Wednesday, 18 January 2017

Largest National Health Service in UK Faces Cyber Attack



The Barts Health NHS Trust in London, UK, suffered an unspecified ‘IT attack’ on 13 January. First reports suspected a ransomware attack, but that has since been ruled out. Nevertheless, the trust has taken a number of drives offline as a precautionary measure.

Barts Health (Wikipedia) is the largest National Health Service (NHS) trust in London, United Kingdom. It operates five hospitals in London: Newham University Hospital, Mile End Hospital, St. Bartholomew’s Hospital in Smithfield in the City, The Royal London Hospital in Whitechapel, and Whipps Cross University Hospital.

The Health Service Journal (HSJ) reported on Friday (subscription required) that “The largest NHS hospital trust in England has been infected with ransomware, causing it to take its pathology service offline, HSJ can reveal.”

The claim was based on reports of an internal email warning employees that the trust was suffering a “ransomware virus attack issue,” which was followed by an afternoon communication warning that three of the trust’s four hospitals had engaged “operating downtime procedures” for their pathology systems.

However, at the time of this report, the only official statement from Barts rules out ransomware. “On 13 January Barts Health became aware of an IT attack,” it states. “We continue to urgently investigate this matter and have taken a number of drives offline as a precautionary measure. Importantly, we can now rule out ransomware as the root cause. We have also established that in addition to the Trust’s core clinical system Cerner Millennium, Radiology and imaging from X-rays and scans continue to be used as normal. We have tried and tested contingency plans in place and are making every effort to ensure that patient care will not be affected.”

The nature of the attack is yet to be specified. It is not yet known whether it was an attempt to steal confidential data or just a virus or worm infection spreading through Barts’ networks.

TinfoLeak – Full Information About A Twitter User’s Activity


Tinfoleak is an open-source OSINT tool for Twitter, and one of the best available. The latest version includes a number of new and improved features.

Download & Install

Download and install Tinfoleak. Enter the Twitter username/ID to get the details.

Screenshot: tinfoleak

Tuesday, 17 January 2017

Russian Hackers At It Again Over Brits


Russian hackers get blamed for everything these days – from Hillary Clinton’s loss of the presidential election in November to, most recently, the leak online of the final episode of the BBC drama Sherlock a day before it was due to air. Russian state broadcaster Channel One blamed hackers for the leak of the final episode of the fourth series of the popular detective drama starring Benedict Cumberbatch on Saturday, complete with Russian dubbing.

It was shown just after midnight Moscow time Monday, simultaneously with Britain.

In a rare show of cooperation, spokeswoman Larisa Krymova said Channel One “has been in close contact with the BBC from the moment it learnt of the leak and is carrying out an investigation to identify the source of the material uploaded onto the Internet.”


The BBC reportedly said on Sunday that it had launched a full investigation, with a source at the corporation claiming that the leak was “more than an accident.”

On Russian-language Twitter, hashtags and jokes about the leak were trending over the weekend. “That moment when the Russians have watched your show before you,” wrote one Twitter user, nfzaz1995.

Hackers Found A Way To Bypass Google Security And Watch Porn On YouTube


Hackers have found a simple trick to bypass Google’s stringent policy on hosting sexual and pirated content via its YouTube service. These Internet scoundrels are uploading illegal and inappropriate content to the streaming provider, and YouTube is undergoing a serious crackdown to stop the secret porn and stolen content rush.

A report from the website Torrent Freak explains how users are able to trick Google’s high-end Content-ID security system by simply listing an uploaded video as “private” content. These unlisted videos are then given direct links with content coming straight from Google’s servers. Typically, Content-ID has checks and balances in place to note what kind of content is going onto the site.

While YouTube has a host of pirated videos, albums, and movies, the stashing of porn via the site has seen a recent uptick.

This hosting hack has given rise to adult sites using Google’s servers to host their illegal content. The direct links grabbed from the uploads are then embedded on other websites, pulling content directly from YouTube on the back end and giving the pirates endless opportunities to stream unbeknownst to Google or, if the content is pirated, to the original owners.

Google has been doing its best to take down the adult content as it discovers it, but the task is arduous at best. Locating the content has proven difficult, and unless the original owners say something, the company is unable to identify many of the videos.

No reports or data are available as of yet to determine how likely it is that this hosted pornographic content will show up. If you have kids or otherwise don’t wish to see this type of content during your YouTube viewing sessions, there are a number of tips online on browsing safely. Still, due to the nature of this type of security breach, results could be unexpected and random.

Source: yahoo.com

How to Access WhatsApp from Linux Desktop


WhatsApp is one of the most used instant messaging apps available today. It is used by more than a billion people around the globe. One of the key reasons for its success is its simple, snappy interface.

We use WhatsApp from various devices, and with the inclusion of WhatsApp Web, using it on the desktop has become very convenient for many people like me, since we don’t have to constantly take our eyes off the monitor. To access WhatsApp Web, open https://web.whatsapp.com/ in your browser and synchronise it with your WhatsApp account on your mobile device. This method works on all platforms, including Mac, Windows and Linux.

Whatsie

Whatsie is another app that allows you to access WhatsApp from your Linux desktop. It is actually a cross-platform app, so it is not limited to Linux; Windows and Mac users can use it as well.

For the Linux platform, Whatsie offers two major packages: DEB (Debian-based distros) and RPM (Red Hat-based distros). This article shows how to use Whatsie on Ubuntu 16.10.


  • First, download the DEB package of Whatsie here.
  • Open up your terminal and go to the directory where you downloaded the Whatsie package.
  • Run the following command to install Whatsie:


sudo dpkg -i whatsie-2.1.0-linux-amd64.deb


  • Once Whatsie is installed, launch the app to get started.

  • As you can see from the screenshot above, WhatsApp offers a QR code as the method to synchronise. Open WhatsApp on your mobile device, head to the three-dots icon in the top right corner and tap WhatsApp Web (I use Android in this case).
  • Scan the QR code shown in the desktop WhatsApp app. Wait a moment and all of your WhatsApp conversations will be available in the desktop app.

Hackers Target Putin’s Website Thousands of Times A Day


A Russian official revealed that Russia faces hundreds and sometimes thousands of cyberattacks every day, many of them launched from the United States.

Russia is the country most often blamed for cyber attacks on other nations; the United States claims that the Kremlin tried to disrupt its 2016 election process. But the country’s Security Council head Nikolay Patrushev said that Russia itself is a target for hackers.

In a public statement, Patrushev said that the US authorities’ accusations that Russia hacked their systems are unsupported by proof and are simply false allegations.

“Obama’s administration accuses Russia of hacking attacks without giving any proof, but deliberately ignores the fact that all major internet servers are located on US territory and are used by Washington for intelligence and other purposes aimed at retaining [US] dominance in the world,” he said.

Moreover, the Russian official said that his country itself is a target for hackers, who are always trying to break into the Kremlin government’s computers to steal data.

“Recently we noted a great increase in attempts to inflict harm on Russia’s informational systems from the external forces,” he stated.

President Vladimir Putin is also one of the popular targets for hackers, and his website is continuously under attack, Patrushev revealed. There are days when the number of cyber attacks launched against Putin’s website exceeds one thousand, he said, and many of these attempts are launched from Europe, the United States, China or India.

“However, it does not lead to a situation when we say that we know [US President Barack] Obama ordered [this attack] and the White House is behind it,” he continued.

Sunday, 8 January 2017

The world's largest Blue Screen of Death



It's a scene straight out of a failed "Blade Runner" reboot.

A Facebook photo posted by Blake Sibbit shows what could be the biggest Blue Screen of Death (BSOD) known to man, all five stories of it.

The gigantic Windows error was spotted on the outdoor digital billboard of the CentralFestival Pattaya Beach shopping mall, a sprawling complex in Pattaya, Thailand.

Windows users are all too familiar with random BSODs, those sudden PC crashes that seem to come out of nowhere, locking you out with cryptic white-on-blue text stuffed chock full of technical gibberish.

Simply put, a BSOD means your Windows machine has a "problem."

In this humongous instance in Thailand, the error seems to be in the "ftser2k.sys" device driver. A little Google-Fu tells us that this file is associated with a USB-to-Serial device driver provided by Future Technology Devices International (FTDI).

Giant digital billboards are supposed to entice people to buy big. Shoppers were treated with a wonderwall of fail instead.

By the way, Microsoft revamped the Blue Screen of Death since Windows 8. It looks something like this:


Obviously, the Pattaya Beach shopping mall has not updated to the latest and greatest operating system that Microsoft has to offer. Too bad they're missing out on the Anniversary Update. (Note: Windows 10 has its own fair share of issues, like killing webcams.)

Hmm, we hope they're not running their serial dot-matrix printers through Windows XP. If that's the case, then a busted billboard is the least of their problems.

Time to call the IT support team of giant replicants, Mr. Deckard?

Google’s First Move in 2017, Patches 22 Critical Vulnerabilities in Android



On Tuesday, Google released its first Android Security Bulletin for 2017. The bulletin says Google patched a total of 95 vulnerabilities in the operating system, 22 of them rated Critical. About 50 of these bugs are elevation of privilege flaws.

As has been the practice over the past several months, the January bulletin is split in two, which makes it easier for manufacturers to sort out the patches: the 2017-01-05 security patch level addresses 72 bugs affecting drivers and other ODM software, while the 2017-01-01 security patch level resolves 23 issues affecting various Android components.

Among the 22 Critical vulnerabilities, a remote code execution flaw was resolved in Mediaserver, one of the most affected Android components. Since Google kicked off the monthly patch program in the summer of 2015, several Critical issues have been found in Mediaserver, starting with the infamous Stagefright and followed by a second Stagefright vulnerability a few months later.

The remaining 21 Critical flaws patched this month include Elevation of privilege issues affecting the kernel memory subsystem, Qualcomm bootloader, kernel file system, NVIDIA GPU driver, MediaTek driver, Qualcomm GPU driver, and Qualcomm video driver. Three other Critical vulnerabilities were patched in various Qualcomm components, Google’s advisory reveals.

While only one of the 23 vulnerabilities addressed in the 2017-01-01 security patch level was rated Critical, 14 of them were rated High severity. These included Remote code execution bugs in c-ares and Framesequence; Elevation of privilege vulnerabilities in Audioserver, Framework APIs, libnl, and Mediaserver; an Information disclosure vulnerability in External Storage Provider; and Denial of service flaws in Mediaserver, core networking, and Telephony.

Eight of the bugs resolved by this security patch level were Medium risk: an Elevation of privilege vulnerability in Contacts, two Information disclosure vulnerabilities in Mediaserver, and five Information disclosure issues in Audioserver.

DragonOK Hackers Group From China Is Now Expanding Their Operations



DragonOK, a China-linked hacking group, has updated its toolset. Based on the new decoy documents it uses in attacks, researchers concluded that the group is expanding its territory to Russia and Tibet.

FireEye first published an article on DragonOK’s activities in September 2014. At the time, the security firm said the group was focusing on high-tech companies in Japan and Taiwan and that its goal was to collect money as ransom.

DragonOK has attacked many organisations in Japan, which is now considered the group’s main target, across several industries including manufacturing, technology, energy, higher education and semiconductors, Palo Alto Networks said in a blog post published on Thursday.

A piece of malware used by the group, named “Sysget,” was delivered in attacks on Taiwan. The same security firm identified three new versions of Sysget, all improved over the previous generation in ways that make them harder to detect and analyse.

Sysget was delivered using phishing emails, through specially crafted documents set up to exploit CVE-2015-1641, one of the most widely used Microsoft Office vulnerabilities to date. CVE-2015-1641 is known to have been exploited by APT actors that focus on East Asia.

The group also targeted Taiwan with a piece of malware named “IsSpace.” This Trojan is believed to be an evolution of the NFlog backdoor, which has been used by both DragonOK and a different China-based threat group tracked as Moafee. IsSpace was previously seen in a watering hole attack targeting an aerospace company, but the samples spotted recently appear to have been updated.

Steghide – Tool To Find Hidden Information And Password In A File



Steghide is a steganography tool that hides information in a file under a passphrase; the script described here runs a brute-force attack against such a file to recover the passphrase.

System Requirements

  • Linux operating system
  • Steghide
  • Python


Download and Install

Step 1: Download and install Steghide from GitHub or enter the following command on your Linux terminal:

git clone https://github.com/Va5c0/Steghide-Brute-Force-Tool.git

Step 2: Now run the script by typing:

python steg_brute.py [option] [-f file]

For more instruction type:

python steg_brute.py -h

British Intelligence Provided A Major Tip-off To The United States


The UK’s involvement came to light after the US intelligence community published an unclassified version of a report that accused Russian President Vladimir Putin of ordering a multi-pronged operation to influence the election.

In their report released on Friday, the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) concluded that the Russian government “sought to help” Republican Donald Trump by hacking various Democratic Party organizations and operatives as well as running a smear campaign against his Democratic rival, Hillary Clinton.

Citing “two people familiar with the conclusions” of the assessment, The New York Times reported that British intelligence was “among the first” to alert their American counterparts that Russian hackers had infiltrated the computer servers of the Democratic National Committee (DNC).

The breach of email exchanges among senior Democrats was spotted from voice intercepts, computer traffic and agents outside the US as emails and other data from the DNC flowed toward Moscow. British officials were as concerned as their US counterparts over the extent of contacts between Trump aides and Moscow and by the president-elect’s pro-Russia stance.

However, those officials are now finding themselves in an awkward position as the government of Prime Minister Theresa May is trying to solidify ties with the incoming Trump administration, in part to compensate for the UK’s divorce from the European Union, according to The Guardian.

Trump downplayed Russia’s role in the election after he was briefed on the issue by senior intelligence officials on Friday afternoon, saying any attempt to hack Democratic groups had “absolutely no effect on the outcome of the election.”

The president-elect also tweeted Saturday that Democrats were making a lot of “noise” about Russia’s alleged campaign because they were “embarrassed” by the election results.

Source: presstv.com

Hackers Add More Games To NES Classic Edition


Hackers have figured out a way to score even more games that will make you nostalgic for the way gaming used to be. According to Ars Technica, hackers in Japan and Russia have discovered a modification that allows users to add new classic games.

First, you need to create a save file in Super Mario Bros, which you’ve probably already done anyway. Then, connect the NES Classic to a computer with a micro-USB cable and boot it in “FEL” mode (hold the reset button while pushing the power button).

Then, as Ars Technica writes:

"While you’re booting, you should also run a “sunxi-FEL” interface on your computer. (An open-source version of compatible “USBBoot” software can be found here.) The rest of the steps land firmly in “operate at your own risk” territory, as they require copying your NES Classic’s internal data to your computer, then modifying and adding files via an application made by hackers. Doing so, by the way, includes the dubious step of supplying your own ROM files, which you may have either dumped from your own cartridges or downloaded from other Internet users. One tool linked from that Reddit community, however, comes with two open-source NES ROMs that are in the legal free-and-clear to upload to your hardware."

"Once you’ve added your own game files, which should also include custom JPGs that will appear in the NES Classic’s “box art” GUI, you’ll have to repack the hardware’s kernel, then fully flash the hardware yourself. (Again, we remind you, these kinds of technical steps can result in a bricked NES Classic if anything unexpected happens.) Do all of those steps correctly, and you’ll see every single game you’ve added appear in the slick, default interface."

Monday, 2 January 2017

Hackers May Have Hacked South Korea’s Military Cyber Command



South Korea’s military cyber command, established to counter external hacking attempts on the country’s military, may have been hacked, according to reports from South Korea’s Yonhap news agency.

“It seems the server of the cyber command has been hacked,” an official at the South Korean military said on condition of anonymity. “We have to go through additional checkups to confirm the cyberattack and to find out who launched the cyberattack and what data have been leaked.”

The latest allegation comes after Rep. Kim Jin-pyo, a lawmaker of the main opposition Democratic Party of Korea, claimed that the cyber command was hacked in September.

He told Yonhap News Agency two months ago that the hacking targeted the “vaccine routing server” installed at the cyber command.

Kim, who is a member of the parliament’s national defense committee, said at the time that malicious code had been found which appeared to have taken advantage of a vulnerability in the routing server.

The server is tasked with security for the computers that the military uses for internet connections.

Nearly 20,000 military computers are connected to the server.

Kim said in October that chances are “very low” that the hacking led to a leak of confidential information, given that the military’s intranet is not connected to the server.

The defense ministry later announced that the malicious code had been identified and removed and that, as a precautionary measure, it had separated the server from the network.

According to the source, there is a possibility that the military’s intranet may have been compromised due to the hacking which could force South Korea to rewrite its military operation plans.

Samsung Has Made Knox Software Free



Samsung has dropped the price of its Knox mobile device management (MDM) suite to zero.

You don’t get all of Knox for that price, as $0 is what you’ll pay for a new “Express” version of the service offering basic MDM features such as a cloud management portal and the ability to create a password-protected partition in which employer-provisioned apps and data are accessible. Outfits with more than 250 devices to manage will need the new dollar-a-month “Premium” edition, which adds Active Directory integration, application white- and blacklisting, and the ability to manage mobile devices according to centralised policies.

For those of you who don’t know, Samsung KNOX Enterprise Mobility Management (EMM) is a complete set of cloud-based MDM, Identity Access Management (IAM) and security services for efficient and convenient enterprise mobility management. These services extend to cross-platform devices and enable users to easily access mobile apps with a single click using Single Sign-On (SSO). Businesses can provide IT administrators remote control of user devices and applications through KNOX EMM Admin Portal, or allow employees to manage their own devices with the KNOX EMM User Portal.

Malware Easily Bricked The Smart TV Running Google TV


There’s a good chance you don’t remember Google’s own smart TV platform, Google TV, and although it was pretty much a failure, there are still people out there who actually bought devices running it.

The number of TVs powered by Google TV, however, is declining, and this Christmas, for example, at least one smart TV went dark unexpectedly.

Darren Cauthon took to Twitter to reveal that his LG smart TV running Google TV was infected with malware when his family tried to install a movie streaming application. Judging from the photo he posted, this looks like a form of ransomware which requires him to pay to have access to the device restored.

But since the ransomware wasn’t necessarily developed for TVs, but for Android devices such as tablets and smartphones, it’s now completely bricked and no workaround seems to be able to restore it. Booting obviously leads to the same ransomware notification and other options are not available given the limited input on a TV.

The only thing that could work is flashing the stock firmware, which is only possible with the firmware image provided by LG. Oddly enough, LG isn’t willing to help the owner remove the ransomware from his TV unless he pays, and according to his tweets, he could easily buy a new TV with the money the company is asking for servicing.

The cost of removing the malware by flashing the stock firmware is $340, which, given the fact that this is an old TV running a platform that’s no longer supported, makes absolutely no sense.

This doesn’t necessarily mean that all smart TVs in general, or smart TVs running Android in particular, are bad because this kind of thing shouldn’t normally happen anyway, at least when owners stay away from apps they don’t trust.

Major Cyber Attack on OSCE, The Organisation Says



The Organization for Security and Co-operation in Europe, an international election and war monitor, said Wednesday it had become the latest global institution to suffer a “major” cyber attack.

The Vienna-based OSCE has its origins in the Cold War but after 1991 it expanded and now has 57 member states including the United States, Russia and Ukraine.

It currently has 700 monitors focused on the conflict in eastern Ukraine and is also active in observing elections and tracking media freedom.

OSCE spokeswoman Mersiha Causevic Podzic told AFP in an email that it “became aware of a major information security incident” in early November.

The attack “compromised the confidentiality” of the organisation’s IT network and put “its integrity at risk”, although it was still able to operate, she said.

According to French daily Le Monde, which first reported the incident, a Western intelligence agency believes that the Russian hacking group APT28 was behind the attack.

This group, also known as Pawn Storm, Sofacy and Fancy Bears, is believed to be behind other high-profile cyber attacks and to be linked to Russia’s security services.

The OSCE said “the way in which the attacker accessed the OSCE was identified, as have some of the external communication destinations”.

France’s ambassador to the OSCE played down the dangers from the attack, saying officials in Vienna — long seen as a hotbed of espionage — are trained to be aware of the risks.

“Diplomats at the OSCE are warned that attempted spying, in whatever form, is part and parcel of this organisation,” Veronique Roger-Lacan told AFP.

But cyber attacks by criminals and governments are on the rise, with states and firms spending billions of dollars to defend and arm themselves.

The issue has become contentious between the United States and Russia, with the latter alleged to have hacked party computers and leaked documents during the US election campaign.

The White House has said Russian President Vladimir Putin was directly involved and President Barack Obama has vowed Washington will retaliate “at a time and place of our own choosing”.

Korea’s Military Cyber Command Hacked


A lawmaker said on Saturday that “South Korea’s cyber command, established to counter external hacking attempts on the country’s military, was found to have been hacked last month,” raising speculation that North Korea might be behind the latest cyber attack.

Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command. Kim is a member of the parliament’s national defense committee.

“A malicious code has been identified and it seems to have taken advantage of the vulnerability of the routing server,”

“In a cautious measure, the server has been separated from the network.”

The server is tasked with security on the computers that the military uses for Internet connections. More than 20,000 military computers are known to be connected to the server. Kim said that chances are “very low” that the latest hacking led to a leak of confidential information, given that the military’s intranet is not connected to the server.

An investigation is underway to figure out where the hacking originated. He said that it has yet to be confirmed whether the North was involved but noted that military authorities are leaving that possibility on the table.

The defense ministry later confirmed the hacking of the cyber command and is working to figure out how the malicious code got into the system. Despite the incident, he said that the military Internet system remains up and running.

Serious PHP Design Issues Found Behind PHPMailer and SwiftMailer Flaws


Experts have determined that the remote code execution vulnerabilities affecting the PHPMailer and SwiftMailer email-sending libraries are caused by PHP design flaws.

Researcher Dawid Golunski from Legal Hackers recently discovered that PHPMailer has a critical flaw that can be exploited by a remote, unauthenticated attacker for arbitrary code execution in the context of the web server user. The weakness, exploitable by submitting specially crafted input through contact and registration forms, can allow an attacker to completely take over the targeted web application.

PHPMailer developers attempted to patch the vulnerability (CVE-2016-10033) with the release of version 5.2.18. However, Golunski determined that the fix could be bypassed. The new flaw (CVE-2016-10045) was patched on December 28 with the release of version 5.2.20.

In the meantime, the researcher found the same security hole in the SwiftMailer library (CVE-2016-10074). SwiftMailer developers included a fix for the vulnerability in version 5.4.5, released on December 29, but it may not be complete either.

Researcher Paul Buonopane believes that CVE-2016-10033, CVE-2016-10045 and CVE-2016-10074 are just the tips of the iceberg as they are caused by PHP design flaws that could expose many applications.

The issues, according to Buonopane, revolve around the lack of proper input sanitization, particularly related to the PHP functions escapeshellarg and escapeshellcmd. escapeshellcmd is designed to escape characters that might be used to trick a shell command into executing arbitrary commands, while escapeshellarg escapes a string that will be used as a shell argument.

Buonopane has pointed out that the escapeshellarg function is incomplete and escapeshellcmd was never meant to sanitise user input, which leaves room for abuse. The expert said PHP developers have known about some of the issues surrounding the problematic functions for several years.

“The underlying vulnerability is really a design flaw and will take many years to fix. That cannot begin without the active participation of the greater PHP community,” Buonopane said.

Both PHPMailer and SwiftMailer are very popular. PHPMailer is used by projects such as WordPress, Drupal and Joomla, while the SwiftMailer library is leveraged by PHP frameworks such as Yii2, Laravel and Symfony. While disclosures have focused on PHPMailer and SwiftMailer, Buonopane believes nearly all other PHP email libraries are affected by these vulnerabilities.
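As an added illustration (not code from the advisories or from either library): a Python re-implementation of PHP's escapeshellcmd() rules, used to show why escaping an already assembled command string, as PHP's mail() does with its additional_parameters, still leaves room for extra shell arguments when the input is an RFC-valid quoted-local-part address, alongside the allow-list check and argv-style invocation a hardened caller would use instead. The sendmail path and the sample addresses are constructed for this example.

```python
from __future__ import annotations

import re
import shlex

# Characters PHP's escapeshellcmd() prefixes with a backslash. Single and double
# quotes are handled separately: only an unpaired quote gets escaped.
_CMD_META = set("&#;`|*?~<>^()[]{}$\\\n\xff")

SENDMAIL = "/usr/sbin/sendmail"  # assumed path, constructed for the example


def php_escapeshellcmd(s: str) -> str:
    """Port of PHP's escapeshellcmd() (written for this example).

    It stops command chaining (; | ` $ ...) but deliberately leaves spaces,
    leading dashes and paired quotes alone, so it cannot stop a value from
    turning into additional arguments of the command it is appended to.
    """
    out = []
    pending = None  # index of the quote that closes the currently open pair
    for i, ch in enumerate(s):
        if ch in ("'", '"'):
            if pending is None and (j := s.find(ch, i + 1)) != -1:
                pending = j          # opening quote of a pair: copied as-is
            elif pending is not None and i == pending:
                pending = None       # closing quote of the pair: copied as-is
            else:
                out.append("\\")     # unpaired quote: escaped
        elif ch in _CMD_META:
            out.append("\\")
        out.append(ch)
    return "".join(out)


def shell_sees(sender: str) -> list[str]:
    """Tokenise, the way /bin/sh would, a sendmail command whose -f parameter
    was escaped with escapeshellcmd (the pattern behind PHP mail()'s
    additional_parameters). A quoted local part such as
    "john\\" doe"@example.com survives escaping, and the escaped quote lets
    the shell close the quoted word early, yielding a fifth argument."""
    return shlex.split(f"{SENDMAIL} -t -i -f{php_escapeshellcmd(sender)}")


# Hardened side: an allow-list of plain dot-atom addresses. Quoted local parts,
# whitespace, quotes and a leading dash are all rejected on purpose, even
# though RFC 5322 (and FILTER_VALIDATE_EMAIL) would accept some of them.
_SAFE_ADDR = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_shell_safe_address(addr: str) -> bool:
    return _SAFE_ADDR.fullmatch(addr) is not None


def safe_sendmail_argv(sender: str) -> list[str]:
    """Build the command as an argv list for subprocess.run(..., shell=False)
    after the allow-list check. The address is one argument and nothing in it
    is ever parsed by a shell, so escaping functions are not needed at all."""
    if not is_shell_safe_address(sender):
        raise ValueError(f"refusing unsafe sender address: {sender!r}")
    return [SENDMAIL, "-t", "-i", "-f" + sender]


if __name__ == "__main__":
    tricky = '"john\\" doe"@example.com'  # constructed quoted-local-part address
    print("escaped :", php_escapeshellcmd(tricky))
    print("shell   :", shell_sees(tricky))
    for addr in ("alice@example.com", tricky, "-oops@example.com"):
        try:
            print("argv    :", safe_sendmail_argv(addr))
        except ValueError as err:
            print("rejected:", err)
```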

Fancy Bear Gang Is Linked To Election Hack, FBI-DHS Reports



In a report released Thursday the Federal Bureau of Investigation and the US Department of Homeland Security implicated Russian hacking group Fancy Bear in attacks against several election-related targets.

According to the Joint Analysis Report, the hacking group Fancy Bear, believed to have ties to the Russian government, used a combination of techniques ranging from spear phishing, spoofed domains and malware to harvest credentials in order to gain access to accounts controlled by a political party.

Attacks against U.S. targets came in two waves starting in the summer of 2015 and as recently as November 2016, according to the report. The FBI-DHS implicates Russian intelligence services who allegedly initiated the attacks via Fancy Bear, also known as Cozy Bear, APT28 and Sofacy.

The 13-page report (PDF) said attackers “masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.” It said hackers aimed “to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”

In June, researchers at Crowdstrike implicated Cozy Bear in hacks against the Democratic National Committee. Crowdstrike said Cozy Bear has also been behind attacks against the White House, State Department and Joint Chiefs of Staff, as well as numerous organizations in critical industries around the Western world, Central Asia and the Far East.

According to the FBI-DHS, the malicious cyber activity, which it designated Grizzly Steppe, began in April 2015 and included a spear phishing campaign that targeted over 1,000 recipients.

“APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spear phishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party,” according to the report.

The spear phishing campaign lured at least one victim to download a file that contained malware that “established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure,” according to the report.