It’s time for the first cyber attacks timeline of July reporting the main cyber events happened (or discovered) during the first half of the month.
In a short summary: if even the number of recorded attacks remains moderate, the most important events of this period are related to Cyber Espionage: eight sophisticated campaigns have been discovered, a number remarkably high for this category.
On the cyber crime front, the most important event of this period is undoubtedly the massive attacks against Boleto, the Brazilian payment system ($ 3.5 billion is the amount of money stolen by the criminals), but also the purported leak of CNET’s database (subsequently offered on sale by the criminals at the symbolic price of 1 Bitcoin) deserves a special mention. Also the African continent is on the spot with the discovery of a repeated fraud against a couple of Nigerian banks.
Nothing particularly remarkable by hacktivists, with the partial exception of the Syrian Electronic Army, back with the Specialty of the House (the account hijacking, this time against the official Twitter account of the Israel Defence Force). The hacktivistic landscape also offered some attacks against Israel, related to the events in Gaza. Nothing particularly relevant so far, but everything suggests that the number of these attacks will dramatically increase in the next timeline.
If you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013 and now 2014 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
I have been quite busy in the last few months, so, unfortunately, I was not able to keep the pace with the statistics derived from my Cyber Attacks Timelines. However, thanks to the ISMS Forum Spain (Asociación Española para el Fomento de la Seguridad de la Información), I have been invited to take part at the XV Jornada Internacional de ISMS Forum: La Sociedad Digital, entre Confianza y Ciber-riesgos (to be held on May, the 28th in Madrid).
Taking advantage of this awesome opportunity, I have been able to reorganize the data collected so far for the events recorded in 2014.
What I show below, is a synthesis of this work. Further information will be presented in Madrid, and later in my blog. Meanwhile, I hope the information provided will satisfy the readers who kindly asked for an update of the stats.
Let us start with the Daily Attack Trend Chart.
Needless to say, the crooks have started this infosec year with the brakes on. Apart from few noticeable examples (for instance the peak on the 20th of April due to the NullCrew collective), the activity is quite low in comparison with the past years (again a full analysis will be shown in Madrid).
Drilling down the Daily Attack Trend:
Shows a constant ‘bias’ of events related to Cyber Crime with some isolated peaks of Hacktivism. This is also evident from the Motivations Behind Attacks Chart.
Here the Cyber Crime dominates the chart, accounting for the 61% of the total events. Nearly twice more than Hactkivism, stuck to a ‘modest’ 31%. On the other hand Cyber Espionage and Cyber Warfare are quite stable at the values of 2013 when they were respectively at the 5% and 4% (but do not get carried away, the end of the year is far away and there is time to change along the way).
And the fall of Hacktivism finds another indirect confirm in the Distribution of Attack Techniques Chart:
Apparently fewer and fewer information is disclosed, so nearly one fifth of the recorded attacks if of uncertain origin. However both DDoS and SQLi confirmed the decreasing trend. On the other hand Account Hijacking maintains its growing trend (was 9% in 2013).
Last but not least, the Distribution of Targets chart:Targets belonging to industry rank at number one with the nearly 30% of occurrences, well ahead of governmental targets (at number two with nearly 19%) and organizations (at number three with nearly 12%). The others are behind (luckily for them).
Well, that’s all folks… At least so far… As I said before further data will follow…
As usual, please bear in mind that the sample must be taken very carefully since it refers only to discovered attacks, published in the news, and included in my timelines. The sample cannot be exhaustive but only aims to provide an high level overview of the “cyber landscape”.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Let us gave a look to the landscape of Cyber Attacks, during the first half of December 2012. Apparently cybercrooks are taking a break for Christmas, since, according to my selection Criteria, the number of attacks has shown a small decrease in comparison with the previous months.
The Daily Trend shows an inconstant trend with two peaks around respectively the 3rd December and the 11th and 12th (the latter due to the peak of Cyber Attacks against the US Banks).
The Distribution Of Attacks chart confirms that SQL Injection confirms to be the weapon preferred by Cyber Attackers with nearly one third of the occurrences (the value reaches nearly the 40% if one sums also the cases in which the attack seems to have been carried on with this technique but no enough evidences have been collected). In my opinion it is also important to notice the presence in the chart of several attacks perpetrated exploiting application vulnerabilities, but also the growing presence of targeted attacks (as usual you can find the details on the corresponding Cyber Attack Timeline.
Instead, at least for the first half of the month, the Distribution of Targets chart seems quite fragmented. Governmental targets lead the chart, but Financial, Industrial and Organizational targets are very close. Maybe the fragmentation depends from the partial sample. The second half of December will tell us if cybercrooks will concentrate their attacks against a specific sector.
As usual, no need to remind that the sample must be taken very carefully since it refers only to discovered attacks (the so-called tip of the iceberg), and hence it does not pretend to be exhaustive but only aims to provide an high level overview of the “cyber landscape”.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts). To do so, you can use this form.
The infosec chronicle has offered many interesting events in this first part of October. Upon all, the massive leak against top 100 universities by the infamous Team GhostShell, the Skype worm, and, last but not least, the U.S. congressional report accusing China’s leading telecom equipment makers, Huawei and ZTE, of being a potential security risk.
Inevitably these events are obfuscating what’s going on in Middle East where Iran, on one hand, is facing the latest wave of Cyber Attacks against its internal assets, and on the other hand, claims to have infiltrated the “most sensitive enemy cyber data”.
This hot autumn for the Middle East has begun on September 30 (approximately one week after Iran connected all its government agencies to its secure autarchic domestic internet service). In that circumstance Iranian Rear Admiral Ali Fadavi announced a clamorous cyber strike of his navy’s cyber corps, being able to “infiltrate the enemy’s most sensitive information” and successfully promote “cyberwar code,” i.e. decrypt highly classified data.
Ali Fadavi did not specify the name of any particular enemy, but simply referred to “imperialistic domination,” a clear reference to Iran’s “enmity with America.”
Maybe is a coincidence, or maybe not, but on October 3 Iran has suffered a massive outage of its Internet infrastructure, at least according to what Mehdi Akhavan Behabadi, secretary of the High Council of Cyberspace, has declared to the Iranian Labour News Agency. An outage that the Iranian official has attributed to a heavy organized attack against the country’s nuclear, oil, and information networks, which forced to limit the usage of the Internet.
The latest (?) episode a couple of days ago, on October 8, when Mohammad Reza Golshani, head of information technology for the Iranian Offshore Oil Company, told Iran’s Mehr news agency that an unsuccessful (i.e. repelled by Iranian Experts) cyber attack had targeted the company platforms’ information networks in the past few weeks. I wonder if we are in front of a new Flame. In any case, according to Mr. Golshani there were few doubts about the authors of the attack.
“This attack was planned by the regime occupying Jerusalem (Israel) and a few other countries”.
Few hours later Iran has officially blamed Israel and China for planning and operating the attack.
It is not a mystery that the Stuxnet attack forced Iran to tighten its cyber security, a strategy culminating on the creation of a domestic Internet separated from the outer world (a way to control the access to the Web according to many observers).
For sure it is not a coincidence that the same network separation is the main reason why Iran was able to repel the latest attacks.
My sixth sense (and half) tells me that other occasions to test the cyber security of the Iranian domestic Internet will come soon!
Update August 17: More details about Shamoon, the malware targeting Saudi Aramco and other Middle East companies belonging to Energy Sector. Apparently the destructive details unveiled yesterday are confirmed.
Upate August 27: Saudi Aramco Admits 30K workstations affected.
I have just received a couple of tweets from an unknown user @cyberstrikenews providing more details about the latest Cyber Attack in Middle East targeting Saudi Arabian Oil Company (Saudi Aramco).
(@cyberstrikenews) August 16, 2012
The Oil Company declared that “production had not been affected” and even if the virus affected some computers, it did not penetrate key components of the network. The company also said it would return to normal operating mode soon.
From the information I have received (I cannot verify the integrity of the source, so I report the data integrally), the situation appears quite different:
- The company has about 40000 computer clients and about 2000 servers, the destructive virus was known to wipe all information and operation system related files in at least 30000 (75%) of them all data lost permanently.
- Among the servers which (were) destroyed are the company main web server, mail server (smtp and exchange), and the domain controller which as the central part of their network.
- All clients are permanently shut down and they will not be able to recover them in a short period.
- The main company web site ( http://www.aramco.com ) was down during 24 hours and at last they redirected it to an outside country web site called “www.saudiaramco.com”.
Apparently the web site has just been restored to normal operation redirecting the user to Saudi Aramco.
After Stuxnet, Duqu, Flame and Gauss, yet another confirm that there is no cyber peace in middle East!
I have just received an email from the israeli hacker dubbed you-ri-k@n providing me with some details about a peculiar Cyber Attack against an Iranian news web site. Looks like you-ri-k@n has a kind of predilection for Iran: you will probably remember him for his last cyber attack (nearly a couple of months ago) targeting the Iranian Meteorological Organization.
This time the victim is the Islamic Republic Of Iran Broadcasting World Service, whose main page currently shows a fake news reporting the death of Mahmoud Ahmadinejad, the sixth and current President of the Islamic Republic of Iran, in a plane crash.
Clicking on the “News” button redirects the user to an image where (few) additional details about the fake incident are provided:
Few days ago, with the flame still burning, Iranian officials claimed to be under the fire of a massive cyber attack. Of course this isolated episode may not be compared with Stuxnet or The Flame, nevertheless it shows that, even if in a microscopic scale, the cyber tension between the two countries is still high.
- A New Beginning For The Middle East Cyberwar? (hackmageddon.com)
In the same hours in which I was publishing my post on Cyber Weapons, news agencies all around the world have begun to release (few) details about a new alleged Cyber Attack targeting the Iranian Oil Ministry, the National Iranian Oil Company and several other state-owned businesses.
The attack has been confirmed by a spokesman of the Iranian Oil Ministry, who also stressed that critical data have not been damaged or lost in the attack. Anyway, as a consequence of the Cyber Attack albeit as a precaution Internet access to several oil refineries has been cut off.
Of course Iran is not new to Cyber Attacks targeting Critical Infrastructures (do you remember Stuxnet and the possible hoax of
Duqu Stars?), in any case it is too soon to draw any connection with Stuxnet or any other kind of State-Sponsored Attack, even because, according to the scant information available, only a server providing public information has been harmed.
Probably this malware has nothing to deal with cyber weapons but, just for fun, I cannot help but notice that this alleged Cyber Attack came in the same day in which, among many doubts, Iran has announced to have reverse-engineered the U.S. stealthy RQ-170 Sentinel drone captured by Iran in December 2011.
The revenge of the reverse-engineered drone?
Paolo Passeri (@paulsparrows) April 23, 2012
- What is a Cyber Weapon? (hackmageddon.com)