Hackers working for Western intelligence agencies broke into Russian Internet search company Yandex late last year and deployed a rare type of malware in an attempt to spy on user accounts, four people with knowledge of the matter said.
The malware, called Regin, is known to be used by the “Five Eyes” intelligence-sharing alliance of the US, Britain, Australia, New Zealand and Canada, the sources said.
Intelligence agencies in the alliance declined to comment. Western cyberattacks against Russia are seldom acknowledged or spoken about in public.
It could not be determined which of the five “Five Eyes” members was behind the attack on Yandex, said sources in Russia and elsewhere, three of whom had direct knowledge of the hack.
The breach took place between October and November last year.
Yandex spokesman Ilya Grabovsky acknowledged the incident in a statement, but declined to provide further details.
“This particular attack was detected at a very early stage by the Yandex security team. It was fully neutralized before any damage was done,” Grabovsky said.
The company also said that “the Yandex security team’s response ensured that no user data was compromised by the attack.”
The company, widely known as “Russia’s Google” for its array of online services from Internet search to e-mail and taxi reservations, says it has more than 108 million monthly users in Russia. It also operates in Belarus, Kazakhstan and Turkey.
The sources who described the attack said that the hackers appeared to be searching for technical information that could explain how Yandex authenticates user accounts. Such information could help a spy agency impersonate a Yandex user and access their private messages.
The hack of Yandex’s research and development unit was intended for espionage purposes rather than to disrupt or steal intellectual property, the sources said.
The hackers covertly maintained access to Yandex for at least several weeks without being detected, they said.
The Regin malware was identified as a “Five Eyes” tool in 2014 following revelations by former US National Security Agency (NSA) contractor Edward Snowden.
Reports by The Intercept, in partnership with a Dutch and Belgian newspaper, tied an earlier version of Regin to a hack at Belgian telecom firm Belgacom in 2013 and said Britain’s Government Communications Headquarters (GCHQ) and the NSA were responsible.
At the time GCHQ declined to comment and the NSA denied involvement.
Security experts say attributing cyberattacks can be difficult because of obfuscation methods used by hackers, but some of the Regin code found on Yandex’s systems had not been deployed in any known previous cyberattacks, the sources said, reducing the risk that attackers were deliberately using known Western hacking tools to cover their tracks.
Yandex called in Russian cybersecurity company Kaspersky, which established the attackers were targeting a group of developers inside Yandex, three sources said.
A private assessment by Kaspersky concluded that the hackers likely tied to Western intelligence breached Yandex using Regin.
A Kaspersky spokeswoman declined to comment.
The US Office of the Director of National Intelligence declined to comment. The White House National Security Council did not respond to a request for comment.
The Kremlin did not immediately respond to a request for comment.
Moscow-based Yandex, listed on the NASDAQ in the US and the Moscow Exchange, has come under tighter regulatory control by the Russian government after the passage of new Internet laws.
Former Russian minister of economics and trade Herman Gref became a Yandex board member in 2014.
US firm Symantec said it had also recently discovered a new version of Regin. It declined to discuss where the sample was discovered, citing client confidentiality.
“Regin is the crown jewel of attack frameworks used for espionage. Its architecture, complexity and capability sits in a ballpark of its own,” Symantec Security Response technical director Vikram Thakur said. “We have seen different components of Regin in the past few months. Based on the victimology coupled with the investment required to create, maintain and operate Regin, we believe there are at best a handful of countries that could be behind its existence.”
Since her personal telephone number was posted online, Hong Kong democracy advocate and Hong Kong Confederation of Trade Unions chairperson Carol Ng has received menacing calls from strangers and been bombarded with messages calling her a “cockroach.” She is not alone. A sophisticated and shady Web site called HK Leaks has ramped up its “doxxing” — where people’s personal details are published online — of Hong Kong democracy advocates, targeting those it says have broken Hong Kong’s National Security Law. Promoted by groups linked to the Chinese Chinese Communist Party and hosted on Russia-based servers, HK Leaks has become the most prominent “doxxing”
‘CONFESSED’: A court in Beijing said that former CCP member Ren Zhiqiang abused his power at a state firm and embezzled almost US$7.14 million of public funds A Chinese tycoon who called Chinese President Xi Jinping (習近平) a clown and criticized his handling of the COVID-19 pandemic was yesterday jailed for 18 years for corruption, bribery and embezzlement of public funds. Ren Zhiqiang (任志強) — once among the Chinese Communist Party’s (CCP) inner circle — disappeared from the public eye in March, shortly after penning an essay that lambasted Xi’s pandemic response. His outspokenness had earned the former chairman of state-owned property developer Huayuan Group the nickname “Big Cannon.” Yesterday’s verdict said that Ren embezzled almost 50 million yuan (US$7.4 million) of public funds and accepted bribes worth 1.25 million
AUSTRALIAN SITE: China has had a contract with SSC’s Yatharagga station since at least 2011, but the last time it used it was in June 2013. No final date has been given China would lose access to a strategic space tracking station in Western Australia when its contract expires, the facility’s owners said, a decision that cuts into Beijing’s expanding space exploration and navigational capabilities in the Pacific region. The Swedish Space Corp (SSC) has had a contract allowing Beijing access to the satellite antenna at the station since at least 2011. The station is located next to an SSC satellite station primarily used by the US and its agencies, including NASA. The Swedish state-owned company said it would not enter into any new contracts at the Australian site to support Chinese customers after
Australia is notorious for its venomous spiders, snakes and sea creatures, but researchers have now identified “scorpion-like” toxins secreted by a tree that can cause excruciating pain for weeks. Split-second contact with the dendrocnide tree, a rainforest nettle known by its Aboriginal name gympie-gympie, delivers a sting far more potent than similar plants found in the US or Europe. A team of Australian scientists said that they now better understand why the gympie-gympie’s sting haunts those unlucky enough to brush up against its leaves. Victims report an initial sting that “feels like fire at first, then subsides over hours to a pain reminiscent