Case Studies II and Cyber Response

profileislandbuilt
CaseStudies.docx

New York Organized Crime

Origin: US FBI Tactics: Malware Goal: Roving Bug https://myclassroom.apus.edu/content/enforced/33892-455448/cell-phones.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt FBI covertly downloaded software onto the cell phones of two leading members of the  Genovese crime family, turning the phones into “roving bugs.” The phones could be remotely activated to listen to conversations in a room, even when their owners had turned them off.

Greek Leadership

Origin: Unknown Tactics: Malicious Software Goal: Espionage

https://myclassroom.apus.edu/content/enforced/33892-455448/greece-history-athens-2004-1-1280.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

Sometime prior to the 2004 Olympics, someone illegally implanted software in at least four switches of the Greek cellular telephone network. This additional code routed audio from calls made by senior members of the Greek government to another unidentified mobile handset where they could be recorded.

https://www.greeka.com/greece-history/athens-2004/

The tap wasn’t discovered until March 2005 when the unauthorized code caused a new software build to crash. In an effort to clear the problem and get the system back up, the service provider cleared all old software and system logs, erasing any record of the problem. The perpetrators remain unidentified. (2)

Estonia

Origin: Russia Tactics: Denial of Service Goal: Political Statement

https://myclassroom.apus.edu/content/enforced/33892-455448/map-estonia.png?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

In 2007 after having realized independence from the former Soviet Union, Estonia moved monuments commemorating WWII Soviet soldiers from prominent positions in the capital to relatively obscure areas. Shortly afterward, Estonian media, banking, and government web sites experienced a massive DDoS attack. Although the attack appeared to originate from Russia, that country denied official involvement in the attack. (3)

https://wwwnc.cdc.gov/travel/destinations/traveler/none/estonia

Syria

Origin: Israel Tactics: Cyber and Kinetic Goal: Destruction of Nuclear Facility

https://myclassroom.apus.edu/content/enforced/33892-455448/syria%20reactor.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

Pre and post strike imagery of the target

http://commons.wikimedia.org/wiki/File:Syrian_Reactor_Before_After.jpg

After getting wind of a nuclear program underway in Syria, Israel’s Mossad tailed a senior Syrian official to London. There they slipped into his hotel room during his absence, copied the hard drive on his laptop and installed spyware. Data recovered from this operation included photos and blueprints for what turned out to be a plutonium reactor near Dayraz Zawr built and operated with North Koran assistance. (8) Was Syria developing a nuclear weapon? On 6 September 2007 an Israeli airstrike destroyed the facility. Clever use of both electronic and cyber attack enabled the strike force to complete its mission unscathed. According to coverage in Aviation Week & Space Technology:

”…(analysts) contend that network penetration involved both remote air-to-ground electronic attack and penetration through computer-to-computer links. “There also were some higher-level, non-tactical penetrations, either direct or as diversions and spoofs of the Syrian command and control capability, done through network attack,” one U.S. intelligence specialist says…” (9)

Georgia

Origin: Russia Tactics: Denial of Service, Web page defacement Goal: Part of a coordinated military campaign https://myclassroom.apus.edu/content/enforced/33892-455448/hitler.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

 

The Georgian Parliament web site was defaced with images of Hitler (credit The New York Times).

This may be the first recorded instance of a cyber attack being used as part of a coordinated military campaign. According to an Aug. 12, 2008, New York Times article: Before the Gunfire, Cyberattacks:“...In addition to D.D.O.S. attacks that crippled Georgia’s limited Internet infrastructure, researchers said there was evidence of redirection of Internet traffic through Russian telecommunications firms beginning last weekend …” “...malicious programs known as botnets, which were blasting streams of useless data at Georgian computers…”. (4)

U.S. and South Korea

Origin: North Korea (DPRK) Tactics: Denial of Service Goal: Political Statement https://myclassroom.apus.edu/content/enforced/33892-455448/korea.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

https://commons.wikimedia.org/wiki/File:2006_North_Korean_nuclear_test.svg

For several days during July 2009, web sites in both South Korea and the United States were hit by a massive distributed denial of service attack. Beginning around July 4th, the attacks hit the web sites of South Korea’s intelligence agency, biggest banks, and leading national newspaper. Similar attacks struck web sites at the Pentagon, and White House. (5)

South Korea Banking

Origin: North Korea (DPRK) Tactics: Server Attack Goal: Political Statement https://myclassroom.apus.edu/content/enforced/33892-455448/south%20korea.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

http://commons.wikimedia.org/wiki/File:Currency_South_Korea.jpg

In April 2011 attackers gained access to servers belonging to South Korean bank Nonghyup, (National Agricultural Cooperative Federation) via the compromised laptop of an IT support contractor. Once inside the network, the malware deleted key files on over 100 servers, blocking access to accounts and ATMs for several million customers over a three day period. Backup disaster recovery files were also damaged. (6) According to a Wall Street Journal report: “The Seoul Central District Prosecutors' Office said one of the IP addresses of an overseas server used for the attack matched one used in a previous cyberattack attributed to North Korea. The prosecutor's office also noted similarities in methods for the attack, including how malicious codes were planted in the compromised laptop.” (7)

Iran

Origin: United States and Israel(?) Tactics: Stuxnet worm Goal: Damage or disrupt key portions of Iran's nuclear processing effort

Stuxnet, which surfaced in mid-2010, represents a major development in the cyber war battleground. The size and complexity of its code along with its ability to take advantage of zero day Windows exploits almost certainly point to state sponsorship. While its authors haven’t been officially identified, a New York Times article (10) suggests that Stuxnet may have been a joint U.S. Israeli effort and part of a larger cyber war campaign known as Olympic Games.

https://myclassroom.apus.edu/content/enforced/33892-455448/tejran.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt Stuxnet represents the first piece of malware targeted against a specific infrastructure element - in this case the Siemens PLC (programmable logic controller) used in the uranium enrichment centrifuges of Iran’s nuclear processing effort. Its code was cleverly designed to derail or delay any attempt to process uranium into weapon grade material. It did so by taking control of the spinning centrifuges and causing them to spin erratically or even self-destruct while reporting normal operation to their control panel. For more on Stuxnet, check out this wrap up video by F-Secure.

Iran

Origin: United States (?) Tactics: Flame worm Goal: Espionage

Initially reported by both Iran CERT and security firm Kaspersky in May 2012, Flame is a highly sophisticated spyware worm which infects Windows PCs via a spoofed Microsoft Windows update. Although its originator has not been identified, Flame’s size (20 MB for some versions) and complexity indicate state sponsorship. A map of infections (left) suggests Iran and one or more Middle Eastern countries as its targets. Flame’s tactics include: (11) • Remote activation and monitoring of a PC’s web cam and microphone. • Copying of selected files. • Screenshots from applications of interest. • Ability to evade detection by current security systems. • A complex command and control network of proxy servers (which went dark shortly after Kaspersky publicly announced its discovery). https://myclassroom.apus.edu/content/enforced/33892-455448/iran%20map.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt A map showing flame infections as of May 2012 as compiled by Kaspersky Lab (12)

Middle Eastern Banking and Financial Networks

Origin: United States (?) Tactics: Gauss Spyware Goal: Espionage

Discovered by Kaspersky Lab in June 2012, Gauss is estimated to have been active since late 2011. Its code and command and control architecture bear a number of similarities to Flame’s. However, unlike Flame, Gauss appears to be specifically targeted at several Lebanese financial institutions. Was it intended to track terrorist finances? Its capabilities include:

"• Intercept browser cookies and passwords. • Harvest and send system configuration data to attackers. • Infect USB sticks with a data stealing module. List the content of the system drives and folders • Steal credentials for various banking systems in the Middle East • Hijack account information for social network, email and IM accounts.“ (13)

https://myclassroom.apus.edu/content/enforced/33892-455448/lebanon.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

http://www.securelist.com/en/downloads/vlpdfs/kaspersky-lab-gauss.pdf(this link opens in a new window/tab)  

Kaspersky Lab map of Gauss infections (14)

Saudi Arabia and Qatar

Origin: Iran Tactics: Shamoon Virus Goal: Damage or disrupt petroleum industries

In mid-August 2012 Saudi oil firm Aramco began experiencing problems with its workstations. Shortly afterward, several security firms reported the discovery of new malware dubbed “Shamoon” which appeared to be targeting the networks of both Aramco and a Qatari gas firm. It ultimately affected 30,000 computers on the companies’ networks before being identified and removed. Analysts suggest Iran as the attacker under the guise of a group calling itself the “Cutting Sword of Justice” (15).

https://myclassroom.apus.edu/content/enforced/33892-455448/saudi%20arabia.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

http://commons.wikimedia.org/wiki/File:Oil_and_Gas_Infrastructure_ Persian_Gulf_(large).gif

According to U.S. CERT, Shamoon contains three modules: (1) a dropper which does the initial installation (2) a reporter which passes information about the infection and selected files to the attacker, and (3) a wiper which erases files on the victim computer.  Once the reporter module has finished, the wiper overwrites the Master Boot Record and other key files on the victim computer, rendering it useless.  Fortunately, Shamoon was directed against business networks and did not affect SCADA links associated with production. (16)

US Banks

Origin: Iran Tactics: DDoS Goal: Disrupt Customer Access https://myclassroom.apus.edu/content/enforced/33892-455448/banking.jpg?_&d2lSessionVal=EUOoZ3KKJ3QWiRvBw1kk4bRSt

http://commons.wikimedia.org/wiki/File :Botnet_edit.svg

    

 

References

 

1. Declan McCullagh and Anne Broache, "FBI taps cell phone mic as eavesdropping tool," CNET News, December 1, 2006, http://news.cnet.com/FBI-taps-cell-phone-mic-as-eavesdropping-tool/2100-1029_3-6140191.html?tag=mncol

2. Prevelakis and Spinellis, "The Athens Affair," IEEE Spectrum, July 2007, http://offnews.info/downloads/athensAffaire.pdf

3. Joshua Davis, "Hackers Take Down the Most Wired Country in Europe," Wired, August 21, 2007, http://www.wired.com/print/politics/security/magazine/15-09/ff_estonia

4. Markoff (Aug. 12, 2008) Before the Gunfire, Cyberattacks The New York Times, Aug. 12, 2008 http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=2&hp

5. John Sudworth, "New 'cyber attacks' hit S Korea," BBC News, July 9, 2009, http://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm

6. Kim Tae-gyu, "NH blames IBM for network crash," The Korea Times, April 14, 2011, http://www.koreatimes.co.kr/www/news/biz/2011/04/123_85196.html

7. Se Young Lee, "Seoul Blames North for Bank Hack," The Wall Street Journal, May 4, 2011, http://online.wsj.com/article/SB10001424052748703922804576300562037789384.html

8.

9. David A. Fulghum and Robert Wall, "U.S. Electronic Surveillance Monitored Israeli Attack On Syria”, Aviation Week & Space Technology, November 21, 2007, https://www.worldsecuritynetwork.com/Israel-Palestine/David-A.-Fulghum-and-Robert-Wall-/U.S.-Electronic-Surveillance-Monitored-Israeli-Attack-On-Syria

10. Sanger, David. "Obama Order Sped Up Wave of Cyberattacks Against Iran." The New York Times, June 1, 2012. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all

11. Kaspersky Lab, "Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat," Kaspersky Press Center, May 29, 2012, https://usa.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-itu-research-reveals-new-advanced-cyber-threat

12. Kaspersky Lab, ”The Flame: Questions and Answers," Kaspersky, May 28, 2012, https://www.pcworld.com/article/256508/the_flame_virus_your_faqs_answered.html

13. GReAT, "Gauss: Nation-state cyber-surveillance meets banking Trojan," Securelist blog, August 9, 2012, http://www.securelist.com/en/blog?weblogid=208193767

14. Kaspersky Lab, ”Gauss: Abnormal Distribution," Kaspersky Lab, August, 2012, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf

15. Mills, Elinor. "Saudi Oil firm says 30,000 computers hit by virus." CNET, August 27, 2012. http://news.cnet.com/8301-1009_3-57501066-83/saudi-oil-firm-says-30000-computers-hit-by-virus

16. ICS-CERT. "Shamoon." ICS-CERT Monthly Monitor, September 2012, 1-2. https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2012.pdf

17. Egan, Matt. ”Lieberman: Blame Iran for Cyber Attacks on Bank of America, Chase" FoxBusiness, September 24, 2012. https://www.foxbusiness.com/features/lieberman-blame-iran-for-cyber-attacks-on-bank-of-america-chase

18. Lemos, Robert. "More Banks Come Under Denial-of-Service Attack”, eWeek, October 13, 2012, https://www.eweek.com/security/more-banks-come-under-denial-of-service-attack