Security Market Segment LS
Monday, 11 March 2019 09:51

Credentials of firm that linked Parliament hack to Iran questioned Featured

By
Credentials of firm that linked Parliament hack to Iran questioned Image by OpenClipart-Vectors on Pixabay

Infosec outfit Resecurity, which has come under scrutiny by some well-known researchers over its attribution of some recent hacks, has hit back by accusing its detractors of having ulterior motives for indulging in such criticism.

The company claimed last month that an Iranian-linked entity was behind the breach of the Australian Parliament network. More recently, it claimed that the same Iranian group was responsible for the breach at multinational software company Citrix Systems.

In both cases, Resecurity put out blog posts which are somewhat similar in their content.

Criticism of Resecurity's claim about the Australian Parliament hack, which was published by The Wall Street Journal and iTWire, was made on 21 February by Kevin Collier, a reporter with Buzzfeed, who cited the company's claims and then linked to an article in the Sydney Morning Herald where the counter-claim was made that China was behind the hack.

Others who criticised Resecurity were Catalin Cimpanu, a reporter with ZDNet, who said he and Sergiu Gatlan, a reporter with Bleeping Computer, had talked about the Citrix hack and the latter had tried to contact Resecurity but received what was described as a "weird reply".

Wrote Cimpanu: "There were a lot of details around this story that kept changing last night. Then he (Gatlan) got a weird reply from the company via email. Then there was their obsession with Iran."

And Costin Raiu, a senior researcher and the head of Kaspersky Lab's Global Research and Analysis Team, said: "Some facts: the Resecurity website doesn't even have an About page. Their corporate movie has a bunch of actors talking about security but no names or titles. Their president has no work history before 2017. Of course, it may be legit, but for now it looks odd."

Added Raiu: "I'd be cautious with this story (the Citrix story on CNBC), feels like there's a lot of FUD (fear, uncertainty and doubt) surrounding it. Eg: 'Iridium broke its way into Citrix's network about 10 years ago, and has been lurking inside [...] ever since'. Then 'Citrix came under attack twice, once in December and again Monday."

Brian Bartholomew, another senior researcher from Kaspersky, said: "These Resecurity folks are really jacking some shit up lately. First they say Iran is responsible for the AU parliament hack, and now they say an Iranian group named 'Iridium' is behind the Citrix stuff."

The Resecurity website has only two research reports in its blog, about the Australian Parliament and Citrix hacks. There are claims on its website of supplying services to several high-profile clients like Microsoft, JPMorgan Chase and Amazon but the logos of these companies do not link to the clients' websites. There is also a list of awards that Resecurity claims to have won, but again the logos of these awards do not link anywhere.

Asked for his response to the criticism, Resecurity researcher Jean-Jacques Gonçalves told iTWire: "Unfortunately, we don't comment [on] such statements delivered in [the] form of 'tweets'. Moreover, they have no relation to the topic, and have minimal insight on it. We are not familiar with these wonderful gentlemen, and with interest read their communications when the time allows."

Gonçalves added: "None of them has reached out officially, besides Sergiu Gatlan, and has no relation to our company as well. We have provided an official comment only to Sergiu Gatlan through our press service, who later for some reasons said 'he has received a weird reply' (we have a copy, and documented correspondence with him, which included a kind and timely addressed recommendation to read an official statement published on our website)."

He also pointed out that Cimpanu, Gatlan and Raiu were all of Romanian ancestry — though he did not expand on the significance of this — while Raiu, Bartholomew and Eugene Kaspersky — who retweeted Collier's claims — were all from Kaspersky Labs.

Gonçalves provided links to show the Russian company had a relationship with Citrix, though he again did not expand on what he was implying.

"Probably, it may characterise the level of culture in general, but typically we don't comment such things," he said. "We wish only the best to Kaspersky Labs, understanding some challenges they had to face with in the past few years." The last statement was a reference to the issues Kaspersky Lab has faced in the US, which ended up with it losing all its business with the American public sector.

Gonçalves dismissed Collier's claims in detail, saying that only one of the three points he (Collier) had made was valid: the reference to the WSJ headline. Of the other two, he said Resecurity had a detailed blog post about the Australian hack, tying the group IRIDIUM to it. And he also contested Collier's claim about the SMH article being based on government or government-adjacent sources, saying that the article mentioned "top-level sources" who could not be in any way identified as they were not named.

He also mentioned that China had denied any involvement in the Parliament attack.

"Moreover, we have reached [out] to [the] lady [who] published this article – Latika Bourke. After our contact, it has been modified several times (starting from wrong use of our company name, and ending with 'top-level sources', who in the past 'couldn’t comment anything on the record'. In such case, on what sources she was relying is still a question. From our side, we haven’t changed a single word," he said.

The company's website was down for quite some time on Monday morning Australian time; when asked about this, Gonçalves said: "We have installed Cloudflare and you saw its cache for couple of minutes."

Resecurity's claims about the Citrix hack have been reported by several tech and general sites such as The Register and CNBC.

BUSINESS WORKS BETTER WITH WINDOWS 1O. MAKE THE SHIFT

You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer

Timezones

QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.

REGISTER!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments