DNC Hackers Are Using Apple Mac Spyware Code From FBI Surveillance Vendor, Claims Ex-NSA Researcher...

humble3d



Source link: rasbridge


Earlier this week, malware said to belong to the Russian group behind the hack of the Democratic National Committee, known as APT28 or Fancy Bear, leaked online.


Though novel both for its targeting of Apple Macs and iPhone backups, the surveillance tool's real intrigue lies underneath the hood.


According to Patrick Wardle, an ex-NSA staffer and head of research at bug hunting firm Synack, a significant chunk of the APT28 Mac spyware looks much like that shipped by Italian spyware vendor Hacking Team, which sold to both Russian and U.S. government agencies.


Wardle compared the Hacking Team Mac malware, available on Wikileaks after a 2015 breach of the surveillance company, to that published earlier this week by security firms BitDefender and Palo Alto Networks.


He claimed the APT28 code resembled Hacking Team's malware in numerous ways.


In particular, Wardle noticed that the two malware samples used the same techniques for injecting code onto a target system, a feature that's quite rare on Apple Macs, he told FORBES.


After exploring further, he now believes the Russian crew "may have copied and pasted" that entire code injection function of the malware, which could explain some of the "weirdness" Wardle saw.


That weirdness included what appeared to be mistakes, or "wrong logic" as Wardle put it, where code that appeared to have some function would do nothing other than return failed.


"[I'm] 100 per cent sure this is the same code," Wardle added.


Hacking Team sells to adversaries


Hacking Team, a so-called "lawful intercept" company whose emails and files were dumped on Wikileaks after a breach in 2015, sold to both America and Russia.


It was a provider for the FBI from 2011, selling as much as $775,000 in surveillance tools, though the feds found limited use for them.


The DEA and the DoD were also customers, spending $567,000 and $190,000 respectively.


Emails indicated it demoed and sold kit to the FSB too, which spent as much as $450,000 via research center Kvant.


And in leaked emails an employee from Hacking Team's chief Israeli surveillance partner NICE noted the FSB was particularly interested in infecting Apple Macs.


Whilst intriguing, the fact that a slice of APT28's Mac malware looks like Hacking Team's does not mean it was purchased from the Milan-based firm.


It could be that APT28 did what other cybercriminals did after Hacking Team's files were spilled online, copying and reusing the malware from Wikileaks.


Furthermore, the FSB was not the Russian organization linked by the U.S. government to the DNC hack; the military intelligence arm, known as the GRU, was instead blamed by the FBI and DHS. Putin himself was said to have direct involvement in Fancy Bear's spy operations.


"Now whether the Russians bought it from Hacking Team directly, or simply copied and pasted from the leaks, who knows," Wardle added.


"But I'm leaning towards the copy and paste with removing some of the logic that they didn't need, but leaving in some other code that then didn't really make sense.


"Hacking Team could have done that themselves and then sold it to the Russians. But if so, the removal of the unneeded code ... was done in a really shitty way."


Wardle plans to publish his full technical analysis on his own blog Thursday. He is unsure if the code injection feature created by Hacking Team works on the most recent Mac OS.


Hacking Team had not responded to a request for comment at the time of publication.


Even Hacking Team had previously warned that terrorists would use its leaked tools, in condemning the 2015 breach.


It may not have anticipated that the hacker group linked to the most significant breach in history would borrow its code for their own machinations.

http://www.forbes.com/sites/thomasbrewster/2017/02/16/dnc-fancy-bear-russia-hackers-mac-malware-hacking-team-fbi-fsb/#60ea951612bc
