Case Studies II and Cyber Response
New York Organized Crime
Origin: US FBI
Tactics: Malware
Goal: Roving Bug
FBI covertly downloaded software onto the cell phones of two leading members of the
Genovese crime family, turning the phones into “roving bugs.” The phones could be remotely activated to listen to conversations in a room, even when their owners had turned them off.
Greek Leadership
Origin: Unknown Tactics: Malicious Software Goal: Espionage
https://www.greeka.com/greece-history/athens-2004/
Estonia
Origin: Russia Tactics: Denial of Service Goal: Political Statement
https://wwwnc.cdc.gov/travel/destinations/traveler/none/estonia
Syria
Origin: Israel Tactics: Cyber and Kinetic Goal: Destruction of Nuclear Facility
Pre and post strike imagery of the target
http://commons.wikimedia.org/wiki/File:Syrian_Reactor_Before_After.jpg
After getting wind of a nuclear program underway in Syria, Israel’s Mossad tailed a senior Syrian official to London. There they slipped into his hotel room during his absence, copied the hard drive on his laptop and installed spyware. Data recovered from this operation included photos and blueprints for what turned out to be a plutonium reactor near Dayraz Zawr built and operated with North Koran assistance. (8) Was Syria developing a nuclear weapon? On 6 September 2007 an Israeli airstrike destroyed the facility. Clever use of both electronic and cyber attack enabled the strike force to complete its mission unscathed. According to coverage in Aviation Week & Space Technology:
”…(analysts) contend that network penetration involved both remote air-to-ground electronic attack and penetration through computer-to-computer links. “There also were some higher-level, non-tactical penetrations, either direct or as diversions and spoofs of the Syrian command and control capability, done through network attack,” one U.S. intelligence specialist says…” (9)
Georgia
The Georgian Parliament web site was defaced with images of Hitler (credit The New York Times).
U.S. and South Korea
Origin: North Korea (DPRK)
Tactics: Denial of Service
Goal: Political Statement
https://commons.wikimedia.org/wiki/File:2006_North_Korean_nuclear_test.svg
South Korea Banking
Origin: North Korea (DPRK)
Tactics: Server Attack
Goal: Political Statement
http://commons.wikimedia.org/wiki/File:Currency_South_Korea.jpg
Iran
Stuxnet, which surfaced in mid-2010, represents a major development in the cyber war battleground. The size and complexity of its code along with its ability to take advantage of zero day Windows exploits almost certainly point to state sponsorship. While its authors haven’t been officially identified, a New York Times article (10) suggests that Stuxnet may have been a joint U.S. Israeli effort and part of a larger cyber war campaign known as Olympic Games.
Stuxnet represents the first piece of malware targeted against a specific infrastructure element - in this case the Siemens PLC (programmable logic controller) used in the uranium enrichment centrifuges of Iran’s nuclear processing effort. Its code was cleverly designed to derail or delay any attempt to process uranium into weapon grade material. It did so by taking control of the spinning centrifuges and causing them to spin erratically or even self-destruct while reporting normal operation to their control panel.
For more on Stuxnet, check out this wrap up video by F-Secure.
Iran
Origin: United States (?) Tactics: Flame worm Goal: Espionage
Initially reported by both Iran CERT and security firm Kaspersky in May 2012, Flame is a highly sophisticated spyware worm which infects Windows PCs via a spoofed Microsoft Windows update.
Although its originator has not been identified, Flame’s size (20 MB for some versions) and complexity indicate state sponsorship. A map of infections (left) suggests Iran and one or more Middle Eastern countries as its targets.
Flame’s tactics include: (11)
• Remote activation and monitoring of a PC’s web cam and microphone.
• Copying of selected files.
• Screenshots from applications of interest.
• Ability to evade detection by current security systems.
• A complex command and control network of proxy servers (which went dark shortly after Kaspersky publicly announced its discovery).
A map showing flame infections as of May 2012 as compiled by Kaspersky Lab (12)
Middle Eastern Banking and Financial Networks
Origin: United States (?) Tactics: Gauss Spyware Goal: Espionage
Kaspersky Lab map of Gauss infections (14)
Saudi Arabia and Qatar
Origin: Iran Tactics: Shamoon Virus Goal: Damage or disrupt petroleum industries
http://commons.wikimedia.org/wiki/File:Oil_and_Gas_Infrastructure_ Persian_Gulf_(large).gif
According to U.S. CERT, Shamoon contains three modules: (1) a dropper which does the initial installation (2) a reporter which passes information about the infection and selected files to the attacker, and (3) a wiper which erases files on the victim computer. Once the reporter module has finished, the wiper overwrites the Master Boot Record and other key files on the victim computer, rendering it useless. Fortunately, Shamoon was directed against business networks and did not affect SCADA links associated with production. (16)
US Banks
Origin: Iran
Tactics: DDoS
Goal: Disrupt Customer Access
http://commons.wikimedia.org/wiki/File :Botnet_edit.svg
References
1. Declan McCullagh and Anne Broache, "FBI taps cell phone mic as eavesdropping tool," CNET News, December 1, 2006, http://news.cnet.com/FBI-taps-cell-phone-mic-as-eavesdropping-tool/2100-1029_3-6140191.html?tag=mncol
2. Prevelakis and Spinellis, "The Athens Affair," IEEE Spectrum, July 2007, http://offnews.info/downloads/athensAffaire.pdf
3. Joshua Davis, "Hackers Take Down the Most Wired Country in Europe," Wired, August 21, 2007, http://www.wired.com/print/politics/security/magazine/15-09/ff_estonia
4. Markoff (Aug. 12, 2008) Before the Gunfire, Cyberattacks The New York Times, Aug. 12, 2008 http://www.nytimes.com/2008/08/13/technology/13cyber.html?_r=2&hp
5. John Sudworth, "New 'cyber attacks' hit S Korea," BBC News, July 9, 2009, http://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm
6. Kim Tae-gyu, "NH blames IBM for network crash," The Korea Times, April 14, 2011, http://www.koreatimes.co.kr/www/news/biz/2011/04/123_85196.html
7. Se Young Lee, "Seoul Blames North for Bank Hack," The Wall Street Journal, May 4, 2011, http://online.wsj.com/article/SB10001424052748703922804576300562037789384.html
8.
9. David A. Fulghum and Robert Wall, "U.S. Electronic Surveillance Monitored Israeli Attack On Syria”, Aviation Week & Space Technology, November 21, 2007, https://www.worldsecuritynetwork.com/Israel-Palestine/David-A.-Fulghum-and-Robert-Wall-/U.S.-Electronic-Surveillance-Monitored-Israeli-Attack-On-Syria
10. Sanger, David. "Obama Order Sped Up Wave of Cyberattacks Against Iran." The New York Times, June 1, 2012. http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=all
11. Kaspersky Lab, "Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat," Kaspersky Press Center, May 29, 2012, https://usa.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-itu-research-reveals-new-advanced-cyber-threat
12. Kaspersky Lab, ”The Flame: Questions and Answers," Kaspersky, May 28, 2012, https://www.pcworld.com/article/256508/the_flame_virus_your_faqs_answered.html
13. GReAT, "Gauss: Nation-state cyber-surveillance meets banking Trojan," Securelist blog, August 9, 2012, http://www.securelist.com/en/blog?weblogid=208193767
14. Kaspersky Lab, ”Gauss: Abnormal Distribution," Kaspersky Lab, August, 2012, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
15. Mills, Elinor. "Saudi Oil firm says 30,000 computers hit by virus." CNET, August 27, 2012. http://news.cnet.com/8301-1009_3-57501066-83/saudi-oil-firm-says-30000-computers-hit-by-virus
16. ICS-CERT. "Shamoon." ICS-CERT Monthly Monitor, September 2012, 1-2. https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2012.pdf
17. Egan, Matt. ”Lieberman: Blame Iran for Cyber Attacks on Bank of America, Chase" FoxBusiness, September 24, 2012. https://www.foxbusiness.com/features/lieberman-blame-iran-for-cyber-attacks-on-bank-of-america-chase
18. Lemos, Robert. "More Banks Come Under Denial-of-Service Attack”, eWeek, October 13, 2012, https://www.eweek.com/security/more-banks-come-under-denial-of-service-attack