Iran's Islamic Revolutionary Guards Corps said on Thursday that the Global Hawk, produced by Northrop Grumman and part of a multi-billion-dollar program dating back to 2001, had entered Iran's airspace and crashed in Iranian waters; US Central Command confirmed the time and general location of the attack, but insists that the drone was flying in international airspace.
The incident follows another situation last week in which the United States accused Iran of attacking two oil tankers in the Gulf of Oman. The United States also said that Iran had attempted to shoot down another drone, an MQ-9 Reaper, but failed. The Pentagon also said Iran attacked a Reaper drone over Yemen two weeks ago, bringing that vehicle down. Thursday's attack, however, was aimed at a massive and much more expensive surveillance drone, and probably represents a sharper escalation.
"There's a lot going on here, and we're probably only seeing part of it," said Thomas Karako, director of the missile defense project at the Center for Strategic and International Studies. "It's a long-range, costlier, higher-performance, higher-altitude intelligence reconnaissance machine. If they shoot down aircraft in international airspace over international waters, they may incur measured reprisals."
"There could still be a super secret spy technology on board that we do not know."
Ulrike Franke, European Council on Foreign Relations
Global Hawks are massive surveillance platforms, active since 2001, with a wingspan of more than 130 feet and a maximum take-off weight of more than 16 tonnes, roughly the weight of a seven-container cocaine shipment. They have a range of over 12,000 nautical miles, can fly at a staggering 60,000 feet, and can stay in the air for 34 hours. They have no offensive capability; their value lies in their ability to combine range, vantage point and persistence with powerful surveillance sensors to monitor ground or sea activity in great detail. According to the Government Accountability Office's analysis, Global Hawks sometimes cost the United States more than $220 million to manufacture and equip.
Global Hawks typically include infrared and thermal imaging, radar imagery and electro-optical imaging in their arsenal of sensors. In addition, their size and impressive weight allow the drones to carry equipment such as huge telephoto lenses to get detailed views of targets. But as Ulrike Franke, researcher at the European Council on Foreign Relations and a drone researcher, notes, the US military customizes different vehicles for different missions, so exactly what equipment this Global Hawk carried is uncertain. "There could always be a super-secret spy technology on board whose existence we do not know about," says Franke.
It is likely, however, that this particular Global Hawk was a typical surveillance workhorse, shot down for geopolitical reasons rather than specifically to capture its technology. It is not known whether parts of the drone are even recoverable or whether it was destroyed in the attack. Iran memorably captured a US RQ-170 Sentinel drone in December 2011 and later claimed to have reverse-engineered the vehicle's hardware and software to copy its technology. Sentinel UAVs are thought to use stealth technology for discreet aerial reconnaissance. Last year, Israeli officials said that they had intercepted an Iranian drone that appeared to be a "copy" of a Sentinel.
As to whether the Global Hawk was flying over Iranian airspace, definitive proof would require the United States to release details of the drone's flight path. "If they want to release that, it's more than a political decision," Karako said. "But until now, CentCom insists that it was in international airspace."
At present, it is unknown at what altitude the drone was flying when it was shot down, but if it was at the high end of its altitude range, it would have been difficult to hit. Still, Franke points out that such an interception is within the limits of Iran's known capabilities.
"One of the selling points is that the Global Hawks fly so high that they should normally be safe from being shot down," says Franke. "It's not incredibly difficult to bring down such a system, but it's relatively difficult."
In response, President Donald Trump initially tweeted on Thursday: "Iran has made a very big mistake!" In subsequent comments he appeared to take a less aggressive tone, saying, "I had a hard time believing it was intentional." According to analysts, it is not shocking that Iran has the interception technology to shoot down the drone; it would have required a radar-guided surface-to-air missile system, apparently an SA-6 or SA-17 SAM supplied to Iran by Russia. A more portable, heat-seeking, shoulder-fired missile system could not hit a target at that altitude. In other words, you cannot take down a Global Hawk unless you really mean to.
This story has been updated to indicate that the SAM system likely used to shoot down the Global Hawk was an SA-17. It originally said SA-7, a shoulder-launched system.
In a post on the official Microsoft blog, Tom Burt, vice president of Customer Security & Trust, shared the details of the ongoing lawsuit it filed in the US District Court of Washington DC against the hacker group called Phosphorus. The group is also known as APT 35, Charming Kitten and Ajax Security Team.
The Microsoft Digital Crimes Unit has been authorized to take control of 99 domains in order to disrupt the group's attacks. Domains such as outlook-verify.net, yahoo-verify.net and check-live.com were used by the Iranian hackers during phishing campaigns.
Phishing is an attack method that relies on social engineering: a hacker tricks an individual or a group into believing that an email or web address comes from a trusted source. The hacker then uses this trust to obtain passwords or other sensitive information from the target.
In the United States, Phosphorus has targeted companies and government agencies as well as activists and journalists. As reported, former US Air Force intelligence officer turned spy Monica Witt is said to have links to the hacker group. Witt defected to Iran and is currently a fugitive wanted by the FBI for alleged espionage. It is alleged that Witt provided Iranian hackers with information about US officials and her former colleagues. Using this information, the hackers could aim their spear-phishing campaigns more accurately at specific individuals.
According to Microsoft, Phosphorus would send a link containing malware disguised as coming from a friendly source, sometimes even posing as an acquaintance of the target on social networks. The hackers could use this software to access the victim's computer. The group also deployed another attack using domain names that imitated Microsoft's, to make its targets believe that a security risk had been reported on their Outlook or Yahoo account. On clicking the phishing link, the target would be prompted to log in to their account, handing their password to the hackers.
This is not the first time a US court has authorized Microsoft to take control of domain names linked to phishing campaigns. Last year, a federal court injunction allowed Microsoft to seize domains set up by hackers abusing its brands, ending spear-phishing campaigns run by the Russian hacker group called Fancy Bear, which targeted US politicians, congressional staff and think tanks.
Most of the accounts deleted by Facebook this time were related to Russia. However, the company said the majority of those accounts had been removed for spam-related activity. In total, the social network removed 1,907 pages, groups and accounts related to Russia. The "small part" of the accounts that had been set up to disseminate misinformation consisted mainly of content related to political issues and conflicts in Ukraine. About 1.7 million accounts were members of the 1,757 Facebook groups removed. The company also removed 86 pages and 64 Facebook accounts.
In addition to the Russia-related accounts, Facebook announced that it had removed 513 pages, groups and accounts connected to Iran for engaging in coordinated inauthentic behavior. The Iran-related pages turned out to be more openly political in nature than the latest batch of Russian accounts. Facebook found that many of these accounts mimicked existing political groups and presented themselves as legitimate media organizations. Many of the posts published by these accounts attempted to ease tensions between India and Pakistan, as well as between Israel and Palestine. Other frequently mentioned topics included the conflicts in Syria and Yemen, the Venezuelan crisis and terrorism. According to Facebook, this operation was widespread across the Middle East and North Africa.
In total, Facebook removed 158 pages, 263 Facebook accounts, 35 groups and 57 Instagram accounts connected to Iran. According to the company, approximately 1.4 million accounts followed one or more of these pages. The accounts spent about $15,000 on Facebook ads between December 2013 and February 2019.
Facebook also said it had removed 212 pages, groups and Facebook accounts related to Macedonia and Kosovo for coordinated inauthentic behavior. These accounts shared beauty tips and celebrity news, as well as pages presenting various political groups in the United States, the United Kingdom and Australia. About 685,000 accounts followed one or more of the 40 pages related to Macedonia and Kosovo. Facebook ad spending by these accounts was approximately $5,800 between October 2013 and March 2019.
In the face of growing criticism over the years, Facebook began to focus its war on misinformation in 2018. The company has specifically targeted pages, accounts and groups engaged in "coordinated inauthentic behavior". Facebook defines this type of behavior as users or organizations establishing "networks of accounts" in order to "deceive others about who they are or what they do".
In recent months, the social network has taken down multiple Iran-linked networks on its platform. Prior to this latest purge, Facebook had already deleted more than a thousand pages and accounts connected to Iran in total.
Using a long-established tactic to undermine the security of data as it travels over the Web, hackers have captured sensitive data such as login credentials and business details from telecoms, ISPs, government organizations and other institutions across the Middle East, North Africa, Europe and North America. FireEye researchers say that the targets and the types of stolen data are in line with the Iranian government's espionage interests, and that whoever is behind the massive assault now has a trove of data that could fuel future cyberattacks.
"This is in line with what we have seen before from Iran, and the signs point that way, but we just wanted to get it out there because it affects dozens of entities," said Ben Read, senior director of cyber espionage analysis at FireEye. "We have not seen the end of this."
To siphon so much sensitive data from dozens of targets, the attackers used variants of a technique known as DNS hijacking. This method exploits weaknesses in the foundational protocols of the Internet to redirect data into the attackers' hands.
"Iranians do not suffer this workload just for fun."
Dave Aitel, Cyxtera
When you load a website in a browser or use a Web service, you receive the correct content from the appropriate Web server thanks to a background lookup process called the Domain Name System. Essentially the Internet's version of a phone-book lookup, DNS servers tell the browser or service which path to take to reach the desired destination.
Think of it this way: if you change someone else's number in the phone book, or manipulate the infrastructure so that other people's numbers also ring on your line, you can listen in on all kinds of calls without your targets necessarily realizing that anything is wrong.
In the case of the large-scale DNS hijacking campaign reported by FireEye, hackers have been manipulating DNS records since January 2017 to intercept email data, usernames, passwords and web domain details from the targeted organizations.
The technique itself is not new; attackers have exploited DNS hijacking for years, and the security research community is well aware of the possibility. But FireEye's report highlights that the approach has become even more popular recently, as awareness of cybersecurity has grown and institutions have locked down their networks. DNS hijacking is a relatively easy way to keep accessing internal data without ever having to break into a company's systems.
"What they are looking for is information," Read says. "They do not really care where they get it from."
Iranian hackers have progressively stepped up their digital intelligence-gathering operations over the last five years, pursuing everything from government information to intellectual property to university research data. They often use sophisticated phishing attacks in these campaigns to capture credentials and penetrate networks. But when that is not feasible, DNS hijacking can fill the gaps and provide a more covert way to acquire information.
To help protect against DNS hijacking attacks, FireEye suggests that companies monitor their mail server certificates and check where their domains actually resolve, in order to catch suspicious changes. "This means no one is keeping track of certificate changes," says Dave Aitel, a former NSA researcher and now a security technology leader at Cyxtera, a secure infrastructure company. And while attackers take advantage of these open doors wherever they can, the effort they put into developing targeted attacks hints at the value of the resulting data. "Iranians do not suffer this workload just for fun," Aitel said.
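The monitoring that FireEye recommends above, written out as an added example (this is not code from the article, from FireEye or from Cyxtera): record where a domain's mail host should resolve, which MX hosts it should list and which TLS certificate its mail server should present, then compare a fresh observation against that baseline and alert on drift. The hostnames, addresses and certificate bytes below are constructed sample values; the live collector uses only the Python standard library, so the caller supplies MX hostnames from a resolver of their choice.

```python
"""Added example (not from the original article): detect DNS and
TLS-certificate drift for a domain's mail infrastructure.

Record where the mail domain *should* resolve and which certificate its
mail server *should* present, then periodically compare a fresh observation
against that baseline. All hostnames, addresses and fingerprints below are
constructed sample values, not data from the report.
"""
from dataclasses import dataclass
import hashlib
import socket
import ssl


@dataclass(frozen=True)
class Snapshot:
    """What a domain's mail path looked like at one point in time."""
    a_records: frozenset   # IPv4 addresses the mail host resolves to
    mx_hosts: frozenset    # hostnames listed in the domain's MX records
    cert_sha256: str       # SHA-256 fingerprint (hex) of the leaf TLS cert


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def diff_snapshot(baseline: Snapshot, observed: Snapshot) -> list:
    """Return one human-readable finding for every way `observed` departs
    from `baseline`; an empty list means nothing changed.

    A hijack that redirects the A record to a host the organisation does not
    own and then obtains a fresh certificate for the name produces two
    findings. A legitimate certificate renewal on the same hosts produces
    one, which is why certificate changes should be confirmed against the
    change calendar rather than ignored.
    """
    findings = []
    unexpected_ips = observed.a_records - baseline.a_records
    if unexpected_ips:
        findings.append("A record resolves to address(es) not in baseline: "
                        + ", ".join(sorted(unexpected_ips)))
    unexpected_mx = observed.mx_hosts - baseline.mx_hosts
    if unexpected_mx:
        findings.append("MX record lists host(s) not in baseline: "
                        + ", ".join(sorted(unexpected_mx)))
    if observed.cert_sha256 != baseline.cert_sha256:
        findings.append("TLS certificate fingerprint changed: "
                        f"{baseline.cert_sha256[:16]}... -> "
                        f"{observed.cert_sha256[:16]}...")
    return findings


def collect_snapshot(mail_host: str, mx_hosts, port: int = 465) -> Snapshot:
    """Gather a live snapshot using only the standard library.

    The stdlib has no MX lookup, so the caller passes the MX hostnames
    (e.g. from a dnspython query). Not invoked by the offline demo below.
    """
    addrs = frozenset(info[4][0] for info in
                      socket.getaddrinfo(mail_host, port, socket.AF_INET))
    pem = ssl.get_server_certificate((mail_host, port))
    der = ssl.PEM_cert_to_DER_cert(pem)
    return Snapshot(addrs, frozenset(mx_hosts), fingerprint_der(der))


# --- constructed sample data: documentation IP ranges and fake DER bytes ---
BASELINE = Snapshot(
    a_records=frozenset({"192.0.2.25"}),
    mx_hosts=frozenset({"mail.example.com"}),
    cert_sha256=fingerprint_der(b"constructed-der-bytes-for-legit-cert"),
)
# A hijack of the kind described in the text: the A record now points at a
# host the organisation does not control, which presents a newly issued cert.
HIJACKED = Snapshot(
    a_records=frozenset({"198.51.100.23"}),
    mx_hosts=frozenset({"mail.example.com"}),
    cert_sha256=fingerprint_der(b"constructed-der-bytes-for-attacker-cert"),
)

if __name__ == "__main__":
    for line in diff_snapshot(BASELINE, HIJACKED):
        print("ALERT:", line)
```

Run on a schedule, the comparison turns the "nobody is keeping track of certificate changes" problem Aitel describes into a concrete alert, and the baseline only needs updating when a change was planned.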
Other threat intelligence research groups, including Cisco Talos, have already detected various components of the malicious campaign. And FireEye points out that DNS hijacking campaigns are hard to contain, because it can be difficult to tell how the attackers manipulated particular DNS records and how much data was compromised.
All the more reason this hijacking could be at the root of many future attacks.
"We have not even covered the full scope of this campaign," said Read. "Even after the publication of our blog, we discovered new domains that had apparently been hijacked since."