Category Archives: Law Enforcement

Those are NOT your grandchildren! FTC warns of new scam

Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the Federal Trade Commission (FTC) warned on Monday.

The FTC says that its Consumer Sentinel Network has noticed a “striking” increase in the median dollar amount that people 70 and older report losing to fraud. When they started to peel back the layers, the Commission found a number of stories that involve people of that age group having mailed “huge” amounts of cash to people who pretended to be their grandchildren.

People from all age groups report having fallen for phoney family and friends: the reported median loss for individuals is about $2,000, which is more than four times the median loss of $462 reported for all fraud types.

But that’s nothing compared with how much money is being bled out of the elderly: those who send cash reported median losses of a whopping $9,000. About one in four of the ripped-off elderly who report that they lost money to a family or friend imposter say that they sent cash: a far higher rate than the 1 in 25 of people who sent cash for all other frauds.

CBS News talked to one man who got scammed in a way that the FTC says is a common ploy.

Slick scripts

It started with a phone call one morning in April, Franc Stratton told the station. The caller pretended to be a public defender from Austin, Texas, who was calling to tell Stratton that his grandson had been in a car wreck, had been driving under the influence, and was now in jail.

Don’t be afraid, the imposter told Stratton: you can bail out your grandson by sending $8,500 in cash via FedEx. It didn’t raise flags for a good reason: Stratton had done exactly that for another family member in the past.

The cherry on top: the “attorney” briefly put Stratton’s “grandson” on the phone. The fake kid sounded injured, so Stratton drove to the bank to get the cash.

Stratton went so far as to go to a local FedEx to overnight the money to an Austin address. But later that night, he said, he and his wife looked at each other and said, Scam!

Fortunately, they came to their senses in time to call FedEx to have the package returned. He got his money back, but Stratton is still frustrated. Of all people, he should know better, he says: he’s retired now, after a career spent working in intelligence, first for the Air Force and later as a cybersecurity programmer.

That’s how slick the scammers are, with their meticulously prepared scripts, and it shows that they know exactly how to put people into a panicked state, where they’re likely to make bad decisions. Stratton said he fell for it “because of the way that they scripted it.”

I’m the last person, I thought, would ever fall for a scam like this.

The FTC says that Americans have lost $41 million in the scam this year: nearly twice as much as the $26 million lost the year before.

Self-defense for grandparents

These scams are growing more sophisticated as fraudsters do their homework, looking you and/or your grandkids up on social media to lace their scripts with personal details that make them all the more convincing.

Grandparents, no matter how savvy you are, you’ve got an Achilles heel: your love for your grandchildren. The fakers know exactly how to milk that for all it’s worth.

The FTC warns that they’ll pressure you into sending money before you’ve had time to think it through. The Commission offers this advice to keep the shysters from wringing your heart and your wallet:

  • Stop. Breathe. Check it out before you send a dime. Look up your grandkid’s phone number yourself, or call another family member.
  • Don’t overshare. Whatever you share publicly on social media becomes a weapon in the arsenals of scammers. The more personal details they know about you, the more convincing they can sound. It’s one of many reasons to be careful about what you share on social media.
  • Pass the information on to a friend. Even if you haven’t been targeted yourself, you probably know somebody who’s either already gotten a call like this or who will.
  • Report it. The FTC asks us all to please report these scams. US residents can do so online to the FTC. If you’re in the UK, report scams to ActionFraud.

Please report these scams. Doing so helps the authorities nail these imposters before they can victimize others.

Hackable Apartments: How to Keep Our Communities Safe When Everything is Going Online

Honored to be speaking at 2017 NMHC OPTECH Conference & Exposition in Las Vegas October 25-27, 2017 Mandalay Bay Resort and Casino.

 

 

Hackable Apartments: How to Keep Our Communities Safe When Everything is Going Online
With the Internet of Things poised to revolutionize our systems and appliances just as the internet did with our information, the question remains—can we keep these devices safe? Today’s “smart” home demands a modern take on security and privacy as well as possible integrations with property management systems or even new voice activated consumer technology. Online security experts will assess the risk of the internet-enabled apartment and will present best practices to keep your residents and your enterprise safe from hackers.

 

U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

    The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

It’s just a matter of time.

Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

Social Security numbers, birth dates, addresses and driver’s license numbers exposed.

Credit-reporting company Equifax Inc. said Thursday that hackers gained access to some of its systems, potentially compromising the personal information of roughly 143 million U.S. consumers in one of the biggest and most threatening data breaches of recent years.

The size of the hack is second only to the pair of attacks on Yahoo disclosed last year that affected the information of as many as 1.5 billion customers. It also involves nearly twice the number affected by one of the highest-profile breaches at a financial firm, the cyberattack at J.P. Morgan Chase & Co. about three years ago.

The Equifax breach could prove especially damaging given the gateway role credit-reporting companies play in helping to determine which consumers gain access to financing and how much of it is made available. The attack differs, too, in that the attackers in one swoop gained access to several pieces of consumers’ information that could make it easier for the attackers to try to commit fraud.

Equifax said hackers gained access to systems containing customers’ names, Social Security numbers, birth dates and addresses. The company also offers credit-monitoring and identity-theft protection products to guard consumers’ personal information.

“This is the nightmare scenario—all four pieces of information in one place,” said John Ulzheimer, a credit specialist and former manager at Equifax.

On Friday, shares of Equifax fell 14% to $123.03 in morning trading in New York.

The incident comes at a time of heightened sensitivity to cyberattacks in the political, commercial and personal realms, especially in the wake of presumed Russian interference in the U.S. presidential election last year.

The number of large hacks has increased in recent years—with incidents involving tens of millions of accounts each involving tech companies, banks, retailers and others.

More companies are putting more information online from more users, creating bigger targets for hackers who continually develop and refine their techniques and tools.

Equifax is one of the big three credit-reporting firms in the U.S. and maintains credit reports on more than 200 million U.S. adults. The other two are TransUnion and Experian. Credit reports compiled by such companies include personally identifiable information as well as records of the credit cards and loans consumers have, their spending limits on cards, and whether they are on time with their debt payments.


“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in prepared remarks. “I apologize to consumers and our business customers for the concern and frustration this causes.”

The four pieces of information exposed in the attack are generally needed for consumers to apply for many forms of consumer credit, including credit cards and personal loans. That means that swindlers who have access to this data could have an easier time getting approved for credit in other people’s names and potentially makes it more difficult for lenders to spot a problem. In addition, Equifax said the hackers gained access to some driver’s license numbers.

An added concern is that the breach raises the chances of more fraudulent loan approvals occurring when various forms of fraud are already hitting lenders and contributing to higher losses.

Smaller financial institutions, including community banks, credit unions and online personal-loan lenders, are more vulnerable to the effects of this breach, said Al Pascual, head of fraud and security at Javelin Strategy & Research.

That is because they are more reliant on the four, key pieces of borrower information when determining whether they are dealing with a legitimate applicant, he said. The biggest banks, he added, have in recent years moved to relying on additional information. With online applications, for example, that includes pinpointing what geographic area the applicant is located in to figure out whether they are an actual person or a fraudster.

Equifax said in its statement that while the incident potentially affected approximately 143 million U.S. consumers, “the company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Equifax said an internal investigation revealed hackers exploited a vulnerability in a U.S. website application to gain unauthorized access to files from mid-May through July. The company said it discovered the breach on July 29.

Equifax said it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review. In the days following the company’s discovery of the breach, three top Equifax executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman said the three executives who sold a small percentage of their Equifax shares on Tuesday, Aug. 1, and Wednesday, Aug. 2, had no knowledge that an intrusion had occurred at the time they sold their shares.

Equifax also said credit-card numbers for approximately 209,000 U.S. consumers were accessed, as well as dispute documents with sensitive information for another 182,000 people.

With the Equifax attack, banks now will have to reissue cards for the approximately 209,000 credit cards stolen in the breach, but for consumers the theft uniquely identifying information such as Social Security numbers and birth dates could have a permanent effect. Additionally, a limited number of people in Canada and the U.K. were affected, the company said.

Stock of other financial companies weren’t initially affected with shares of credit-card issuers and big banks mostly unchanged or up slightly in after-hours trading.

Equifax said it has set up a website—www.equifaxsecurity2017.com—to help consumers determine if their information has been compromised and to allow them to sign up for a complimentary slate of credit-monitoring and identity-theft protection. The company also has established a dedicated call center for consumers.

This is becoming an everyday occurrence.  When are we going to get the message to tighten up security across this nation !!

CIA Rant :-)

From a great friend in the business
Chris Roberts:
Chief Security Architect at Acalvio Technologies

Was asked to provide something to a media source….thought I’d post it here too…enjoy..was told to NOT use “its a wake up call….”

1. Of course it’s not a bloody wake up, Oh No! An intelligence spy agency is caught spying…headline news…my ass.

2. Of course it’s not a wake up call, 0Day exploits are as old (almost) as the hills AND the stuff that was in most of the files was nothing new.

3. Tactics, yes nice to see them, but nothing out of the ordinary we didn’t already know OR suspect..

4. Of course it’s not a bloody wake up call when it becomes public (again) that Samsung can’t code worth shit and their TV’s listen in 🙂

5. What IS surprising BUT NOT REALLY is the fact that our CIA friends could have helped THEIR FBI friends get into all sorts of Apple shit…and didn’t

  •  So does the CIA not trust the FBI and it’s inability to retain secrets…welcome to the pot calling the kettle black 🙂
  •  Or does the CIA not want people knowing what we already know…people can break into almost anything, again NOT a bloody wake up call.
  •  Nice to see the CIA practice code re-use, good to see the taxpayer dollars not being spent on re-inventing the bloody wheel, that’s got to be a first!

Chris is always entertaining in his post, thank you Chris !!!!

DOJ defends new cyber snooping regulations

digital_fingerprintThe Department of Justice calls them procedural changes that will help the government to pursue child pornographers who use cybertechnology to conceal their identities. Opponents say they are substantive and troubling changes that will vastly expand the government’s ability to spy on innocent Americans.

The changes in question are amendments to Rule 41 of the Federal Rules of Criminal Procedure, which deals with the issuance of warrants and protocols for searches and seizures. Barring congressional action, the amendments take effect on Dec. 1.

The amendments have been under debate for the past three years and are designed to address the thorny question of which court has jurisdiction to issue warrants in cases where suspected cybercriminals are using tools such as Tor or virtual private networks to conceal their identities and locations. Journalists, human rights activists and law enforcement officials also use such tools for legal purposes.

The amendments would allow the issuance of a single warrant to potentially search millions of computers suspected of being infected by botnet malware.

The Justice Department has been posting a series of blogs in support of the new rules.

“When a child abuser has successfully anonymized their identity and location online, investigators do not know where the abuser’s computer is located,” Assistant Attorney General Leslie Caldwell wrote in a recent blog post. “So in those cases, the [existing] rules do not clearly identify which court the investigators should bring their warrant application to.”

In another post, Caldwell argued for using a single warrant to search multiple computers in different locations that are suspected of being infected by a botnet.

“The Rules [of criminal procedure] as currently written (and as conceived in 1917) would require the investigators to apply simultaneously for identical warrants in all 94 judicial districts in America — a severe impracticality if not impossibility,” he wrote.

Privacy advocates and some lawmakers are trying to block what they see as a green light to access the personal devices of millions of Americans on the mere suspicion that they are infected with botnets.

In October, a bipartisan group of 23 members of Congress signed a letter to the attorney general asking for clarification on how the Justice Department will notify individuals whose computers are infected with botnet malware, how it will conduct searches or “clean” such computers without collateral damage and how the principle of probable cause will be applied to “justify the remote search of tens of thousands of devices.”

The Electronic Frontier Foundation also has been a vocal opponent of the changes. “The amendment to Rule 41 isn’t procedural at all,” EFF Activism Director Rainey Reitman wrote earlier this year. “It creates new avenues for government hacking that were never approved by Congress…. Congress should reject the proposal completely.”

The Justice Department released another blog post on Nov. 28 to respond to criticisms of the amendments.

“The pending amendments do not authorize the government to undertake any search or seizure or use any remote search technique that is not already permitted under the Fourth Amendment,” the post states. “The amendments neither endorse particular searches as reasonable, nor do they in any way change the traditional constitutional, statutory, and prudential factors the department relies on to determine whether to seek a warrant. They simply identify the appropriate court to ask.”

But that response has not satisfied critics, including Sen. Ron Wyden (D-Ore.), who co-sponsored legislation that would block the Rule 41 amendments from going into effect. Although his office acknowledges it is an uphill battle to pass any legislation before the rules take effect, he and others remain committed to blocking or amending the changes.

In a recent statement, Wyden said Justice officials have failed to provide details on how they intend to hack potentially millions of devices under a single warrant.

“[That] should be a big blinking warning sign about whether the government can be trusted to carry out these hacks without harming the security and privacy of innocent Americans’ phones, computers and other devices,” he said.

Police Want to 3D Print a Dead Man’s Fingers to Unlock His Phone

Finger_Print

Asking Apple to help break an iPhone is so three months ago. Police have a new, and higher-tech idea: 3D print the fingers of a dead man and use those fingerprints to unlock the phone instead.

Michigan State University professor Anil Jain—who has been assigned six U.S. patents on fingerprint recognition—told Fusion that police showed up at his lab to ask for help in catching a murderer in an ongoing investigation. They had scans of the victim’s fingerprints from a previous arrest and thought that unlocking his phone (the make and model weren’t divulged) might provide clues as to who killed him.

Jain and his PhD student Sunpreet Arora have already printed all 10 digits using the scans and coated them in a layer of metallic particles to mimic how conducive skin is and make it easier to read. The final 3D-printed fingers aren’t finished, but they’ll be ready for police to try out in a matter of weeks.

It’s possible that the whole move will be futile because many phones that use biometric data require a PIN to be entered if it hasn’t been used in two days. If that’s the case, fingerprint won’t unlock anything.

The legality of this move is still up in the air, but the case is further proof that fingerprints, while cool, are not really the safest way of securing our private data.

Not that it matters for a dead man, but in 2014 a judge ruled that suspects can be required to unlock a phone with a fingerprint.  While the Fifth Amendment protects the right to avoid self-incrimination and makes it illegal to force someone to give out a passcode, biometric indicators like fingerprints are not covered by the Fifth Amendment, according to the ruling.

Maybe it’s time to go back to a 6-8 digit PIN.

Thoughts on Emailgate.

Department of State

Note: not a political post, just adding some Infosec commentary to what we were told yesterday.

Last night, I sat back and watched FBI Director James Comey’s press conference on the Hilary Clinton email saga through my technical and investigative eyes.

I think it was the first mainstream press conference I’d seen with so much mention of slack space, a digital forensics term for the portions of the hard drive not currently used, but filled with fragments of previously deleted files. It was like when you see someone you knew from growing up on the local news and thinking, “oh, I used to sit next to that person in math class!”

The overview of how the FBI had reconstructed years worth of “shadow IT” usage by the former Secretary of State and her staff, spoke of a classic unwinding of the spaghetti exercise. Where a path that lead to an end state is crisscrossed by avenues that may or may not be of relevance, but nevertheless must be investigated.

James Comey then went on to list the findings of the investigation, and painted a picture, which is unfortunately a picture that I’ve personally seen painted over and over again through my work in information security and digital forensics.

A culture existed at the State Department that allowed Mrs. Clinton and her staff to operate outside the boundaries of the policies, procedures and regulations that were in place to protect information and people. In this case of course, that is all the more concerning, because we’re talking about highly sensitive national security information which is protected by law.

In Comey’s words, Clinton and her staff were “Extremely Careless” in their information handling.  He was right, they were, there can be no denying that. As he went into detail on some of Mrs. Clinton’s email practices, I was reminded of a few similar cases I’d personally worked on.

  • While conducting a security review of a semiconductor’s perimeter IP address range, I found evidence that FTP sites were being hosted on an unofficial server within the range. As it turned out, one of the network administrators had punched a hole through the firewall to a server that was hidden in the data center, attached to the internal network, and he made money hosting data for others with zero overhead costs. I was shocked to discover that this was a known activity when it was raised in the report, although, when I explained the risk in more detail the sites did go away, and the network administrator was reprimanded and eventually lost their job.
  • I once stumbled across an undocumented SSH entry point to a hosting environment, set up by a team to bypass a corporate two-factor requirement. It had been “approved” by a couple of layers of management.
  • I conducted an audit of an on-premises corporate Exchange deployment and found that a senior member of an organization was forwarding every single email received to a personal Gmail account, because they preferred the Gmail UI. The idea had been suggested by another person within the company.
  • Anecdotally, I have a thousand stories of siloed groups within organizations using “cloud services” and tools dangerously “under the radar”.

In all of the cases above, a culture existed in which, for whatever reason, people were empowered to do extremely careless things, which put the safety of information at risk. Much like at the State Department in regards to email.

The problem is, the end result doesn’t really care if it is born of malice, extreme carelessness or ignorance. It’ll still be the same. And if the end result is a breach, well, we’ve all seen that one play out many times.

In the end, the FBI will not be recommending charges against Mrs. Clinton or her staff. I’m not going into any more detail on whether I think that is right or wrong. To use one of those most horrific of terms, “it is what it is, and we can’t change that.”

Given this fact, I hope if anything positive comes out of this case, it’s the following:

  • The case highlights that security cultures everywhere, especially in government agencies charged with keeping us all safe, that empower this type of behavior, get an overhaul.
  • It encourages more productive and positive conversations between IT teams, Security teams and end users about things that they find restrictive or cumbersome in their working lives, so a mutually acceptable solution can be found.
  • It reinforces that no one within an organization should be above the rules when it comes to information security. Leaders should set an example.
  • That security teams are reminded that not all threats come in the form of IDS alerts from Chinese IP addresses. Some of your biggest risks might be right under your nose, in the form of Shadow IT lurking in broad daylight. Get visibility, now.

 

The US government is touting cyber as the next theatre of warfare. If the US wants to be seen as a leader in cybersecurity, a top down order to discover and address the doubtless many Emailgates that are occurring right now must surely be forthcoming.

Napolitano: FBI Plan to Access Browser History “Major Step Towards Police State

It never gets better no matter who is in the White House, he said

DOJ

The Obama administration is pushing Congress to amend existing surveillance laws to give the FBI unquestionable authority to access a person’s browser history without a warrant, a move Judge Andrew Napolitano slammed as “a major step towards a police state.”

Under existing law, the FBI and National Security Agency (NSA) are required to obtain a surveillance warrant from the Foreign Intelligence Surveillance Court (FISA) before accessing an individual’s electronic records.

However, the FBI is able to bypass the court system and access information relating to an individual’s phone records through the use of a “National Security Letter.”

“NSLs are shadowy administrative subpoenas for information issued by the FBI, whose authority to use them was bolstered by the Patriot Act in 2001,” as reported by US News and World Report. “The requests often are accompanied by a gag order disallowing the company from which information is sought from discussing it.”

FBI Director James B. Comey has requested Congress pass legislation to amend a “typo” in the Electronic Communications Privacy Act that, he claims, has allowed some tech companies to refuse to provide data that Congress originally intended them to hand over to the FBI.

The new legislation, if passed, would allow the FBI to access an individual’s browser history by using a National Security Letter, rather than a warrant from the FISA Court. A National Security Letter only requires approval from the special agent in charge of a FBI Field Office.

Appearing before the Senate Intelligence Committee in February, Comey claimed the inability to obtain electronic information without a NSL affects the FBI’s work, “in a very, very big and practical way.” The Intelligence Authorization Act of 2017, with the NSL amendment attached, will now head to the full Senate for a vote.

Senator Ron Wyden (D-Ore.) was the sole member of the Intelligence Committee in opposition to the amendment.

“This bill takes a hatchet to important protections for Americans’ liberty,” he said. “This bill would mean more government surveillance of Americans, less due process, and less independent oversight of US intelligence agencies.”

Texas Republican Senator John Cornyn is a co-sponsor of a similar amendment that is set to be voted on by the Senate Judiciary Committee on Thursday; He has argued a “scrivener’s error” in the law is “needlessly hamstringing our counterintelligence and counterterrorism efforts.”

A coalition of tech firms and privacy advocates submitted a letter to the members of the Senate Judiciary Committee expressing concern over the amendment and the threat it poses to civil liberties.

“This expansion of the NSL statute has been characterized by some government officials as merely fixing a ‘typo’ in the law,” they wrote. In reality, however, it would dramatically expand the ability of the FBI to get sensitive information about users’ online activities without court oversight.”

Appearing with Shepard Smith on Fox News, Judge Andrew Napolitano expressed anger over the amendment and warned the American people to wake up to the ongoing erosion of their civil liberties.

“It gets worse, it never gets better no matter who is in the White House, no matter which party controls the Congress,” he said. “The American people should wake up….This is a major step towards a police state.”

“It’s done in the name of, it’s always done in the name of keeping us safe. Who or what will keep our liberties safe?”

 

 

 

FBI Quietly Admits to Multi-Year APT Attack, Sensitive Data Stolen

shutterstock_70882576-680x400

he FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.

The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.

“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.

Details regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.

“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.

In its February bulletin, the FBI wrote: “The FBI has obtained and validated information regarding a group of malicious cyber actors who have compromised and stolen sensitive information from various government and commercial networks.

The FBI said the “group of malicious cyber actors” (known as APT6 or 1.php) used dedicated top-level domains in conjunction with the command and control servers to deliver “customized malicious software” to government computer systems. A list of domains is listed in the bulletin.

“These domains have also been used to host malicious files – often through embedded links in spear phish emails. Any activity related to these domains detected on a network should be considered an indication of a compromise requiring mitigation and contact with law enforcement,” wrote the FBI in its bulletin.

When asked for attack specifics, the FBI declined Threatpost’s request for an interview. Instead, FBI representatives issued a statement calling the alert a routine advisory aimed at notifying system administrators of persistent cyber criminals. “The release was important to add credibility and urgency to the private sector announcements and ensure that the message reached all members of the cyber-security information sharing networks,” wrote the FBI.

Deepen told Threatpost the group has been operating since at least since 2008 and has targeted China and US relations experts, Defense Department entities, and geospatial groups within the federal government. According to Deepen, APT6 has been using spear phishing in tandem with malicious PDF and ZIP attachments or links to malware infected websites that contains a malicious SCR file. The payload, Deepen said, is often the Poison Ivy remote access tool/Trojan or similar. He said the group has varied its command-and-control check-in behavior, but it is typically web-based and sometimes over HTTPS.

Experts believe that attacks are widespread and not limited to the US federal government systems. “The same or similar actors are compromising numerous organizations in order to steal sensitive intellectual property,” wrote Zscaler in a past report on APT6.

In December 2014, US government systems were compromised by hackers who broke into the Office of Personnel Management computer systems. That data breach, where 18 million people had their personal identifiable information stolen, didn’t come to light until months later in June of 2015.