Cyber Warfare - Weapons of Mass Disruption
If your interested in the story Cambridge Analytica - Facebook you can check out the webpage on this website and also go to a link to a set of additional documents.
For some more up-to-date information and comments on Cyber Warfare you can also check out my 'Brain’ on the topic.
Introduction - from Cold War to 'code war'
Computer Security includes “cyber warfare”, which initially was defined as one nation-state attacks another nation’s computers and communication networks with the intent to cause damage or destruction (a form of state terrorism). But today cyber warfare can also include non-state attacks by terrorists, companies, extremists, or criminals. NATO has defined cyber warfare as iWar, and in one way or another it involves topics such as electronic warfare, network-centric warfare, communication security, information security, cryptography, signals intelligence, industrial espionage, cyber spying...
Modern day definitions of cyber warfare can also include elements of psychological warfare, information warfare, social engineering, black propaganda, false flag, and even disinformation, astroturfing, push polling, whispering campaigns, historical negationism, ...
Note: On the 11 March 2017, the US awoke to a fresh cache of internal CIA documents posted on WikiLeaks (Quartz, 7 March 2017). They detailed the spy organisation’s playbook for cracking digital communications. WikiLeaks claimed to have large portions of the CIA’s hacking arsenal in a series called Vault 7 (though the first information dump didn’t contain any of the code used to actually crack modern smartphones and internet-connected devices). These documents showed exactly how a spy agency uses a technologically-saturated culture to its own ends. As such they’re a neat foil to the National Security Agency (NSA) secrets unveiled by Edward Snowden in 2013. As NPR writes, “other leaks featured program overviews; these are developer notes”. Many of the CIA documents outlined “zero-day exploits”, or undetected security loopholes, in software made by companies like Apple, Google, and Samsung.
Ironically, though, the Vault 7 dump also shows just how strong modern encryption and privacy measures are. While Snowden revealed that telcos handed over data about their customers to the NSA in bulk, there is no sign in the Vault 7 documents that the CIA can hack into encrypted messaging apps like WhatsApp or Signal and use that to carry out mass surveillance. To see what’s on your phone, the agency must get access to the phone itself. Zeynep Tufekci, writing in the New York Times, said security researchers she interviewed saw “no big surprises or unexpected wizardry”.
There’s also one other big difference between now and 2013. Snowden’s NSA revelations sent shockwaves around the world. Despite WikiLeaks’ best efforts at theatrics, distributing an encrypted folder and tweeting the password “SplinterItIntoAThousandPiecesAndScatterItIntoTheWinds”, the Vault 7 leak has elicited little more than a shrug from the media and the public, even if the spooks are seriously worried. Maybe it’s because we already assume the government can listen to everything.
There was a separate report (16 April 2017) stating that security weaknesses (and the tools) had been used to monitor money flows among some Middle East and Latin American banks (using the Swift global banking system). This report said that the files were released by Shadow Brokers.
Warfare and Cyber Warfare
Traditionally there are four “generations” in the history of modern warfare. First-generation wars replaced the ancient and post-classical battles by conflicts between states, and involved uniformed soldiers (1648-1860) using line and column tactics (and the smoothbore musket). Second-generation warfare involved the invention of the rifled musket and breech-loaded weapons through to the development of the machine gun (end WW I). Third-generation warfare involved late-modern tactics of speed, stealth and surprise, heralding the end of linear warfare (e.g. Blitzkrieg rather than trench warfare). These first three “generations” were inter-state warfare about land and resources, whereas many experts define fourth-generation warfare as being between states and non-states. Fourth-generation warfare is seen as a post-modern, decentralised form involving a mix of combatants and civilians (often a type of asymmetric warfare or irregular warfare), and including terrorism, media manipulation, lawfare, and guerrilla tactics.
Successive types of warfare are far less well defined, but one way to look at them is as follows....
Fifth-generation warfare involves destroying a specific target without actually seeing it, e.g. a kind of non-contact warfare. The V-1 and V-2 buzz bombs were early examples, however today laser and GPS-guided weapons (smart weapons) provide added precision and accuracy. The Predator drone equipped with Hellfire missiles is often used as a starting point for fifth-generation warfare (2001). At this point targets could be specific pieces of infrastructure or even individual human beings.
A kind of fifth-generation (plus) also exists, combining combat forces with drones (unmanned aerial vehicles), unmanned underwater vehicles, and ground robots (unmanned ground vehicles). Other military experts have also placed nuclear weapons as part of fifth-generation warfare. No longer is thermonuclear war seen as a tool to create and maintain a strategic stalemate. Today there is a completely new generation of nuclear weapons with yields less than 1 kiloton. i.e. the 'micrornuke' with yields well below that of the first bombs used on Hiroshima and Nagasaki. This article provides a good description of 'micronukes', even if it goes on to suggest that numerous past terrorist attacks were in fact 'micronukes' masked as conventional explosions. In my opinion such devices would be almost impossible to make even by the most skilled terrorist organisations (at least today), and as far as I know there are no publicly available and verifiable reports on very small, concealable nuclear devices. Nor, to my knowledge, have there been any reliable reports about detecting trace radioactivity or any activation of structural components, etc. at any past terrorist attack. However, we should not underestimate the continued interest in tactical nuclear weapons, such as the Davy Crockett device, and W54 and suitcase device. In fact the U.S. tested recently their first precision-guided nuclear bomb, and it is well known that some countries have focussed on small tactical nuclear weapons, e.g. Pakistan has said it would be prepared to use low-yield nuclear weapons against India’s 'Cold Start' doctrine.
Another element of fifth-generation warfare were/are the so-called “Colour Revolutions”, such as the 2003 Rose Revolution in Georgia or the 2004 Orange Revolution in Ukraine. Seen by many as popular uprisings and protest movements for replacing restrictive governments with more liberal legitimate ones, the Russians suggest that the U.S. incited the uprisings to destabilise the regions for political gain (and Crimea was the Russians just doing the same thing). In any case one 'hidden' aspect of fifth-generation warfare is the post WW I (U.S. lead) ideal that everyone has the right to self-determination, even if the notion of 'self' was never defined.
So fifth-generation warfare also includes protests (by “ad-hoc warriors”), information warfare, destabilisation, government opposition, economic 'warfare', humanitarian interventions, and peacekeeping forces (and for some experts this (still) also includes terrorism and guerrilla warfare). The key is that fifth-generation warfare reduces the reliance on pure military force. But it also allows a government to view organic internal opposition as identical to hostile foreign subversion. So another key element of fifth-generation warfare is the inability (or unwillingness) to differentiate between legitimate dissent and foreign aggression. Other experts see fifth-generation warfare as being highly decentralised (using 'extreme' coordination methodologies enabling people to 'fight alone'), and involving so-called 'black globalisation' and the creation of virtual states. Fifth-generation sabotage is intended to disrupt existing systems and undermine global order, and is often inspired by the ideas of 'creative destruction'. Experts suggest that the aim is to show the impotence of secular military might, and the key is to win by not losing, whereas nation-states lose by not winning. Fifth-generation warfare includes car bombs, narcotic trafficking, individual stabbings, 'random' acts of violence ... The suggestion is that the aim is not to make one party submit to the will of the other, but to compel one party (the enemy) to accept the interests of the other.
Sixth-generation warfare is about the 'informatisation' of conventional warfare, and includes precision strike systems which make the massing of conventional forces suicidal. This type of warfare has also been termed 'system-versus-system' warfare, where distant, no-contact operations take place. A vital component of sixth-generation warfare is the C4ISR concept of Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance, sometimes including also a T for Target Acquisition (ISTAR). Experts have placed a number of other topics within sixth-generation warfare, ranging from the Arab Spring (2010-2012), missile defense systems, the Russian global navigation satellite system GLONASS, the Falcon HTV-2 hyper-sonic unmanned bomber, Topol-M the Russian intercontinental ballistic missile, and even prisoner exchange. The US Conventional Prompt Global Strike capability is seen as the “perfect” example of distant, no-contact warfare.
Seventh-generation warfare will be totally automated warfare. First, the enemy’s commercial and military communications systems, power grid, and water utilities must be shut down using advanced electronic warfare (EW) systems and cyber-weapons, or even localised EMP (electromagnetic pulse) weapons. This should disable their economy and banking system. Think that is futuristic? On 31 March 2015, Iranian military hackers shut-down the power grid to 44 of the 81 provinces in Turkey in retaliation after Turkey’s President Erdogan made statements supporting the Saudi bombings of the Houthi rebels in Yemen (who are supported by Iran). Iran and Houthi are Shia, while Turkey and Saudi Arabia are Sunni.
Next, the enemy’s airspace must be controlled by swarms of flying autonomous weapon platforms (lethal autonomous weapons), neutralising their air force (creating no-fly zones). Ports and seacoast must be controlled by swarms of autonomous naval surface vessels, unmanned underwater vehicles (UUV’s) such as smart torpedoes, and upward falling platforms (UFP’s), thereby eliminating the enemy’s naval forces. Ground forces can be attacked using swarms of aerial and ground-based weapons platforms. Satellite and unmanned aerial vehicle (UAV) intelligence gathering systems capture enemy movements and actions, feeding to autonomous weapons platforms commanded from a home base. There is no need for a single boot on enemy soil. The objective of automated warfare is to “subdue the enemy without fighting” by eliminating his ability to fight, thereby destroying his will to fight.
So the aim is to integrate a state’s capabilities, and at a distance and with minimum physical contact, obtain a quick decisive victory by destroying an enemy’s war waging potential and their command and control systems. Experts talk today of integrating ‘destructive kinetic energy’ and 'relentless information operations'. One essential function of ‘information operations' is cyber warfare, i.e. attacking the enemy’s communication networks and electronic systems whilst protecting their own. It also involves collecting critical information and cyber deception.
The Cyber-Arms Industry
There exists a cyber-arms industry for cyber-weapons. One market research organisation estimated that the global cyber weapon market was valued at US$390 billion in 2014, and the market was expected to reach US$522 billion by the end of 2021. Defensive cyber weapons represented nearly 75% of the market, with an increasing focus on defending critical infrastructure (industrial control, air traffic control systems, and military defence). All major defence contractors see cyber as the new platform for warfare.
What is a Cyber-Attack?
Wikipedia has a List of Cyber-Attacks (and a List of Data Breaches) and divides them into several subgroups, namely: indiscriminate attacks, destructive attacks, cyber warfare, government espionage, corporate espionage, stolen email addresses and login credentials, stolen credit card and financial data, stolen medical-related data, and hacktivism (with a list of notable events and a timeline of events associated with Anonymous, an international activist group).
The most effective type of cyber-attack uses so-called zero-day vulnerabilities. However, in a recent study (2016) they found that 99% of post-intrusion cyber-attack activities did not employ malware, but rather leveraged standard networking, IT administration and other tools that could be used by attackers on a directed or improvisational basis. While malware was commonly used to initially compromise a host, once inside a network malicious actors did not typically utilise malware. As an example, Angry IP Scanner, an IP address and port scanner, was the most common tool associated with attack behavior, followed closely by Nmap, a network discovery and security auditing tool.
Attackers use common networking tools in order to conduct ‘low and slow' attack activities while avoiding detection. Sophisticated attackers using these tools, rather than known or unknown malware, can typically work undetected for an average of five months, according to multiple industry reports.
Once inside a network, an attacker must learn about the network that they’ve compromised and map its resources and vulnerabilities. The highest frequency attacker activity found in this study was reconnaissance, followed by lateral movement and then command and control communication.
As an example, much was written about Stuxnet which targeted Siemens’ programmable logic controllers in Iran. However, in a recent report (2016) more than 1,500 similar attacks have been (publicly) reported over the last 15 years, about a third using zero-day vulnerabilities (i.e. undisclosed or new vulnerabilities).
Hackers have numerous motives, from greed to simply gaining peer recognition. Some hacker groups want to demonstrate their dissatisfaction with powerful organisations. Nation-state hackers are very well funded, and their motives can be just as varied, from theft of intellectual property through to harming the physical infrastructure in a target country. What is perhaps less evident to the untrained eye is that cyber warfare is increasingly becoming the preferred means of warfare (replacing the option of all-out physical conflict). On Cyber Warfare (2010) gives a good overview of the many aspects associated with cyber conflicts, and highlights the fact that “cyberspace” is still currently beyond the reach of mature political discourse. And a recent Wired article tells us that almost every major power is beefing up its offensive cyber capabilities.
In 2015 the U.S. government was running nearly 10,000 different computer systems, but only about 9,400 of them were considered vital infrastructure. However for those vital systems, nation-state attacks were the most frequent and most serious threats (not criminals or terrorist groups). Malicious insiders and hacktivists were second and third. According to US-CERT the number of cyber incidents affecting U.S. federal networks increased by about 1,000 % from 2006 to 2015 (nearly 80,000 attacks annually in 2015).
In an article in the Communications of the ACM (Vol. 59, No. 2, Feb. 2016) it was said that you did not have to hack a system to do damage. You could simply cut the fibre optic cables. This could disable a specific company, small area, or if you cut a submarine cable, a whole country. You could attack the industrial systems that control the electrical network, or attack sites housing network exchanges, data centres or cloud storage services. An open question is the attack on sensors, etc. as part of the IoT. In 2014 it was estimated that 23.6 billion sensors were in some way or another connected to the Internet, most of them simply protected by default passwords.
Cyber Warfare: China, Russia, and the U.S.
The most obvious cyber warfare activities are by and between the U.S., Russian and China. Wikipedia has articles on Cyberwarfare by Russia, Chinese Information Operations and Information Warfare, Cyberwarfare in the U.S., Chinese Intelligence Operations in the U.S., Chinese Intelligence Activity Abroad, and the U.S. Tailored Access Operations and U.S. Cyber Command.
Everything appears to point to the following:
Almost every new geo-political event is coupled with a cyber attack
The skills to make theft-oriented (national secrets, money, intellectual property) attacks are now present in virtually every country on Earth
Increasing presence of non-state attacks designed to disable or destroy infrastructure
For the moment cyber attacks will remain interesting because of the relatively low cost of entry, because the perceived payoff’s are high, and because the consequences don't appear significant
Nation-states will increase their efforts on attribution, on sanctions, and on norms that deepen understanding about what is acceptable and unacceptable behaviour in a cyber conflict
Trend to increased reliance of drones, autonomous robots, etc., which places a premium on hardening defences against cyber attacks (i.e. dronejacking), and offensive capabilities in the same field
Trend to attack “smart city” infrastructure, i.e. intelligent traffic control, on-demand street lighting, energy management systems, building automation (heating, ventilation, lighting, alarms, lifts, etc.), and later, services such as self-drive cars
Trend to increasing attacks on IoT (Internet of Things) devices (beyond the usual default passwords and hardcoded backdoors), and the development of Shadownets (i.e. IoT botnets)
Trend to automated attacks against groups of smaller targets, and highly customised attacks against larger targets
Trend to autonomous malware designed to adapt to overcome a targets defences, learning the best way to attack systems based upon an understanding of the applications being used, transaction details, traffic flow, network architecture, and security tools that appear to be used, i.e. so-called polymorphic and metamorphic malware
Trend to malware that can work across multiple platforms, include mobile
Trend towards queries to a domain name system (DNS) server with spoofed address that identifies the target, and the replies for the DNS servers flood the target (can be coupled with compromised DNS servers to ensure amplification up to 100 times)
Trend to http flood attacks due to overwhelming number of page downloads
Trend towards attacks on health, gaming, education, hosting and ISP, and government (always government), e.g. a medical centre in Los Angeles paid the equivalent of $17,000 in Bitcoin after a ransomware attack on its computers
Trend to changing data rather than pure theft, causing reputational damage, brand damage and erosion of trust, e.g. increasingly chatbots will be hacked in order for them to acquire credit card numbers, etc.
Trend to multiple attacks, one after another, on the basis that you can’t stop everything
Trend to constant attacks against target
Trend to move botnets to server infrastructure
Trend to http post requests, sending one byte every 10 seconds, making the connection last forever, and when done in parallel exhausts server resources.
Can We Set Rules for Cyber Warfare?
The “Tallinn Manual of the International Law Applicable to Cyber Warfare” (2013) list 95 so-called “black letter rules” (see this article). It is not known if any state has agreed to “play” by these rules. But even the Stuxnet attack looks to have respected Rule 54 on the “Choice of means or methods” in that it did appear to minimise incidental injury to civilians. And accusations made by North Korea against the U.S. and South Korea concerning the intensive and persistent virus attacks on their broadcasters, banks and insurance companies also actually respect Rule 81 in that the targets are ones that merely enhance civilian well-being or quality of life. In fact the Internet or communication networks are not “objects indispensable to the survival of the civilian population”. This is equally true for the attacks (from a Chinese IP address) that damaged 32,000 computers and servers in South Korean media and financial companies. However, an attack aimed to contaminate a city’s drinking water system would violate this rule. But a false rumour that caused panic in the population would be neither an attack or a threat. Rule 80 does not prohibit attacks on dams, dykes and nuclear electrical generating stations, but it does require that “collateral damage” should not be “excessive” and that the attackers pay “sufficient attention” to avoiding excessive civilian deaths.
Interestingly civilian activists (“hacktivist”) who participate in these type of attacks can be lawfully targeted with deadly force and killed. Rule 35 says that civilians enjoy protection as long as they do not participate in hostilities.
Much of this sounds very theoretical. However in 2016 the U.S. signed a cyber-security agreement with the Chinese. Some experts have suggested that the willingness of the Chinese to enter into such an agreement was because five Chinese military officers were indicted in 2014 (and there was the promise of more to come). Others suggest that the threat of sanctions was the key. In any case some experts report that Chinese economically-oriented cyber espionage has slowed down. Naturally other experts have suggested that things have not dropped off, but that the Chinese are just more difficult to detect (using more covert tools and methods). Maybe the Chinese will increase their efforts on the allies and friends of the U.S. Yet other experts noted that the Chinese had already reduced their cyber espionage attacks on the U.S., possibly because President Xi Jinping was already bringing the Chinese military more under his personal control. And this has been further linked with his crackdown on the Chinese media, bloggers and hackers that could challenge the Communist Party. Yet others have noted that malicious attacks have dropped, but espionage of the U.S. private sector is still ongoing.
Here are some points worth considering on the Sino-American agreement, or on any future cyber warfare agreement. The parties agree not to attack each other “in peacetime”, but what about a “Digital Pearl Harbour” as an opening act of war? Do such agreements cover cyber espionage? Do they cover the preparatory acts that take place before an attack? How do you unambiguously deal with those cases where an attacker tries (successfully, or not) to implicate another party? Can cyber forensics be developed to overcome these problems? The Sino-American agreement only covers attacks on infrastructure, not the theft of intellectual property. Nor does it cover the development of cyber warfare tools. Can the Sino-American agreement truly be called an “arms reduction” agreement? Even if the “no first use” doctrine derives from the nuclear arms agreements? What about verification? The reality is that cyber warfare technology will continue to diffuse throughout the world (much like chemical or biological weapons), but there are still behaviour-based agreements that do work. Setting aside the “first mover” problem, can agreements be found that limit attacks to military targets?
Some Major State-Sponsored Attacks
This list is far from being exhaustive and stops in April 2017. Whilst I have placed the most recent reports on top of the list the reader might well benefit from going to the bottom of the page and reading up to these most recent reports.
For some more up-to-date information check out my 'Brain’ on the topic.
Reuter’s reported (24 April 2017) that the campaign of Emmanuel Macron, the then favourite to win France's presidential election, had been targeted by a cyber espionage group linked by some experts to the Russian military intelligence agency GRU. Evidence was found that spy group, dubbed "Pawn Storm", targeted the Macron campaign with email phishing tricks and attempts to install malware on the campaign site. The same telltale digital fingerprints was found linked the Macron attacks with those last year on the U.S. Democratic National Committee (DNC) the campaign of presidential candidate Hillary Clinton, and that similar techniques were used to target German Chancellor Angela Merkel's party in April and May 2016.
In a BuzzFeed article (26 Jan. 2017) there was talk of a major shake-up in the Russian Cybersecurity world. a research at Kaspersky Lab and the head of FSB’s Center for Information Security were arrested. Another Russian in in the same state service was also arrested. Were these people linked in some way with the leak about Cozy Bear and the “King Servers”? Cozy Bear were the DNC hackers, and “King Servers” was the nexus used by the Russian hackers.
On the 31 December 2016 it was reported that “Grizzly Steppe” malware was found on a laptop of a US electrical company. It was on the same day that the US expelled 35 Russian “diplomats” over alleged Russian interference in the US presidential elections. CERT has clearly stated that this was a product of the Russian civilian and military intelligence services. Here is an alternative view on the topic.
On 27 December 2016 it was reported that the Russians made a phishing attack on US think tanks and non-profit organisations, using a fake Harvard email address.
On 11 November 2016 it was announced that at least five Russian banks suffered prolonged DDoS attacks of their online banking services. The attack originated from a botnet of at least 24,000 computers located in 30 different countries (and peaked at 660,000 requests per second). The attack is said to have originated from a botnet of IoT (Internet of Things) devices. Some experts suggest the Mirai botnet was used, but others have stated that it was not used for this attack. Russian banks have also been targeted in the past, in 2015 eight banks were hit by DDoS attacks.
The malware Mirai spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords (using a password guessing technique based upon a dictionary). Vulnerable devices were “seeded”, turning them into “bots” which were then used for DDoS attacks. Mirai is one of two recent malware tools designed to create IoT botnets, the other being “Bashlight” (but they used the same principles). Mirai was first seen on 20 September 2016 during an attack on the website of Brian Krebs, and on the 30 September 2016 the source code was published. In an analysis of the code it was interesting to note a “Don’t Mess With” list including the U.S. Postal Service, the U.S. Department of Defence, and Hewlett-Packard. The code also kills off processes from other botnets (other memory scrapers) and blocks attempts of other botnets to access the compromised device. Lastly, some of the code contains traces of Russian-language strings.
The reality is that almost 5.5 million new things (IoT and others) are connected to the Internet each day, most not protected against attacks.
Over the weekend of 26-28 November 2016 almost 1 million users were thrown off the Internet after a Mirai-like attack on routers in Germany. With a twist on the idea of IoT attacks they used an open port normally used by Internet providers to remotely manage and maintain their routers.
On the 4 November 2016 the West African country of Liberia lost its Internet connections to the outside world after a massive DDoS attack using the Mirai IoT botnet.
On the 21 October 2016 the U.S. suffered its largest every Internet blackout with an attack that included Dyn, a dynamic domain name service provider to a collection of major U.S. websites (e.g. PayPal, Twitter, Amazon, Netflix, ...). This DDoS attack was made by a IoT botnet, in part powered by the malware Mirai. In this attack digital video recorders and IP cameras were compromised. It has been said that almost 150,000 CCTV cameras were involved, and that attacks were close to 1.1 Terabits per second (Tbps), which would exceed the traffic handling capacity of many networks.
In late September 2016, a separate Mirai attack on French webhost OVH broke the record for the largest recorded DDoS attack. That DDoS was at least 1.1 Tbps, and may have been as large as 1.5 Tbps.
On 7 October 2016 the U.S. government formally accused Russia of a campaign of cyber attacks against Democratic Party organisations ahead of the 2016 (November 8) presidential election. The accusation was that the Russian government was conducting or orchestrating cyber attacks against the U.S. Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee, possibly to disrupt or discredit the election, in which Democrat Hillary Clinton faced Republican Donald Trump. It would appear that they stole more than 19,000 emails from Democratic party officials. This was just one of several attacks on the U.S. Democratic Party during 2015 and 2016.
The U.S. Democratic National Committee publicly disclosed earlier intrusions into its systems in June 2016 and held Russia responsible. Leaks of committee emails from pro-transparency group WikiLeaks followed on 22 July 2016, demonstrating what appeared to be favoritism for Clinton over another Democrat, Bernie Sanders, by committee chairwoman Debbie Wasserman Schultz (she later stepped down). In the statement of 7 October 2016, the U.S. government said disclosures of emails by WikiLeaks and hacking entities known as DCLeaks and Guccifer 2.0 “are consistent with the methods and motivations of Russian-directed efforts”. Guccifer 2.0 claimed to be an independent Romanian hacker, but security analysts have concluded they are more likely to be the public persona of a Russian hacking group. Many experts think that Guccifer 2.0 was/is part of the two Russian intelligence groups.
In the statement by the U.S. Department of Homeland Security and the Office of the Director of U.S. National Intelligence it was stated that “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities”.
Concerning state election systems, they did not blame the Russian government for hacking attempts, but said "scanning and probing" of those systems originated in most cases from servers operated by a Russian company. However, a Department of Homeland Security spokesman said U.S. officials had concluded that the hacking attacks or probes of state voter registration systems were "consistent with Russian motivations". Attacks in August 2016 on these systems in Illinois and Arizona involved the theft of as many as 200,000 voter records, and the FBI issued a “flash alert” to election officials.
At the same time Microsoft said there had been a small number of attacks using "spear-phishing" emails from a hacking group known as Strontium, which is more widely known as "Fancy Bear". Microsoft did not identify any victims. In spear-phishing, an attacker sends targeted messages, typically via email, that exploit known information to trick victims into clicking on malicious links or opening tainted attachments. Microsoft said the attacks exploited a vulnerability in Adobe's Flash software and one in the Windows operating system.
“Fancy Bear” were also said to be responsible for stealing in March 2016 the emails of John Podesta, the chairman of Hillary Clinton’s 2016 U.S. presidential campaign and a former White House chief of staff.
A second group, codenamed “Cozy Bear” or “CozyDuke” (or APT29), appears to have broken into the DNC as well, but has not yet distributed whatever information it may have retrieved. “Cozy Bear” is believed to be affiliated to the FSB, the Russian Federal Security Service most directly descended from the KGB (was the main security agency until 1991). For example, in August 2015 “Cozy Bear” was linked to an spear-phishing attack against the Pentagon email system causing the shut down of the entire U.S. Joint Staff unclassified email system and Internet access during the investigation. “Cosy Bear” (or ATP29) exploited Twitter to mask their attacks, using it to send commands to their malware Hammertoss. This malware generates a new Twitter handle everyday so that it can communicated with the hackers command and control server using specific Twitter accounts (many companies do not block outbound communication with social media). Tweets contained a URL and a hashtag, the URL lead to an image on a different server that contained a hidden message through a steganographic technique. The hashtag contained the file size of the image and the some characters that must be added to the decryption key stored within Hammertoss for extracting the hidden data in the image. In addition Hammertoss was only active during local office hours (hiding in local traffic), and equally only communicated to the command centre during working hours in Moscow (and it avoids Russian holidays).
“Cosy Bear” targeted the U.S. White House, State Department and U.S. Joint Chiefs of Staff, as well as companies and government agencies in Western Europe, China, Brazil and many other countries. Their preferred method is spear-phishing and they prefer to “live-of-the-land”, i.e. techniques that bypass security controls. Whereas “Fancy Bear” targets defence ministries and military officials in the U.S., Western Europe, Brazil, China, Iran and many other countries. Their preferred method is by registering domains that resemble legitimate domains and establishing phishing sites that spoof them.
“Fancy Bear”, sometimes under different names, have also been associated with attacks on the German parliament, on the French television network TV5 Monde, on NATO and the White House, on the World Anti-Doping Agency, and on the Dutch Safety Board and Bellingcat (who were investigating the shooting down of Malaysia Airlines Flight 17 over Ukraine). “Fancy Bear” is believed to be operating under the aegis of the GRU, Russia’s largest intelligence service.
On 13 September 2016 “Fancy Bear”, also known as Tsar Team (or APT28), illegally accessed ADAMS, the Anti-Doping Administration and Management System of the World Anti-doing Agency (WADA). They created an account for the Rio 2016 Games which included confidential medical data. This access was obtained by spear-phishing of email accounts, resulting in obtaining ADAMS passwords. Basically they created WADA-like domains and then harvested credentials using targeted illegitimate emails (spear-phishing). This is typical of the tactics, techniques and procedures used by “Fancy Bear”. For example, they used the same name server from ITitch[.]com as they used for the attack of Democratic Congressional Campaign Committee, and the domains were all registered through Domains4bitcoins[.]com. Registrar acceptance of anonymous Bitcoin payments is typical for “Fancy Bear”, as is their use of the same name server for their domains. The actual domains are hosted in Germany and Italy. The webmail address used to register these domains had already been used in the past by “Fancy Bear”. The attacks had started on 12 August 2016 when they obtained the ADAMS password for Yuliya Stepanova, the whistleblower that exposed widespread doing in Russian athletics (Vladimir Putin called her a “Judas”). They released her medical testing results, history and whereabouts. Unusually, it was announced that the hack had been made by Anonymous Poland (who it is assumed worked with “Fancy Bear”). Here is a full account. On 14 September 2016 they released data for 25 athletes from eight countries. On 19 September 2016 they released data for another 26 athletes, and on 23 September they released data concerning an additional 41 athletes.
There was a later report (3 April 2017) that Fancy Bear had hacked athletes’ therapeutic use exemptions.
“Fancy Bear”, using the name “Sofacy”, was responsible for a six-month-long attack on the German parliament that began in December 2014. Authorities feared that sensitive information could be gathered by hackers to later manipulate public opinion ahead of elections such as Germany's next federal election due in September 2017. For example, servers of the Die Linke party were attacked, one was attacked with an open source utility used to remotely issue commands on Window hosts on the network, and another was forced to act as a tunnel to allow attackers to maintain a persistent link to the compromised network. In 2016 Germany accused Russian intelligence agencies for both the earlier attacks (mostly spying for information), and the more recent sabotage attacks designed to close down the computer systems in the Angela Merkel’s conservative party and in the Bundestag.
In August 2015, “Fancy Bear” spoofed the Electronic Frontier Foundation (EFF) and launching spear-phishing attacks on the White House and NATO (as part of “Pawn Storm”). They used a zero-day exploit of Java to take control of visitor’s computers. The EFF later won control of the spoof site, ElectronicFrontierFoundation.org, through a cybersquatting complaint with World Intellectual Property Organization. Sofacy (otherwise known as “Fancy Bear”) were behind the “Pawn Storm” operation (which is in fact a type of chess strategy). For once “Pawn Storm” was also found on Apple iOS devices. “Pawn Storm” was part of a Sednit-related spyware attack designed to steal personal data, record audio, make screenshots, and send them to a remote command and control server. Sednit would appear to be designed to steal confidential information from high-profile individuals, starting with their email credentials (mostly Gmail), and asking them to urgently act upon an emailed request by clicking on a link (thus infecting the targets computer).
Journalists associated with bell¿ngcat (a website for “citizen investigation journalists” and started by Eliot Higgins), researching the shoot down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spear-phishing emails. The messages were fake Gmail security notices with bitly and Tiny.CC shortened URL’s (link management and branding platforms). According to ThreatConnect, some of the phishing emails had originated from servers that “Fancy Bear” (Russian’s “attack dogs”) had used in previous attacks elsewhere (later in 2016 CyberBerkut, a pro-Russian Ukrainian hacktivist also defaced the bell¿ngcat website). bell¿ngcat is best known for having accused Russia of being culpable for the shoot down of MH17, and is frequently derided in the Russian media.
“Fancy Bear” also targeted the Dutch Safety Board (DSB), the body conducting the official investigation into the crash, before and after the release of the board's final report. They set up fake SFTP and VPN servers to mimic the board's own servers, likely for the purpose of spear-phishing usernames and passwords. A spokeswoman for the DSB said the attacks were not successful. Coupled with the attacks on bell¿ngcat, fake satellite images were also shown on Russian State television (post-truth) suggesting that MH17 was shot down by a non-Russian (i.e. Ukrainian) aircraft.
On 8 April 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself "CyberCaliphate" and claiming to have ties to the terrorist organisation Islamic State of Iraq and the Levant (ISIL, ISIS, IS). Hackers breached the TV network's internal systems, possibly aided by passwords openly broadcast by TV5Monde, overriding the broadcast programming of the company's 12 channels for over three hours. Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into 9 April 2015. Various computerised internal administrative and support systems including email remained shut down or otherwise inaccessible due to the attack (in fact they just “pulled-the-plug” on affected systems). The hackers also hijacked TV5Monde's Facebook and Twitter pages to post the personal information of ('doxing') relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were "gifts" for his "unforgivable mistake" of partaking in conflicts that "[serve] no purpose". Access was both simple (spear-phishing to gain access) and complex in the use of customised software to attack the TV channel servers.
The director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company, and if it had taken longer to restore broadcasting, satellite distribution channels would have cancelled their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned, and the first known penetration of the network was on 23 January 2015. The attackers then carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station's operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France, and one was a company based in the Netherlands that supplied the remote controlled cameras used in TV5's studios. Although the attack purported to be from IS, France's cyber-agency told Bigot to say only that the messages claimed to be from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers (again “Fancy Bear”). No reason was found for the targeting of TV5Monde, and the source of the order to attack, and funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost to TV5Monde was estimated at €5 million in the first year, followed by recurring annual cost of over €3 million for new protection. The company's way of working had to change, with authentication of email, checking of flash drives before insertion, and so on, at significant detriment to efficiency for a news media company that must move information.
Before moving on it is perhaps interesting to look at how experts try to identify the original perpetrator of an attack. In 2014 FireEye released a report titled “Digital Bread Crumbs: Seven Clues To Identifying Who’s Behind Advanced Cyber Attacks” that explained how to conduct an investigation based on common errors committed by the hackers.
The report was based on the analysis of nearly 1,500 campaigns tracked by FireEye, and the common characteristics of various attack were:
Keyboard Layout. Hidden in phishing attempts is information about the attacker’s choice of keyboard, which varies by language and region.
Malware Metadata. Malware source code contains technical details that suggest the attacker’s language, location, and ties to other campaigns.
Embedded Fonts. The fonts used in phishing emails point to the origin of the attack. This is true even when the fonts are not normally used in the attacker’s native language.
DNS Registration. Domains used in attacks pinpoint the attacker’s location. Duplicate registration information can tie multiple domains to a common culprit.
Language. Language artefacts embedded in malware often point to the attacker’s country of origin and common language mistakes in phishing emails can sometimes be reverse-engineered to determine the writer’s native language.
Remote Administration Tool Configuration. Popular malware-creation tools include a bevy of configuration options. These options are often unique to the attacker using the tool, allowing researchers to tie disparate attacks to a common threat actor.
Behaviour. Behavioural patterns such as methods and targets give away some of the attacker’s methods and motives.
APT28 has quite a collection of tools and techniques, for example for data obfiscation they add junk data to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Equally they are known for using one victims computer to relay command traffic to other victims. APT29, also known as “Cozy Bear” and “The Dukes” is thought to to have been active since 2008, and often uses “Cozy” or “Duke” in the naming of its software, e.g. such as with the malware CosmicDuke.
Attacks are not the only way cyber warfare works. Trolls from Olgino is an Internet slang term which appeared in late 2014, referring to a series of fake accounts registered on major discussion boards (social networks, online newspaper sites, video hosting services, etc.) that were used for promoting the Russian point of view on topics involving Ukraine and the Middle East.
In 2016, a U.S. grand jury indicted seven Iranians employed by two Iran-based computer firms (ITSec Team and Mersad Co.) on charges of hacking into the U.S. financial sector between 2011 and 2013 (for a total of at least 176 days). They were accused of blocking access to 46 U.S. financial institution websites (DDoS or distributed denial of service attacks using a botnet). At times some of the servers were hit with as much as 140 Gigabits of data per second. The seven people went under the name “Turk Server” (this was the Internet handle of one of the seven). Mersad was founded by members of Iran-based computer hacking groups Sun Army and ADST. Sun Army members are known to hacked the servers of NASA and “defaced” nine of their websites in early 2012. In 2013 one of the group was also detected inside the control system of the Bowman Dam in Rye, New York. They were accused of working on behalf of the Iranian government. The accused are in Iran, and are unlikely to appear in a U.S. court (see FBI “Most Wanted”). At least one of the seven hackers was a founding member of Ashiyane (presented as a “digital security team”), a group of Iranian hackers that make up the bulk of the Islamic Republic’s cyber army. Babol-Hacker Security Team is another Iranian hacker team. A report of 2015 indicated that much of the Ashiyane infrastructure is actually hosted in the U.S. (probably violating sanctions at that time).
zone-h has an archive of “verified” defaced websites. Ashiyane is still active (as of 25 November 2016). zone-h lists all the different defacements performed by Ashiyane, all actually declared by the hackers themselves. For example, on the 24 November 2016 they defaced 11 websites, 7 in the U.S., 2 in Canada, 1 in Australia, and 1 in Germany. None appeared to be strategically significant.
In September 2016 Yahoo! reported that “state-sponsored” hackers stole data on about 500 million users in late 2014 in perhaps the biggest cyber breach ever. Details included names, passwords, email addresses, phone numbers and security questions, but not bank and payment details. In August 2016 one hacker was found to be selling login information for 200 million Yahoo! account's on the Dark Web. Security firms questioned the attribution to “state-sponsored”, suggesting that the hack was by “Group E”, an Eastern European criminal gang who had performed earlier hacks on LinkedIn, Tumblr and MySpace. Other experts have suggested that the hack was made by a Russian team. Yahoo! Voices was also hacked in July 2012.In December 2016 Yahoo! now say that the theft might have affected 1 billion user accounts.
In a Reuter’s report (15 March 2017) it was stated that the United States had charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber offences. The 47-count Justice Department indictment included charges of conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identify theft. It painted a picture of the Russian security services working hand-in-hand with cyber criminals, who helped spies further their intelligence goals in exchange for using the same exploits to make money. The indictment named the FSB officers involved as Dmitry Dokuchaev and his superior, Igor Sushchin, who are both in Russia.
On 30 June 2016 it was announced that a computer system of the Standard Bank South Africa was hacked on the 15 May 2016. The hack made their system operate with no credit card authorisation controls. The system had been hacked earlier to obtain about 3,000 sets of personal data, and forged credit cards had been prepared. At the same time as this system failure cash was removed from ATM’s in Japan. It would appear that about 100 people visited 1,400 ATM’s in Tokyo over a 3 hour period. They withdrew about $13 million.
In May 2016 there was a “global call to arms” by Anonymous and GhostSquadHackers (GSH) against the global banking industry. An initial attack was against the Central Bank of Greece, followed by attacks against eight more financial institutions (Dominican Republic, Maldives, Guernsey,..., and later Panama and Kenya). This was followed by a DDoS against the Central Bank of Mexico. It should be noted that there are numerous cases of attacks, including DDoS attacks, against Mexican journalists and news organisations that publish stories unfavourable to the authorities.
In February 2016 South Korea discovered that North Korea had hacked into 140,000 computers belonging to 160 South Korean companies and government entities. They had targeted a vulnerability in some network management software. Around 42,000 documents were stolen, 40,000 defence related, including blueprints for the wings of F-15 fighter jets. The IP address used was the same as that used in an attack in 2013 on South Korean banks and TV stations. On 12 May 2016 the official website of the South Korean Air Force was shut down for two weeks after a massive cyber attack hit its server. South Korea’s National Intelligence Service has also accused North Korea of trying to hack into the smartphones of 300 South Korean foreign affairs, security, and military officials, and successfully penetrating 40 of them. About the same time it was also alleged that North Korea had tried to hack into email accounts belonging to employees of South Korea's railways, reportedly with the idea of waging a cyberattack on the country's transport system (see this about hacking trains). The plot was foiled by preemptively shutting down the official email addresses of some transportation workers. South Korea had previously blamed the North for cyberattacks against its nuclear power operator.
Two months after its second nuclear test in 2009, North Korea launched a sweeping cyberattack on South Korea, targeting government websites, news sites, and financial sites.
During 2015 and 2016 the SWIFT banking network was attacked resulting in the theft of millions of dollars (e.g. $101 million from the Bangladesh central bank, and $12 million from Ecuadorian Banco del Austro in 2015). The hacker group was called Lazarus, but it appears to have been the same North Korean group that hacked Sony Pictures in 2014. There was a later report (27 May 2016) that $10 million was stolen from an unnamed Ukrainian bank also by exploiting the SWIFT banking system. In October 2016 Symantec found evidence that the Odinaff group had mounted attacks on SWIFT users. This new hack was unrelated and was on SWIFT customers’ local messaging logs, and not on SWIFT itself. It would appear that the attempt was to gain backdoor access to financial systems as a first stage for a more complex attack. Once the malware installed it would download other Odinaff hacking tools to allow a deeper penetration into a victims network.
The Odinaff group appears to share some links with the Carbanak group. According to Kaspersky Lab Carbanak is an APT-style campaign targeting (but not limited to) financial institutions (initially in the Ukraine but primarily in Russia, although the U.S., China and Germany were also attacked). The malware was said to have been introduced to its targets via phishing emails (more precisely a spear-phishing email with a control panel files (CPL) attachment). The backdoor is what is now known as Carbanak. Once inside the victim’s network they used tools to move around different computers to learn internal banking procedures. They could even take videos that were sent back to their command and control servers. Along with keylogged data they could unfold the banks internal procedures. It is said to have been detected when banks started to lose money from ATM’s. The SWIFT network was also used to make money transfers to fake accounts. It would appear that more than 100 banks were affected, and more than 50 lost money (between $2.5 and $10 million each). The hacker group was said to have stolen over $500 million not only from the banks but also from more than a thousand private customers. Carbanak is said to be based in Eastern Europe. There are some indications that some of the websites used for the spear-plishing attacks were travel sites hosted in China, and with a contact address of a William Danielson (who appears to own 484 domains of which at least 304 have malware plugins). However, a certain Artem Tveritinov in Russia also appears as the owner of some websites (the contact phone number in China is the same for Danielson and Tveritinov). Tveritinov appears to be the CEO of a Moscow-based computer security company called Infocube (“InfoKub”). For the full story check out this article, which also points to a link between Carbanak and the Citadel online banking malware. Citadel dates from 2011 and is a massively-distributed malware based upon Zeus, one of the most frequently used Trojan horse malware packages for Windows. In late 2015 Citadel emerged again in the form of Atmos, this time in attacks on French banks. Atmos was used with TeslaCrypt, a defunct ransomware trojan (TeslaCrypt 4 is the new encrypted data-stealing tool).
The FBI convicted the creator of Citadel, Dimitry Belorossov. Initially more than 11 million computers were infected with Citadel, and more that 7,000 victim bots contained personal information, including online banking credentials and credit card information. The idea was to steal small amounts from thousands of victims. However in 2012 a variant started to attack local government and private IT infrastructure. Finally Microsoft was able to disrupt more than 1,400 Citadel botnets, said to have been responsible for stealing in excess of $500 million.
The new Atmos appears to have the same objective as Citadel, steal money and confidential personal data from banks. The command and control servers are in Vietnam, Canada, Ukraine, Russia, U.S. and Turkey. The idea is to produce “injections” that modify a browser’s view of pages used for bank transactions, diverting money into an attacker-controlled bank account. This new version is polymorphic, in that it evades detection and covers its tracks in the infected system (it used AES-128 encryption and cryptographic file names). Atmos is thus a new type of malware (no longer brute force) that targets high-value transactions and looks to remain undetected for months or years. Part of its strength is that it attacks through a variety of vectors (banner ads, booby-trap websites, plishing attacks), and is hosted on servers in multiple countries. To the user it may first appear as a TeslaCrypt-based ransomware, but in fact it has already scraped the victims machine for data and credentials (and thus money). The attacks in France are seen as a trial period in order to work out bugs before going global.
In July 2015, the U.S. Office of Personnel Management was the target of a cyber breach of 21.5 million federal government employee records. In this case, the aggressor was Chinese intelligence agencies.
In May 2015 APT17 was found to be using Microsoft’s TechNet blog for its command and control (C&C) operation. Rather than compromise TechNet they created profiles and posted in the forums their encoded C&C instructions. The particular technique is called “hiding in plain sight”. APT17 is a China-based threat group that attacks U.S. government entities, defense industry, and IT companies. APT18 was a threat group operating since 2009 and sometimes also known as Dynamite Panda.
On 15 April 2015 the Belgian newspaper Le Soir was attacked, and Sud Presse and La Voix du Nord were also attacked at the same time. The attack lasted two hours, and a new attack was launched the next day against other Belgian newspapers. @SuadLinker claimed responsibility, but made no political or ransom claims. Later the Syrian Cyber Army claimed responsibility and accused the press for covering up government action in Aleppo. Some of the newspapers accused the Russians of funding the Syrian Cyber Army. A video was also received from the “Fallaga Team” in Tunisia claiming responsibility. The Belgian press was again attacked by the Syrian Cyber Army on 24 October 2016, closing their websites for several hours (this followed an attack by Belgian warplanes on the village of Hassadjek in Syria). There was a suggestion that the attacks originated in Turkey.
On 4 February 2015 Anthem Inc., a U-S. health insurance company (including Blue Cross), announced that it had been hacked and over 78.8 million records stolen. The breach was probably made in May 2014, but was only discovered in February 2015.
This attack was the work of “Black Vine”, which Symantec showed was a group that had carried out several such attacks in the past. The group was said to be well financed and to have a reliable stream of weaponised exploits for zero-day vulnerabilities in Microsoft's Internet Explorer browser. Since 2012, the gang had infected websites (so-called “watering-holes”) frequented by executives in the aerospace, energy, military, and technology industries and then used the compromises to siphon blueprints, designs, and other intellectual property from the executives' organisations. The targeting of Anthem appeared to reflect more of a secondary interest that was intended to further advance a primary interest in aerospace, energy, and other similar industries rather than to target healthcare information for its own sake. For example healthcare information about a people working for a government entity or a defence contractor can be combination with something else to reach an entirely non-healthcare related goal. As an example, they would compromise the website of a small defence contractor, then anyone visiting that site using the Explorer browser would be infected with a Trojan called “Sakurel” that would then open a backdoor on the clients computer allowing malicious files to be downloaded. Basically the Trojan places a copy of itself on the clients machine, and executes itself. It created a temporary file with a secure login, and a temporary media folder. It then adds a registry to enable its automatic execution at every fresh startup of the machine. It adds some Windows HOSTS files and then deletes the executed copy of itself. At successive logins it will, without the clients knowledge, access malicious URL’s. This is just one example, but the execution file can perform a number of actions depending upon the hackers choice. Up-to-date security tools can detect and remove this type of threat.
There is constant flow of “secondary” attacks designed to acquire information to be used later in a different attack on different targets. Data can also be stolen and published, reducing the importance of the target is a particular market, or just with the aim of helping in attacks on that companies customers. We also have to remember that in the U.S. bank often used social security numbers as usernames for their clients, and security questions could be covered in the other stolen data. Much of the data stolen could be used to issue new credit cards, and rack up debt.
“Sakurel”, exploiting a new and undocumented Explorer vulnerability, was first used in 2012 at a “watering-hole” for energy and aerospace industries. And it came with a certificate that bypassed the Windows security checks. At the time “Black Vine” was interested in turbine manufacturers, and they siphoned off blueprints and designs. In 2014 “Black Vine” continued their work using another newer zero-day vulnerability in the Explorer browser. Both vulnerabilities appear to have been shared with other groups who went on to attack U.S. administration websites, as well as a large European aerospace manufacturer. These tools were shared across a so-called Elderwood Project based in Beijing, China (Operation Aurora was an early series of cyber attacks by this group). The full Symantec report on “Black Vine” can be found here.
The hack on Anthem was the biggest of its type so far, but there have been a number of recent health data hacking incidents. Advantage Dental, an Oregon-based dental services provider, has notified more than 151,000 patients that an internal database was illegally accessed resulting in theft of names, dates of birth, phone numbers, Social Security numbers and home addresses. Sacred Heart Health System, based in Pensacola, Fla., reported that a third-party billing vendor revealed that one of its employee's email credentials had been compromised by a hacker. The resulting beach exposed personal information for approximately 14,000 patients of the health system. The data included patient names, dates of service, dates of birth, diagnoses and procedures, billing account numbers, total charges and physician name. Aurora Health Care in Wisconsin has stated that an undisclosed number of current and former caregivers of a breach after discovering malware on some of the company's workstations and servers. Another hacking incident recently added to the U.S. tally affected St. Mary's Health in Evansville, Ill. Employees' email user names and passwords had been compromised by a hacker and those compromised email accounts contained some personal information for approximately 4,400 individuals (included patient names, dates of birth, dates of service, insurance information, limited health information and, in some cases, Social Security numbers). Community Health Systems Inc., an operator of 206 hospitals in the U.S. had a data breach exposing personal information of 4.5 million people. The Montana Department of Public Health was hacked and records for 1.3 million people were stolen. In 2011 the U.S. military health program Tircare was attacked and data was stolen for 4.9 individuals.
After the physical attack on Charlie Hebdo (7 January 2015), Anonymous took down around 200 suspected jihadist Twitter accounts (OpCharlieHebdo), and attacked 14 Jihad websites.
In December 2014 a report was published on Operation Cleaver, which outlined attacks from the Islamic Revolutionary Guard Corps (a 20-man team of Iran’s armed forces masquerading as a construction engineering firm in Tehran) on more than 50 entities in 16 countries. It is said that the targets were critical infrastructure including airports, hospitals, telecommunications and government. The technique involved so-called SQL injections designed to take over database servers through Web applications. Once in the database, server instructions would be sent to other backend systems running critical infrastructure. The problem is that according to one major review most applications running on these system have each more than 20 serious vulnerabilities that can be exploited, and some large-scale systems can be running thousands of applications. What is more worrying is that, unlike their Russian and Chinese counterparts, which tend to grab IP and financial data where they can, the Iranian group has mostly avoided stealing such data. Instead it has focused on gathering as much information as it can about network topologies, sensitive employee information and schedule details, identification photos, and documents pertaining to housing, telecom, and electricity infrastructures. Operation Newscaster, identified in 2014, an Iranian “social engineering” attack similar to Operation Cleaver, targeted more than 2,000 U.S. Israel, and U.K. military, government and defense contractors. Contact was through NewsOnAir.org (do not visit this site) and exploited Twitter, Facebook, etc. In many ways this long-term attack was about harvesting credentials and information such as personal email addresses, etc. for future use.
On 24 November 2014 Sony Pictures was hacked by the “Guardians of Peace” (GOP), and confidential data was leaked. They claimed to have taken more than 100 terabytes of data, from employee details to then-unreleased films). GOP demanded that Sony pull the film “The Interview” about a plot to assassinate North Korean leader Kim Jong-un.
The attackers used a Server Message Block (SMB) Worm Tool. Components of the attack included a listening implant, backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool. The components clearly suggested an intent to gain repeated entry, extract information, and be destructive, as well as remove evidence of the attack. The cleaning tool used on Sony's computer infrastructure, Wiper, was a malware program designed to erase data from the servers. U.S. investigators concluded that the attack on Sony began with a series of apparently innocuous “spear-phishing” attacks, which persuaded unsuspecting targeted users to download malware. That allowed hackers to break into Sony’s computers, after which they spent two months studying the studio’s systems, preparing to cripple its network and leak thousands of sensitive files.
On 19 December 2014 the FBI formally identified the North Korean government as being connected with the cyber attacks (possibly using the Xkeyscore program to track malware programs back to their source). The basis of this connection was that the tools used were the same as employed by the North Korean Bureau 121 for their attacks on South Korean targets. Prior to the attack at Sony, North Korea was said to have attacked more than 30,000 PC’s in South Korea affecting banks and broadcasting companies as well as the website of South Korean President Park Geun-Hye. North Korea has also been thought to have been responsible for infecting thousands of South Korean smartphones in 2013 with a malicious gaming application. The attacks on South Korea were allegedly conducted by a group then called DarkSeoul Gang and estimated by the computer security company Symantec to have only 10 to 50 members with a "unique" ability to infiltrate websites (other sources put the number of trained hackers in north Korea at about 6,000). One expert also suggested that the hackers used a new zero-day vulnerability typically employed by nation-state attackers (in opposition to spear-phishing emails). Other experts have suggested that Sony Pictures security practices were so poor that the use of a new zero-day vulnerability was not necessary.
The Wikipedia article on the Sony Pictures hack also mentions the doubts expressed by some experts that “Guardians of Peace” were from North Korea. However it has also been said that the U.S. claim is supported by the fact that the NSA had broken into North Korean computer systems as early as 2010, through a Chinese network used by Pyongyang’s elite to connect to the outside world.
The impact of the hack included a class action suit brought by former Sony employees whose social security numbers and medical records were part of the data dump. Sony settled out of court. Naturally WikiLeaks published a total of 173,132 emails and 30,287 separate documents. The hack also took out Sony’s accounting software, so that they were not even able to announce their quarterly earnings, etc.
Because of this hack on Sony Pictures the U.S. administration announced new sanctions against North Korea. Later North Korea blamed the U.S. for a nation-wide Internet outage lasting some hours.
In September 2014 JPMorgan Chase disclosed an attacked from July 2014, in which data from 83 million accounts was stolen (names, addresses and emails, but not credit card numbers, passwords, or social security numbers). The attack was initially blamed on the Russian government, but in 2015 four men (three names, and one unknown) were indicted (three people were caught) for attacking 12 U.S. entities, including financial service firms. Using the stolen data they would cold-call people and pressure them into buying near-worthless shares (they also sent spam to their mailing list). Prices in these thinly traded securities (“penny stocks”) would rise, and they would buy low and sell high, making a profit. This is called a “pump and dump” scam. They key here was that the people were criminals, but not computer hackers. They just bought off-the-shelf tools on the black market. They opened bank and brokerage accounts using aliases and created shell companies to management payments. Through this scheme they netted $2.8 million. They also operated an unlicensed Bitcoin exchange service known as Coin.mx and front companies to launder money. Bank accounts in Cyprus, Hong Kong and Eastern Europe were used to funnel profits from the exchange. They also operated a ransomware scam, demanding payments in Bitcoin.
It is worth noting that at that time if you had email addresses and you knew which JPMorgan services were being used (e.g. checking account, credit card, etc.) you could gain access by simply using a database of five billion stolen username/password combos (presuming that the user was using his email address as a username). This is no longer possible because any login from a different device requires a different level of authentication.
One report mentioned that they also operated an online gambling Website, and in total they netted more than $100 million. The same report mentioned that they also used the Heartbleed vulnerability, again something they were able to buy and use.
In a separate attack three different people were also arrested in November 2014, and sentenced to nine years in prison. During July 2011 to August 2013 they obtained mortgage applications containing customers personal identification information for 40,000 people, including social security numbers, tax information and even driver license numbers. They then used information on about 250 people to defraud merchants and financial institutions of something between $400,000 and $1 million.
Regin is a malware toolkit discovered in 2014, and attributed to the U.S. NSA and U.K. GCHQ (presumably related to MUSCULAR the joint NSA-GCHQ surveillance program which goes back to ECHELON started in 1988). The use of the toolkit has been detected in Belgacom, and in Russia, Saudi Arabia, Pakistan, etc. This toolkit has been compared to Stuxnet in its completeness and complexity. As a toolkit it can be customised for an attack on a specific target. Regin is stealthy and does not store multiple files on the infected system. Instead it uses its own encrypted virtual file system (EVFS) entirely contained within what looks like a single file with an innocuous name to the host, within which files are identified only by a numeric code, not a name. Regin communicates over the Internet using ICMP/ping, commands embedded in HTTP cookies and custom TCP and UDP protocols with a command and control server which can control operations, upload additional payloads, etc.
It has been reported that this toolkit was used by the NSA for online surveillance of both EU citizens and institutions, as well as an attack against the EU diplomatic representations in Washington and its representations to the UN. The UK's GCHQ attacked Belgacom, Belgium's largest telecommunications company. In December 2014, it was reported that Regin was found on a USB flash drive used by a staff member of Chancellor Angela Merkel.
Warrior Pride appears to be related to Regin, but specifically designed for iPhone and Android-based smartphones. Components are named after The Smurfs, and include DREAMY SMURF for power management (an ability to stealthily activate a phone that is apparently turned off), NOSEY SMURF for the 'hot mic' (turning on the microphone to listen in on conversations), TRACKER SMURF for high-precision geolocation, PORUS for 'kernel stealth', and PARANOID SMURF for 'self-protection'. NSA ANT was an earlier catalog of NSA cyber surveillance tools, and Tempora was developed for GCHQ. Karma Police is a GCHQ Internet metadata collection program, and already in 2012 they were capturing 50 billion browsing sessions per day (see List of Government mass surveillance programs).
So as not to suggest that only the NSA and GCHQ have spyware, MiniPanzer and MegaPanzer are Swiss state-sponsored Trojans, R2D2 is a German state-sponsored Trojan, and FinFisher is a privately developed spyware packaged used by Egypt, Bahrain, Germany, Ethiopia, Uganda, ...
In June 2014 Anonymous attacked the World Cup in Brazil (FIFA and the competitions sponsors) with a DDoS. The also defaced a number of websites associated with the organisers, including the UNESCO office in Brazilia.
In 2013 Target was hacked during the holiday seasons. Before Thanksgiving, hackers had installed malware that infected Target’s point of sales system at every U.S. store, skimming customer credit card information and storing it on the hacked server (this affected about 1,800 stores, although online sales were not vulnerable). When the hackers went back into the system to liberate all the card information on 30 November 2013, Target’s malware detection system alerted their security operations in Bangalore, which turned around and notified Target’s Minneapolis HQ that a breach had occurred.
Target reacted slowly to the breach (Target shoppers were vulnerable through 15 December 2013, well after the system detected the breach), which allowed thieves to steal about 40 million credit card numbers, and personal information like names and addresses from 70 million people. Target didn’t issue an official statement or notify customers until 19 December 2013, which led to customer outrage, more than one class-action lawsuit against the company and holiday profits that were 46% less than the previous season. Target was subject to ridicule in the press and a tarnishing of its once almost unimpeachable brand.
On 28 October 2013 hackers of Anonymous Ukraine started Operation Independence (OpIndependence), to promote their independence from Russia and the EU. They started with a DDoS against the European Investment Bank. In November 2013 they attacked Estonian public institutions but little damage was recorded.
On 7 April 2013 OpIsrael coordinated cyber-attack by anti-Israel groups and individuals against websites they perceived as pro-Israeli, chiefly through DDoS assaults, database hijacking, database leaks, admin panel takeover, and defacements.
Over the last two years AnonGhost has been engaged in attacking both Israeli websites and the UN website. After the attack on Charlie Hebdo in January 2015 AnonGhost declare a digital jihad against France. Originally considered a pro-Palestinian hacking group, they have now been condemned by them. It has been reported that AnonGhost are now working with the Caliphate Cyber Army of the Islamic State militant group (ISIS).
In early 2013 Mendiant published a report APT1 Exposing One of China’s Cyber Espionage Units. It was about an advanced persistent threat (APT) by a certain group of attackers dubbed the Comment Crew (also Comment Group and Comment Panda were mentioned). The report documented evidence of cyber attacks by the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (specifically Pudong District in Shanghai and known under the Military Cover Designator (MUCD) as Unit 61398). It states that they targetted at least 141 organisations in the U.S. and other English-speaking countries, extending as far back as 2006. In the report, Mandiant refers to the espionage unit as APT1. The report states that it was likely that Unit 61398 was the source of the attacks. Many hackers like to sign their work, and in fact Comment Crew left the name 'Moonclient' in many instances of their malware. After this publication Comment Crew “rested”, and then went underground. In May 2014 the U.S. Department of Justice indicted five members of Unit 61398 for offences (theft of trade secrets) agains six U.S. victims in the nuclear power, metals and solar products industries. The charge was made against the Chinese military and state for economic espionage.
Quickly following the publication of APT1 someone performing targeted attacks used the report as bait in an attempt to infect those who might be interested in reading it. One of the original emails was is in Japanese, and purported to be from someone in the media recommending the report. The attachment was made to appear like the actual report with the use of a PDF file and the name of the company as the file name. However, like in many targeted attacks, the email was sent from a free email account and the content of the email uses subpar language. It was obvious to a typical Japanese person reading the email that it was not written by a native speaker.
When the fake report, a Trojan.Pidief, was opened, and a blank PDF was shown. However, in the background exploit code for Adobe Acrobat and Reader Remote Code Execution Vulnerability was executed. The PDF would execute Trojan.Swaylib and Trojan.Dropper, which would try to install Downloader.
PLA Unit 61486, often called “Putter Panda” was also a spear-phishing hacker group that also had it origins in China (and with the “putter” was known for targeting golfers). This group has also been called APT2 and MSUpdater.
When APT1 was uncovered in February 2013 the report covered the activities of that particular Chinese cyber espionage group dating back to 2006, and listed more than 3,000 activity indicators. One of the things that characterised APT1 was their use of a vast network of “middle infrastructure” siting between the target and the home base. An infrastructure of more than 1,300 IP addresses, including some deliberately deceptive domains such as weather.yahoodaily.com and download.applesoftupdate.com, and most hosted with well-connected infrastructure in the U.S.
APT3 is another Chinese-based threat group, responsible for Operation Clandestine Fox, Operation Clasdestine Wolf, and Operation Double Tap. APT12, yet another Chinese threat group, also called for DynCalc, IXESHE, and Numbered Panda. APT16 is a Chinese group that targets Japanese and Taiwanese organisations. The threat group APT30 is also known to be associated with the Chinese government. In 2012 Operation Ababil started with a series of cyber-attacks on U.S. financial institutions. The DDoS attacks were initially thought to be from a hacktivist group, but later they were attributed to the Iranian government.
In September 2011 one of the Dutch certification authorities, DigiNotar, was compromised and fraudulent certificates were issued. The company owning DigitNotar went bankrupt, and the Dutch government took over the the DigiNotar system. Originally setup in 1998 by the national body of Dutch civil law notaries, DigiNotar was sold in January 2011. In July 2011 they issued a so-called wildcard certificate for Google, a public key certificate that can be used with multiple subdomains of a root domain (these type of certificates secure websites with the “https”). This certificate was subsequently used by unknown persons in Iran to conduct a man-in-the-middle attack against Google services. In August 2011, certificate problems were observed on multiple Internet service providers in Iran. The fraudulent certificate was posted on pastebin. It would appear that DigiNotar had detected an intrusion into its certificate authority infrastructure on 19 July, 2011, but had not released this information. When finally the problem was detected, the certificates were blacklisted and removed from lists of trusted certificates. DigiNotar was also used as part of the Dutch government public key infrastructure, and they had to switch certification authority in September 2011.
It would appear that the main target was 300,000 Iranian Gmail users, and it was suspected that the Iranian government was behind the attack. Man-in-the-middle attacks is where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a secure connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. As an attack that aims at circumventing mutual authentication, or lack thereof, a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to their satisfaction as expected from the legitimate other end.
The group Lulz Security, was formed in May of 2011 and has since claimed responsible for several major cyber-attacks including a data breach at Sony Pictures in 2011. The group also claimed responsibility for taking down the CIA website of the U.S. government. LulzSec gained notoriety because of the sarcastic messages often left by the group following an attack.
LulzSec was partially taken down in March of 2012 with the arrests of members known as T-flow and Topiary. The group emerged again in June 2011 after launching Operation AntiSec, which was a joint-effort between LulzSec, Anonymous and other hackers.
In 2011 the Syrian Electronic Army surfaced with attacks (spamming, defacement, malware, phishing, and denial-of-service) on opposition groups and also those seemingly neutral to the Syrian conflict.
In September 2010 reports emerged that the Stuxnet malware was targeting Iranian nuclear facilities, and in particular the Siemens programmable logic controllers used in the uranium enrichment facilities in Natanz (causing improper functioning and a major accident with the centrifuges). The Wikipedia report is very complete, but the basic idea was that four zero-day flaws were exploited on Window computers, with the aim to seek out Siemens Step7 software. Stuxnet consisted of a worm to get inside computer systems, a link file to automatically propagate the worm to other systems, and a rootkit with an ability to hide the malicious files and processes. It was propagated using infected USB flash drives. But it remained dormant until it arrived on a PLC with Step7 software. Five different variants of Stuxnet were used, and by 2010 about 60% of the worlds infected computer were found in Iran. However, the way Stuxnet was designed it can be used to target any modern SCADA or PLC system used in industrial locations such as power plants, etc.
It has been said that Stuxnet was part of a joint U.S. and Israeli program (through Unit 8200) called Operation Olympic Games, for targeting Iranian nuclear facilities.
Stuxnet has been related to Duqu, a separate malware collection, and Flame, a modular malware set, and, in 2015 the Equation Group was detected as having infected more than 500 locations across 42 countries. Equation Group appears to be linked to Stuxnet, and thus to the NSA. In 2016 a group called 'The Shadow Brokers' (possibly of Russian origin) stole and published malware code from the Equation Group. For more information check out this useful description of NSA Global Surveillance Disclosures since 2013.
As with any cyber attack, there can remain doubts about who actually committed the attack and why. For example, in this case there are articles (see this one from Forbes) that suggest that Stuxnet has its origins in China, and the attack focussed on a Finnish company, Vacon, who makes frequency converter drives used by the Iranians.
Operation Aurora, a series of cyber attacks in 2009-2010 originating from China, targeted intellectual property and source code libraries in a large number of U.S. companies. They exploited new zero-day vulnerabilities in the Explorer browser. We already can see the complexity of these attacks when the command and control servers were actually running in Illinois, Texas and Taiwan. Experts saw Aurora as being important because it marked a move from attacks exploiting memory corruption vulnerabilities such as buffer overflow, targeting operating systems and applications written in C/C++, to attacks on Web.based applications and services written in higher-level languages such as Java and .NET. The objective was to access the data-centers and pivot to other internal systems inside target companies, and possibly modify source code repositories. Shamoon (also known as Distrack) is often mentioned in this context, as a virus that targeted the Windows NT kernel, spread over a company network collecting and uploading files to the attacker, then erasing them. A group called the “Cutting Sword of Justice” closed the computer network and 35,000 workstations of the Saudi Aramco petrol company for a week in 2012 (wiping all the hard drives), and it took a total of 5 months to get their entire system back online. Later the same thing happened to RasGas, a Qatar-based provider of liquefied natural gas. The “Cutting Sword of Justice” is probably linked in some way with Iran.
In 2009 GhostNet, an “advanced persistent threat” with its command and control infrastructure in China, attacked the embassies, foreign ministries and government offices of 103 countries. Here we saw contextually relevant emails hiding Trojan horses with links back to China. In some cases the Trojan was able to download Gh0st RAT, which allowed attackers to gain complete control of a target computer.
For some earlier attacks see Titan Rain, Moonlight Maze, Shady RAT, Night Dragon, Blackworm, Conficker, Welchia, ILOVEYOU, Storm Worm, Zeus, Gameover ZeuS, Tiny Banker Trojan, Alureon, Rustock, Storm, Mebroot and the botnet Torpig,
Wikipedia has a Timeline of Computer Viruses and Worms, and a separate List of Computer Worms, and Comparison of Computer Viruses.
Some Useful References
“A Military Guide to Terrorism in the Twenty-First Century”, U.S. Army TRADOC G2 Handbook No. 1, 15 August 2007
“The Cyber Warfare Lexicon”, January 2009
Martin C. Libicki, “Cyberdeterrence and Cyberwar”, RAND, 2009
Jeffrey Carr, “Inside Cyber Warfare”, O’Reilly Media, 2010 (the link is to a copy on WikiLeaks)
James P. Farwell & Rafal Rohozinski, “Stuxnet and the Future of Cyber Warfare”, Survival, 53:1, 28 January 2011
Deepak Sharma, “China’s Cyber Warfare Capability and India’s Concerns”, Journal of Defense Studies, Vol. 5, No. 2, April 2011
U.S. Joint Forces Command “Commander’s Handbook for Attack the Network”, version 1.0, 20 May 2011
Oona A. Hathaway, et.al., “The Law of Cyber-Attack”, California Law Review, (posted) 16 November 2011
T.J. OConnor, “The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare”, SANS Institute, 30 December 2011
Andrew F. Krepinevich, “Cyber Warfare: A “Nuclear Option”?”, Center for Strategic and Budgetary Assessments, 2012
Alexander Klimburg (ed.), “National Cyber Security Framework Manual”, NATO, 2012
Karin Kosina, “Wargames in the Fifth Domain”, Masters Thesis Vienna, 2012
Martin C. Libicki, “Crisis and Escalation in Cyberspace”, RAND, 2012
Robert Lai, “Analytic of China Cyberattack”, The International Journal of Multimedia and Its Applications, Vol. 4, No. 3, June 2012
“Law of Armed Conflict: Implications for U.S. Navy Cyber Strategy”, Masters of Information Technology Strategy, Carnegie Mellon, 3 August 2012
Gabi Siboni & Y.R., “What Lies behind Chinese Cyber Warfare”, Military and Strategic Affairs, Vol. 4, No. 2 September 2012
“NATO Logistics Handbook”, November 2012
Michael N. Schmitt (ed.), “Tallinn Manual of the International Law Applicable to Cyber Warfare”, Cambridge University Press, 2013
“DDoS Survival Handbook”, Radware, 2013
Jouko Vankka (ed.), “Cyber Warfare”, National Defense University, Helsinki, Series 1, No. 34, 2013
Paulo Shakarian, Jana Shakarian, Andrew Ruef, “Introduction to Cyber-Warfare”, 2013
“Comprehensive Study on Cybercrime”, United Nations Office on Drugs and Crime, February 2013
U.S. Navy Cyber Forces “Commander’s Cyber Security and Information Assurance Handbook”, revision 2, 26 February 2013
Ingo Ruhmann, “Cyber War: Will it define the Limits to IT Security?”, International Review of Information Ethics, Vol. 20, December 2013
Michael N. Schmitt, “The Law of Cyber Warfare: Quo Vadis?”, Stanford Law & Policy Review, Vol. 25:269, 2014
“Cyber-Attacks: Can the Market Respond?”, Willis Energy Market Review 2014
“FM 3-38 Cyber Electromagnetic Activities”, U.S. Department of the Army, February 2014
Gary D. Solis, “Cyber Warfare”, Military Law Review, Vol. 219, Spring 2014
“Profiling an enigma: The mystery of North Korea’s cyber threat landscape”, HP Security Briefing, Episode 16, August 2014
“Cyber defense in the EU”, European Parliament Briefing, October 2014
Jason Kick, “Cyber Exercise Playbook”, MITRE Corporation, November 2014
Alexandre Mansourov, “North Korea’s Cyber Warfare and Challenges for the US-ROK Alliance”, Korea Economic Institute of America, 2 December 2014
CERT-UK, “Common Cyber Attacks: Reducing The Impact”, 2015
Thomas Rid & Ben Buchanan, “Attributing Cyber Attacks”, The Journal of Strategic Studies, Vol. 38, No. 1-2, 2015
“Creating trust in the digital world”, EY Global Information Security Survey 2015
Antonia Chayes, “Rethinking Warfare: The Ambiguity of Cyber Attacks”, Harvard National Security Journal, Vol. 6, 2015
Fred Schreier, “On Cyberwarfare”, Democratic Control of Armed Forces, Working Paper No. 7, 2015
Kenneth Geers (ed.), “Cyber War in Perspective: Russian Aggression against Ukraine”, NATO, 2015
Scott Jasper, “Deterring Malicious Behavior in Cyberspace”, Strategic Studies Quarterly, Spring 2015
U.S. Department of Defense “Law of War Manual”, June 2015
Greg Austin, “Australia Rearmed! Future Needs for Cyber-Enabled Warfare”, Australian Centre for Cyber Security, January 2016
“Internet Security Threat Report”, Symantec, Vol. 21, April 2016
Keir Giles, “Handbook of Russian Information Warfare”, NATO, November 2016