X-Agent

Last updated
X-Agent
TypeSpyware
Author(s) Fancy Bear [1]
Operating system(s) affectedWindows, Linux, iOS, Android

X-Agent or XAgent is a spyware and malware program designed to collect and transmit hacked files from machines running Windows, Linux, iOS, or Android, to servers operated by hackers. It employs phishing attacks and the program is designed to "hop" from device to device. [2] [3] [4] In 2016, CrowdStrike identified an Android variant of the malware for the first time, and claimed that the malware targeted members of the Ukrainian military by distributing an infected version of an app to control D-30 Howitzer artillery. [1] The Ukrainian army denied CrowdStrike's report and stated that losses of Howitzer artillery pieces had "nothing to do with the stated cause". [5]

Slovak computer security company ESET obtained the X-Agent source code in 2015 and described its inner workings in a report released in October 2016. [6]

A Washington, DC grand jury indictment (resulting from Robert Mueller's investigation into Russian election interference) charges that agents of the Russian GRU in Moscow "developed, customized and monitored X-Agent malware used to hack the DCCC [Democratic Congressional Campaign Committee] and DNC [Democratic National Committee] networks beginning in or around April 2016" (item 15, at the end of page 4 and the beginning of page 5). [7]

Related Research Articles

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a Slovak software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide, and its software is localized into more than 30 languages.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

<span class="mw-page-title-main">VirusTotal</span> Cybersecurity website owned by Chronicle

VirusTotal is a website created by the Spanish security company Hispasec Sistemas. Launched in June 2004, it was acquired by Google in September 2012. The company's ownership switched in January 2018 to Chronicle, a subsidiary of Google.

On Apple devices running iOS and iOS-based operating systems, jailbreaking is the use of a privilege escalation exploit to remove software restrictions imposed by the manufacturer. Typically it is done through a series of kernel patches. A jailbroken device permits root access within the operating system and provides the right to install software unavailable through the App Store. Different devices and versions are exploited with a variety of tools. Apple views jailbreaking as a violation of the end-user license agreement and strongly cautions device owners not to try to achieve root access through the exploitation of vulnerabilities.

Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

HackingTeam was a Milan-based information technology company that sold offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its "Remote Control Systems" enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and camera on target computers. The company has been criticized for providing these capabilities to governments with poor human rights records, though HackingTeam states that they have the ability to disable their software if it is used unethically. The Italian government has restricted their licence to do business with countries outside Europe.

XARA is an acronym for "Unauthorized Cross-App Resource Access", which describes a category of zero-day vulnerabilities in computer software systems.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); this view is shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Fancy Bear is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks, ThreatConnect, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165. This refers to its unified Military Unit Number of the Russian army regiments. The headquarters of Fancy Bear and the entire military unit, which reportedly specializes in state-sponsored cyberattacks and decryption of hacked data, were targeted by Ukrainian drones on July 24, 2023, the rooftop on one of the buildings collapsed as a result of the explosion.

XcodeGhost are modified versions of Apple's Xcode development environment that are considered malware. The software first gained widespread attention in September 2015, when a number of apps originating from China harbored the malicious code. It was thought to be the "first large-scale attack on Apple's App Store", according to the BBC. The problems were first identified by researchers at Alibaba, a leading e-commerce firm in China. Over 4000 apps are infected, according to FireEye, far more than the 25 initially acknowledged by Apple, including apps from authors outside China.

Shedun is a family of malware software targeting the Android operating system first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000 popular Android applications. Lookout claimed the HummingBad malware was also a part of the Shedun family, however, these claims were refuted.

CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides cloud workload and endpoint security, threat intelligence, and cyberattack response services. The company has been involved in investigations of several high-profile cyberattacks, including the 2014 Sony Pictures hack, the 2015–16 cyber attacks on the Democratic National Committee (DNC), and the 2016 email leak involving the DNC.

<span class="mw-page-title-main">Democratic National Committee cyber attacks</span> 2015-16 data breaches by Russian hackers as part of US election interference

The Democratic National Committee cyber attacks took place in 2015 and 2016, in which two groups of Russian computer hackers infiltrated the Democratic National Committee (DNC) computer network, leading to a data breach. Cybersecurity experts, as well as the U.S. government, determined that the cyberespionage was the work of Russian intelligence agencies.

<span class="mw-page-title-main">NSO Group</span> Israeli cyber-espionage and malware firm

NSO Group Technologies is an Israeli cyber-intelligence firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones. It employed almost 500 people as of 2017.

Pegasus is a spyware developed by the Israeli cyber-arms company NSO Group that is designed to be covertly and remotely installed on mobile phones running iOS and Android. While NSO Group markets Pegasus as a product for fighting crime and terrorism, governments around the world have routinely used the spyware to surveil journalists, lawyers, political dissidents, and human rights activists.

<span class="mw-page-title-main">Russo-Ukrainian cyberwarfare</span> Informatic component of the confrontation between Russia and Ukraine

Cyberwarfare is a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013-2014. While the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013, Russian cyberweapon Uroburos had been around since 2005. Russian cyberwarfare continued with the 2015 Ukraine power grid hack at Christmas 2015 and again in 2016, paralysis of the State Treasury of Ukraine in December 2016, a Mass hacker supply-chain attack in June 2017 and attacks on Ukrainian government websites in January 2022.

<span class="mw-page-title-main">Sandworm (hacker group)</span> Russian hacker group

Sandworm is an Advanced Persistent Threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include Telebots, Voodoo Bear, and Iron Viking.

Candiru is a Tel Aviv-based technology company offering surveillance and cyberespionage technology to governmental clients.

References

  1. 1 2 "Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units". Crowdstrike.com. CrowdStrike. 22 December 2016. CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware
  2. Williams, Martyn (4 February 2015). "New iOS spyware steals pictures, data, and more even from non-jailbroken iPhones". PC World. Retrieved 22 July 2016.
  3. Ranger, Steve (6 February 2015). "iOS spyware steals texts, photos, contacts, switches on voice recorder". ZD Net. Retrieved 22 July 2016.
  4. "Pawn Storm Update: iOS Espionage App Found". Trend Micro. 4 February 2015.
  5. "Defense ministry denies reports of alleged artillery losses because of Russian hackers' break into software". Interfax-Ukraine. January 6, 2017.
  6. ESET (October 2016). "En Route with Sednit" (PDF). www.welivesecurity.com. Retrieved December 21, 2017.
  7. Mueller, Robert (2018). U.S. v. Viktor Borisovich Netyksho, et al  . pp.  4-5  via Wikisource. [ scan   Wikisource-logo.svg ]


This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.