08/14/20

Epic Relations Agreement Between Israel and UAE

By: Denise Simon | Founders Code

Image: Secretary of State Mike Pompeo meets with Abu Dhabi Crown Prince Mohamed bin Zayed al-Nahyan (Mandel Ngan / Pool via AFP – Getty Images)

The agreement is to be known as the Abraham Accord.

While the elections of Prime Minister Netanyahu of Israel have been contentious for years, and there is a convoluted shared leadership role with Benny Gantz, this new agreement, launched by President Trump 3 years ago and now completed, is a significant achievement for Netanyahu. The relations agreement continues to reshape the Middle East. Israel had signed peace agreements with Egypt in 1979 and Jordan in 1994.

Arab nations, by history, are not supposed to work with or have relations with the Jewish nation, but some Gulf States in the Middle East are moderating, including the United Arab Emirates. This relations agreement does put other nations on notice, including Qatar, Iran, and Turkey. The UAE has been a great ally of the United States in the war against al Qaeda and Islamic State. There is at least one stipulation to the agreement, however: any new or additional housing construction in certain areas of the West Bank is again put on hold. Still, Palestinian leaders, apparently taken by surprise, denounced it as a “stab in the back” to their cause.

The UAE has never fought Israel and has quietly been improving ties for years. Israel, the UAE and other Gulf countries that view Iran as a regional menace have been cultivating closer ties in recent years. Turkey has had diplomatic relations with Israel for decades, but under President Recep Tayyip Erdogan has positioned itself as a champion of the Palestinians. Turkey and the UAE support rival camps in the conflict in Libya.

Israel and the UAE are expected soon to exchange ambassadors and embassies. A signing ceremony is due to be held at the White House.

Delegations from Israel and the United Arab Emirates will meet in the coming weeks to sign agreements regarding investment, tourism, direct flights, security, telecommunications, and other issues, the joint statement said.

“Everybody said this would be impossible,” Trump said.

“Now that the ice has been broken, I expect more Arab and Muslim countries will follow the United Arab Emirates’ lead,” Trump added.

***

Read the statement here:

President Donald J. Trump, Prime Minister Benjamin Netanyahu of Israel, and Sheikh Mohammed Bin Zayed, Crown Prince of Abu Dhabi and Deputy Supreme Commander of the United Arab Emirates spoke today and agreed to the full normalization of relations between Israel and the United Arab Emirates.

This historic diplomatic breakthrough will advance peace in the Middle East region and is a testament to the bold diplomacy and vision of the three leaders and the courage of the United Arab Emirates and Israel to chart a new path that will unlock the great potential in the region. All three countries face many common challenges and will mutually benefit from today’s historic achievement.

Delegations from Israel and the United Arab Emirates will meet in the coming weeks to sign bilateral agreements regarding investment, tourism, direct flights, security, telecommunications, technology, energy, healthcare, culture, the environment, the establishment of reciprocal embassies, and other areas of mutual benefit. Opening direct ties between two of the Middle East’s most dynamic societies and advanced economies will transform the region by spurring economic growth, enhancing technological innovation, and forging closer people-to-people relations.

As a result of this diplomatic breakthrough and at the request of President Trump with the support of the United Arab Emirates, Israel will suspend declaring sovereignty over areas outlined in the President’s Vision for Peace and focus its efforts now on expanding ties with other countries in the Arab and Muslim world. The United States, Israel, and the United Arab Emirates are confident that additional diplomatic breakthroughs with other nations are possible, and will work together to achieve this goal.

The United Arab Emirates and Israel will immediately expand and accelerate cooperation regarding the treatment of and the development of a vaccine for the coronavirus. Working together, these efforts will help save Muslim, Jewish, and Christian lives throughout the region.

This normalization of relations and peaceful diplomacy will bring together two of America’s most reliable and capable regional partners. Israel and the United Arab Emirates will join with the United States to launch a Strategic Agenda for the Middle East to expand diplomatic, trade, and security cooperation. Along with the United States, Israel and the United Arab Emirates share a similar outlook regarding the threats and opportunities in the region, as well as a shared commitment to promoting stability through diplomatic engagement, increased economic integration, and closer security coordination. Today’s agreement will lead to better lives for the peoples of the United Arab Emirates, Israel, and the region.

The United States and Israel recall with gratitude the appearance of the United Arab Emirates at the White House reception held on January 28, 2020, at which President Trump presented his Vision for Peace, and express their appreciation for United Arab Emirates’ related supportive statements. The parties will continue their efforts in this regard to achieve a just, comprehensive, and enduring resolution to the Israeli-Palestinian conflict. As set forth in the Vision for Peace, all Muslims who come in peace may visit and pray at the Al Aqsa Mosque, and Jerusalem’s other holy sites should remain open for peaceful worshippers of all faiths.

Prime Minister Netanyahu and Crown Prince Sheikh Mohammed bin Zayed Al Nahyan express their deep appreciation to President Trump for his dedication to peace in the region and to the pragmatic and unique approach he has taken to achieve it.

08/14/20

4 Tankers Headed to Venezuela, Stopped by US

By: Denise Simon | Founders Code

MIAMI — The Trump administration has seized the cargo of four tankers it was targeting for transporting Iranian fuel to Venezuela, U.S. officials said Thursday, as it steps up its campaign of maximum pressure against the two heavily sanctioned allies.

Last month, federal prosecutors in Washington filed a civil forfeiture complaint alleging that the sale was arranged by a businessman, Mahmoud Madanipour, with ties to Iran’s Revolutionary Guard Corps, a U.S.-designated foreign terrorist organization. At the time, sanctions experts thought it would be impossible to enforce the U.S. court order in international waters.

A senior U.S. official told The Associated Press that no military force was used in the seizures and that the ships weren’t physically confiscated. Rather, U.S. officials threatened ship owners, insurers, and captains with sanctions to force them to hand over their cargo, which now becomes U.S. property, the official said.

Prosecutors alleged the four ships were transporting to Venezuela 1.1 million barrels of gasoline. But the tankers never arrived at the South American country and then went missing. Two of the ships later reappeared near Cape Verde, a second U.S. official said.

Both officials agreed to discuss the sensitive diplomatic and judicial offensive only if granted anonymity.

Iran’s ambassador to Venezuela, Hojad Soltani, pushed back on what would appear a victory for the U.S. sanctions campaign, saying Thursday on Twitter that neither the ships nor their owners were Iranian.

“This is another lie and act of psychological warfare perpetrated by the U.S. propaganda machine,” Soltani said. “The terrorist #Trump cannot compensate for his humiliation and defeat by Iran using false propaganda.”

It is not clear where the vessels — the Bella, Bering, Pandi, and Luna — or their cargoes currently are. But the ship captains weeks ago turned off their tracking devices to hide their locations, said Russ Dallen, a Miami-based partner at brokerage Caracas Capital Markets, who follows ship movements.

The Bering went dark on May 11 in the Mediterranean near Greece and has not turned on its transponder since, while the Bella did the same July 2 in the Philippines, Dallen said. The Luna and Pandi were last spotted when they were together in the Gulf of Oman on July 10 when the U.S. seizure order came. Shipping data shows that the Pandi, which also goes by Andy, is reporting that it has been “broken up,” or sold as scrap, Dallen said.

As commercial traders increasingly shun Venezuela, Nicolás Maduro’s socialist government has been increasingly turning to Iran.

In May, Maduro celebrated the arrival of five Iranian tankers delivering badly needed fuel to alleviate shortages that have led to days-long gas lines even in the capital, Caracas, which is normally spared such hardships.

Despite sitting atop the world’s largest crude reserves, Venezuela doesn’t produce enough domestically refined gasoline and has seen its overall crude production plunge to the lowest in over seven decades amid its economic crisis and fallout from U.S. sanctions.

The Trump administration has been stepping up pressure on ship owners to abide by sanctions against U.S. adversaries like Iran, Venezuela, and North Korea. In May, it issued an advisory urging the global maritime industry to be on the lookout for tactics to evade sanctions like dangerous ship-to-ship transfers and the turning off of mandatory tracking devices — both techniques used in recent oil deliveries to and from both Iran and Venezuela.

One of the companies involved in the shipment to Venezuela, the Avantgarde Group, was previously linked to the Revolutionary Guard and attempts to evade U.S. sanctions, according to prosecutors.

An affiliate of Avantgarde facilitated the purchase for the Revolutionary Guard of the Grace 1, a ship seized last year by Britain on U.S. accusations that it was transporting oil to Syria. Iran denied the charges and the Grace 1 was eventually released. But the seizure nonetheless triggered an international standoff in which Iran retaliated by seizing a British-flagged vessel.

According to the asset forfeiture complaint, an unnamed company in February invoiced Avantgarde for a $14.9 million cash payment for the sale of the gasoline aboard the Pandi. Nonetheless, a text message between Madanipour and an unnamed co-conspirator suggested the voyage had encountered difficulties.

“The shipowner doesn’t want to go because of the American threat, but we want him to go, and we even agreed We will also buy the ship,” according to the message, an excerpt of which was included in the complaint.

08/14/20

Hat tip to NSA FBI for Cracking Drovorub

By: Denise Simon | Founders Code

The National Security Agency and the FBI are jointly exposing malware that they say Russian military hackers use in cyber-espionage operations.

Hackers working for Russia’s General Staff Main Intelligence Directorate’s 85th Main Special Service Center, military unit 26165, use the malware, which the Russians themselves call “Drovorub,” to target Linux systems, the NSA and FBI said Thursday in a detailed report.

The hackers, also known as APT28 or Fancy Bear, allegedly hacked the Democratic National Committee in 2016 and frequently target defense, government, and aerospace entities. The Russian military agency is also known as the GRU.

While the alert does not include specific details about Drovorub victims, U.S. officials did say they published the alert Thursday to raise awareness about state-sponsored Russian hacking and possible defense sector vulnerabilities. The disclosure comes just months before American voters will conduct a presidential election.

“Information in this Cybersecurity Advisory is being disclosed publicly to assist National Security System owners and the public to counter the capabilities of the GRU, an organization which continues to threaten the United States and U.S. allies as part of its rogue behavior, including their interference in the 2016 U.S. Presidential Election,” the NSA and FBI said in the report.

The U.S. intelligence community has assessed that multiple foreign governments may “seek to compromise our election infrastructure.” It was not clear if the Russian hackers were using Drovorub malware in any ongoing interference efforts related to the 2020 presidential elections.

The NSA and FBI urged national security personnel, including the U.S. Department of Defense, to be on the alert for Drovorub attacks.

“The malware represents a threat because Linux systems are used pervasively throughout National Security Systems, Department of Defense, and the Defense Industrial Base,” the statement said. “All stakeholders should take action as appropriate.”

The announcement comes nearly one year after the NSA stood up a new cybersecurity directorate aimed at sharing more adversary threat intelligence with the public, and in recent weeks the NSA has worked to expose a spate of Russian campaigns, including Russian hackers’ efforts to target coronavirus research.

Senior Vice President of Intelligence at CrowdStrike, Adam Meyers, told CyberScoop the release shows these hackers are not easily deterred.

“Most importantly it demonstrates that FANCY BEAR has more tools and capabilities that are still being identified. This actor didn’t pack up and go home, they still have tricks up their sleeve,” Meyers told CyberScoop, adding that the news should raise alarm bells about Linux security. “Another important take away is that Linux is an area that organizations need to keep in mind from a malware perspective, many have not invested in similar security tools for this platform as they have for user platforms.”

Attacks employing Drovorub may be linked with previous Russian military efforts against connected devices, according to the NSA and the FBI. An APT28 attack that Microsoft security researchers identified last year against devices such as an office printer or a VOIP phone, for instance, was linked with an IP address that has also been used to access the Drovorub command and control IP address, the NSA and FBI said.

In such attacks, the hackers appeared interested in exploiting the so-called internet of things devices in order to gain access to broader networks, other insecure accounts, and sensitive data, according to Microsoft.

The joint NSA and FBI release also has the effect of alerting the Russian government that U.S. officials are capable of tracking some of their work. The 780th Military Intelligence Brigade, which currently works with the Pentagon’s offensive cyber arm, Cyber Command, tweeted information out about the malware, and tagged a state-funded media outlet, RT, to flag the news for them.

The Drovorub malware consists of several components, the NSA and the FBI said, including an implant, a kernel module rootkit, a file transfer tool, and an attacker-controlled command and control server.

“When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor-controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network,” the NSA and FBI said.

More detail from ZDNet:

“Technical details released today by the NSA and FBI on APT28’s Drovorub toolset are highly valuable to cyber defenders across the United States.”

To prevent attacks, the agency recommends that US organizations update any Linux system to a version running kernel version 3.7 or later, “in order to take full advantage of kernel signing enforcement,” a security feature that would prevent APT28 hackers from installing Drovorub’s rootkit.

The joint security alert [PDF] contains guidance for running Volatility, probing for file hiding behavior, Snort rules, and Yara rules — all helpful for deploying proper detection measures.

Some interesting details we gathered from the 45-page-long security alert:

  • The name Drovorub is the name that APT28 uses for the malware, and not one assigned by the NSA or FBI.
  • The name comes from drovo [дрово], which translates to “firewood”, or “wood” and rub [руб], which translates to “to fell”, or “to chop.”
  • The FBI and NSA said they were able to link Drovorub to APT28 after the Russian hackers reused servers across different operations. For example, the two agencies claim Drovorub connected to a C&C server that was previously used in the past for APT28 operations targeting IoT devices in the spring of 2019. The IP address had been previously documented by Microsoft.
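
An added example (not from the NSA/FBI advisory or the articles quoted here) for the recommendation above to run kernel 3.7 or later with kernel signing enforcement: a shell check that reports whether a host meets the version floor and whether module signature enforcement is switched on. The function names are hypothetical, and the sysfs and `/boot/config-*` paths are the usual Linux locations, assumed to be present on the host being checked.

```shell
#!/bin/sh
# Added example: audit a host against the "kernel 3.7+ with signing enforcement" advice.
# Function names are illustrative; paths are the usual Linux locations (assumed).

# kernel_at_least RELEASE MAJOR MINOR: succeed if RELEASE (uname -r style) >= MAJOR.MINOR
kernel_at_least() {
    rel=${1%%[!0-9.]*}      # "5.4.0-42-generic" -> "5.4.0"
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# module_sig_state SYSFS_FILE CONFIG_FILE: print enforced | optional | unknown
#   enforced: unsigned modules are rejected (module.sig_enforce=1 or CONFIG_MODULE_SIG_FORCE=y)
#   optional: signatures are checked but unsigned modules still load (kernel is tainted)
#   unknown : neither source says signing is built in
# Secure Boot / lockdown can also enforce signatures; that path is not checked here.
module_sig_state() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "Y" ]; then
        echo enforced
    elif [ -r "$2" ] && grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$2"; then
        echo enforced
    elif [ -r "$2" ] && grep -q '^CONFIG_MODULE_SIG=y' "$2"; then
        echo optional
    else
        echo unknown
    fi
}

audit_host() {
    release=$(uname -r)
    if kernel_at_least "$release" 3 7; then
        echo "kernel $release: meets the 3.7 floor"
    else
        echo "kernel $release: older than 3.7, module signing enforcement unavailable"
    fi
    state=$(module_sig_state /sys/module/module/parameters/sig_enforce "/boot/config-$release")
    echo "module signature enforcement: $state"
}

audit_host
```

A result of `optional` means an unsigned kernel module, such as a rootkit component, would still load, so the version floor alone does not give the protection the recommendation is after.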