Your Source for Leaks Around the World!

Archive for the ‘Hacking’ Category

UNITEDRAKE: The Shadow Brokers Leak NSA Malware Manual from August Dump

In Archive, Hacking, NSA, Shadow Brokers on September 7, 2017 at 12:11 PM

PDF (2MB)

The Shadow Brokers – the hacker group behind the ongoing leaks of NSA tools and exploits – released their September 2017 communique yesterday. In it they detail upcoming prices and changes to their monthly dump service, stating that the leaks will now be semi-monthly, continuing until at least November 15, and that September’s dump will contain exploits.

More interestingly for non-subscribers, at the bottom of the post is a MEGA link containing “Files, Signed Message, Manual to August Dump.” The manual – titled “UNITEDRAKE Version 4.6.1” – appears to have been altered by an open source graphics program and then re-saved as a PDF. Classification markings have been removed and the company listed on the manual is fake.

UNITEDRAKE is a modular malware described as a “fully extensible remote collection system designed for Windows targets.”

The manual lists the supported targets as Windows XP, Windows Server 2003 and 2008, Vista, Windows 7 SP1 and earlier, Windows 8 and Windows Server 2012. The tool is a client/server system: the server side runs as a service that receives and manages collected data, while clients planted on target machines gather information and send it back to the server over the internet.

UNITEDRAKE first came to light in 2013, in classified NSA documents leaked by Edward Snowden and in a catalog of NSA hacking tools leaked by a second source, which revealed that the NSA used it alongside other malware to infect millions of computers around the world.

By using “plugins”, UNITEDRAKE can perform tasks including intercepting and monitoring communications, capturing keystrokes, recording from the webcam and microphone, impersonating users, stealing diagnostic information and self-destructing once its tasks are complete.

via emptywheel:

The way in which UNITEDRAKE is used with FISA is problematic. Note that it doesn’t include a start date. So the NSA could collect data from before the period when the court permitted the government to spy on them. If an American were targeted only under Title I (permitting collection of data in motion, therefore prospective data), they’d automatically qualify for 705(b) targeting with Attorney General approval if they traveled overseas. Using UNITEDRAKE on — say, the laptop they brought with them — would allow the NSA to exfiltrate historic data, effectively collecting on a person from a time when they weren’t targeted under FISA. I believe this kind of temporal problem explains a lot of the recent problems NSA has had complying with 704/705(b) collection.

In 2015 the cybersecurity and anti-virus vendor Kaspersky released a report on the “Equation Group”, the actor to which The Shadow Brokers originally attributed the leak and which has been tied to the NSA’s Tailored Access Operations (TAO) hacking unit. Kaspersky found UNITEDRAKE malware – which the report calls EQUATIONDRUG and GRAYFISH – on customer machines in over 30 countries, including Iran, Russia, China, the US and the UK, in sectors including government, military, finance, energy and media.

OTHER CODENAMES IN UNITEDRAKE MANUAL:

FOXACID
PUZZLECUBE
BLUISHDEFER
SOLARTIME
JUSTVISITING
FOGGYBOTTOM
SALVAGERABBIT
WISTFULTOLL (ANT Catalog)
INFOSPYDER
KILLSUIT
SQUASHCHUNKY
THERMALDIFFUSION
WHITESPYDER
BEIGETHICKET
DAYTONSUNDAY
GROK
KRISPYKREME
NETPSPYDER
STOWAGEWINK
SULPHURWRITE
FLEWAVENUE
HEAVENSLEW
FELONYCROWBAR
DOGROUND
DICEDEALER

Examining Hacked Emails From US State Dept’s Top Russian Intel Official Robert Otto

In Archive, Hacking, Russia, State Dept, USA on July 18, 2017 at 1:25 AM

Robert Otto (image via emails)

via Johnnie Walker (h/t to @codefiscal for link):

Perhaps you know that the U.S. State Department has a direct bearing on the agenda formation not only at home but throughout the world.

Now you can make sure it’s true. Let me show you the correspondence between the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance Agency Robert P. Otto and his colleagues, CIA officers and other intelligence agencies, as well as representatives of mainstream media, NGOs, international funds and think tanks.

With the respect for privacy I’ve deleted his correspondence with his wife and relatives. The rest of emails will give evidence of who is responsible for different information campaigns, the so-called mythmaking and essentially engaged in the promotion of “American values” throughout the world.

DOCUMENT CACHE CAN BE DOWNLOADED HERE

ForeignPolicy:

The State Department did not confirm or deny the authenticity of the emails. “The Department of State is well aware that malicious actors often target email accounts of government and business leaders across the United States. As a matter of policy, we do not discuss specific attempts or incidents,” a State Department spokesman said.

But the official’s expertise in Russian politics and organized crime makes him a significant target.

“He’s probably the top intelligence guy in the entire U.S. government on Russia. He knows more than anybody about what’s going on there,” said one source whose correspondence with the official was revealed in the hack.

The official’s emails were primarily conversations among Russia experts in government, including the intelligence community, exchanging articles, newsletters, and thoughts on current events. The official corresponded frequently with other Russia experts in academia and the think-tank world.

While several of his colleagues contacted by FP said they were unaware of the hack, they were not surprised, given recent events.

According to a second source whose correspondence showed up in the hacked emails, at least one other Russia expert was recently hacked — an Australian academic with a history of government service, although the emails appear not to have been released.

There’s no evidence proving Russian hackers targeted the official, but the first media outlet to pick up on the hack was an obscure website in Crimea (NewsFront), which published specific emails and provided a link to the cache. A former employee of the news agency had claimed in an article that the website is financed by the Russian secret service, and its topics assigned by top political leadership in Moscow.

A Donetsk, Ukraine-based editor for the website, who declined to provide his name, said allegations of Russian government funding were untrue and “funny.”

———————————————————————————————————————————

LeakSource has so far analyzed mostly the emails containing attachments, looking for any confidential documents or information that is not intended for distribution. If you are searching through the documents as well, please comment here or tweet to me any additional details you find newsworthy.
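One way to do that triage at scale, as an added example rather than anything LeakSource or the Reddit poster used: the script below indexes a mail cache by keyword and lists every attachment with its SHA-256 so the same file forwarded through several threads is counted once. It uses only Python’s standard library; the two messages it runs on are constructed stand-ins, and the addresses, subjects and attachment content in them are invented. On a real cache you would feed it the raw .eml bytes (or iterate a mailbox.mbox) instead of RAW_MESSAGES.

```python
"""Keyword triage of a leaked mail cache: index messages by keyword and
list every attachment with its SHA-256 so the same file forwarded through
several threads is counted once.  Added example, not a LeakSource tool;
the two messages below are constructed stand-ins with invented content."""
import email
import email.policy
import hashlib
import re
from collections import defaultdict

# Constructed sample messages in RFC 5322 form (hypothetical content).
RAW_MESSAGES = [
    b"""From: analyst@example.test
To: otto@example.test
Subject: Re: Magnitskiy sanctions brief
Date: Mon, 10 Jul 2017 09:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Attached is the brief on the Magnitskiy list we discussed.
--b1
Content-Type: application/pdf; name="brief.pdf"
Content-Disposition: attachment; filename="brief.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
""",
    b"""From: colleague@example.test
To: otto@example.test
Subject: Lunch
Date: Tue, 11 Jul 2017 12:00:00 +0000
Content-Type: text/plain; charset="utf-8"

No attachment here and nothing that matches the keyword list.
""",
]

# Keywords taken from the Reddit poster's groupings above.
KEYWORDS = ["Clinton", "Trump", "Veselnitskaya", "Magnitskiy", "Podesta"]


def parse(raw: bytes):
    """Parse raw message bytes with the modern (EmailMessage) policy."""
    return email.message_from_bytes(raw, policy=email.policy.default)


def body_text(msg) -> str:
    """Concatenate all inline text/plain parts; attachments are skipped."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            parts.append(part.get_content())
    return "\n".join(parts)


def matching_keywords(msg, keywords=KEYWORDS):
    """Case-insensitive whole-word match over subject and body text."""
    haystack = str(msg.get("Subject", "")) + "\n" + body_text(msg)
    return [k for k in keywords
            if re.search(r"\b" + re.escape(k) + r"\b", haystack, re.IGNORECASE)]


def attachments(msg):
    """Yield (filename, sha256_hex, size_in_bytes) for each attachment part."""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        yield (part.get_filename() or "(unnamed)",
               hashlib.sha256(data).hexdigest(), len(data))


def triage(raw_messages, keywords=KEYWORDS):
    """Return (index, seen): index maps keyword -> subjects of matching
    messages; seen maps attachment sha256 -> (subject, filename, size) of
    the first message it appeared in, so re-forwarded files collapse."""
    index = defaultdict(list)
    seen = {}
    for raw in raw_messages:
        msg = parse(raw)
        subject = str(msg.get("Subject", ""))
        for k in matching_keywords(msg, keywords):
            index[k].append(subject)
        for name, digest, size in attachments(msg):
            seen.setdefault(digest, (subject, name, size))
    return dict(index), seen


if __name__ == "__main__":
    index, seen = triage(RAW_MESSAGES)
    for k, subjects in sorted(index.items()):
        print(f"{k}: {len(subjects)} message(s)")
    for digest, (subject, name, size) in seen.items():
        print(f"{name} ({size} bytes, sha256 {digest[:16]}...) in '{subject}'")
```

Hashing the decoded attachment bytes rather than the base64 text is what makes the deduplication work: the same PDF re-encoded or re-forwarded with different line wrapping still collapses to one entry, and the hashes can be checked against a known-bad list before anything is opened.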

 


  • Email from Toby Gati, former United States Assistant Secretary of State for Intelligence and Research, questioning why there was no American interpreter at G-20 Obama/Putin meeting


  • Email between Dan Goldberg (unable to confirm position but I believe it is in Defense Dept.) and Robert Otto, analyzing fashion sense of a young Vladimir Putin:


  • Email between Wayne Allensworth and Robert Otto re: a report of a fake document claiming the American government is paying a Russian activist to leak information saying top Russian officials are gay. Allensworth seems to insinuate that rumors about Putin are common in Moscow’s gay community:


  • What I believe is a previously unpublished photo of Sen. John McCain and Vladimir Milov, former Deputy Energy Minister of the Russian Federation and president of the Institute of Energy Policy think-tank:

h/t to @steemwh1sks: “Someone converted the leaked U.S. State Department e-mails to pdf, sorted by keyword. Posted on reddit”:

PDFs Matching “Clinton”

https://www.scribd.com/document/353850851/Clinton-1

https://www.scribd.com/document/353850860/Clinton-2

https://www.scribd.com/document/353850867/Clinton-3

https://www.scribd.com/document/353850856/Clinton-4

https://www.scribd.com/document/353850868/Clinton-5

https://www.scribd.com/document/353850871/Clinton-6

https://www.scribd.com/document/353850875/Clinton-7

https://www.scribd.com/document/353850866/Clinton-8

PDFs Matching “Trump”

In this next section, I searched for 534 emails which mentioned “TRUMP” and extracted the PDFs without the articles in such a distracting way.

https://www.scribd.com/document/353854712/Trump1

https://www.scribd.com/document/353854711/Trump2

https://www.scribd.com/document/353854705/Trump3

https://www.scribd.com/document/353854703/Trump4

https://www.scribd.com/document/353854707/Trump5

https://www.scribd.com/document/353854708/Trump6

https://www.scribd.com/document/353855238/Trump7

https://www.scribd.com/document/353855230/Trump8

https://www.scribd.com/document/353855245/Trump9

https://www.scribd.com/document/353855241/Trump-10

https://www.scribd.com/document/353855234/Trump-11

https://www.scribd.com/document/353855225/Trump12-pdf

PDFs Matching “Veselnitskaya”

In this section, I found a handful of emails matching the Trump Lawyer that should have a second look.

https://www.scribd.com/document/353856170/Veselnitskaya1

PDFs Matching “Magnitskiy”

In this section, I found 93 emails matching Magnitskiy, which is connected to the Trump lawyer.

https://www.scribd.com/document/353856542/Magnitskiy1

https://www.scribd.com/document/353856577/Magnitskiy2

PDFs Matching “Podesta”

https://www.scribd.com/document/353857003/Podesta-Clinton

PDFs Matching “Lynch”

https://www.scribd.com/document/353858422/Lynch

PDFs Matching “Eric Holder”

https://www.scribd.com/document/353858572/Holder1-pdf

PDFs Matching “DNC”

https://www.scribd.com/document/353864582/Dnc

PDFs Matching “McCain”

https://www.scribd.com/document/353866545/McCain

PDFs Matching “Manafort”

https://www.scribd.com/document/353868118/Manafort

PDFs Matching “Soros”

https://www.scribd.com/document/353868611/Soros

PDFs Matching “Uranium”

https://www.scribd.com/document/353869252/Uranium1

PDFs Matching “Samochornov” (Veselnitskaya’s unnamed translator)

https://www.scribd.com/document/353869492/Samochornov

Contacts – cross-reference with WikiLeaks’ ICWatch intelligence community database:

https://icwatch.wikileaks.org/

https://pastebin.com/1kgxCigKh

https://pastebin.com/s6PP2bR2

NotPetya Ransomware Hackers Surface Asking $250K for Master Key, Decrypt Test File as Proof

In Archive, Hacking on July 6, 2017 at 1:22 PM

07/05/2017

Lorenzo Franceschi-Bicchierai & Joseph Cox/Motherboard (1)(2):

In an unexpected twist on Tuesday, the hackers gave their first sign of life since the attack.

At 10:10 PM UTC, the hackers emptied the bitcoin wallet they were using to receive ransom payments, moving more than $10,000 to a different wallet. A few minutes earlier, the hackers also sent two small payments to the bitcoin wallets of Pastebin and DeepPaste, two websites that let people post text online and are sometimes used by hackers to make announcements.

At 9:23 PM UTC, and 9:20 PM UTC, around 11 minutes and 12 minutes before the hackers made the two donations, someone claiming to be behind NotPetya posted an announcement on DeepPaste and Pastebin.

The authors of the announcement asked for 100 bitcoin (roughly $256,000 at the time of writing) in exchange for the private key that supposedly decrypts any file encrypted with the NotPetya ransomware. Curiously, the authors didn’t provide a bitcoin address where to send the payment, but did publish a link to a dark web chatroom where people could contact them.

In an interview in the chatroom, someone purporting to be one of the hackers told Motherboard that the price was so high because it’s for the key “to decrypt all computers.”

“Are you interested in my offer?” they asked, offering to decrypt one file for free to prove they were legitimate. So we asked Anton Cherepanov, a researcher from cybersecurity company ESET, to send us a file encrypted with NotPetya. Cherepanov said he ran the malware on a virtual machine and sent us two files: a normal Word document containing information about Microsoft software, and the same file encrypted with NotPetya. The version of the file encrypted with NotPetya contained gibberish when opened in a word processor.

Around two hours after we provided the hackers with the encrypted file, they sent us the decrypted file, which matched the original, clean Word document.

This suggests the hackers do indeed have a key capable of unlocking files infected with NotPetya.

Both Cherepanov and Matthieu Suiche said that there are bugs in the ransomware that might prevent hackers from decrypting files larger than 1MB. (The file we sent the hackers was around 200KB.) Motherboard sent the hackers an additional file, but by that time the hackers had become unresponsive. Multiple other journalists noted on Twitter that the hackers did not respond to their questions.

Separately from this test, Cherepanov and a security researcher known as MalwareTech, both of whom have analyzed NotPetya, said that the hackers in the chatroom proved that they have access to NotPetya code. The hackers used the NotPetya private encryption key to sign the announcement they published on Pastebin and DeepPaste on Tuesday.

“They have key, so must be same people,” Cherepanov told Motherboard in an online chat.

Hacking Team Hacked: 400GB Data Dump of Internal Documents/Emails/Source Code from Notorious Spyware Dealer

In Archive, Hacking, Hacking Team, Malware, Surveillance, WikiLeaks on July 7, 2015 at 9:07 AM


07/05-09/2015

The controversial Italian surveillance company Hacking Team, which sells spyware to governments all around the world, including agencies in Ethiopia, Morocco, the United Arab Emirates, as well as the US Drug Enforcement Administration, has been seriously hacked.

Hackers have made 400GB of client files, contracts, financial documents, and internal emails, some as recent as 2015, publicly available for download.

What’s more, the unknown hackers announced their feat through Hacking Team’s own Twitter account.


Torrent Links:
https://mega.nz/#!Xx1lhChT!rbB-LQQyRypxd5bcQnqu-IMZN20ygW_lWfdHdqpKH3E
http://infotomb.com/eyyxo.torrent
Mirror:
https://ht.transparencytoolkit.org/
Source Codes:
https://github.com/hackedteam?tab=repositories

Last year, a hacker who went only by the name “PhineasFisher” hacked the controversial surveillance tech company Gamma International, a British-German firm that sells the FinFisher spyware. He then leaked more than 40GB of internal data from the company, which has long been criticized for selling to repressive governments.


That same hacker has now claimed responsibility for the breach of Hacking Team, which sells a similar product, Remote Control System Galileo.

Lorenzo Franceschi-Bicchierai/Motherboard:

On Sunday night, I reached out to the hacker while he was in control of Hacking Team’s Twitter account via a direct message to @hackingteam. Initially, PhineasFisher responded with sarcasm, saying he was willing to chat because “we got such good publicity from your last story!” referring to a recent story I wrote about the company’s CEO claiming to be able to crack the dark web.

Afterwards, however, he also claimed that he was PhineasFisher. To prove it, he told me he would use the parody account he used last year to promote the FinFisher hack to claim responsibility.

“I am the same person behind that hack,” he told me before coming out publicly.

The hacker, however, declined to answer any further questions.

The leak of 400GB of internal files contains “everything,” according to a person close to the company, who only spoke on condition of anonymity. The files contain internal emails between employees; a list of customers, including some, such as the FBI, that were previously unknown; and allegedly even the source code of Hacking Team’s software, its crown jewels.

——————————————————————————————————————————————————————————————————-

HIGHLIGHTS:

——————————————————————————————————————————————————————————————————-



Screenshot shows an email dated 2014 from Hacking Team’s founder and CEO David Vincenzetti to another employee. In the email, titled “Yet another Citizen Lab attack,” Vincenzetti links to a report from the online digital rights research center Citizen Lab, at the University of Toronto’s Munk School of Global Affairs, which has exposed numerous cases of abuse from Hacking Team’s clients.


Hacking Team has never revealed a list of its clients, and has always and repeatedly denied selling to sketchy governments, arguing that it has an internal procedure to address human rights concerns about prospective customers.

The email about Citizen Lab is filed in a folder called “Anti HT activists.”

——————————————————————————————————————————————————————————————————-


via Thomas Fox-Brewster/Forbes:

In-depth notes on the level of exploitation across a number of Android devices, from the likes of Samsung, HTC and Huawei. It appears the exploits weren’t always successful in accessing voice or texts on phones.

Hacking Team operations manager Daniele Milan’s email from January indicated some imminent features in Hacking Team’s tools included “physical infection of BitLocker protected disks”, thereby bypassing the much-used Microsoft disk encryption technology, as well as “extraction of information from pictures posted on Facebook and Twitter”. It will also soon be able to “capture of documents edited using Google Docs or Office 365”, the roadmap suggested.

Another email from Milan, dated 15 May, indicated the security-focused messaging application Wickr was on the target list too, thanks to a request from the US government. “I had a call this morning with an agent from Homeland Security Investigations [a body within the Department of Homeland Security], and he told me he got some requests to intercept suspects using this application, Wickr… we may want to keep an eye on it and eventually evaluate to add support.”

via Dan Goodin/ArsTechnica:

Another document boasts of Hacking Team’s ability to bypass certificate pinning and the HTTP strict transport security mechanisms that are designed to make HTTPS website encryption more reliable and secure. “Our solution is the only way to intercept TOR traffic at the moment,” the undated PowerPoint presentation went on to say.

Elsewhere, the document stated: “HTTPS Everywhere enforces https and could send rogue certificates to the EFF SSL Observatory.” HTTPS Everywhere is a browser extension developed by the Electronic Frontier Foundation that ensures end users use HTTPS when connecting to a preset list of websites. The statement appears to be a warning that any fraudulent certificates Galileo relies on could become public if used against HTTPS Everywhere users when they have selected an option to send anonymous copies of HTTPS certificates to EFF’s SSL Observatory database.

——————————————————————————————————————————————————————————————————-

Renowned cryptographer Bruce Schneier: “The Hacking Team CEO, David Vincenzetti, doesn’t like me:”

In another [e-mail], the Hacking Team CEO on 15 May claimed renowned cryptographer Bruce Schneier was “exploiting the Big Brother is Watching You FUD (Fear, Uncertainty and Doubt) phenomenon in order to sell his books, write quite self-promoting essays, give interviews, do consulting etc. and earn his hefty money.”

——————————————————————————————————————————————————————————————————-


Lorenzo Franceschi-Bicchierai/Motherboard:

After suffering a massive hack, the controversial surveillance tech company Hacking Team is scrambling to limit the damage as well as trying to figure out exactly how the attackers hacked their systems.

But the hack hasn’t just ruined the day for Hacking Team’s employees. The company has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned.

“They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.

Hacking Team notified all its customers on Monday morning with a “blast email,” requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said.

A source told Motherboard that the hackers appear to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data.

It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source.

In a series of tweets on Monday morning, which have been since deleted, Pozzi said that Hacking Team was working closely with the police, and warned everyone who was downloading the files and commenting on them.

“Be warned that the torrent file the attackers claim is clean has a virus,” he wrote. “Stop seeding and spreading false info.”

The future of the company, at this point, is uncertain.

Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard.

It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts.

Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely.

The company, in fact, has “a backdoor” into every customer’s software, giving it ability to suspend it or shut it down—something that even customers aren’t told about.

To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.

Hacking Team did not answer repeated requests for comment, both to its US spokesperson Eric Rabe and directly to its office in Milan, Italy.

——————————————————————————————————————————————————————————————————-

When asked about the identity of the person or group who carried out the attack, Rabe indicated that he believed the attack was the work of a nation state or a criminal gang, and not the work of an activist as many have speculated:

“Doing our own forensics here, we think this was a very sophisticated attack, and certainly not the work of an amateur. The press seems to take the view that this was some sort of human rights activist but I think that is far from certain and it could easily have been criminal activity or some government activity,” adding that “this is almost certainly an international crime”.

When it was pointed out that if a government or criminal group was behind the attack then posting all the information online seems a strange move, Rabe said: “I am not sure why anybody would do that, but part of the effort here was to disrupt our operations as much as possible so I think that would be a motive for many different people.”

When asked if this could be the work of one of Hacking Team’s competitors such as UK-based Gamma International or Israeli NSO Group, Rabe said: “I think that is unlikely” though he admitted that just like everyone else he was speculating.

While some media reports have suggested the company is working with the Italian police to investigate the attack, Rabe says that all he will say is that the company is “working with law enforcement” reiterating that this was an international attack.

——————————————————————————————————————————————————————————————————-


*This post will be continuously updated as there is much more new information emerging. Post anything you find in the comments below and I will add them to the article. LAST UPDATE: 07/13/2015 @ 8PM EST

——————————————————————————————————————————————————————————————————-

Related Links:

WikiLeaks SpyFiles on HackingTeam

To Protect and Infect: The Militarization of the Internet – Claudio Guarnieri, Morgan Marquis-Boire, Jacob Appelbaum @ 30c3

Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide

USG Questionnaire for National Security Positions

In Archive, China, Hacking, InfoSec, OPM, USA on June 8, 2015 at 8:08 PM

via OPM.gov

PDF

Related Links:

OPM to Notify Employees of Cybersecurity Incident

U.S. Suspects Hackers in China Breached About 4 Million People’s Records, Officials Say

China Calls U.S. Hacking Accusations ‘Irresponsible and Unscientific’

Data Hacked from U.S. Government Dates Back to 1985: U.S. Official

U.S. Was Warned of System Open to Cyberattacks

Hacking as Offensive Counterintelligence

What’s In a Background Investigation, Anyway?

Gibbs: When You Gain Security Clearance,Taken Into Room Filled with Photos of Convicted Spies
