Friday 4 July 2014

Russian Hackers Target Hundreds Of Western Energy Companies


Recently, a Russian group of hackers known as ‘Energetic Bear‘ has compromised over 1,000 European and North American energy firms with a sophisticated cyber weapon, similar to Stuxnet, that gave hackers access to power plant control systems, said a security firm.
The group, also known as ‘Dragonfly’, is an eastern European collective that has been active since at least 2011 and has been using phishing sites and Trojans to target energy supplier organizations in the US and several other countries since 2013.
“Its primary goal appears to be espionage,” claimed Symantec. The group appears to have the resources, size and organization that no doubt suggest the involvement of government in the malware campaign, said the firm.
According to the blog post published yesterday by security firm Symantec, the Dragonfly group mainly targeted petroleum pipeline operators, electricity generation firms and other Industrial Control Systems (ICS) equipment providers for the energy sector in several companies.
Since 2013, Dragonfly has been targeting organizations that make use of Industrial Control Systems (ICS) to manage electrical, water, oil, gas and data systems, which affected almost 84 countries in a campaign spanning 18 months, although most of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
“Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus mainly to US and European energy firms in early 2013,” reads the blog post. “Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.”
Dragonfly used different techniques to infect industrial software with Remote Access Trojan (RAT) in order to access computer systems, including attaching malware to emails, websites and third-party programs, giving it “the capability to mount sabotage operations that could have disrupted energy supplies across a number of European countries“.
“The attackers, known to Symantec as Dragonfly, managed to compromise a number of strategically important organizations for spying purposes,” Symantec said in a blog post. “If they had used the sabotage capabilities open to them, (they) could have caused damage or disruption to energy supplies in affected countries.”
Dragonfly used two malware tools, the firm said. The first is Backdoor.Oldrea, which is used to gather system information, including the computer's Outlook address book and a list of files and programs installed. The second is Trojan.Karagany, which is used to upload stolen data, download new files and run them on infected computers.
The Oldrea backdoor is also known as Havex. In short, both the Oldrea and Karagany malware families give attackers backdoor access to infected systems and let them exfiltrate confidential data and download and install additional malware.
The first powerful malware of this family is the famous Stuxnet Worm, which made international headlines in 2010 and was designed to sabotage the Iranian nuclear project. It specifically targeted a uranium enrichment facility to make the centrifuges spin out of control and cause physical damage to the plant in Natanz, Iran and successfully disabled 1,000 centrifuges that the Iranians were using to enrich uranium.

Credit Card Breach Warning from Point-of-sale (POS) Machine Vendor

Information Systems & Suppliers (ISS) Inc., the vendor of point-of-sale (POS) electronic cash registers and security systems used by restaurants including Taco Bell and Dairy Queen, has warned its customers that it may have experienced a payment card breach.
On June 12 the company notified restaurant customers that its remote-access service, the popular LogMeIn, had been compromised, which may have exposed credit card details linked to POS transactions conducted between Feb. 28 and April 18 of this year.
“We recently discovered that our Log-Me-In account was breached on February 28, March 5 and April 18, 2014,” Thomas Potter, president of Information Systems & Suppliers (ISS) Inc., states in the letter. “We have reason to believe that the data accessed could include credit card information from any cards used by your customers between these dates.”
Log-Me-In is a remote access and systems management service founded in 2003, which helps remote control, systems management, business collaboration, along with file sharing and data backup. The company is based in Boston, Massachusetts.
It is believed that the hacker possibly launched a phishing attack against the company’s employees in an effort to steal the company’s remote access credentials.
“We regret this happened, are sorry for any difficulties it may cause, and have taken additional action to protect this from happening again,” Potter said.
The company didn’t say how many restaurants or credit card accounts were at risk, but it believes that not all and FuturePOS customers are affected in the credit card breach. “We tried to get out ahead of this thing and do what was right by our customers,” he says, adding that the firm had so far not seen any direct evidence of card information being misused.
To be on the safer side in near future, the company has changed its “Log-Me-In” credentials, as well as added a secondary password protection to protect themselves from other malicious activities, and is in the process of running virus scans at all of its sites.
Due to lack of concern and security measures, point-of-sale (POS) systems have become an attractive target for cybercriminals. Attackers can also steal the information by leveraging the weakness in the point-of-sale (POS) environment such as unprotected memory, unencrypted network transmission, poorly encrypted disk storage, card reader interface, or compromised pinpad device.
In the past year, we have seen many massive data breaches targeting POS machines, such as the TARGET data breach that occurred during the last Christmas holiday, in which over 40 million Credit & Debit cards were stolen, and breaches at multiple retailers including Neiman Marcus and Michaels Store, involving the heist of possibly 110 million Credit-Debit cards and personal information.

Microsoft promises critical fixes for Internet Explorer and Windows bugs

Microsoft Patch Tuesday July 2014
Microsoft will release two critical fixes for vulnerabilities in its Windows operating system and Internet Explorer web browser in its forthcoming Patch Tuesday update.
Microsoft announced the fixes in an advanced threat advisory, warning that critical vulnerabilities could theoretically be used by hackers to mount remote code execution attacks.
The update will also include three important Windows updates and a single moderate fix for a flaw in Windows Server.
Trustwave Threat Intelligence manager Karl Sigler said none of the vulnerabilities are particularly dangerous and are part of what appears to be a fairly minor Patch Tuesday. "This seems to be a light release with two ‘critical' bulletins, three ‘important' bulletins and one ‘moderate' bulletin," he said.
"These bulletins will affect Internet Explorer, Microsoft Server software and Microsoft Windows. A restart will be necessary to install the updates. This security update should require minimal effort to install and should be quicker to update than normal."
Ross Barrett, senior manager of Security Engineering at Rapid7, added that, despite being listed as a moderate update, IT managers should still install the Windows Server update as soon as possible.
"The odd one out this month is the moderate denial of service in ‘Microsoft Service Bus for Windows Server'," he said.
"This seems to be a message queuing library for Windows, it's part of the Microsoft Web Platform package and is not installed by default with any operating system version. That said, if you have this component you will probably care to patch this before script kids start knocking over your site."
The advanced advisory follows one of Microsoft's biggest Patch Tuesdays to date. On last month's Patch Tuesday Microsoft released a staggering 59 updates for Internet Explorer.

CosmicDuke hackers caught hitting UK government systems

White hats uncover mysterious CosmicDuke mongrel family of malware
Researchers from Kaspersky Labs have uncovered a wave of attacks leveraging the recently discovered CosmicDuke malware, warning that it has already infected more than 10 UK systems.
CosmicDuke is a new form of malware that combines the infamous MiniDuke and ancient Cosmu attack. It was first uncovered by researchers at F-Secure on Thursday.
It was originally unclear if the malware was being used for real-world attacks. However, on Friday Kaspersky Lab researchers reported finding evidence that the malware is being used to mount an ongoing advanced hack campaign.
“Recently, we became aware of an F-Secure publication on the same topic under the name ‘CosmicDuke’. During the analysis, we were able to obtain a copy of one of the CosmicDuke command-and-control servers,” read the report.
“One of the CosmicDuke servers we analysed had a long list of victims dating back to April 2012. This server had 265 unique identifiers assigned to victims from 139 unique IPs.”
The UK is the fourth worst affected country with Kaspersky detecting 14 infections. Above it the United States, Russia and Georgia respectively suffered 34, 61 and 84 CosmicDuke infections.
The malware grants hackers a variety of powers and installs a number of attack tools including a keylogger, clipboard stealer, screenshotter and password stealers for a variety of popular chat, email and web browsing programs.
Kaspersky reported that the victims included governments, diplomatic bodies, energy companies, telecom operators, military departments and contractors and “individuals involved in the traffic and selling of illegal and controlled substances”.
The Kaspersky researchers said the MiniDuke malware is particularly dangerous as it leverages several advanced techniques to hide its activities.
“MiniDuke/CosmicDuke is protected with a custom obfuscated loader, which heavily consumes CPU resources for three to five minutes before passing execution to the payload. This not only complicates analysis of the malware but is also used to drain resources reserved for execution in emulators integrated in security software,” explained the report.
“Besides its own obfuscator, it makes heavy use of encryption and compression based on the RC4 and LZRW algorithms respectively. Implementations of these algorithms have tiny differences from the standardised code, which perhaps looks like a mistake in the code. Nevertheless, we believe that these changes were introduced on purpose to mislead researchers.”
F-Secure security analyst Sean Sullivan told V3 the firm has so far only caught decoy document samples of CosmicDuke and is yet to see it used in a real-world attack, but added that there is evidence to suggest it is being used by state-sponsored groups.
"It appears to be state sponsored. Or else it is an organised actor – perhaps a contractor who is gathering information to sell to a government. At the moment, crimeware which targets consumers is under attack by international law enforcement so it is quite possible that the displaced crimeware vendors found a new buyer of information."
Sullivan cited CosmicDuke as proof firms must invest in cyber security, warning them: "You are a target. Keep calm and secure your stuff. For IT managers: ask for the security budget you need, and fight for it. There is more evidence than ever that letting cost dictate security is bad management."
CosmicDuke is one of many advanced threats uncovered recently. Symantec reported on Wednesday that the infamous Dragonfly hackers have returned and are targeting a number of Western critical infrastructure companies with cyber attacks capable of physically sabotaging their systems.

Zeus malware re-emerges after NCA and FBI takedown

Symantec has spotted a resurgence in use of the Zeus malware following the high-profile international takedown operation against the Gameover Zeus botnet, indicating that the attack tool is still as popular as ever.
Associate threat analyst at Symantec Ankit Singh said the firm spotted Zeus use when forensically examining a recent attack on the AskMen.com site that occurred last week.
"Last week, it was reported that popular web portal AskMen.com was compromised to redirect users to a malicious website that hosted the Nuclear Exploit Kit. Symantec has found during investigations that users were also redirected to the Rig Exploit Kit during this attack," read the report.
"We found that the Rig Exploit Kit dropped a range of different malware samples, including the Zeus banking Trojan (Trojan.Zbot) and the CryptoDefense ransomware (Trojan.Cryptodefense)."
Singh cited Zeus use as proof that criminals are still interested in the malware, despite ongoing work by law enforcement to combat it.
"In early June, [law enforcement] announced that it took down a significant portion of the Gameover Zeus botnet. This latest incident shows that despite the takedown, attackers still see Zeus as an attractive payload to deliver in their campaigns," read the report.
The takedown operation saw law enforcement agencies across the globe, including the UK National Crime Agency (NCA), mount a co-ordinated sting operation that temporarily shut down the Gameover Zeus botnet, which was estimated to have enslaved between 500,000 and one million computers at its peak.
The temporary takedown was designed to give victims a window of opportunity to purge the malware from their systems, and separate the machine from the botnet's command-and-control server. The deadline for system administrators and web users to purge their systems passed in June.
The operation was heralded as a success by the UK government, which currently lists combating cyber crime and increasing the region's cyber defences as a top priority. Experts from the security community told V3 in June that, despite being a positive move, the takedown could lead to more dangerous attacks.
Singh agreed: "Attackers often use the newest exploit kits, as they believe that security software may not yet detect the kits' activities."
The Gameover Zeus takedown is one of many initiatives from law enforcement and government agencies to help combat cyber crime.
The UK Government Communications Headquarters (GCHQ) pledged to share cyber threat intelligence and "select" intellectual property with wider industry, in a bid to help protect them from hackers in June.

Evolved Cridex cyber attack found with 50,000 stolen credentials

Criminals are using Cridex malware to increase the size of botnets
Criminals are using a new form of the infamous Cridex malware to automatically increase the size of their botnet empire and target enterprise customers.
Seculert CTO Aviv Raff reported finding the evolved attack, codenamed Geodo, in a blog post, warning that the new malware has advanced self-spreading powers.
The attacks work using 50,000 stolen credentials to create and send automated emails with malicious attachments, which when clicked infect the victim machine and connect it to the criminal botnet.
"We were able to determine that the second piece of malware (the worm) is provided with approximately 50,000 stolen Simple Mail Transfer Protocol (SMTP) account credentials including the related SMTP servers to connect to. The bot then uses these credentials to target mostly German accounts by impersonating legitimate email," read the post.
"The command and control (C&C) provides the malware with a batch of 20 targeted email addresses. The malware is also given a from address, subject line and email body text unique to this particular batch of emails. Once the malware has run through the batch, it is provided with a new batch of 20 emails."
Cridex is a data-stealing worm that was first discovered in 2012. Raff said it is unclear where the credentials used in the new campaign came from, though it is likely they were stolen during attacks using the older Cridex version.
"There is no definitive information on where the 50,000 stolen credentials came from, but Cridex is the suspected culprit," he said.
"As a data stealer, Geodo can compromise the intellectual property of a corporation, putting its business and reputation at risk. This new email worm capability displayed by Geodo serves to further emphasise the growing threat of advanced malware to today's enterprises."
Cridex is one of many old attack tools to receive a technical upgrade in recent weeks. Researchers at F-Secure uncovered a fresh BlackEnergy hack campaign believed to be targeting European governments with a wave of spear-phishing emails masquerading as IT alerts in June.

Euro-cops get crash course in fighting cybercrime

European police officers are completing an intensive training course
A collection of high-ranking police officers are being trained in how to tackle increasingly advanced cyber threats at a two-week event hosted by Europol.
Some 37 officers from 22 countries will attend the event, which has been arranged by the Spanish Police Academy in Avila.
The cops will receive "high level training and education" in the "prevention, detection and disruption of advanced cybercrime targeting individuals, companies, governments and academia".
The two-week event follows a nine-week online training session, and is intended to improve investigation of international incidents.
"This high level training course [...] is an important contribution to the improved readiness in many countries to prevent and combat cybercrime. We need all hands on deck in order to match the overwhelming crime perpetrated in cyberspace by organised criminal networks and we need real experts in order to be able to detect, identify and hunt down these criminals," said Troels Oerting, the head of Europol's European Cybercrime Centre.
"Today we have 37 more cybercrime experts joining the growing group of cyber cops and more will follow. We might have started a bit late - but we are catching up fast, and will continue to invest in this area to do our part in keeping the internet open and transparent but also safe."
Spanish National Police commissioner Ignacio Cosidó Gutiérrez said that a united front is key to successful anti-cybercrime campaigns.
"International police co-operation, capacity building, public-private partnership and a network of specialised police officers are key elements in the fight against cybercrime," he said.

BAE retracts hedge fund hack allegation

BAE Systems Applied Intelligence has retracted allegations of a nasty attack on a hedge fund it floated on Canadian television a couple of weeks ago.
The firm today told Bloomberg it was just a scenario that it used for “illustrative” purposes. BAE has promised not to scare us all with hypotheticals any more.
That promise is all well and good, save for the fact that “news” of the hack travelled swiftly, and widely enough that The Center for Financial Stability announced “the formation of a public / private partnership for the financial services community” staffed by lots of serious folks dedicated to making sure things like the imaginary hack couldn't possibly happen to other financial institutions.
The “incident” also generated a slew of global coverage, featuring buckets of expert comment to the effect that this kind of thing either happens all the time or could happen any minute now.
The latter remains true … assuming BAE's hypothetical was accurate. Even if it wasn't, that the mere mention of an unspecified attack on a high value target can provoke such a response suggests a worrying new way to spook users. And the markets.

NSA man says agency can track you through POWER LINES

Forensics and industry experts have cast doubt on an alleged National Security Agency capability to locate whistle blowers appearing in televised interviews based on how the captured background hum of electrical devices affects energy grids.
Divining information from electrified wires is a known technique: Network Frequency Analysis (ENF) is used to prove video and audio streams have not been tampered with.
The technique works by analysing the nearly inaudible 50 Hertz energy hum generated by power grids which is inadvertently captured by most audio recording devices. Investigators could strip away layers of audio until the bare hum remains. That hum can then be scrutinised for unnatural variations.
ENF analysis became topical this week when German outlet Heute.de reported an un-named former NSA staffer claimed the agency has used it to determine the physical location where a recording of TV interviews took place by matching captured energy hums with those previously recorded across the grid.
NSA operatives could therefore guess at a whistleblower's location.
Technology to conduct ENF is not exotic. Bandpass filters can detect variations in the 50Hz hum which would detect dips and rises as small as 0.001 Hz over 10 seconds.
That it is possible to geolocate variations in grid hum, which Heute.de reports the NSA and CIA can do, is more novel.
But experts are dubious the reports are correct.
"Let me start by saying that in principle it could well be possible to use ENF to determine the location a recording was made as well as the time it was made," Philip Harrison, an ENF forensics veteran of 18 years based in London told The Register.
"It's possible that there are some other aspects of the signal that vary by location that haven't been discovered yet, or perhaps the NSA have discovered them."
Harrison had performed ENF analysis to verify an audio recording presented as evidence in court, showing that an undercover police recording of an illegal weapons deal had not been tampered with. In 2010, ENF was used in a high profile murder case in the UK. Blighty's Metropolitan Police Service have stockpiled a comprehensive database of electrical grid frequencies since 2005 to help with further cases.
Vulture South contacted Harrison and others about the ex-NSA agent's claims. Harrison saw three problems that were likely intractable for anyone other than the seemingly superhuman hackers at the NSA.
"Firstly," Harrison said, "the NSA would need to know over what geographic area the specific type of variation occurred".
Research published last month by the University of Porto, Portugal, (Real-Time Monitoring of ENF and THD Quality Parameters of the Electrical Grid in Portugal) examined local variation in the nation's power grid. It found fundamental differences in the structure of the harmonics of the 50 Hz which could be detected because Total Harmonic Distortion was strongly affected by local factors and had as a result little geographical consistency.
That research considered only a handful of locations meaning it was unclear how the features could vary between sub-stations or power stations, Harrison said. The NSA could know of other signal aspects that varied according to location, but that was speculative.
The second problem was the need to log ENF values and the secret signal sauce that allowed location to be determined. "This could mean hundreds or thousands of logging devices in a country if you want to be able to locate a recording accurately," he said.
The problem was a prodigious one because of the huge amount of frequency variation in local power grids. All manner of electrical devices could cause a dip or spike in neighbouring networks.
"You would need a tap on every one of thousands of transformers," said Ian Appleby, a former veteran of the Australian energy and defence sectors who maintained a comprehensive knowledge of electronics, but not of ENF. "In the industrial area where I used to be, my UPS (uninterruptible power supply) would freak out when nearby commercial places shut down causing a spike in frequency."
He doubted the feasibility of mapping a whole power grid considering these immense variables.
A third problem relates to the hit and miss process of extracting the relevant data from captured recordings.
"From my experience of casework this is the hardest part," Harrison said. "It's not always easy to get out the variation in 50 Hz since it is at such a low level in the signal, let alone trying to get more information out about the harmonics or some other aspect of the signal."
"So while it might be able to work in principle, actually applying it to a real-world recording could be a lot harder."
The audio and video equipment used to record whistle blowers could be identified, according to NSW-based Brian Stokes who had a background in the field but not ENF. He and other engineers agreed with Appleby's remarks.
"The possibilities of characterising the recording equipment such as microphone, input amplifier, etcetera are rather good, but the likelihood of determining the geographical location of the recording based upon artifacts of the mains supply, given the levels of filtration in DC supply design, sounds improbable."
If the NSA did have the technology, it was bad news for whistleblowers. The Heute.de source said they could nail a whistle blower in less than three weeks, even faster if they spoke at a monitored journalist's favourite haunt.
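The ENF check this article describes (isolate the mains hum, track its small frequency variations, compare them with a logged grid trace) can be sketched as follows. This is an added example, not code from the report or from any forensic tool; the 1 kHz sample rate, the synthetic recording, the GRID_LOG values and all function names are constructed for illustration, and quadrature demodulation is used here as one way to realise the band-pass step.

```python
import cmath
import math
import random

FS = 1000        # sample rate in Hz (assumed for this example)
NOMINAL = 50.0   # nominal mains frequency named in the article
WINDOW_S = 10    # one ENF estimate per 10 s of audio

# Constructed reference log: grid frequency in Hz, one value every 10 s.
GRID_LOG = [50.01, 49.99, 50.02, 50.00, 49.97, 50.03,
            50.01, 49.98, 50.02, 50.00, 49.99, 50.01]

def synthesize(freqs, hum_amp=0.02, noise=0.01, seed=1):
    """Constructed recording: two loud tones standing in for programme
    audio, a faint hum whose frequency follows `freqs` (one value per
    window, phase kept continuous), and broadband noise."""
    rng = random.Random(seed)
    samples, phase, n = [], 0.0, 0
    for f in freqs:
        for _ in range(FS * WINDOW_S):
            t = n / FS
            phase += 2 * math.pi * f / FS
            audio = 0.5 * math.sin(2 * math.pi * 220 * t) \
                  + 0.5 * math.sin(2 * math.pi * 440 * t)
            samples.append(audio + hum_amp * math.cos(phase)
                           + rng.gauss(0, noise))
            n += 1
    return samples

def extract_enf(samples):
    """Return one hum-frequency estimate (Hz) per WINDOW_S seconds."""
    # Mix the 50 Hz component down to 0 Hz, then average over 1 s blocks.
    # The average is a narrow low-pass, so the two steps together act as
    # a band-pass around the nominal mains frequency.
    phasors = []
    for start in range(0, len(samples) - FS + 1, FS):
        acc = 0j
        for n in range(start, start + FS):
            acc += samples[n] * cmath.exp(-2j * math.pi * NOMINAL * n / FS)
        phasors.append(acc / FS)
    # The hum's offset from nominal shows up as a steady phase rotation
    # between consecutive 1 s blocks: offset_hz = rotation / (2 * pi).
    enf = []
    for w in range(0, len(phasors) - WINDOW_S + 1, WINDOW_S):
        rot = sum(phasors[k + 1] * phasors[k].conjugate()
                  for k in range(w, w + WINDOW_S - 1))
        enf.append(NOMINAL + cmath.phase(rot) / (2 * math.pi))
    return enf

def best_offset(enf, reference):
    """Slide the extracted trace along the reference log and return
    (offset, rms_error_hz) for the best fit."""
    best = None
    for off in range(len(reference) - len(enf) + 1):
        err = math.sqrt(sum((e - r) ** 2
                            for e, r in zip(enf, reference[off:])) / len(enf))
        if best is None or err < best[1]:
            best = (off, err)
    return best

def suspect_windows(enf, reference, offset, tol_hz=0.01):
    """Windows whose hum disagrees with the log at the claimed time."""
    return [i for i, e in enumerate(enf)
            if abs(e - reference[offset + i]) > tol_hz]

if __name__ == "__main__":
    genuine = extract_enf(synthesize(GRID_LOG[4:10]))
    print("extracted trace:", [round(f, 3) for f in genuine])
    print("best fit in log:", best_offset(genuine, GRID_LOG))
    spliced_freqs = GRID_LOG[4:10]
    spliced_freqs[3] = 50.03   # constructed edit: window 3 recorded elsewhere
    spliced = extract_enf(synthesize(spliced_freqs))
    print("suspect windows:", suspect_windows(spliced, GRID_LOG, 4))
```

The comparison only says when a recording fits the logged grid trace and which windows do not; it does nothing toward the location claim the experts quoted above dispute.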

Big Java security fixes on the way – but not so fast, Windows XP users

As if running Windows XP after Microsoft withdrew support wasn't risky enough, XP users who have Java installed may soon have even more to worry about.
Oracle is due to issue its next Critical Patch Update – the massive, quarterly fix-it fests that deliver security updates across the company's entire product line, including Java – on July 15. But when those next Java patches arrive (whatever they might be), there's no guarantee that they will even work on XP.
That's because unlike Microsoft, which spent two years hollering from the rooftops for Windows XP users to upgrade, Oracle hasn't made much of a fuss about the fact that it has already discontinued support for Java on XP.
Support for Java 7 ended on April 8, to be precise. And Java 8 – the current version – won't even install on the outdated OS.
Updates for Java 7 will keep coming – at least until April 2015, when Oracle plans to wind down support for that version. The most recent Critical Patch Update, which included fixes for Java 5 through 8, shipped on April 28, weeks after Oracle's Windows XP support had expired.
The catch is that because Oracle is no longer testing Java on XP, there may come a day when one of its security patches actually breaks Java on that platform, rather than fixing it.
At that point, Java users will be left in a similar position as they are with XP itself – unable to apply any more security patches and stuck using a platform that has well-known, exploitable vulnerabilities (because Oracle itself has made them known, in the form of published security fixes).
And that would be bad. In its 2014 annual security report, published in January, networking giant Cisco found that a dizzying 91 per cent of all web-based exploits throughout 2013 targeted Java.
So, while we know you've already been told a thousand times, we would be remiss if we didn't offer a word of friendly advice to all Windows XP users who also use Java: Upgrade to Windows Vista. Oracle plans to maintain support for that platform for the foreseeable future.

Austrian Tor exit relay operator guilty of ferrying child porn

An Austrian man has been found guilty after child sex abuse material transited his Tor exit relay.
IT administrator William Weber was charged in November last year after state police raided his home confiscating 20 computers, gaming consoles and devices after one of his seven global Tor exit relays funneled the illicit material.
On 1 July, Weber was found guilty by a criminal court, given three years' probation and told he'll pay an expected €30,000 in court and legal costs.
Tor exit relays are critical because they serve as stepping stones where user traffic could leave the popular proxy network and enter the public web. That arrangement leaves operators of the relays in a dangerous place because they could be liable for any malicious traffic leaving Tor.
Weber said he lacked sufficient money and motivation to appeal the case.
"... I simply can't afford it anymore, donations covered a lot of lawyer fees but I had to use my entire money on this case as well [and] I’m now bankrupt and the [court] costs does not help with it either," Weber said.
Prosecutors were in possession of chat logs where Weber allegedly promoted the use of Tor for a host of uses including child pornography -- a statement he argued was taken out of context and was made in a conversation with security blogger Brian Krebs about a botnet gang.
Users in various forums have reacted angrily to the ruling, with many arguing it was tantamount to blaming the postal service for mailing illicit material or making ISPs accountable for piracy over their networks (incidentally a move currently being considered by Australia's conservative Federal Government).
Online rights campaigner Moritz Bartl promoted the operating of exit relays through torservers.net and was one voice among the rabble suggesting Weber could find success on appeal.
"We strongly believe that it can be easily challenged," Bartl said.
"While certainly shocking, lower court rulings should not be taken too seriously, and this won't necessarily mean that all Tor relays in Austria are now automatically illegal."
Bartl was seeking legal assistance for Weber and urged any exit relay operator in hot water to contact torservers.
He would reserve further judgement on the Weber case until he had properly consulted with legal eagles.
The privacy advocate known as MacLemon claimed the ruling contradicted so-called 'Provider's privileges' safeguards that protect network operators from liability for traffic transiting their pipes. It could also clash with an EU directive safeguarding service providers as 'mere conduits' provided they did not modify data.
The ruling comes at a bad time for the Electronic Frontier Foundation, which on the same day as the ruling published a blog post promoting the use of Tor.

ISPs take legal action against GCHQ

GCHQ and the NSA's spying work is under legal scrutiny
Seven internet service providers have filed a legal complaint against the UK's intelligence agency GCHQ.
ISPs from the US, UK, Netherlands and South Korea have joined forces with campaigners Privacy International to take the agency to task over alleged attacks on network infrastructure.
It is the first time that GCHQ has faced such action.
The move follows allegations about government snooping made by US whistleblower Edward Snowden.
'Infected with malware'
The ISPs claim that alleged network attacks, outlined in a series of articles in Der Spiegel and the Intercept, were illegal and "undermine the goodwill the organisations rely on".
The allegations that the legal actions are based on include:
  • claims that employees of Belgian telecommunications company Belgacom were targeted by GCHQ and infected with malware to gain access to network infrastructure
  • GCHQ and the US National Security Agency, where Mr Snowden worked, had a range of network exploitation and intrusion capabilities, including a "man-on-the-side" technique that covertly injects data into existing data streams to create connections that will enable the targeted infection of users
  • the intelligence agencies used an automated system, codenamed Turbine, that allowed them to scale up network implants
  • German internet exchange points were targeted, allowing agencies to spy on all internet traffic coming through those nodes
While the ISPs taking the action were not directly named in the leaked Snowden documents, Privacy International claims that "the type of surveillance being carried out allows them to challenge the practices... because they and their users are at threat of being targeted".
Privacy International has previously filed two other cases - the first against alleged mass surveillance programmes Tempora, Prism and Upstream, and the second against the deployment by GCHQ of computer intrusion capabilities and spyware.
'Strict framework'
Eric King, deputy director of Privacy International, said: "These widespread attacks on providers and collectives undermine the trust we all place on the internet and greatly endangers the world's most powerful tool for democracy and free expression."
The ISPs involved in the action are UK-based GreenNet, Riseup (US), Greenhost (Netherlands), Mango (Zimbabwe), Jinbonet (South Korea), May First/People Link (US) and the Chaos Computer Club (Germany).
Cedric Knight, of ISP GreenNet, added: "Snowden's revelations have exposed GCHQ's view that independent operators like GreenNet are legitimate targets for internet surveillance, so we could be unknowingly used to collect data on our users. We say this is unlawful and utterly unacceptable in a democracy."
GCHQ maintains that all its work is conducted "in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate".