The infosec chronicle has offered many interesting events in this first part of October. Above all, the massive leak against the top 100 universities by the infamous Team GhostShell, the Skype worm, and, last but not least, the U.S. congressional report accusing China’s leading telecom equipment makers, Huawei and ZTE, of being a potential security risk.
Inevitably these events are obscuring what is going on in the Middle East, where Iran, on one hand, is facing the latest wave of cyber attacks against its internal assets and, on the other hand, claims to have infiltrated the “most sensitive enemy cyber data”.
This hot autumn for the Middle East began on September 30 (approximately one week after Iran connected all its government agencies to its secure autarchic domestic internet service). On that occasion Iranian Rear Admiral Ali Fadavi announced a resounding cyber strike by his navy’s cyber corps, which was able to “infiltrate the enemy’s most sensitive information” and successfully promote “cyberwar code,” i.e. decrypt highly classified data.
Ali Fadavi did not specify the name of any particular enemy, but simply referred to “imperialistic domination,” a clear reference to Iran’s “enmity with America.”
Maybe it is a coincidence, or maybe not, but on October 3 Iran suffered a massive outage of its Internet infrastructure, at least according to what Mehdi Akhavan Behabadi, secretary of the High Council of Cyberspace, declared to the Iranian Labour News Agency. The Iranian official attributed the outage to a heavily organized attack against the country’s nuclear, oil, and information networks, which forced the country to limit the usage of the Internet.
The latest (?) episode took place a couple of days ago, on October 8, when Mohammad Reza Golshani, head of information technology for the Iranian Offshore Oil Company, told Iran’s Mehr news agency that an unsuccessful (i.e. repelled by Iranian experts) cyber attack had targeted the company platforms’ information networks in the past few weeks. I wonder if we are in front of a new Flame. In any case, according to Mr. Golshani there were few doubts about the authors of the attack.
“This attack was planned by the regime occupying Jerusalem (Israel) and a few other countries”.
A few hours later Iran officially blamed Israel and China for planning and operating the attack.
It is no mystery that the Stuxnet attack forced Iran to tighten its cyber security, a strategy culminating in the creation of a domestic Internet separated from the outer world (a way to control access to the Web, according to many observers).
For sure it is not a coincidence that the same network separation is the main reason why Iran was able to repel the latest attacks.
My sixth sense (and half) tells me that other occasions to test the cyber security of the Iranian domestic Internet will come soon!
Yesterday Bloomberg reported the news of a new cyber attack in the Middle East targeting an oil company. The latest victim is Ras Laffan Liquefied Natural Gas Co., a Qatari LNG producer that has shut down part of its computer systems, which have been targeted by unidentified malware since Aug. 27.
According to the scant official information available, desktop computers in company offices were the only ones affected, while operational systems at onshore and offshore installations were immune, with no impact on production or cargoes.
Of course it is impossible to avoid a parallel with the cyber attack targeting Saudi Aramco a couple of weeks ago, and the 30,000 workstations that the company admitted had been targeted (and restored only a few days ago) by this malware outbreak. It is also impossible not to mention the infamous Shamoon, the brand new malware discovered in the Middle East that the information security community immediately connected to the Saudi Aramco cyber incident, furthermore stating (literally quoting Symantec’s blog):
W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector.
The Ras Laffan cyber attack may provide a partial answer to the question regarding who else might have been affected by Shamoon (I wonder if we will soon learn of other companies targeted) and, even if security researchers have not confirmed, so far, the connection between Shamoon and this latest attack, the first speculations in this regard have already appeared. According to the WSJ, the RasGas information technology department identified the virus as Shamoon, stating that:
Following the virus attack, some “computers are completely dead”.
The Middle East is considered the Cradle of Civilization, but I am afraid that, in this 21st century, it is becoming the “Cradle of Cyber War”. And even if you consider Shamoon just an amateurish copycat (with no cyberwar intentions), you cannot ignore the latest research according to which even Wiper is an offspring of the so-called Tilded Platform (the same malware platform that originated Stuxnet, Duqu and Flame).
This cannot be considered a mere coincidence.
Two more months and the world will watch the 2012 London Olympic Games. Unfortunately the same is not true for information security professionals, for whom the Olympic Games started approximately two years ago in Iran, more exactly during the summer of 2010, when the infamous malware Stuxnet (the first 21st century cyber weapon) became public, unleashing its viral power on the entire world.
Apparently the Olympic Games have nothing to do with Stuxnet… Only apparently, since “Olympic Games” is supposed to be the code name of the cyber operation, begun under the Bush administration and accelerated by Mr. Obama, aimed at building the first cyber weapon targeting the Iranian nuclear facilities. This is, in few words, the genesis of Stuxnet, at least according to a controversial article published by The New York Times, which anticipates a book on the same subject by David E. Sanger (Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power), and which is generating understandable turmoil.
Of course many words have been spent on the subject and probably (too) many will be spent, as Stuxnet has not proven to be an isolated case. Moreover (is this a coincidence?) the NYT’s revelations came out in the aftermath of the discovery of the Flame malware, which is further fueling the tension in the Middle East and, if officially confirmed, could set a potentially dangerous precedent for other countries looking to develop or expand their own clandestine cyber operations.
I think I cannot give any useful contribution to the debate, if not a humble suggestion to read this interesting interview with F-Secure CRO Mikko Hypponen, who explains the reason antivirus companies like his failed to catch Flame and Stuxnet… If the alleged NYT revelations really encourage other countries to enhance their cyber arsenals, there is much to be worried about, especially because the 21st century cyber weapons have shown, so far, a clear tendency to escape from the control of their creators.
The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) has been developed by a government with significant budget and effort. The complexity of the malware suggests that it has been used for a huge cyber-espionage campaign and, predictably, Israel is listed as the main culprit, even if in good company if it is true, as argued by some bloggers, that the malware was created by a close cooperation between the CIA and Mossad.
Israeli vice Premier Moshe Ya’alon has contributed to fuelling the Flame: speaking in an interview with Army Radio, Ya’alon hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not appear a simple coincidence that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations that can hardly be considered on good neighbourly terms with Israel.
Consequently, it is not that surprising that the same interview has been readily reported by the Iranian news agency Fars (which has interpreted it as a sign of responsibility and has hence blamed Israel for waging cyber war in Iran), nor is the tone of several comments to an article posted on the Haaretz newspaper’s Web site surprising (“Nice One Israel, Proud of You!!!!”).
Of course it is too soon to jump to conclusions; in any case, whether Israel (and the U.S.) is behind Flame or not, I could not help but wonder how it is possible that a piece of malware was able to go undetected for at least 5 years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Irony of fate: not even a day after the publication of a provocative article on the role of Cyber Warfare for maintaining peace, a new cyber threat appears, which is destined to leave an indelible mark on the cyber weapons’ landscape.
Today is one of those days that the infosec community will remember for a long time. It looks like the mystery of the malware targeting the Iranian oil business a month ago has been solved, and it is not the kind of conclusion we would have hoped for and expected.
Almost simultaneously, Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have released details of what has been defined (arguably) the most complex malware ever found.
The malware, which has been dubbed Flame (Kaspersky), or sKyWIper (CrySyS Lab), or also Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:
- Flame is a sophisticated attack toolkit: it is a backdoor, a Trojan, and has worm-like features (three in one). According to Kaspersky its development took a couple of years, and it will probably take years to fully understand the 20MB of Flame’s code.
- According to CrySyS Lab Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, The United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
- Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
- Flame owns many capabilities, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard. C&C operators may choose to upload up to about 20 modules, which can expand Flame’s functionality;
- The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet, and perhaps that is the reason why it wasn’t discovered for so long);
- Flame includes a piece of code (about 3000 lines) written in Lua, a not so common occurrence for malware;
- Top 7 affected countries include Islamic Republic of Iran (189 Samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), Egypt (5).
- Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spread on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when this directory is opened);
- Flame may also replicate via local networks using the following:
  - The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI;
  - Remote job tasks.
- When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
- So far no 0-day vulnerabilities have been found; however, the fact that some fully-patched Windows 7 installations have been compromised might indicate the presence of high-risk 0-days.
Without doubt a beautiful piece of malware written with the precise intent of cyber-espionage. Besides the resounding features of the malware, I found particularly interesting the same infection mechanism used by Stuxnet, which makes me think of (another) possible double agent implanting the first infection.
This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:
The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.
Cyberwarfare is generally considered asymmetric since, in theory, inside the cyber world “size does not matter” and a smaller and weaker state could declare a cyber war against an enemy regardless of the size of the latter in the real world. Think for instance of the example of China and the Philippines to quickly understand how this assertion can dramatically come true.
Because of this asymmetry and other factors, such as the difficulty of tracing cyber attacks, many consider it quite likely that cyber capabilities might make wars easier, according to the equation: “more cyberwarfare means more wars.”
A new and provocative article by Princeton’s Adam Liff in the “Journal of Strategic Studies” offers a completely new interpretation that may be summarized as: the advent of cyber-weapons may eventually promote world peace.
In his article the author debunks several myths about cyberwarfare. First of all, cyberwarfare may seem asymmetrical, but it is a myth that advanced cyber weapons are cheap and easily available; developing them requires a lot of resources, time, and operational secrecy. Think for instance of Stuxnet (and the effort needed to build it), which clearly demonstrates that building a targeted cyber weapon capable of limiting collateral damage requires a deep knowledge of the target and hence a huge investment.
Moreover, it would not be wise for weaker states to start a cyber war against an enemy nation without adequate capabilities to back up that conflict in the real world; otherwise they might be wiped out by the conventional response of the stronger state.
Last but not least, according to Liff, it would not be easy for states engaged in cyberwarfare to fully understand the actual consequences of their own cyber attacks. The risk of self-inflicted damage would be high, while cyber attacks might inadvertently affect otherwise lucrative assets such as an enemy’s banking infrastructure.
Instead, paradoxically, the availability of cyber-weapons, whatever their actual destructive potential, might in theory allow weaker states to get better bargains from their stronger adversaries, perhaps, even avoiding conflict.
The consequence is that, according to the author, the net effect of the proliferation of cyberwarfare capabilities on the frequency of war is relatively small. This effect is not constant across all situations, and in some cases the advent of cyberwarfare capabilities may decrease the likelihood of war.
In most cases, [cyberwarfare] is unlikely to significantly increase the expected utility of war between actors that would otherwise not fight. Furthermore, a cyberwarfare capability may paradoxically be most useful as a deterrent against conventionally superior adversaries in certain circumstances, thus reducing the likelihood of war.
Make peace and cyberwar!
05/11/12: Updated timeline. The tension between the Philippines and China escalates and new cyber attacks target both sides.
The month of April has suddenly revealed a new, unexpected cyber conflict between two very different countries: the Philippines and China.
Of course the Chinese cyber activity is not that surprising, unlike that of the Philippines, which had not shown any bellicose intention in the cyber domain. At least until these days, when the cyber peace between the two countries was broken because of a dispute concerning sovereignty over the Scarborough Shoal and the Spratly Islands, claimed by both countries. As often happens, the dispute has crossed the boundary between the real and the cyber worlds and has hence unleashed an endless and unexpected trail of mutual cyber attacks.
According to Roy Espiritu, spokesman of the government’s information technology office, all the attacks came after Philippine ships faced off with Chinese patrol vessels on April 8 in the disputed Scarborough Shoal in the South China Sea. Before that, there had been no such events, at least until April 20, when some hackers, identifying themselves as Chinese, attacked the University of the Philippines. On that occasion they defaced the UP website (up.edu.ph) with a map, labeled with Chinese characters, showing the Scarborough Shoal (called Panatag by the Philippines and Huangyan by China).
Needless to say, the latter episode has started an endless line of mutual attacks that are still continuing despite the calls to end the attacks from Manila.
Will the cyber conflict be limited to “simple” defacements, or will it take the shape of the first phase of the Middle East cyber war, when both parties faced each other by leaking the credit card details of innocent individuals? Moreover, is critical infrastructure really in danger, as suggested by Filipino IT professionals?
Based on the current events, maybe this latter scenario is exaggerated; in any case, once again, the upsetting evidence shows that the cyber world has become a consolidated further battlefield for the disputes afflicting the real world.
If you want to have an idea of how fragile the equilibrium inside the cyberspace is, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Another week of Cyber War in the Middle East…
Another week in which pro-Israeli hackers seem to have disappeared, and hence have apparently left the scene to pro-Palestine hackers, although not so many high-profile actions have been reported in this period. The only exception to this pattern is represented by Mauritania Hacker Team, who dumped 4000 login accounts from the Microsoft Israel Dynamics CRM Online website. This action is particularly significant… Not because it targeted a cloud service, and not even because it targeted a Microsoft cloud service, but most of all because, in the wake of the multiple dumps performed by pro-Arab hackers against Israel (among which the dump from the Microsoft cloud service was only the latest), Israel’s Justice Ministry has released guidelines forbidding the unnecessary collection of personal national identification numbers. This is the first time the aftermath of a cyber war has had direct implications on everyday life.
From this point of view the wars fought on the cyber domain are completely different from the wars fought on the real world… In the cyber battlefield the civilians are the primary targets (since they have their personal data dumped) and not collateral victims…
The second part of this post covers the cyber attacks carried out by Indian hackers against Bangladesh. Apparently their number is smaller, but a deeper analysis shows a sharper strategy focused on paralyzing the financial system of Bangladesh.
In this first quarter of 2012, the cyber war between the two countries went through two different phases: until the beginning of March, the two opposing factions faced each other with sparse defacement and DDoS actions (unleashed after the attacks following India’s Republic Day). After March we entered Cyber War 2.0, characterized by high-profile actions, most of all suffered by Bangladesh, that led to the takedown of the Stock Exchange and one important bank.
Again, thanks to Catherine for collecting the data.
Of course do not forget to follow @paulsparrows for the latest updates on the (too many) Cyber Wars, being fought on the underground of our planet.