Let us begin with the Country Distribution chart that, predictably, shows the US on top of all categories. However, Italy, Canada and the UK also show up: the first two for Hacktivism and the latter for Cyber Crime.
The Daily Trend of Attacks chart shows moderate activity with a peak on the 10th and a plateau between the 13th and 14th. Although the 5th of November is a date dear to hacktivists, no noticeable operations were recorded this year.
Once again Cyber Crime leads the Motivations Behind Attacks chart with 55.8%, substantially in line with the previous month (around 60%). Hacktivism ranks at number two with 28.6%, a remarkable increase compared to 13.8% in October, whereas Cyber Espionage remains quite high (13%, although down from the record value of 17.2% recorded in October).
Defacements lead the Attack Techniques chart with 20.8% (among the known attacks). SQLi ranks at number two with 13.0%, very close to DDoS at number three with 11.7% (a consequence of the hacktivism-driven hacking spree recorded in November). Targeted attacks rank at number four with 10.4%, still a significant value, even if down from 13.8% in October.
For the third month in a row, industry ranks on top of the Distribution of Targets chart (28.6%, nearly identical to October when it was 28.7%). As always, governmental targets rank at number two (23.4%), while organizations are back at number three (14.3%).
Again, targets belonging to E-Commerce rank on top of the Industry Drill Down chart, while political organizations lead the Organization Drill Down chart.
As usual, the sample must be taken very carefully since it refers only to discovered attacks included in my timelines. The sample does not pretend to be exhaustive but only aims to provide a high-level overview of the “cyber landscape”, or at least of the attacks that gained space in the media (yes, to use an abused expression, this is just the tip of the iceberg).
If you want to have an idea of how fragile our data are in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013 and now 2014 (regularly updated). You may also want to have a look at the Cyber Attack Statistics.
Here we are with the statistics for the cyber attacks included in the June 2013 timelines (part I and part II). A priori this month should have been characterized by huge operations (such as the infamous OpPetrol); instead, all in all, the cyber activity was quite moderate, as shown by the Daily Trend of Attacks chart, which shows a single remarkable peak around the 3rd of July (when several primary DNS providers were the victims of DDoS attacks).
The Motivations Behind Attacks chart shows an evident predominance of Cyber Crime (with 62% of the occurrences). Please keep in mind that the stats cannot take into consideration all the attacks made under the umbrella of the so-called OpPetrol, since many of them were considered fake or even old dumps “recycled” for the occasion. Without these attacks, hacktivism ranks at number two, well below, with 26% of the occurrences. The growing weight of cyber espionage is also interesting, with 8%, substantially in line with the 9% of the previous month.
The Distribution of Attack Techniques chart is substantially in line with the previous month: SQLi leads the chart with nearly one third of the known occurrences, while DDoS ranks at number three with nearly 15%. A particularly interesting factor in this chart is the growing influence of targeted attacks (11.1%), at the third rank among the known attacks and at the fourth rank overall, since in many cases (18.5%) it was not possible to determine the attack technique used.
The Distribution of Targets chart confirms the industry sector on top of the unwelcome attentions of the cyber crooks, immediately followed by governmental targets, essentially in line with the previous month. The news sector ranks at number three, immediately before Internet Services (as a consequence of the uncommon number of attacks reported against DNS providers).
As usual, please bear in mind that the sample must be taken very carefully since it refers only to discovered attacks included in my timelines. The sample does not pretend to be exhaustive but only aims to provide a high-level overview of the “cyber landscape”.
If you want to have an idea of how fragile our data are in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012 and now 2013 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Another day, another revelation inside the (in)visible Cyber War going on in the Middle East. Today Kaspersky Lab announced the discovery of another strain of malware derived from the infamous Tilded platform family: the little brother of Flame, the so-called miniFlame (or “John”, as named in the corresponding Gauss configuration).
The malware was discovered while looking closer at the protocol handlers of the Flame C2 infrastructure, an analysis that had previously revealed four different types of malware clients, codenamed SP, SPE, FL and IP, and hence fragmentary evidence of a new family of cyber weapons of which only one element was known at the time: the FL client, corresponding to Flame.
Exactly one month later, another member of the family has been given a proper name: the SPE element, corresponding to miniFlame.
Unlike its elder brother Flame (and its cousin Gauss), miniFlame does not appear to be the element of a massive spy operation infecting thousands of users, but rather resembles a small, fully functional espionage module designed for data theft and direct access to infected systems. In a few words: a high-precision, surgical attack tool created to complement its more devastating relatives in high-profile targeted campaigns. The main purpose of miniFlame is to act as a backdoor on infected systems, allowing direct control by the attackers.
Researchers discovered that miniFlame is based on the Flame platform but is implemented as an independent module. This means that it can operate either independently, without the main modules of Flame on the system, or as a component controlled by Flame.
Furthermore, miniFlame can be used in conjunction with Gauss. It had been assumed that Flame and Gauss were parallel projects without any modules or C&C servers in common. The discovery of miniFlame, and the evidence that it can work with both cyber espionage tools, proves that they were products of the same ‘cyber-weapon factory’: miniFlame can work as a stand-alone program, or as a Flame or even a Gauss plugin.
Although researchers believe that miniFlame has been in the wild since 2007, it has infected a significantly smaller number of hosts (~50-60 vs. more than 10,000 systems affected by the Flame/Gauss couple). The distribution of the infections depends on the SPE variant and spans a heterogeneous sample of countries, from Lebanon and Palestine to Iran, Kuwait and Qatar, with Lebanon and Iran appearing to host the largest number of infected hosts.
Further evidence of the silent Cyber War ongoing (since 2007) in the Middle East.
Here we are with the statistics from the Cyber Attack Timelines for the first and the second half of July 2012. The sample included 76 attacks, which have been analyzed according to the three familiar parameters: Motivations behind attacks, Distribution of attack techniques and Distribution of targets.
Again, I will never get tired of repeating that the data must be taken very carefully since they refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide a high-level overview of the “cyber landscape” of the considered period. Moreover, remember that the most dangerous threats are the invisible ones.
As far as the Motivations Behind Attacks are concerned, July has confirmed the predominance of Cyber Crime, although it dropped to 55% from 72% in the previous month. It is interesting to notice the corresponding growth of Hacktivism, from 18% in June to 32% in July. Although the number of (discovered) attacks motivated by Cyber Espionage is always low, this month their occurrences nearly doubled as a consequence of the events in the Middle East, which confirms itself as a “hot area” of the Cyber Arena. Cyber Warfare is positioned at the bottom of the chart with a “poor” 4% of the occurrences.
The Distribution of Attack Techniques chart confirms that it is getting harder and harder to recognize what the cyber crooks have leveraged to reach their goal. The percentage of unknown attacks has grown from 36% in June to 45% in July. In any case, among the recognized attacks, SQL Injection ranks at number one with 28% of the possible occurrences. DDoS has confirmed its decreasing trend, from 16% in June to 9% in July. Maybe the potential victims are learning to defend themselves effectively?
The Distribution of Targets chart confirms that targets belonging to industry are always on top of the preferences of cyber crooks, with 32% of the occurrences, well above the 21% of the previous month. Government targets confirmed their second place with 15% of the occurrences (they were at 18% in July), followed by Online Services with 10%. It is interesting to notice the low number of incidents targeting Law Enforcement Agencies and Military Institutions. Maybe, after the high number of cyber attacks suffered, they are learning to enforce adequate countermeasures.
If you want to have an idea of how fragile our data are in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
05/11/12: Updated timeline. The tension between Philippines and China escalates and new cyber attacks target both sides.
The month of April has suddenly revealed a new, unexpected Cyber Conflict between two very different countries: the Philippines and China.
Of course the Chinese cyber activity is not that surprising, unlike that of the Philippines, which had not shown any bellicose intention in the Cyber Domain. At least until these days, when the cyber peace between the two countries was broken because of a dispute concerning sovereignty over the Scarborough Shoal and the Spratly Islands, claimed by both countries. As often happens, the dispute has crossed the boundary between the real and the cyber worlds and has hence unleashed an endless and unexpected trail of mutual cyber attacks.
According to Roy Espiritu, spokesman of the government’s information technology office, all the attacks came after Philippine ships faced off with Chinese patrol vessels on April 8 in the disputed Scarborough Shoal in the South China Sea. Before that, there had been no such events, at least until April 20, when some hackers, identifying themselves as Chinese, attacked the University of the Philippines. In that circumstance they defaced the UP website (up.edu.ph) with a map, labeled with Chinese characters, showing the Scarborough Shoal (called Panatag by the Philippines and Huangyan by China).
Needless to say, the latter episode started an endless line of mutual attacks that are still continuing despite the calls from Manila to end them.
Will the cyber conflict be limited to “simple” defacements, or will it take the shape of the first phase of the Middle East Cyber War, when both parties confronted each other by leaking the credit card details of innocent individuals? Moreover, is critical infrastructure really in danger, as suggested by Filipino IT professionals?
Based on the current events, this latter scenario may be exaggerated; in any case, once again the upsetting evidence shows that the Cyber World has become a consolidated further battlefield for the disputes afflicting the real world.
If you want to have an idea of how fragile the equilibrium inside cyberspace is, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.