russian hacking


Who are the two major hackers Russia just received in a prisoner swap?

friends in high places —

Both men committed major financial crimes—and had powerful friends.



As part of today’s blockbuster prisoner swap between the US and Russia, which freed the journalist Evan Gershkovich and several Russian opposition figures, Russia received in return a motley collection of serious criminals, including an assassin who had executed an enemy of the Russian state in the middle of Berlin.

But the Russians also got two hackers, Vladislav Klyushin and Roman Seleznev, each of whom had been convicted of major financial crimes in the US. The US government said that Klyushin “stands convicted of the most significant hacking and trading scheme in American history, and one of the largest insider trading schemes ever prosecuted.” As for Seleznev, federal prosecutors said that he has “harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court.”

What sort of hacker do you have to be to attract the interest of the Russian state in prisoner swaps like these? Clearly, it helps to have hacked widely and caused major damage to Russia’s enemies. By bringing these two men home, Russian leadership is sending a clear message to domestic hackers: We’ve got your back.

But it also helps to have political connections. To learn more about both men and their exploits, we read through court documents, letters, and government filings to shed a little more light on their crimes, connections, and family backgrounds.

Vladislav Klyushin

In court filings, Vladislav Klyushin claimed to be a stand-up guy, the kind of person who paid for acquaintances’ medical bills and local monastery repairs. He showed, various letters from friends suggested, “extraordinary compassion, generosity, and civic and charitable commitment.”

According to the US government, though, Klyushin made tens of millions of dollars betting for and against (“shorting”) US companies by using hacked, nonpublic information to make stock trades. He was arrested in 2021 after arriving in Switzerland on a private jet but before he could get into the helicopter that would have taken him to a planned Alps ski vacation.

Klyushin never met his father, he said, a man who drank “excessively” and then was killed during a car theft gone bad when Klyushin was 14. Klyushin’s mother was only 19 when she had him, and the family “occasionally had limited food and clothing.” Klyushin tried to help out by joining the workforce at 13, but he managed to graduate high school, college, and even graduate school, ending up with a doctorate.

After various jobs, including a stint at the Moscow State Linguistic University, Klyushin took a job at M-13, a Moscow IT company that did penetration testing and “Advanced Persistent Threat emulation”—that is, M-13 could be hired to act just like a group of hackers, probing corporate or government cybersecurity. Oddly enough for an infosec company, M-13 also offered investment advice; give them your money and fantastic returns were promised, with M-13 keeping 60 percent of any profits it made.

This was not mere puffery, either. According to the US government, the M-13 team “had an improbable win rate of 68 percent” on its stock trades, and it “generated phenomenal, eight-figure returns,” turning $9 million into $100 million (“a return of more than 900 percent during a period in which the broader stock market returned just over 25 percent,” said the government).

But Klyushin and his associates were not stock-picking wizards. Instead, they had begun hacking Donnelly Financial and Toppan Merrill, two “filing agents” that many large companies use to submit quarterly and annual earnings reports to the Securities and Exchange Commission. These reports were uploaded to the filing agents’ systems several days before their public release. All the M-13 team had to do was liberate the files early, read through them, and buy up stocks of companies that had overperformed while shorting stocks of companies that had underperformed. When the reports went public a few days later and the markets responded to them, the M-13 team made huge returns. Klyushin himself earned several tens of millions of dollars between 2018 and 2020.

To avoid consequences for this flagrantly illegal behavior, all Klyushin had to do was stay in Russia—or, at least, not visit or transit through a country that might extradite him to the US—and he could keep buying up yachts, cars, and real estate. That’s because Russia—along with China and Iran, the largest three sources of hackers who attack US targets—doesn’t do much to stop attacks directed against US interests. As the US government notes, none of these governments “respond to grand jury subpoenas and rarely if ever provide the kinds of forensic information that helps to identify cybercriminals. Nor do they extradite their nationals, leaving the government to rely on the chance that an indicted defendant will travel.”

But when you have tens of millions of dollars, you often want to spend it abroad, so Klyushin did travel—and got nabbed upon his arrival in Switzerland. He was extradited to the US in 2021, was found guilty at trial, and was sentenced to nine years in prison and the forfeiture of $34 million. It is unclear if the US government was able to get its hands on any of that money, which was stashed in bank accounts around the world.

Klyushin’s fellow conspirators have wisely stayed in Russia, so with his release as part of today’s prisoner swap, all are likely to enjoy their ill-gotten gains without further consequence. One of Klyushin’s colleagues at M-13, Ivan Ermakov, is said to be a “former Russian military intelligence officer” who used to run disinformation programs “targeting international anti-doping agencies, sporting federations, and anti-doping officials.”



The president ordered a board to probe a massive Russian cyberattack. It never did.


This story was originally published by ProPublica.

Investigating how the world’s largest software provider handles the security of its own ubiquitous products.

After Russian intelligence launched one of the most devastating cyber espionage attacks in history against US government agencies, the Biden administration set up a new board and tasked it to figure out what happened—and tell the public.

State hackers had infiltrated SolarWinds, an American software company that serves the US government and thousands of American companies. The intruders used malicious code and a flaw in a Microsoft product to steal intelligence from the National Nuclear Security Administration, National Institutes of Health, and the Treasury Department in what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.”

The president issued an executive order establishing the Cyber Safety Review Board in May 2021 and ordered it to start work by reviewing the SolarWinds attack.

But for reasons that experts say remain unclear, that never happened.

Nor did the board probe SolarWinds for its second report.

For its third, the board investigated a separate 2023 attack, in which Chinese state hackers exploited an array of Microsoft security shortcomings to access the email inboxes of top federal officials.

A full, public accounting of what happened in the SolarWinds case would have been devastating to Microsoft. ProPublica recently revealed that Microsoft had long known about—but refused to address—a flaw used in the hack. The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the US government vulnerable, a whistleblower said.

The board was created to help address the serious threat posed to the US economy and national security by sophisticated hackers who consistently penetrate government and corporate systems, making off with reams of sensitive intelligence, corporate secrets, or personal data.

For decades, the cybersecurity community has called for a cyber equivalent of the National Transportation Safety Board, the independent agency required by law to investigate and issue public reports on the causes and lessons learned from every major aviation accident, among other incidents. The NTSB is funded by Congress and staffed by experts who work outside of the industry and other government agencies. Its public hearings and reports spur industry change and action by regulators like the Federal Aviation Administration.

So far, the Cyber Safety Review Board has charted a different path.

The board is not independent—it’s housed in the Department of Homeland Security. Rob Silvers, the board chair, is a Homeland Security undersecretary. Its vice chair is a top security executive at Google. The board does not have full-time staff, subpoena power or dedicated funding.

Silvers told ProPublica that DHS decided the board didn’t need to do its own review of SolarWinds as directed by the White House because the attack had already been “closely studied” by the public and private sectors.

“We want to focus the board on reviews where there is a lot of insight left to be gleaned, a lot of lessons learned that can be drawn out through investigation,” he said.

As a result, there has been no public examination by the government of the unaddressed security issue at Microsoft that was exploited by the Russian hackers. None of the SolarWinds reports identified or interviewed the whistleblower who exposed problems inside Microsoft.

By declining to review SolarWinds, the board failed to discover the central role that Microsoft’s weak security culture played in the attack and to spur changes that could have mitigated or prevented the 2023 Chinese hack, cybersecurity experts and elected officials told ProPublica.

“It’s possible the most recent hack could have been prevented by real oversight,” Sen. Ron Wyden, a Democratic member of the Senate Select Committee on Intelligence, said in a statement. Wyden has called for the board to review SolarWinds and for the government to improve its cybersecurity defenses.

In a statement, a spokesperson for DHS rejected the idea that a SolarWinds review could have exposed Microsoft’s failings in time to stop or mitigate the Chinese state-based attack last summer. “The two incidents were quite different in that regard, and we do not believe a review of SolarWinds would have necessarily uncovered the gaps identified in the Board’s latest report,” they said.

The board’s other members declined to comment, referred inquiries to DHS or did not respond to ProPublica.

In past statements, Microsoft did not dispute the whistleblower’s account but emphasized its commitment to security. “Protecting customers is always our highest priority,” a spokesperson previously told ProPublica. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners.”

The board’s failure to probe SolarWinds also underscores a question critics including Wyden have raised about the board since its inception: whether a board with federal officials making up its majority can hold government agencies responsible for their role in failing to prevent cyberattacks.

“I remain deeply concerned that a key reason why the Board never looked at SolarWinds—as the President directed it to do so—was because it would have required the board to examine and document serious negligence by the US government,” Wyden said. Among his concerns is a government cyberdefense system that failed to detect the SolarWinds attack.

Silvers said while the board did not investigate SolarWinds, it has been given a pass by the independent Government Accountability Office, which said in an April study examining the implementation of the executive order that the board had fulfilled its mandate to conduct the review.

The GAO’s determination puzzled cybersecurity experts. “Rob Silvers has been declaring by fiat for a long time that the CSRB did its job regarding SolarWinds, but simply declaring something to be so doesn’t make it true,” said Tarah Wheeler, the CEO of Red Queen Dynamics, a cybersecurity firm, who co-authored a Harvard Kennedy School report outlining how a “cyber NTSB” should operate.

Silvers said the board’s first and second reports, while not probing SolarWinds, resulted in important government changes, such as new Federal Communications Commission rules related to cell phones.

“The tangible impacts of the board’s work to date speak for itself and in bearing out the wisdom of the choices of what the board has reviewed,” he said.



Microsoft network breached through password-spraying by Russian-state hackers



Russian state hackers exploited a weak password to compromise Microsoft’s corporate network and accessed emails and documents that belonged to senior executives and employees working in security and legal teams, Microsoft said late Friday.

The attack, which Microsoft attributed to a Kremlin-backed hacking group it tracks as Midnight Blizzard, is at least the second time in as many years that failures to follow basic security hygiene have resulted in a breach that has the potential to harm customers. One paragraph in Friday’s disclosure, filed with the Securities and Exchange Commission, was gobsmacking:

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.

Microsoft didn’t detect the breach until January 12, exactly a week before Friday’s disclosure. Microsoft’s account raises the prospect that the Russian hackers had uninterrupted access to the accounts for as long as two months.

A translation of the 93 words quoted above: A device inside Microsoft’s network was protected by a weak password with no form of two-factor authentication employed. The Russian adversary group was able to guess it by peppering it with previously compromised or commonly used passwords until they finally landed on the right one. The threat actor then accessed the account, indicating that either 2FA wasn’t employed or the protection was somehow bypassed.

Furthermore, this “legacy non-production test tenant account” was somehow configured so that Midnight Blizzard could pivot and gain access to some of the company’s most senior and sensitive employee accounts.
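The pattern described above, a source trying a handful of common passwords against many accounts rather than hammering one account, is exactly what per-account lockout policies miss, because no single account ever crosses its failure threshold. The following detector is an added example, not code from Microsoft or from the original article. It reads a constructed sign-in log in a hypothetical four-field format (timestamp, source IP, account, result), flags sources whose failures are spread across many distinct accounts with only a few attempts each, and then reports whether that same source later signed in successfully, which is the "foothold" stage in the disclosure. The thresholds and the log format are assumptions chosen for illustration.

```python
"""Password-spray detection over sign-in log lines (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, hypothetical format: "<UTC timestamp> <source IP> <account> <FAIL|SUCCESS>".
# These are not real Microsoft logs; addresses are documentation ranges.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z 203.0.113.7 alice@corp.example FAIL
2023-11-28T02:01:12Z 203.0.113.7 bob@corp.example FAIL
2023-11-28T02:02:30Z 203.0.113.7 carol@corp.example FAIL
2023-11-28T02:03:44Z 203.0.113.7 dave@corp.example FAIL
2023-11-28T02:05:02Z 203.0.113.7 erin@corp.example FAIL
2023-11-28T02:06:19Z 203.0.113.7 legacy-test@corp.example FAIL
2023-11-28T02:40:01Z 203.0.113.7 alice@corp.example FAIL
2023-11-28T02:41:12Z 203.0.113.7 bob@corp.example FAIL
2023-11-28T02:42:30Z 203.0.113.7 legacy-test@corp.example SUCCESS
2023-11-28T03:10:00Z 198.51.100.9 admin@corp.example FAIL
2023-11-28T03:11:00Z 198.51.100.9 admin@corp.example FAIL
2023-11-28T03:12:00Z 198.51.100.9 admin@corp.example FAIL
2023-11-28T03:13:00Z 198.51.100.9 admin@corp.example FAIL
2023-11-28T03:14:00Z 198.51.100.9 admin@corp.example FAIL
2023-11-28T03:15:00Z 198.51.100.9 admin@corp.example FAIL
2023-11-28T03:30:00Z 192.0.2.5 frank@corp.example FAIL
2023-11-28T03:30:20Z 192.0.2.5 frank@corp.example SUCCESS
"""


@dataclass
class SignIn:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[SignIn]:
    """Parse the hypothetical log format into SignIn events; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, result = line.split()
        events.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(hours=1), min_accounts=5, max_fail_per_account=3):
    """Return {source: finding} for sources whose failures fit a spray signature.

    Spray signature: within one sliding window, at least `min_accounts` distinct
    accounts fail and no single account fails more than `max_fail_per_account`
    times. A brute force against one account therefore does not match.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e.ok]
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f.user] += 1
            distinct = len(per_user)
            if distinct >= min_accounts and max(per_user.values()) <= max_fail_per_account:
                candidate = {
                    "distinct_accounts": distinct,
                    "failures": end - start + 1,
                    "window_start": fails[start].ts,
                    "window_end": fails[end].ts,
                }
                if best is None or (distinct, candidate["failures"]) > (best["distinct_accounts"], best["failures"]):
                    best = candidate
        if best is None:
            continue
        # Highest-priority case: the spraying source later authenticated successfully.
        best["successes_after_spray"] = [e.user for e in evs if e.ok and e.ts >= best["window_start"]]
        findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['distinct_accounts']} accounts, {f['failures']} failures, "
              f"successes after spray: {f['successes_after_spray']}")
```

On the constructed data, 203.0.113.7 is flagged (six accounts, eight failures, then a successful sign-in to the legacy test account), while the six-failure brute force on a single account and the user who mistyped once are not. Counting distinct accounts per source is the design choice that matters: per-account counters never reach a lockout threshold during a spray, so the signal lives in the breadth of the attempt, not its depth. In a real tenant the same logic runs over the identity provider's sign-in logs, and the "success after spray" list is what should page someone.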

As Steve Bellovin, a computer science professor and affiliate law prof at Columbia University with decades of experience in cybersecurity, wrote on Mastodon:

A lot of fascinating implications here. A successful password spray attack suggests no 2FA and either reused or weak passwords. Access to email accounts belonging to “senior leadership… cybersecurity, and legal” teams using just the permissions of a “test tenant account” suggests that someone gave that test account amazing privileges. Why? Why wasn’t it removed when the test was over? I also note that it took Microsoft about seven weeks to detect the attack.

While Microsoft said that it wasn’t aware of any evidence that Midnight Blizzard gained access to customer environments, production systems, source code, or AI systems, some researchers voiced doubts, particularly about whether the Microsoft 365 service might be or have been susceptible to similar attack techniques. One of the researchers was Kevin Beaumont, who has had a long cybersecurity career that has included a stint working for Microsoft. On LinkedIn, he wrote:

Microsoft staff use Microsoft 365 for email. SEC filings and blogs with no details on Friday night are great... but they’re going to have to be followed with actual detail. The age of Microsoft doing tents, incident code words, CELA’ing things and pretending MSTIC sees everything (threat actors have Macs too) are over — they need to do radical technical and cultural transformation to retain trust.

CELA is short for Corporate, External, and Legal Affairs, a group inside Microsoft that helps draft disclosures. MSTIC stands for the Microsoft Threat Intelligence Center.
