Turla: Spying tool targets governments and diplomats

MD Staff

A cyberespionage campaign involving malware known as Wipbot and Turla has systematically targeted the governments and embassies of a number of former Eastern Bloc countries. Trojan.Wipbot (known by other vendors as Tavdig) is a back door used to facilitate reconnaissance operations before the attackers shift to long-term monitoring operations using Trojan.Turla (which is known by other vendors as Uroboros, Snake, and Carbon). It appears that this combination of malware has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks.

Turla provides the attacker with powerful spying capabilities. It is configured to run every time the computer starts; once the user opens a Web browser, it opens a back door that enables communication with the attackers. Through this back door, the attackers can copy files from the infected computer, connect to servers, delete files, and load and execute other forms of malware, among other capabilities.

The group behind Turla has a two-pronged attack strategy that involves infecting victims through spear phishing emails and watering hole attacks. The watering hole attacks display competent compromise capabilities, with the attackers compromising a range of legitimate websites and only delivering malware to victims visiting from pre-selected IP address ranges. These compromised websites deliver a payload of Trojan.Wipbot. It is highly likely that Wipbot is then used as a downloader to deliver Turla to the victim.

Victims
While infections initially appeared to be spread over a range of European countries, closer analysis revealed that many infections in Western Europe occurred on computers that were connected to private government networks of former Eastern Bloc countries. These infections appear to have transpired in the embassies of these countries.  

Analysis of infections revealed that the attackers were heavily focused on a small number of countries. For example, in May of 2012, the office of the prime minister of a former Soviet Union member country was infected. This infection spread rapidly and up to 60 computers at the prime minister’s office were compromised.

Another attack saw a computer at the embassy to France of a second former Soviet Union member infected in late 2012. During 2013, infections began to spread to other computers linked to the network of this country’s ministry of foreign affairs. In addition, its ministry of internal affairs was also infected.  Further investigation uncovered a systematic spying campaign targeted at its diplomatic service. Infections were discovered at embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany.

At least five other countries in the region were targeted by similar attacks. While the attackers have largely focused on the former Eastern Bloc, a number of other targets were also found. These included the ministry for health of a Western European country, the ministry for education of a Central American country, a state electrical authority in the Middle East, and a medical organization in the US.

Prior to publication, Symantec notified all relevant national authorities, such as Computer Emergency Response Centers (CERTs) that handle and respond to Internet security incidents.

Attack vectors
The group behind Turla uses spear phishing emails and watering hole attacks to infect victims. Some of the spear phishing emails purported to come from a military attaché at a Middle Eastern embassy and had an attachment masquerading as the minutes of meetings. Opening the attachment resulted in Trojan.Wipbot being dropped on to the victim’s computer. It is believed that Wipbot may be the delivery mechanism for Turla as they share several similarities in code and structure.

Since September 2012, the group has compromised at least 84 legitimate websites to facilitate watering hole attacks. Websites owned by a number of different governments and international agencies were among those compromised by the attackers.

Visitors to these sites were being redirected to Web servers where a ‘fingerprinting’ script was executed. This script collected some identifying information about the visitor’s computer. This phase of the campaign appeared to serve as an intelligence trawl, gathering information about what browsers and plugins website visitors were using, which would help identify which exploits would work best against them.

The next phase of the operation was highly targeted, with servers then configured to drop Wipbot only to IP addresses associated with intended targets. In one instance, the malware delivered was disguised as a Shockwave installer bundle. Wipbot was then used to gather further information about the infected computer. If the attackers deemed the victim of interest, it appears likely that a second back door (Trojan.Turla) with far greater capabilities was downloaded on to the victim’s computer.
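The two-stage watering-hole chain described above (a legitimate site that pulls in a third-party fingerprinting script, followed later by an executable dressed up as a plug-in installer) leaves a recognisable trace in web-proxy logs. The following detection logic is an added example and not Symantec's or the attackers' code; the log format, host names, allowlist and time window are assumptions for the illustration, and the sample log lines are constructed.

```python
"""Correlate web-proxy log lines to flag a watering-hole chain:
(1) a page on a legitimate site loads a script from a third-party host that is
not on the allowlist (the fingerprinting stage), and (2) within a time window the
same client fetches an executable whose name mimics a plug-in installer.
Log format, hostnames, allowlist and window are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Third-party hosts the organisation legitimately loads scripts from (assumed).
SCRIPT_ALLOWLIST = {"cdn.example-analytics.com"}
# Words used to dress up a dropper as an installer; the campaign used a fake
# "Shockwave installer" bundle.
LURE_WORDS = re.compile(r"(shockwave|flash|install|setup|update)", re.I)
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(minutes=30)   # fingerprint -> payload correlation window

# Assumed proxy log layout: "ts client method url referer status content-type".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<referer>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)

def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""

def parse(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec

def is_fingerprint_stage(rec):
    """A script fetched from a host that differs from the referring page's host
    and is not on the allowlist: the shape of an injected redirect."""
    if rec["referer"] == "-":
        return False
    src, dst = host_of(rec["referer"]), host_of(rec["url"])
    return (dst != src and dst not in SCRIPT_ALLOWLIST
            and (rec["ctype"].startswith("application/javascript")
                 or rec["url"].lower().endswith(".js")))

def is_lure_download(rec):
    """An executable whose file name mimics an installer or updater."""
    path = rec["url"].rsplit("/", 1)[-1]
    return rec["ctype"] in EXEC_TYPES and LURE_WORDS.search(path) is not None

def correlate(lines):
    """Return {client: [(fingerprint_host, payload_url)]} for clients that
    fetched a lure executable within WINDOW after a fingerprinting script."""
    seen_scripts = defaultdict(list)   # client -> [(ts, script_host)]
    alerts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["status"] != "200":
            continue
        if is_fingerprint_stage(rec):
            seen_scripts[rec["client"]].append((rec["ts"], host_of(rec["url"])))
        elif is_lure_download(rec):
            for ts, shost in seen_scripts[rec["client"]]:
                if timedelta(0) <= rec["ts"] - ts <= WINDOW:
                    alerts[rec["client"]].append((shost, rec["url"]))
                    break
    return dict(alerts)

# Constructed sample log (not real traffic). Client 10.1.1.20 follows the
# full chain; client 10.1.1.31 only loads an allowlisted script and later
# downloads an installer directly from a vendor, so it must not alert.
SAMPLE_LOG = """\
2014-05-05T09:02:11 10.1.1.20 GET http://ministry.example.gov/news.html - 200 text/html
2014-05-05T09:02:12 10.1.1.20 GET http://stats-cdn.example.net/fp.js http://ministry.example.gov/news.html 200 application/javascript
2014-05-05T09:02:13 10.1.1.20 GET http://cdn.example-analytics.com/a.js http://ministry.example.gov/news.html 200 application/javascript
2014-05-05T09:14:40 10.1.1.20 GET http://stats-cdn.example.net/dl/Shockwave_Installer.exe http://ministry.example.gov/news.html 200 application/octet-stream
2014-05-05T09:05:00 10.1.1.31 GET http://ministry.example.gov/news.html - 200 text/html
2014-05-05T09:05:01 10.1.1.31 GET http://cdn.example-analytics.com/a.js http://ministry.example.gov/news.html 200 application/javascript
2014-05-05T11:30:00 10.1.1.31 GET http://vendor.example.com/setup.exe - 200 application/octet-stream
"""

if __name__ == "__main__":
    for client, hits in correlate(SAMPLE_LOG.splitlines()).items():
        for shost, url in hits:
            print(f"ALERT {client}: script from {shost}, then payload {url}")
```

On the constructed sample only 10.1.1.20 alerts; the second client shows why the allowlist and the script-then-payload ordering matter for keeping the rule quiet on ordinary browsing.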

Wipbot appears to act as a reconnaissance tool, while Turla is used to maintain a long-term presence on the victim’s computer. Analysis conducted by Symantec has found several technical connections between Wipbot and Turla which indicate that the same group or larger organization wrote both pieces of code.

Turla
Symantec has been tracking the activities of the group behind Turla for a number of years. The identity of the attackers has yet to be established, although timestamps from activity associated with the attacks indicate that most activity occurs during the standard working day of the UTC +4 time zone.

Turla is an evolution of an older piece of malware, Trojan.Minit, which has been in operation since 2004. The current campaign is the work of a well-resourced and technically competent attack group that is capable of penetrating many network defenses. It is focused on targets that would be of interest to a nation state, with spying and theft of sensitive data among its objectives.

Symantec protection
Symantec has the following detection in place for the malware used in these attacks:

AV

    Trojan.Turla
    Trojan.Wipbot

IPS

    System Infected: Trojan.Turla Activity
    System Infected: Trojan.Turla Activity 2

Risks to Global Businesses from New Era of Epidemics Rival Climate Change

MD Staff

The World Economic Forum, in collaboration with the Harvard Global Health Institute, today released a white paper that details why and how the business community should contribute more to manage the threat and impact of infectious disease on societies.

Outbreak Readiness and Business Impact: Protecting Lives and Livelihoods across the Global Economy describes the business risk posed by a new era of epidemic risk, which can no longer be thought of exclusively in terms of rare but devastating events like global influenza pandemics. The white paper offers recommendations to help companies more appropriately understand risks, reduce exposure and act on opportunities for public-private cooperation to optimally prepare for and mitigate these risks.

The Forum’s Global Risks Report 2019, released earlier this week, describes a world vulnerable to increasing naturally emerging infectious disease threats and risks posed by revolutionary new biotechnologies. Despite considerable progress, the world remains ill-prepared to detect and respond to outbreaks and is not prepared to respond to a significant pandemic threat. While medical and public health advances allow us to better contain the morbidity and mortality effect of epidemics, our collective vulnerability to the societal and economic impacts of infectious disease crises appears to be increasing.

“Outbreaks are a top global economic risk and – like the case for climate change – large companies can no longer afford to stay on the sidelines. Business leaders need to better understand expected costs of epidemics, mitigate these costs and strengthen health security more broadly,” said Vanessa Candeias, Head of the System Initiative on Shaping the Future of Health and Healthcare and Member of Executive Committee at the World Economic Forum.

While potentially catastrophic outbreaks may occur only every few decades, highly disruptive regional and local outbreaks are becoming more common and pose a major threat to lives and livelihoods. Recent years have seen nearly 200 epidemic events per year. This trend is only expected to intensify due to increasing trade, travel, population density, human displacement, deforestation and climate change. Further, the number and diversity of epidemic events (e.g. influenza, Ebola, Zika, yellow fever, SARS, MERS-CoV and antibiotic-resistant bacteria, among other threats) have been increasing over the past 30 years.

“For individual businesses, developing a better understanding of infectious disease risks and how they can be managed has clear financial benefits. For policy-makers, the better that businesses manage such risks, the more resilient the overall economy will be. Moreover, when business leaders are more aware of what’s at stake, maybe there will be a different dialogue about global health – from being a topic that rarely touches the radar screen of business leaders to being a subject worthy of attention, investment and advocacy,” said Peter Sands, Research Fellow at the Harvard Global Health Institute and Executive-Director of the Global Fund to Fight AIDS, Tuberculosis and Malaria.

Although rarely emphasized in businesses’ risk considerations, recent work on pandemics quantifies how massive the potential economic losses from infectious disease outbreaks can be and how they can extend far beyond the original outbreak’s footprint.

  • Using data from the influenza pandemics of the 20th century, a report by the Commission on a Global Health Risk Framework for the Future estimated the annualized impact of influenza pandemics at roughly $60 billion, more than doubling previous estimates.
  • Work by Fan, Jamison and Summers that includes statistical value of life years lost revises the annualized figure upward to $570 billion total. For context, this amount is on the same order of magnitude as the $890 billion annual impact of climate change estimated by the Intergovernmental Panel on Climate Change.
  • Estimates indicate that the 2014-2016 Ebola outbreak in West Africa cost $53 billion, and the 2015 MERS outbreak in South Korea cost $8.5 billion. According to the World Bank, only 39% of the economic losses are associated with effects on infected individuals, with the bulk of the costs resulting from healthy people’s change of behaviour as they seek to avoid infection.

While predicting where and when the next outbreak will occur is still an evolving science, it is possible to identify factors that make companies vulnerable to financial losses from infectious disease events. Factors such as the geographic location of a company’s workforce, customer base and supply chain, and the nature and structure of its business, can help inform estimates of its vulnerability to disease outbreaks.

One threat is disease and its uncertainty; another is the fear of disease itself, or uninformed panic. As seen in past epidemics, health-related misinformation can spread as fast as viruses and undermine or disrupt the overall medical response efforts.

Effective readiness for outbreaks requires reliable, trusted public-private partnership, especially in locations where government capacities are constrained by lack of trust as well as resources. By proactively fostering public-private cooperation at local levels, businesses can help mitigate the potentially devastating human and economic impacts of epidemics, while protecting the interests of their employees and commercial operations.

In addition to the report, the research team has produced a prototype corporate infectious disease risk dashboard, meant to enable companies to visualize estimates of expected costs to their business associated with infectious disease outbreaks.

At the World Economic Forum Annual Meeting 2019 in Davos next week, the Forum and its partners will advance activities to strengthen public-private cooperation for global health security in areas of vaccines; data science; travel; communications; and supply chain and logistics.

The old and new techniques of Dezinformatsjia

Giancarlo Elia Valori

Disinformation – i.e. what the Soviet intelligence services called Dezinformatsjia – is at the origin of the phenomenon that we currently define, with oversimplification, as fake news: news spread to support or oppose voters’ or consumers’ specific choices, obviously both nationally and internationally. Nowadays the “political market” is globalized exactly like the market of goods and services, and hence all the tools available to a country and to its political elite need to be used.

Certainly the intelligence agencies’ room for manoeuvre is currently much wider than it was at the time of the Cold War. Hence many mass manipulation techniques, which in the past were specifically political, are now also commercial, behavioral, cultural, scientific or pseudo-scientific. They are closely interwoven and currently the electoral or political manipulation operations often stem from commercial marketing techniques.

Dezinformatsjia, however, is always a “weak to strong” operation, i.e. a series of strategic and information actions that try to prevent the use of force by those who are tactically superior.

Those who do not have enough missiles targeted at the enemy, or who lack maximum military efficiency, face the opponent with psychological and propaganda techniques, which cost less and – by their very nature – do not trigger a conventional military countermove by the enemy against whom they are targeted. However, they can trigger an equal and opposite disinformation effort by the target country.

These are all “ironic” operations, in the etymological sense of the word. Irony comes from the Greek word eironèia, i.e. “fiction, dissimulation, or to say the opposite of what you think”.

Just think of the great demonstrations against “Euromissiles” in the early 1980s – not foreseen by the Soviets, which put a strain on the huge intelligence network of the Warsaw Pact in Europe – or of the myth of the opening to dissent in the era of Khrushchev’s “thaw”. Or just think – as maintained by Anatoly Golytsin, the former KGB officer who defected to the USA – of the schisms between the USSR and Mao’s China, or of the transformation of the Komintern into Kominform, in which also Yugoslavia secretly participated, even after the famous schism between Tito and Stalin.

According to Golytsin, a senior KGB officer, all the divisions within the Communist world were a huge and very long sequence of fake news. Westerners never believed him, but the predictive power of his book, New Lies for Old, published in the USA in 1984, is still extraordinary.

He foresaw the “liberalization” of the Soviet system and even its collapse, so as to be later reborn in a new guise. All true, until today.

But what is really Dezinformatsjia, i.e. the technique that is at the origin of fake news and of all current psychopolitical operations?

For the KGB experts, disinformation is linked to the criterion of “active operations” (aktivnyye meropriyatiya), i.e. the manipulation and control of mass media; actual disinformation, both written and oral; and the use of Communist parties or covert organizations. In this case, just think of all the organizations “for peace” or for friendship “among peoples”, as well as of radio and TV broadcasts.

“Active measures” even include kompromat, i.e. “compromising material”, as well as damaging and disparaging information about Western agents’ or politicians’ involvement in sex, illegal dealings and drugs. This information is collected and used strategically across all domains, with a view to creating negative publicity.

This is a kind of active measure that we have recently seen at work against President Trump. Nevertheless, it has been implemented by his fellow countrymen, who, however, do not seem to be very skillful in the art of Dezinformatsjia.

It should be recalled, however, that currently a fundamental technique is to manipulate the opponents’ economies or to support guerrilla groups or terrorist organizations.

Economies are manipulated through statistical data or through governments’ “covert” operations on stock markets, while support for terrorist groups, even those far from the State ideology, is provided through an intermediary that may be another State or a large company, or through bilateral financial transactions outside markets.

The Red Brigades, for example, initially trained in Czechoslovakia, reaching it by passing through woods at the Austrian border owned by the Feltrinelli family.

When the publisher Giangiacomo Feltrinelli was found dead near an Enel trellis in Segrate, but long before the Italian police knew who had died on that trellis, the Head of the KGB center in Milan hastily went to report to the Soviet embassy in Rome.

Many friendly and enemy States, however, used right-wing and left-wing terrorism against the Italian Republic.

The goal was clear: to destroy or annihilate a dangerous economic competitor, especially in Africa and in the East.

Dezinformatsjia, however, was institutionally targeted against what the Soviets called “the primary enemy”, namely the United States.

Under Stalin’s power – who was dialectically “superseded” by Khrushchev, always in contrast with true innovators – “active measures” also included assassination.

I do not rule out at all that, in particular cases, this tradition has been recovered even after the death of the so-called “little father”.

As we can see, “active measures” – namely Dezinformatsjia – still have much to do with the contemporary world.

If we only talk about fake news, we cannot understand why it is spread, while if it is interpreted in the framework of the old – but still topical – disinformation strategy, everything gets clearer.

In the Soviet regulations of the 1960s, every KGB foreign branch had to devote at least 25% of its forces to “active measures”, while each residence had an officer specifically trained at Dezinformatsjia.

It should be noted that, in 1980, the CIA estimated the total cost of “active measures” at 3 billion US dollars, at least.

It was the real struggle for hegemony that the USSR was fighting, considering that the missile, nuclear and conventional balance of the two forces on the field did not permit a real military clash.

However, the result of the final clash would have been very uncertain.

Nowadays every State produces fake news, as well as ad hoc opinion movements, and spreads agents of influence in the media, in universities, businesses and governments.

Hence the globalization of disinformation, not simply fake news, is the phenomenon with which we really have to deal.

During the Cold War, the Soviet apparata spread the fake news of the CIA and FBI involvement in the assassination of John F. Kennedy, while the East German apparata often spread news about Western politicians being members of Nazi hierarchies or about the pro-Nazi sympathies of Pope Pius XI.

It should also be noted that Andropov, who was elected General Secretary of the CPSU in 1982, had been the Head of the KGB First Chief Directorate, precisely the one that coordinated and invented all “active measures”.

At the time, Western newspapers were filled with news about Andropov as a “modernizer”, a reader of the American literature classics and a jazz lover.

Was it Dezinformatsjia? Obviously so, but no one answered that question, thus raising expectations – among the NATO European Member States’ peoples – about a sure “democratization” of the Soviet Union in the future.

Andropov, however, secretly believed that the United States would unleash a nuclear war in the short term against the USSR. Hence this was the beginning of a long series of Dezinformatsjia hard operations right inside the United States.

Nevertheless, following the rules of “active measures”, they were not specifically targeted against the US military and political system, but against other targets apparently unrelated to the primary aim: the US responsibility for the (impossible) creation of the AIDS virus or – as the Soviet Dezinformatsjia always claimed – the “unclear” role played by CIA and FBI in the assassinations of J.F. Kennedy, Martin Luther King or even the death of Elvis Presley.

A specific product for each public.

Hence a fake storytelling is created – not a series of objective data – around a theme that is instead real, so as to reach the goal of a generic defamation of the primary enemy, where there is always a “bad guy” (obviously the US government and its Agencies) and a “good guy”, that is the American people that must be freed from the bad guy holding them prisoner.

According to the theories of the great Russian scholar of myths, tribal rituals, folktales and fairy storytelling, V.I. Propp, whose text “Morphology of the Folktale” was published in Leningrad in 1928, this is exactly one of the primary narrative elements of the folktale.

As in the case of  KGB “active operations”, Propp’s scheme envisages some phases of construction of the myth or of the folktale: 1) the initial balance, i.e. the phase in which everything is devoid of dangers; 2) the breaking of the initial balance and hence the creation of the motive for the subsequent action; 3) the vicissitudes of the hero, who is the one who “restores order” after the natural twists and turns; 4) the restoration of balance, namely the conclusion.

Hence the mythical and fairy mechanism concerns the archetypes of the human psyche, as described by Carl Gustav Jung.

This is the reason why, despite their evident counterfactuality, propaganda constructions work well and last well beyond the time for which they were thought out and designed.

Active operations are modeled on the natural parameters with which the human mind works. When well done, said operations do not use abstract theories, cultural or sectoral models. They speak to everyone, because they act on the unconscious.

It is no coincidence that currently the archetypal branding – i.e. the marketing system based on the 12 Jungian archetypes – is increasingly widespread.

It was created in 2001, several years after the fall of the USSR and in the phase in which the New World Order was strengthening.

Propp’s four elements work just as an “active measure”, based on four categories: 1) mastery and stability; 2) belonging; 3) change; 4) independence.

It is easy to verify how these four categories of modern marketing (and of the archetypal tale) fully apply both to disinformation operations, which can often favor one of the four elements compared to the others, and to actual political marketing.

Hence politics, intelligence services’ propaganda and marketing currently work on the basis of the same deep psychic mechanisms.

In the Soviet tradition, there is also a certain tendency to use Ivan Pavlov’s psychology in the field of intelligence.

Pavlov developed the theory of “conditioned reflexes”, i.e. the psychic mechanism that is produced by a conditioning stimulus.

The experiment of the dog and the bell is, in fact, well-known and needs no elaboration.

It should be noted, however, that the conditioned reflex is triggered precisely when the food announced by the sound of the bell is no longer there, while the dog shows all the typical reactions of the animal in the presence of food.

Here, the “active measures” of disinformation create a conditioned reflex by connecting a country, a leader or a political choice to something universally negative which, however, has nothing to do with the primary object.

This connection becomes instinctive, automatic, obvious and almost unconscious.

Just think of the automatism – once again artfully created – between the Italian intelligence services and the so-called “strategy of tension”.

The goal of perfect Dezinformatsjia is to create a Pavlovian conditioned reflex that works immediately and naturally, as a Freudian “complex” does.

Nevertheless, with a view to being successful, every fake news or message that is part of an “active measure” must have at least a grain of truth – otherwise it immediately appears as an opinion or ideology, which is soon rejected by the subject.

Opinions and ideologies can be discussed and maybe accepted rationally, but the “active measure” must mimic an immediate, natural and pre-rational reaction. Otherwise it becomes traditional propaganda or part of an open debate, exactly the opposite of what it has to do.

Hence the message must be processed with extreme care to reach the goal of any disinformation operation: to convey to the “enemy” public and/or to its ruling classes a message that – when well done – fits perfectly and unknowingly into the communication mechanisms of the “enemy”.

Western experts call this procedure “weaponization of information” or “fabrication of information”.

Nowadays, however, all information is distorted by the manipulation about the aims it must achieve – just think of the Italian and European debate on immigration from Africa.

Hence the West also uses the weaponization of information – but, probably, it still uses it badly.

Hence we will never witness the end of fake news – which has always existed – but simply its refinement into real, natural “states of mind” or, more often, into immediate reactions, such as those connected to an artfully created conditioned reflex.

In this case, there is no longer any difference between reality and imagination.

Fake news as fiction – we could say.

If this is the new battlefield of psywar, it will be good for Italy – even autonomously from the NATO center that deals with “strategic information” – to equip itself with a structure, within the intelligence agencies, developing and carrying out specific disinformation operations.

For example, with reference to the Italian companies operating abroad, to Italy’s general image in the rest of Europe and to its action in Africa or in the rest of the world.

The third way between war and diplomacy

Sajad Abedi

All the American presidents, when they arrived at the White House, asked the same question about the CIA: what should they do with it? Often they underestimated the CIA’s analyses, which described a complex world and said that the course of events was ambiguous.

Evaluation, hypothesis, probability: the White House never praised such literature. It often preferred analyses that fitted the framework of its political intentions. On the other hand, the White House has been increasingly inclined to publicly disclose some of the information collected by the services, out of a persistent desire to win people over to its big decisions.

Instead, the presidents were strongly drawn to the secret power that the CIA possessed. Covert activities, as a “third way” between war and diplomacy, attracted them greatly. All of them implemented secret programs to influence events stealthily, and all of them tried to keep this instrument in use. Despite the scandals and the political and diplomatic problems caused by covert activities, none of them questioned the necessity and effectiveness of this instrument in foreign policy.

These covert measures began to expand slightly in the 1950s, at the time when the myth of the CIA’s invincibility was formed. CIA officers, who saw such actions as a source of prominence and privilege, did everything to cultivate them. This myth derives from a particular cultural trait: Americans as a nation have a very positive self-image. America considers itself a nation that succeeds, a winner that overcomes the challenges ahead of it through its will and technology. The CIA is responsible for this sweeping spirit in Washington.

The slogan of the CIA has long been: “The agency can do it.” Therefore, opponents of its power were not taken into consideration, because the United States needed shadow warriors to protect the country from the Soviet threat, without anyone knowing much about it. This era of trust ended with the process of deconstruction and the disclosure of the CIA’s “internal” spying activities. So began the great age of complexity, which brought fantasies and other conspiracy theories. The CIA took on the ugly image of a dangerous, rogue and out-of-control organization. But Robert Gates states: “The CIA is nothing more than a presidential organization. Every time this organization has faced trouble, it was because of a mission that the president ordered.”

In any case, this is the image of America in a world that has suffered the most pain and suffering from this country. The fact that the United States has an agency like the CIA is necessarily a double-edged sword.

The press and Congress, despite their fundamental belief in the effectiveness of the CIA, served as two powerful watchdogs overseeing the agency in the service of the president. The dynamics of American democracy, together with the strong attachment to the constitution and to individual freedoms, have made the CIA the “most transparent” intelligence service in the world. The paradox is that Americans know more about its covert activities (certainly the most secret and sensitive of its activities) than about the CIA’s overall performance, and perhaps even more than about the overall performance of other institutions, including the State Department or the Ministry of Health.

The September 11 attacks shook the sense of security and invincibility in which the United States had been immersed. Since then, US soil is no longer a haven, and the attack had the same effect as the attack on Pearl Harbor. The outcome of the Iraq war added to the most fundamental reorganization of the US intelligence community in about sixty years. Intelligence services acquired new authority, many new services were formed, some of the old networks were weakened or even destroyed, and the need to concentrate the powers of the intelligence services further was felt.

These changes go so far that the United States is creating a new CIA over the previous organization. The new goal is to give Americans a single point of view on the services. The new organization will focus on analysis, so we can bet that in the future the CIA’s inability to anticipate important events will diminish. On the other hand, given the reform that created a new head of the American intelligence apparatus, with the CIA becoming the agency responsible for all covert activities, it can be assumed that the CIA will (slightly) stay at the head over the next few years.

The tension between interventionism and the earlier doctrine of isolationism has led Americans to redefine the intelligence system as the “last line of defense”. In some respects, this apparatus is both the beginning and the end of its power; and since the CIA has seen its strength in its mission of being as close as possible to America’s enemies, it still holds this precious position today.

The CIA in fact holds an almost inescapable position in the American imagination as well as in the American political system. The organization gives all its actors the confidence that someone, something American is intertwined with international affairs, and that its influence shines in the four corners of the world.

Copyright © 2018 Modern Diplomacy