FBI Says A Mysterious Hacking Group Has Had Access To US Government Networks For Years

The FBI has warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011.

The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.

In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.”

Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.

“Anybody who’s been in that network all this long, they could be anywhere and everywhere.”

“Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.”

For Adams, this alert shows that the US government still is not in control of what’s going on inside its most sensitive networks. This alert, he said, is an admission of that.

“It’s just flabbergasting,” he told me. “How many times can this keep happening before we finally realize we’re screwed?”
The FBI wouldn’t comment on the alert, only saying that it was just another example of a routine notice to private partners, “provided in order to help systems administrators guard against the actions of persistent cyber criminals.”

This group of “persistent cyber criminals” is especially persistent. The group is none other than the “APT6” hacking group, according to sources within the antivirus and threat intelligence industry. There isn’t much public literature about the group, other than a couple of old reports, but APT6, which stand for Advanced Persistent Threat 6, is a codename given to a group believed to be working for the Chinese government.

“This is one of the earlier APTs, they definitely go back further than 2011 [...] more like 2008.”

“This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.

Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.”

APT6 is ”likely a nation-state sponsored group based in China,” according to FireEye, which ”has been dormant for the past several years.”

Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing.

At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, and it’s clear hackers haven’t given up attacking US targets.

Motherboard: http://bit.ly/1S4QypG

« Women in Cybersecurity
Who’s in Charge When US Suffers A Cyberattack? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Zybert Computing

Zybert Computing

Zybert Computing provide server solutions with built-in security and information protection features for the SME market.

enSilo

enSilo

enSilo secures customers data on premise or in the cloud. Regardless of the where the threat comes from, enSilo can protect your data.

Shape Security

Shape Security

Shape Security provide best-in-class defense against malicious automated cyberattacks on web and mobile applications.

Hypori

Hypori

Hypori is a virtual smartphone solution that makes truly secure BYOD a reality for organizations in healthcare, finance, government, and beyond.

IDnow

IDnow

IDnow is the world’s fastest, most flexible and most secure identity verification platform, delivering instant verification of the identity documents used by 7 billion people.

Zen360Consult

Zen360Consult

Zen360Consult provides Advisory and Training services in the field of Cyber Resilience, which includes Cyber Security /ISMS and Business Continuity.

Reed

Reed

reed.co.uk is a leading job site in the UK, providing a full online service for anyone looking for a new job.

SAIFE

SAIFE

SAIFE has adapted a Software Defined Perimeter approach and paired it with a Zero Trust model that defines access by the user, their device, and where they are located.

SecureAge Technology

SecureAge Technology

We’re a rapidly growing cybersecurity company with an 18-year history of ZERO Data breaches. Our security solutions place security and usability on equal footing. Learn more about our technology.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

CyNam

CyNam

CyNam is a platform for enabling the growth and development of people and organisations within Cheltenham’s flourishing cyber technology ecosystem.

Trusted Cyber Solutions

Trusted Cyber Solutions

Trusted Cyber Solutions is an independent Cyber Security and Risk Management consultancy.

Swish Data Corp.

Swish Data Corp.

Swish delivers when the problems are complex, requirements are difficult, and the mission is absolutely critical.

OX Security

OX Security

OX is a DevOps software supply chain security solution. Teams can verify the integrity and security of every artifact using a pipeline bill of materials (PBOM).

PyNet Labs

PyNet Labs

PyNet Labs is a Training Company serving corporates as well as individuals across the world with ever-changing IT and technology training.

Lodestone

Lodestone

Lodestone partners with clients to help them mitigate business and reputational risk, through our human-based, approach to cyber security, digital forensics and incident response.