ReportWire

Tag: cyberwar

  • The Mystery of Hezbollah’s Deadly Exploding Pagers

    The AP-900 runs on two AAA batteries, which, like any battery, could be induced to explode, but likely not with such force and scale as the explosions depicted in alleged videos of the blasts. If the pagers used by Hezbollah are the AR-924 or another model that runs on lithium-ion batteries, which can cause more dangerous explosions, it’s still unlikely that a regular pager battery alone could produce blasts that could injure multiple people.

    “Those explosions aren’t just batteries,” says Jake Williams, vice president of research and development at Hunter Strategy who formerly worked for the US National Security Agency. “Based on the reporting, these pagers were likely interdicted by Israeli authorities and modified with explosives. This highlights the risks of supply chain security, especially in places where technology is harder to ship to.”

    Gold Apollo did not immediately respond to WIRED’s request for comment.

    Williams points out that such an operation would likely involve operatives on both the tech distribution side and the Hezbollah procurement side. “You compromise the supply chain, but you don’t want thousands of explosive pagers running around Lebanon,” he says. “The mole gets them to exactly the right people.”

    Some reports on Tuesday indicate that Hezbollah recently expanded its use of pagers in an attempt to secure communications after other channels had been infiltrated by Israeli intelligence. The Associated Press reported that an anonymous “Hezbollah official” said the group had recently adopted a “new brand” of pagers that “first heated up, then exploded.”

    “It’s unlikely that hacking was involved, as it’s likely that explosive material had to be inside the pagers to cause such an effect,” says Lukasz Olejnik, an independent consultant and visiting senior research fellow at King’s College London’s Department of War Studies. “Reports mention the delivery of new pagers recently, so perhaps the delivery was compromised.”

    Michael Horowitz, head of intelligence at Middle East and North Africa risk management company Le Beck International, says if the attack is supply-chain-based, then it could have taken years to prepare and involved infiltrating a supplier and placing explosives inside new pagers.

    “This is a major security breach, particularly if we’re talking about a charge that was placed inside the devices—which, in my opinion, is the most likely scenario,” Horowitz says. “This would mean that Israel has managed to infiltrate Hezbollah providers to the point of delivering hundreds (if not thousands) of devices used for secured communication.”

    The incident comes amid escalations of fighting between Israel and Hezbollah in recent months, raising fears of a full-blown war. In the hours before the explosions on Tuesday, Israel said its war goals would include allowing 60,000 people to return to Northern Israel after they were evacuated following Hezbollah attacks, and it would not rule out military action.

    Horowitz says the incident could be a “prelude to a broader offensive” and possibly meant to disrupt Hezbollah’s communications networks. It is likely that replacing a large number of pagers would take some time to organize. Alternatively, Horowitz says, the attack could also have been conducted to show the “scale of Israel’s intelligence penetration.”

    “This is a high-value operation that you wouldn’t use just to cause injuries,” Horowitz says.

    Even if the blasts were not caused by a cyber-physical attack that induced the pager batteries to explode, it’s still possible that explosives planted in the pagers were detonated using a remote command, possibly even a specially crafted pager message. Some footage appeared to show users checking their pagers right as the explosions occurred, though this could have been coincidental.

    The operation could have a psychological impact on Hezbollah given that bombs may have been lurking undetected in such an unassuming device. And though Tuesday’s attacks were notably aggressive, it would not be the first time Israeli intelligence has reportedly planted explosives in electronics.

    Updated at 3:25 pm ET, September 17, 2024: Added additional details about potential ways the attack could have been carried out.

    Updated at 3:40 pm ET, September 17, 2024: Added additional details about the pager model that may have been used in the attack.

    Lily Hay Newman, Matt Burgess

  • Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team

    Russia’s military intelligence agency, the GRU, has long had a reputation as one of the world’s most aggressive practitioners of sabotage, assassination, and cyber warfare, with hackers who take pride in working under the same banner as violent special forces operators. But one new group within that agency shows how the GRU may be intertwining physical and digital tactics more tightly than ever before: a hacking team, which has emerged from the same unit responsible for Russia’s most notorious physical tactics, including poisonings, attempted coups, and bombings inside Western countries.

    A broad group of Western government agencies from countries including the US, the UK, Ukraine, Australia, Canada, and five European countries on Thursday revealed that a hacker group known as Cadet Blizzard, Bleeding Bear, or Greyscale—one that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America—is in fact part of the GRU’s Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of two bystanders, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro.

    Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators—distinct from those within other GRU units such as Unit 26165, broadly known as Fancy Bear or APT28, and Unit 74455, the cyberattack-focused team known as Sandworm. Since 2022, GRU Unit 29155’s more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit at least two dozen Ukrainian organizations on the eve of Russia’s February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian.

    Cadet Blizzard’s identification as a part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare, according to one of multiple Western intelligence agency officials whom WIRED interviewed on condition of anonymity because they weren’t authorized to speak using their names. “Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official says. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved in. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.”

    In addition to the joint public statement revealing Cadet Blizzard’s link to the GRU’s Unit 29155, the US Cybersecurity and Infrastructure Security Agency published an advisory detailing the group’s hacking methods and ways to spot and mitigate them. The US Department of Justice indicted five members of the group by name, all in absentia, in addition to a sixth who had been charged earlier in the summer without any public mention of Unit 29155.

    “The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” the US Justice Department’s assistant attorney general Matthew G. Olsen wrote in a statement. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

    Andy Greenberg

  • The Dangerous Rise of GPS Attacks

    The disruption to GPS services started getting worse on Christmas Day. Planes and ships moving around southern Sweden and Poland lost connectivity as their radio signals were interfered with. Since then, the region around the Baltic Sea—including neighboring Germany, Finland, Estonia, Latvia, and Lithuania—has faced persistent attacks against GPS systems.

    Tens of thousands of planes flying in the region have reported problems with their navigation systems in recent months amid widespread jamming attacks, which can make GPS inoperable. As the attacks have grown, Russia has increasingly been blamed, with open source researchers tracking the source to Russian regions such as Kaliningrad. In one instance, signals were disrupted for 47 hours continuously. On Monday, marking one of the most serious incidents yet, airline Finnair canceled its flights to Tartu, Estonia, for a month, after GPS interference forced two of its planes to abort landings at the airport and turn around.

    The jamming in the Baltic region, which was first spotted in early 2022, is just the tip of the iceberg. In recent years, there has been a rapid uptick in attacks against GPS signals and wider satellite navigation systems, known as GNSS, including those of Europe, China, and Russia. The attacks can jam signals, essentially forcing them offline, or spoof the signals, making aircraft and ships appear at false locations on maps. Beyond the Baltics, war zones around Ukraine and the Middle East have also seen sharp rises in GPS disruptions, including signal blocking meant to disrupt airborne attacks.

    Now, governments and telecom and airline safety experts are increasingly sounding the alarm about the disruptions and the potential for major disasters. Foreign ministers in Estonia, Latvia, and Lithuania have all blamed Russia for GPS issues in the Baltics this week and said the threat should be taken seriously.

    “It cannot be ruled out that this jamming is a form of hybrid warfare with the aim of creating uncertainty and unrest,” Jimmie Adamsson, the chief of public affairs for the Swedish Navy, tells WIRED. “Of course, there are concerns, mostly for civilian shipping and aviation, that an accident will occur creating an environmental disaster. There is also a risk that ships and aircraft will stop traffic to this area and therefore global trade will be affected.”

    “A growing threat situation must be expected in connection with GPS jamming,” Joe Wagner, a spokesperson from Germany’s Federal Office for Information Security, tells WIRED, adding that there are technical ways to reduce its impact. Officials in Finland say they have also seen an increase in airline disruptions in and around the country. And a spokesperson for the International Telecommunication Union, a United Nations agency, tells WIRED that the number of jamming and spoofing incidents has “increased significantly” over the past four years, and that interfering with radio signals is prohibited under the ITU’s rules.

    On the Upswing

    Attacks against GPS, and the wider GNSS category, come in two forms. First, GPS jamming looks to overwhelm the radio signals that make up GPS and make the systems unusable. Second, spoofing attacks can replace the original signal with a new location—spoofed ships can, for example, appear on maps as if they’re at inland airports.

    Both types of interference are up in frequency. The disruptions—at least at this stage—mostly impact planes flying at high altitudes and ships that can be in open water, not people’s individual phones or other systems that rely on GPS.

    Matt Burgess

  • A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask

    “That’s not nice, and it’s not a good norm,” says Schneider. She says that much of the US government’s slow approach to cyberattacks stems from its care to ensure it avoids unintentionally hitting civilians as well as breaking international law or triggering dangerous blowback.

    Still, Schneider concedes that Caceres and Angus have a point: The US could be using its cyber forces more, and some of the explanations for why it doesn’t amount to bureaucracy. “There are good reasons, and then there are bad reasons,” says Schneider. “Like, we have complicated organizational politics, we don’t know how to do things differently, we’re bad at using this type of talent, we’ve been doing it this way for 50 years, and it worked well for dropping bombs.”

    America’s offensive hacking has, by all appearances, gotten less aggressive and less nimble over the past half decade, Schneider points out. Starting in 2018, for instance, General Paul Nakasone, then the head of Cyber Command, advocated a “defend forward” strategy aimed at taking cyber conflict to the enemy’s network rather than waiting for it to occur on America’s turf. In those years, Cyber Command launched disruptive hacking operations designed to cripple Russia’s disinformation-spouting Internet Research Agency troll farm and take down the infrastructure of the Trickbot ransomware group, which some feared at the time might be used to interfere in the 2020 election. Since then, however, Cyber Command and other US military hackers appear to have gone relatively quiet, often leaving the response to foreign hackers to law enforcement agencies like the FBI, which face far more legal constraints.

    Caceres isn’t entirely wrong to criticize that more conservative stance, says Jason Healey, who until February served as a senior cybersecurity strategist at the US Cybersecurity and Infrastructure Security Agency. He responds to Caceres’ cyberhawk arguments by citing the Subversive Trilemma, an idea laid out in a 2021 paper by the researcher Lennart Maschmeyer: Hacking operations have to choose among intensity, speed, and control. Even in earlier, more aggressive years, US Cyber Command has tended to turn up the dial for control, Healey says, prioritizing it over those other variables. But he notes there may in fact be certain targets—such as ransomware gangs or hackers working for Russia’s no-holds-barred GRU military intelligence agency—who might warrant resetting those dials. “For those targets,” says Healey, “you really can release the hounds.”

    P4x Is Dead, Viva P4x

    As for Caceres himself, he says he’s not opposed to American hacking agencies taking a conservative approach to limiting their damage or protecting civilians—as long as they take action. “There’s being conservative,” he says, “and then there’s doing fuck all.”

    On the argument that more aggressive cyberattacks would lead to escalation and counterattacks from foreign hackers, Caceres points to the attacks those foreign hackers are already carrying out. The ransomware group AlphV’s catastrophic attack on Change Healthcare in February, for instance, crippled medical claim platforms for hundreds of providers and hospitals, effects about as disruptive for civilians as any cyberattack can be. “That escalation is already happening,” Caceres says. “We’re not doing anything, and they’re still escalating.”

    Caceres says he hasn’t entirely given up on convincing someone in the US government to adopt his more gloves-off approach. Ditching the P4x handle and revealing his real name is, in some sense, his last-ditch attempt to get the US government’s attention and restart the conversation.

    But he also says he won’t be waiting for the Pentagon’s approval before he continues that approach on his own. “If I keep going with this alone, or with just a few people that I trust, I can move a lot faster,” he says. “I can fuck shit up for the people who deserve it, and I don’t have to report to anyone.”

    The P4x handle may be dead, in other words. But the P4x doctrine of cyberwarfare lives on.

    Andy Greenberg
