Security News: Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU)

Source: United States Department of Justice News

Operation Copied and Removed Malware Known as “Cyclops Blink” from the Botnet’s Command-And-Control Devices, Disrupting the GRU’s Control Over Thousands of Infected Devices Worldwide. Victims Must Take Additional Steps to Remediate the Vulnerability and Prevent Malicious Actors From Further Exploiting Unpatched Devices.

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control.

“This court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “By working closely with WatchGuard and other government agencies in this country and the United Kingdom to analyze the malware and to develop detection and remediation tools, we are together showing the strength that public-private partnership brings to our country’s cybersecurity. The department remains committed to confronting and disrupting nation-state hacking, in whatever form it takes.”

“Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” said U.S. Attorney Cindy K. Chung for the Western District of Pennsylvania. “Such activities are not only criminal but also threaten the national security of the United States and its allies. My office remains committed to working with our partners in the National Security Division, the FBI, foreign law enforcement agencies and the private sector to defend and maintain our nation’s cybersecurity.” 

“This operation is an example of the FBI’s commitment to combatting cyber threats through our unique authorities, capabilities, and coordination with our partners,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “As the lead domestic law enforcement and intelligence agency, we will continue pursuing cyber actors that threaten the national security and public safety of the American people, our private sector partners and our international partners.”

“The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computer and launch attacks that threaten Americans’ safety, security and confidence in our digitally connected world,” said Special Agent in Charge Mike Nordwall of the FBI’s Pittsburgh Field Office. “The FBI has an unwavering commitment to combat and disrupt Russia’s efforts to gain a foothold inside U.S. and allied networks.”

On Feb. 23, the United Kingdom’s National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency released an advisory identifying the Cyclops Blink malware, which targets network devices manufactured by WatchGuard Technologies Inc. (WatchGuard) and ASUSTek Computer Inc. (ASUS). These network devices are often located on the perimeter of a victim’s computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks. As explained in the advisory, the malware appeared to have emerged as early as June 2019, and was the apparent successor to another Sandworm botnet called VPNFilter, which the Department of Justice disrupted through a court-authorized operation in 2018.

The same day as the advisory, WatchGuard released detection and remediation tools for users of WatchGuard devices. The advisory and WatchGuard’s guidance both recommended that device owners deploy WatchGuard’s tools to remove any malware infection and patch their devices to the latest versions of available firmware. Later, ASUS released its own guidance to help compromised ASUS device owners mitigate the threat posed by Cyclops Blink malware. The public and private sector efforts were effective, resulting in the successful remediation of thousands of compromised devices. However, by mid-March, a majority of the originally compromised devices remained infected.

Following the initial court authorization on March 18, the department’s operation was successful in copying and removing the malware from all remaining identified C2 devices. It also closed the external management ports that Sandworm was using to access those C2 devices, as recommended in WatchGuard’s remediation guidance (a non-persistent change that the owner of an affected device can reverse through a device restart). These steps had the immediate effect of preventing Sandworm from accessing these C2 devices, thereby disrupting Sandworm’s control of the infected bot devices controlled by the remediated C2 devices. However, WatchGuard and ASUS devices that acted as bots may remain vulnerable to Sandworm if device owners do not take the WatchGuard and ASUS recommended detection and remediation steps. The department strongly encourages network defenders and device owners to review the Feb. 23 advisory and WatchGuard and ASUS releases.

The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. Further, the operation did not involve any FBI communications with bot devices.

Since prior to the Feb. 23 advisory, the FBI has been attempting to provide notice to owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad. For those domestic victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims. As required by the terms of the court authorization, the FBI has provided notice to the owners of the domestic C2 devices from which the FBI copied and removed the Cyclops Blink malware.

The efforts to disrupt the Cyclops Blink botnet were led by the FBI’s Pittsburgh, Atlanta and Oklahoma City Field Offices, the FBI Cyber Division, the National Security Division’s Counterintelligence and Export Control Section, and the U.S. Attorney’s Office for the Western District of Pennsylvania. Assistance was also provided by the Criminal Division’s Computer Crime and Intellectual Property Section and Office of International Affairs, as well as the U.S. Attorney’s Office for the Eastern District of California.

If you believe you have a compromised device, please contact your local FBI Field Office for assistance. The FBI continues to conduct a thorough and methodical investigation into this cyber incident.

Defense News in Brief: NSMRL Lieutenant Helps Bring Diversity to the Navy

Source: United States Navy

During the three-week trip, Babagana and other members of the team visited 12 colleges and high schools across nine cities in Tennessee, Mississippi, and Alabama.

Initiated in February 2021, the JODO program “brings successful naval officers from diverse backgrounds and cultures out of the fleet for a short time, and places them face-to-face with students and community leaders around the country in an effort to show what is possible to achieve through naval service.” As one of the selected JODO representatives, Babagana’s role on the trip was to share his unique journey of how he became a naval officer to students, parents, and teachers.

“I shared stories of how I overcame various barriers and hurdles while navigating my education and scientific training,” said Babagana. “I also provided general awareness of career opportunities available to students historically underrepresented in those fields.”

Although every school visit was unique, Babagana reported that each day would typically start off with formal presentations. “For universities, it was common to set up in the atrium after [the formal presentations] to connect with students in small groups or one-on-one throughout the day. During high school visits we typically presented to classes as they rotated through their periods and stayed after school sometimes for informal interactions. Evenings consisted of networking or community events.”

“Just knowing that I was able to connect with a few students and seeing the impact of those interactions emphasized the importance of [the JODO program’s] efforts, and provides an impetus to support further outreach efforts,” Babagana said.

He described “seeing a student, who had a similar ethnic background as one of the presenters, approach that presenter and exclaim how seeing him in his Navy leadership role gave the student the courage and confidence to also pursue such a career path.” Babagana also valued the chance to speak with extremely bright students about careers in the military that they never considered or knew were available. “Attracting these bright minds will be key to remaining the most innovative and capable military in the world,” he said.

While the JODO program is designed to help recruit racial and ethnic minorities into military service, Babagana reported receiving benefits from the experience as a JODO representative. “By interacting with the various Navy commands and communities participating in these outreach efforts, I was able to learn and experience firsthand the Navy’s multifaceted approach to improving diversity throughout the enlisted and officer ranks.”

When asked what advice Babagana would give to racial and ethnic minorities interested in joining the Navy, he said, “I would advise anyone looking to pursue a specific career path to find a mentor that can help guide them along. Each career path is unique and it can be easy for individuals to make common and, many times, avoidable mistakes. Mentors can help in this effort.” On his selection as a JODO representative, Babagana said, “I was honored to be a part of the junior officers chosen to be the face of the Navy and to participate in student outreach, community events, and community service efforts.” He plans to continue with his research programs while pursuing additional mentorship roles.

NSMRL, a command under the Navy Bureau of Medicine and Surgery, is located at the Naval Submarine Base New London. NSMRL delivers research solutions to promote the health, welfare, and performance of submariners and divers, with the mission to sustain the readiness and superiority of our undersea warriors through innovative health and performance research.

Defense News in Brief: Reserve Sailors Take the Lead During Largest Maritime Exercise in Africa

Source: United States Navy

Among the group, Reserve unit members supporting Commander, U.S. Naval Forces Europe-Africa N5 West Africa (CNE-CNA N5 Africa West), led the organizing for OE22 alongside ally and African partner nations. 

The annual exercise, held from March 6 to 18, is one of three African regional Express series exercises sponsored by U.S. Africa Command (USAFRICOM) and facilitated by U.S. Naval Forces Africa-U.S. Sixth Fleet (NAVAF/SIXTHFLT). This year was the eleventh iteration of the exercise, which focuses on the Gulf of Guinea and the Atlantic Ocean. Thirty-two nations were present, as well as representatives from Interpol, the U.S. Agency for International Development (USAID), the Department of Transportation (DOT), the Department of Homeland Security (DHS), and other international and interagency partners.

The exercise also included Reserve Sailors from U.S. Naval Forces Africa, U.S. Naval Air Systems Command, and U.S. Sixth Fleet who worked throughout five exercise zones alongside active duty and civilian counterparts. 

“This year we have about 50 Reserve Sailors, with 29 from my unit, supporting OE22 in a wide variety of roles,” said Capt. Thaison Do, commanding officer, NR CNE-CNA N5 Africa West, and exercise director, OE22. “Our unit has had a representative at each of the exercise’s planning events since early last year to understand what the command and our African partners’ goals were for the exercise.”

OE22 is designed to improve regional cooperation, maritime domain awareness, information-sharing practices, and the collective capabilities of participating nations to counter sea-based illicit activity within the region. 

Throughout the exercise, Do’s unit deployed country teams to 16 West African countries during the exercise’s two-week execution period with his team serving as the Main Exercise Control Group from Dakar, Senegal, the host country for OE22. 

“Building the relationships with our African partners is very important in the long run,” said Cmdr. Tom Hess, Senegal team lead, logistics liaison and unit member of NR CNE-CNA N5 Africa West. “If we ever needed help supporting a mission in the region sometime in the future, we know we have strong relations with contacts who view us warmly.”

Exercises such as OE22 provide a unique readiness opportunity for Reserve Sailors to work alongside active duty and foreign military personnel to execute training evolutions and rehearse for potential real-world scenarios.  

“Working with our African partners allows our team to become local experts, allowing us to better support needs in the region,” said Do. “Being involved in such a large exercise ensures that we are developing the capabilities to lead, act, organize, and respond to situations they may face in the fleet.”

For Reserve Sailors, this year’s exercise was an opportunity to gain a wealth of experience. 

“I have participated in every iteration of Obangame Express in some capacity since 2018,” said Cmdr. Richard Martucci, commanding officer, Office of Naval Intelligence – Nimitz Washington. “I believe my past experiences have set me up for success as the NAVAF assessor for OE22. I’m responsible for providing a strategic, operational, and tactical assessment of OE22. My experience allows me to provide U.S., ally, and partner nation senior leaders with recommendations on a way forward.”

The two-week exercise showcased the skills and expertise Navy Reserve Sailors bring to the force on day one. 

U.S. Naval Forces Europe-Africa, U.S. Sixth Fleet, headquartered in Naples, Italy, conducts the full spectrum of joint and naval operations, often in concert with allied and interagency partners in order to advance U.S. national interests and security and stability in Europe and Africa.
 

Security News: North Charleston Man Who Fled from Police Sentenced to Thirteen Years in Federal Prison for Drug and Gun Offenses

Source: United States Department of Justice News

Charleston, South Carolina — Alouis Levorge Taylor, 37, of North Charleston, was sentenced to thirteen years in federal prison after pleading guilty to being a felon in possession of a firearm and to possessing cocaine and marijuana with intent to distribute.

Evidence presented to the court showed that on March 1, 2018, officers with the Charleston Police Department were on patrol in the Bridgeview apartment complex and approached a parked car running without lights. Taylor was sitting alone in the car, and officers could smell marijuana and see a bag of white powder in plain view. Instead of stepping out as requested, Taylor reversed and almost struck an officer with his driver-side door. He then attempted to drive away, plowing into a parked car and driving erratically through the parking lot before fleeing on foot. Officers discovered Taylor’s abandoned vehicle nearby with a broken axle. There was a bag of cocaine in the cupholder and a loaded gun hidden behind a panel near the door. Officers also found five pounds of marijuana abandoned nearby and discovered that Taylor’s vehicle had been modified to install a secret compartment in the passenger seat.

Taylor, who was already on federal supervision for a previous offense involving guns and drugs, was arrested soon thereafter. He was charged federally and pled guilty on November 19, 2021. Taylor has a long criminal history, which includes multiple prior convictions for gun and drug offenses and for assaulting police.        

United States District Judge Richard M. Gergel sentenced Taylor to 156 months in federal prison, to be followed by a six-year term of court-ordered supervision. There is no parole in the federal system. 

The case was investigated by the Drug Enforcement Agency and the Charleston Police Department.   

This case was prosecuted as part of the joint federal, state, and local Project Safe Neighborhoods (PSN), the centerpiece of the Department of Justice’s violent crime reduction efforts. PSN is an evidence-based program proven to be effective at reducing violent crime. Through PSN, a broad spectrum of stakeholders work together to identify the most pressing violent crime problems in the community and develop comprehensive solutions to address them. As part of this strategy, PSN focuses enforcement efforts on the most violent offenders and partners with locally based prevention and reentry programs for lasting reductions in crime. Assistant United States Attorneys Chris Schoen and Whit Sowards prosecuted the case.

###

Security News: Russian Oligarch Charged with Violating U.S. Sanctions

Source: United States Department of Justice News

Defendant Hired American Citizen Jack Hanick to Work for His Television Network in Russia and Illegally Transferred $10 Million U.S. Investment to Business Associate

A Russian national is charged with violating U.S. sanctions arising from the 2014 Russian undermining of democratic processes and institutions in Ukraine.

According to the indictment, which was unsealed today in the Southern District of New York, Konstantin Malofeyev, 47, of Russia, is charged with conspiracy to violate U.S. sanctions and violations of U.S. sanctions in connection with his hiring of an American citizen, Jack Hanick, to work for him in operating television networks in Russia and Greece and attempting to acquire a television network in Bulgaria. As alleged, Malofeyev also conspired with Hanick and others to illegally transfer a $10 million investment that Malofeyev made in a U.S. bank to a business associate in Greece, in violation of the sanctions blocking Malofeyev’s assets from being transferred. Along with the indictment, the United States issued a seizure warrant for Malofeyev’s U.S. investment. Malofeyev remains at large and is believed to be in Russia.

“The Justice Department will work relentlessly to counter Russian aggression, including by enforcing U.S. sanctions law,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “As alleged in the indictment, Konstantin Malofeyev is a Russian oligarch who has been sanctioned since 2014 for threatening Ukraine and providing financial support to the Donetsk separatist region. Malofeyev knowingly violated U.S. sanctions by paying for services of a U.S. person and by seeking to transfer money that had been invested in the United States.”

“Konstantin Malofeyev is closely tied to Russian aggression in Ukraine, having been determined by OFAC to have been one of the main sources of financing for the promotion of Russia-aligned separatist groups operating in the sovereign nation of Ukraine,” said U.S. Attorney Damian Williams for the Southern District of New York. “The United States sanctions on Malofeyev prohibit him from paying or receiving services from United States citizens, or from conducting transactions with his property in the United States. But as alleged, he systematically flouted those restrictions for years after being sanctioned. The indictment unsealed today shows this office’s commitment to the enforcement of laws intended to hamstring those who would use their wealth to undermine fundamental democratic processes. This office will continue to be a leader in the Justice Department’s work to hold accountable actors who would support flagrant and unjustified acts of war.”

“The allegations in this case go back many years showing just how much effort the FBI and its partners put into investigating these crimes,” said Assistant Director Alan E. Kohler Jr. of the FBI’s Counterintelligence Division. “According to the indictment, the defendant used shell companies and other means to hide his deceptions and evade important sanctions meant to ensure the territorial integrity of Ukraine. While this case is about violating sanctions, it’s also about bringing people to justice who think they can violate our laws with impunity.”

“Kremlin-linked Russian oligarch Konstantin Malofeyev played a leading role in supporting Russia’s 2014 invasion of eastern Ukraine, continues to run a pro-Putin propaganda network, and recently described Russia’s 2022 military invasion of Ukraine as a ‘holy war,’” said Assistant Director Michael J. Driscoll of the FBI’s New York Field Office. “The FBI works tirelessly to protect our national interests, and we will continue to use all the resources at our disposal to aggressively counter Russia’s malign activity around the world.”

According to court documents, in 2014, the President issued Executive Order 13660, which declared a national emergency with respect to the situation in Ukraine. To address this national emergency, the President blocked all property and interest in property that came within the United States or the possession or control of any U.S. person, of individuals determined by the Secretary of the Treasury to be responsible for or complicit in actions or policies that threatened the peace, security, stability, sovereignty or territorial integrity of Ukraine, or who materially assist, sponsor or provide financial, material or technological support for, or goods and services to, individuals or entities engaging in such activities.

Executive Order 13660, along with certain regulations issued pursuant to it (the Ukraine-Related Sanctions Regulations) prohibits, among other things, making or receiving any funds, goods or services by, to, from or for the benefit of any person whose property and interests in property are blocked.

On Dec. 19, 2014, the Department of Treasury’s Office of Foreign Assets Control (OFAC) designated Konstantin Malofeyev as a Specially Designated National (SDN) pursuant to Executive Order 13660. OFAC’s designation of Malofeyev explained that he was one of the main sources of financing for Russians promoting separatism in Crimea, and has materially assisted, sponsored, and provided financial, material, or technological support for, or goods and services to or in support of the so-called Donetsk People’s Republic, a separatist organization in the Ukrainian region of Donetsk.

As alleged in the indictment, Malofeyev hired a U.S. citizen named Jack Hanick in 2013 to work on a new Russian cable television news network (the Russian TV Network) that Malofeyev was creating. Malofeyev negotiated directly with Hanick regarding Hanick’s salary, payment for Hanick’s housing in Moscow, and Hanick’s Russian work visa, and Malofeyev paid Hanick through two separate Russian entities through the end of 2018.

After OFAC designated Malofeyev as an SDN in December 2014, Malofeyev continued to employ Hanick on the Russian TV Network, in violation of the Ukraine-Related Sanctions Regulations. Malofeyev also dispatched Hanick to work on a project to establish and run a Greek television network and on efforts to acquire a Bulgarian television network. At Malofeyev’s direction, Hanick traveled to Greece and to Bulgaria on multiple occasions in 2015 and 2016 to work on these initiatives and reported directly back to Malofeyev on his work. For instance, in November 2015, Hanick wrote to Malofeyev that the Greek television network would be an “opportunity to detail Russia’s point of view on Greek TV.” In connection with Malofeyev’s efforts to acquire the Bulgarian television network, Malofeyev instructed Hanick to take steps to conceal Malofeyev’s role in the acquisition by conducting the negotiations through a Greek associate of Malofeyev (the Greek Business Associate), so that it would appear the buyer was a Greek national rather than Malofeyev.

Malofeyev also employed Hanick to assist Malofeyev in transferring a $10 million investment in a Texas-based bank holding company (the Texas Bank) to the Greek Business Associate in violation of the Ukraine-Related Sanctions Regulations. In 2014, Malofeyev used a shell company to make the investment, and beginning in or about March 2015, Malofeyev began making plans to transfer ownership of the shell company to the Greek Business Associate as a means to transfer the investment in the Texas Bank. In or about May 2015, Malofeyev’s attorney drafted a Sale and Purchase Agreement that purported to transfer the shell company to the Greek Business Associate in exchange for one U.S. dollar. In June 2015 Malofeyev had Hanick physically transport a copy of Malofeyev’s certificate of shares in the Texas Bank from Moscow to Athens to be given to the Greek Business Associate. Malofeyev signed the Sale and Purchase Agreement in June 2015, but the agreement was fraudulently backdated to July 2014 to make it appear that the transfer had taken place prior to the imposition of U.S. sanctions. Malofeyev’s attorney then falsely represented to the Texas Bank that the transfer had taken place in July 2014, even though Malofeyev and his attorney well knew that the transfer of the shell company was executed in June 2015.

Along with the unsealed indictment, a seizure warrant was issued in the Southern District of New York for Malofeyev’s Texas Bank investment, which had been converted by the Texas Bank in 2016 to cash held in a blocked U.S. bank account. The United States recovered those funds pursuant to the warrant and will seek forfeiture of those funds as property that constitutes or is derived from proceeds traceable to the commission of the offenses alleged in the indictment.

Each of the two sanctions charges in the indictment carries a maximum penalty of 20 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The FBI is investigating the case, with valuable assistance provided by the Justice Department’s National Security Division and Office of International Affairs.

Assistant U.S. Attorneys Thane Rehn, Jessica Greenwood, and Vladislav Vainberg for the Southern District of New York are prosecuting the case, with valuable assistance provided by Trial Attorney Nathan Swinton of the National Security Division’s Counterintelligence and Export Control Section.