Fake social media accounts spread pro-Iran messages during U.S. midterms: FireEye

FILE PHOTO: A staff member removes the Iranian flag from the stage after a group picture with foreign ministers and representatives of the U.S., Iran, China, Russia, Britain, Germany, France and the European Union during Iran nuclear talks at the Vienna International Center in Vienna, Austria, July 14, 2015. REUTERS/Carlos Barria

By Christopher Bing

(Reuters) – A network of fake social media accounts impersonated political candidates and journalists to spread messages in support of Iran and against U.S. President Donald Trump around the 2018 congressional elections, cybersecurity firm FireEye said on Tuesday.

The findings show how unidentified, possibly government-backed, groups could manipulate social media platforms to promote stories and other content that can influence the opinions of American voters, the researchers said.

This particular operation was largely focused on promoting “anti-Saudi, anti-Israeli, and pro-Palestinian themes,” according to the report by FireEye.

The campaign was organized through a series of fake personas that created various social media accounts, including on Twitter and Facebook. Most of these accounts were created last year and have since been taken down, the report said.

Spokespersons for Twitter and Facebook confirmed FireEye’s finding that the fake accounts were created on their platforms.

Lee Foster, a researcher with FireEye, said he found some of the fake personas – often masquerading as American journalists – had successfully convinced several U.S. news outlets to publish letters to the editor, guest columns and blog posts.

These writings displayed both progressive and conservative views, the report said, covering topics including the Trump administration’s designation of Iran’s Islamic Revolutionary Guard Corps (IRGC) as a terrorist organization.

“We’re assessing with low confidence that this network was organized to support Iranian political interests,” said Foster. “However, we’re not at the point where we can say who was doing it or where it’s coming from. The investigation is ongoing.”

Before the 2018 midterm elections, the nameless group created Twitter accounts that also impersonated both Republican and Democratic congressional candidates. It is unclear if the fake accounts had any effect on their campaigns.

The imposter Twitter accounts often plagiarized messages from the politicians’ legitimate accounts, but also mixed in posts voicing support for policies believed to be favorable to Tehran. Affected politicians included Jineea Butler, a Republican candidate for New York’s 13th District, and Marla Livengood, a Republican candidate for California’s 9th District. Both Livengood and Butler lost in the election.

Livengood’s campaign called the situation “clearly an attempt by bad actors” to hurt her campaign, and noted that Livengood was “a strident opponent of nuclear weapons in Iran.”

Butler could not be immediately reached for comment.

Twitter said in a statement that it had “removed this network of 2,800 inauthentic accounts originating in Iran at the beginning of May,” adding that its investigation was ongoing.

Facebook said it had removed 51 Facebook accounts, 36 Pages, seven Groups and three Instagram accounts connected to the influence operation. Instagram is owned by Facebook.

The activity on Facebook was less expansive than that on Twitter and it appeared to be more narrowly focused, said Facebook head of cybersecurity policy Nathaniel Gleicher. The inauthentic Facebook accounts instead often privately messaged high-profile figures, including journalists, policy-makers and Iranian dissidents, to promote certain issues.

Facebook also concluded the activity had originated in Iran.

(Reporting by Christopher Bing; editing by Rosalba O’Brien and Susan Thomas)

Tech firms, including Microsoft, Facebook, vow not to aid government cyber attacks

Silhouettes of mobile users are seen next to a screen projection of Microsoft logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration

By Dustin Volz

SAN FRANCISCO (Reuters) – Microsoft, Facebook and more than 30 other global technology companies on Tuesday announced a joint pledge not to assist any government in offensive cyber attacks.

The Cybersecurity Tech Accord, which vows to protect all customers from attacks regardless of geopolitical or criminal motive, follows a year that witnessed an unprecedented level of destructive cyber attacks, including the global WannaCry worm and the devastating NotPetya attack.

“The devastating attacks from the past year demonstrate that cyber security is not just about what any single company can do but also about what we can all do together,” Microsoft President Brad Smith said in a statement. “This tech sector accord will help us take a principled path toward more effective steps to work together and defend customers around the world.”

Smith, who helped lead efforts to organize the accord, was expected to discuss the alliance in a speech on Tuesday at the RSA cyber security conference in San Francisco.

The accord also promised to establish new formal and informal partnerships within the industry and with security researchers to share threats and coordinate vulnerability disclosures.

The pledge builds on an idea for a so-called Digital Geneva Convention Smith rolled out at last year’s RSA conference, a proposal to create an international body to protect civilians from state-sponsored hacking.

Countries, Smith said then, should develop global rules for cyber attacks similar to those established for armed conflict at the 1949 Geneva Convention that followed World War Two.

In addition to Microsoft and Facebook, 32 other companies signed the pledge, including Cisco, Juniper Networks, Oracle, Nokia, SAP, Dell and cyber security firms Symantec, FireEye and Trend Micro.

The list of companies does not include any from Russia, China, Iran or North Korea, widely viewed as the most active in launching destructive cyber attacks against their foes.

Major U.S. technology companies Amazon, Apple, Alphabet and Twitter also did not sign the pledge.

(Reporting by Dustin Volz; Editing by Dan Grebler)

Lesser-known North Korea cyber-spy group goes international: report

Binary code is seen on a screen against a North Korean flag in this illustration photo November 1, 2017. REUTERS/Thomas White/Illustration

By Eric Auchard

FRANKFURT (Reuters) – A North Korean cyber espionage group previously known only for targeting South Korea’s government and private sector deepened its sophistication and hit further afield including in Japan and the Middle East in 2017, security researchers said on Tuesday.

Cyber attacks linked by experts to North Korea have targeted aerospace, telecommunications and financial companies in recent years, disrupting networks and businesses around the world. North Korea rejects accusations it has been involved in hacking.

U.S. cyber security firm FireEye said the state-connected Reaper hacking organization, which it dubbed APT37, had previously operated in the shadows of Lazarus Group, a better-known North Korean spying and cybercrime group widely blamed for the 2014 Sony Pictures and 2017 global WannaCry attacks.

APT37 had spied on South Korean targets since at least 2012 but has been observed to have expanded its scope and sophistication to hit targets in Japan, Vietnam and the Middle East only in the last year, FireEye said in a report.

The reappraisal came after researchers found that the spy group showed itself capable of rapidly exploiting multiple “zero-day” bugs – previously unknown software glitches that leave security firms no time to defend against attacks, John Hultquist, FireEye’s director of intelligence analysis, said.

“Our concern is that their (international) brief may be expanding, along with their sophistication,” Hultquist said.

“We believe this is a big thing”.

APT37 has focused on covert intelligence gathering for North Korea, rather than the destructive attacks or financial cyber crime that Lazarus Group and other similar hacking groups have been shown to engage in to raise funds for the regime, it said.

The group appears to be connected to attack groups previously described as ScarCruft by security researchers at Kaspersky and Group123 by Cisco’s Talos unit, FireEye said.

“We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artefacts and targeting that aligns with North Korean state interests,” the security report said.

From 2014 until 2017, APT37 concentrated mainly on South Korean government, military, defense industrial organizations and the media sector, as well as targeting North Korean defectors and human rights groups, the report said.

Since last year, its focus has expanded to include an organization in Japan associated with the United Nations missions on human rights and sanctions against the regime and the director of a Vietnamese trade and transport firm.

Its spy targets included a Middle Eastern financial company as well as an unnamed mobile network operator, which FireEye said had provided mobile phone service in North Korea until business dealings with the government fell apart.

FireEye declined to name the firm involved, but Egypt’s Orascom (OTMT.CA) provided 3G phone service in the country via a joint venture from 2002 to 2015, until the North Korean regime seized control of the venture, according to media reports.

Asked for comment, a spokeswoman for Orascom said she had no immediate knowledge of the matter and was looking into it.

(Reporting by Eric Auchard, and Nadine Awadalla in Cairo, Editing by William Maclean)