms for the rogue state regime.


Since the unit’s inception in 2010, Lazarus’ cyberattacks have become increasingly sophisticated and destructive, mostly targeting financial institutions such as banks and fintech companies.


According to security experts, the state-sponsored group is being run akin to an espionage operation, carefully infiltrating targets over time, learning the ins and outs of the systems they compromise, and striking from the shadows when the victims least expect it.


The group’s latest large-scale raid involved attacks on a pharmaceutical company and a government health ministry in an attempt to steal COVID-19 vaccine data. Experts at Kaspersky suspect that the hackers stole the data from the pharmaceutical firm by deploying the Bookcode malware in a supply-chain attack via another company, while the ministry’s servers were compromised by installing wAgent, a sophisticated fileless malware program that fetches additional malicious payloads from a remote server.


This level of sophistication leads experts to believe that the North Korean hacking group will continue to evolve and pose even more danger in 2021 and beyond.


Double Dragon (APT41)

Allegiance: China

Active since: 2012

Best known for: Massive global hacking campaign in 2020

Double Dragon, aka Cicada, is a Chinese state-sponsored espionage group by day that’s also known to dabble in financially motivated cybercrime for personal gain by night. The group’s activities have been traced back to 2012 and have included espionage operations against 14 different countries, including the US and the UK.


Since its first sightings by security experts, Double Dragon has been observed conducting a wide range of operations. These include supply-chain attacks and data exfiltration, as well as the use of complex proprietary tools.


The group’s highly sophisticated targeting techniques and particularly offensive methods of operation distinguish them from other state-sponsored groups, making them a double (dragon) threat to contend with.


Apart from directly attacking government institutions, Double Dragon is also targeting private companies in the travel and telecommunications industries in order to access data they can use for surveillance operations.


For example, the group will steal reservation information, call data recordings and text messages to track high-ranking foreign government officials, as well as dissidents closer to home.



However, espionage is not the group’s only forte: it’s not called Single Dragon for a reason.


According to FireEye, Double Dragon “also conducts explicit financially motivated activity, which has included the use of tools that are otherwise exclusively used in campaigns supporting state interests." In other words, the group uses top-notch espionage tools to steal money for themselves “outside of their normal day jobs.”


In 2020, Double Dragon was one of the most prolific hacker groups, attempting to exploit vulnerabilities in hardware, as well as continuing to target government institutions in multiple countries and companies across dozens of industries.


However, it seems that the group’s ‘quantity over quality’ approach could be its downfall.


[Image: APT41 members pictured in an FBI wanted poster]

In September 2020, the US identified and charged 5 members of the group in a case that was part of a larger US crackdown against Chinese cyber-espionage efforts.


Did this operation hurt the state-sponsored group? Definitely. Will this spell the end of Double Dragon? Probably not.


Fancy Bear (APT28)

Allegiance: Russia

Active since: 2005

Best known for: 2016 DNC and Podesta leaks, attacks on anti-doping agencies in 2019


Fancy Bear (not to be confused with Cozy Bear, Venomous Bear, or Voodoo Bear) gained notoriety following reports of the group’s involvement in the Great DNC Hack of 2016, as well as a series of cyberattacks on Emmanuel Macron's campaign websites in the run-up to the 2017 French Presidential elections. Ever since, the cybersecurity community has been observing the group’s attacks far beyond the US and Western Europe.


Fancy Bear has a long history of committing sophisticated phishing attacks against high-value targets in the news media, dissident movements, the defence industry, and foreign political parties.


Their usual MO involves using lookalike email domains to trick their would-be victims into believing that the elaborate phishing emails produced by the group are coming from legitimate sources.


For example, when trying to hack Macron’s presidential campaign, the group used email domains that looked almost identical to that of his party’s official website, en-marche.fr. Fancy Bear used these domains to launch phishing campaigns similar to those that tricked senior officials in the US Democratic Party into giving away their email account credentials to the hackers.
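The lookalike-domain trick described above is something a mail gateway can screen for. The following is an added example, not code from the article or from any vendor it cites: it takes a trusted domain (here en-marche.fr, the only one the article names) and classifies sender addresses as legitimate, lookalike or unrelated, catching confusable characters, TLD swaps, one- or two-character typos and the trusted name embedded in a longer name. The sample addresses are constructed for illustration.

```python
"""Lookalike sender-domain triage (added example, not from the article)."""
import unicodedata

# Assumption: the trusted domain is the one the article names.
TRUSTED = "en-marche.fr"

# Common ASCII confusable sequences, folded before comparison.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def fold(label: str) -> str:
    """Lower-case, NFKC-normalise and fold confusables: 'en-rnarche' -> 'en-marche'."""
    s = unicodedata.normalize("NFKC", label.lower())
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> tuple:
    """Split 'mail.en-marche.fr' into ('en-marche', 'fr').
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_sender(address: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for one sender address."""
    sld, tld = registrable(address.rsplit("@", 1)[-1])
    t_sld, t_tld = registrable(TRUSTED)
    if (sld, tld) == (t_sld, t_tld):
        return "legitimate"   # exact domain or a genuine subdomain of it
    if fold(sld) == t_sld:
        return "lookalike"    # confusable characters, or same name under another TLD
    if levenshtein(fold(sld), t_sld) <= 2:
        return "lookalike"    # typo-squat such as enmarche.fr
    if t_sld in fold(sld):
        return "lookalike"    # trusted name embedded in a longer name
    return "unrelated"


# Constructed sample senders; none are real addresses from the campaign.
SAMPLE_SENDERS = [
    "press@en-marche.fr", "it@mail.en-marche.fr", "admin@en-rnarche.fr",
    "help@en-marche.com", "info@enmarche.fr", "alerts@support-en-marche.fr",
    "news@example.org",
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        print(f"{addr:30} {classify_sender(addr)}")
```

A "lookalike" verdict is a reason to quarantine or flag the message for review, not proof of an attack on its own; the distance threshold and confusable table are starting points to tune per organisation.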


The group’s extensive operations against victims in the political and defense sectors seem to mirror the strategic interests of the Russian government, which strongly points to an affiliation with the country’s military intelligence service, GRU.


According to CrowdStrike, Fancy Bear “has dedicated considerable time to developing their primary implant known as XAgent, and to leverage proprietary tools and droppers such as X-Tunnel, WinIDS, Foozer and DownRange.” And judging from the results, it seems that their implant has been rather effective.


In 2020, the group allegedly conducted dozens of cyberattacks against multiple US federal agencies. While seemingly less successful than their counterparts from Cozy Bear, Fancy Bear remains a constant thorn in the backside for many cybersecurity firms and government institutions across the world.


Helix Kitten (APT34)

Allegiance: Iran

Active since: 2007

Best known for: The 2013 New York Dam hack, attacks on the Australian Parliament House in 2019

Contrary to the other countries in this list, Iran seems to be increasingly utilizing contract hackers to conduct the regime’s offensive operations. Such ‘freelancers’ can hail from different countries and backgrounds, and may or may not be ‘true believers’ of the regime they’re working for.


Helix Kitten (also known as OilRig and APT34), however, is suspected to be one of the few groups of dedicated local operators working on behalf of the Iranian government.


Security experts believe that the group conducts most of its operations in the Middle East, targeting financial, energy, chemical, telecom, and other industries, as well as government institutions in countries seen by Iran as competitors to its regional dominance, such as Saudi Arabia and the UAE.


The use of communications infrastructure in Iran, as well as the “timing and alignment with the national interests” of the Iranian regime also lead experts to assess that Helix Kitten is not a bunch of freelancers from all over the world.


However, just like Double Dragon, the group also seems to be running projects ‘on the side’ by launching independent cybercrime campaigns by using attack toolkits provided by their employer.


In April 2019, Helix Kitten was dealt a major blow after a series of leaks on Telegram that exposed the names, tools, and activities of the hacker group. In the leak, ten individuals from Helix Kitten were publicly named, with three employed by Iran’s Ministry of Intelligence, and the others working at the Iranian cybersecurity company Rahacrop. This was seen as a coup de grâce to the notorious group, with its activities seemingly ceasing for the remainder of the year.

However, the rumors of Helix Kitten’s death appear to have been exaggerated, as the group seemed to continue its attacks well into 2020, wreaking havoc across the Middle East and South Asia.


Tuesday, July 9, 2024

Alshabaab claims to have attacked the Bariire base that was recently handed over to SNA

 


Alshabaab claims to have attacked the newly handed-over base in Bariire village today; ATMIS forces had transferred this base to the control of the SNA. Alshabaab claims that the SNA commander at this base was killed in the assault.


Let us all team up to fight terrorism.

M23 finalises training for cadres and recruits

 



The prime minister of Ethiopia, Abiy Ahmed, is in Port Sudan to meet with General Abdel Fattah al-Burhan


The prime minister of Ethiopia, Abiy Ahmed, arrived in Port Sudan and met with General Abdel Fattah al-Burhan, the military commander who has for years been the de facto leader of Sudan.


Ethiopia is trying to resolve the conflict by reaching out to the two warring parties to engage in peaceful dialogue. Sudan's war impacted the Horn of Africa.

Abdulkadir Mumin, the head of the ISIS affiliate in Somalia, is still alive despite being declared dead in an airstrike in May this year.

 




Abdulkadir Mumin, the head of the ISIS affiliate in Somalia, is alive, sources say, following a U.S. drone strike that targeted him on May 31 in the country's northeastern Federal State of Puntland.


In 2016, the U.S. declared him a specially designated global terrorist, saying that he posed a significant risk of committing acts of terrorism that threaten the security of U.S. nationals or the national security, foreign policy, or economy of the U.S.

Has Magloire Paluku joined the M23?

Several sources claim that the Congolese journalist Magloire Paluku may have joined the M23 rebellion. This information is also confirmed by the M23 movement: "He is here with us, like many other Congolese who are joining us," declared Willy Ngoma, military spokesperson of M23. Shortly before, the journalist was an advisor to the National Minister of Culture and Arts, Furaha Katungu of the UNC.



M23 dedicated the whole of June for the search of key figures in support of their rebellion

 


ATMIS troops stationed at Billis Qoqani Forward Operating Base (FOB) and Somali Security Forces (SSF) conducted a free medical camp for vulnerable people in the community.


The beneficiaries were thankful for the support of ATMIS KDF troops. The medical camp forms part of ATMIS' Civil-Military Cooperation (CIMIC) initiatives to strengthen relations between the military and local communities.





In a similar development, the ATMIS Sector 4 Commander, Col. Said Waberi Harour, chaired a high-level security meeting to assess the security and humanitarian situation in Beletweyne, following the handover of Orhasan Forward Operating Base (FOB) to the Somali National Armed Forces (SNAF).

The meeting, held at Sector 4 HQ, agreed to intensify joint patrols and share intelligence to deter Al-Shabaab attacks on civilians.

In attendance were the Djibouti National Defence Force (DNDF) 1st Battalion Commander, Lt. Col. Mohamed Hassan Abdallah; senior SNAF personnel; officials from the Hiran region administration; and officers from the Somali Police Force (SPF).






Richard Todwong, the Secretary General of Uganda's ruling party, the National Resistance Movement, has confirmed that his brother, Major Opiyo Patrick, was killed on Sunday, July 7, 2024 in Somalia, between Buulo Nagad and Ceel Wareego Lower Shabelle region.

[Photo: the late Major Opio (RIP)]




In a statement released on Monday, ATMIS said, "a joint ATMIS-UPDF and SNAF, logistics convoy was hit by a command wire, Improvised Explosive Device (IED) on Sunday along the Mogadishu-Buffow-Barawe route."

"The attack claimed two lives and injured personnel from both ATMIS and SNAF. All casualties have been evacuated to medical facilities."

ATMIS offered heartfelt condolences to the families of the deceased and prayed for a quick recovery for the injured.

"The incident strengthens our resolve to support peace and security efforts in Somalia," ATMIS stated.

The deceased include Maj. Opio Awany, brother of the ruling National Resistance Movement (NRM) Secretary General, Richard Todwong.

Captain Ibrahim Ssekito, the UPDF Battle Group Information Officer, confirmed Maj. Patrick Opio Awany's death and said three UPDF soldiers were injured in the attack which occurred at 1:00pm on Sunday, July 7, 2024 between Buulo Nagad and Ceel Wareego, Lower Shabelle in Somalia.

“He was a convoy commander. Al-Shabaab laid an Improvised Explosive Device (IED) against his convoy which hit his vehicle and killed him,” Capt. Ssekito said.

He said the ill-fated convoy was carrying logistics and that Maj. Awany who was part of the Motorised Infantry Brigade of the UPDF, died on the spot.

On Monday, Todwong, who is currently attending a Public Service Leaders' introspection retreat for Ministers, Permanent Secretaries, and NRM top leadership at the National Leadership Institute (NALI) in Kyankwanzi, took to the X platform to mourn his brother.

“I celebrate my brother, Maj. Opio Patrick Awany. Your dedication to protecting our country was your code and you approached your duty with unmatched passion. You bravely faced countless battles in the Central African Republic, Eastern Democratic Republic of Congo (DRC) and Somalia,” Todwong said.

He revealed his brother’s life, “was tragically cut short on Sunday morning as you served our continent Africa. May your legacy endure to inspire more heroes. We will forever hold you in our hearts, Patrick. You were a true patriot.”

This attack comes in the wake of a directive by ATMIS that the troop-contributing countries engage in a drawdown that will see the number of soldiers deployed to back up the Somali National Forces reduced and some operations handed back to Federal Government of Somalia forces.

LET US ALL TEAM UP TO FIGHT TERRORISM





 

Watch the video of the full proceedings from the UN Security Council on the war in North Kivu



M23 concentrating reinforcements for the assault on Goma. Residents alert the DRC government of a planned attack on Goma


According to a resident of Rumangabo in the territory of Rutshuru, on the Rutshuru-Goma road, several vehicles carrying M23 soldiers crossed Rubare last night towards Kibumba, at the gate of the city of Goma.


“An attack on the city of Goma is being prepared,” warns this Congolese.


“This Monday, July 8, 2024 at 9:30 p.m., 5 FUSO brand vehicles and 2 JEEPs full of M23/RDF from Rutshuru center have just crossed here in Rumangabo in the direction of Kibumba,” he testified.


At the beginning of July, civil society in the Nyiragongo territory around the city of Goma warned of a plan by Rwanda to attack the city of Goma after the elections in Rwanda 🇷🇼.


“We are alerting the Congolese authorities to Rwanda's plan to attack the city of Goma just after the current elections in Rwanda,” alerted Mambo Kawaya, from Nyiragongo civil society.