Posts Tagged ‘Cyberwarfare’

Saudi Aramco Admits 30K workstations affected

August 27, 2012

Yesterday Saudi Aramco issued a public statement declaring that it has repaired most of the damage and restored all of its main internal network services affected by the Cyber Attack that occurred on August 15, 2012 (or the “malicious virus”, to use the company's own term).

In the same statement, the company revealed the real extent of the attack, confirming what was reported in my original blog post: the malicious virus originated from external sources and affected about 30,000 workstations (out of a total of 40,000).

The light at the end of the Cyber Tunnel seems quite close, since the company has stated that the workstations have been cleaned and restored to service. Some restrictions are still in place, however: as a precaution, remote Internet access to online resources is still restricted, and the website aramco.com is offline, showing a courtesy page in which the company confirms that all its electronic systems are isolated from outside access.

You will probably remember that the attack occurred nearly at the same time as the discovery of the latest malware in the Middle East, Shamoon, tailored to target companies belonging to the Energy Sector, which was consequently linked to the cyber attack on Saudi Aramco. At first, security researchers believed they had found a brand new cyber weapon in the Middle East, but some coding errors found inside the malicious program have convinced the community that Shamoon is not the work of experienced cyber weapon programmers (anyway, I believe that if Shamoon is really the source of Saudi Aramco's troubles, 30,000 wiped computers are a respectable result for a team of amateur programmers).

But if the situation is close to normal, hackers all over the world continue to threaten the company: a couple of days ago, an isolated group posted a new threat against Aramco, announcing a new attack for the 25th of August at 21:00 GMT. Even if the website aramco.com is still offline, this does not seem to be the effect of the latest alleged cyber attack: the hackers have posted today, Monday 29 August (sic), a new statement containing the results of their action (several passwords of internal routers and a couple of accounts), but it appears lame and not very convincing.

1 – 15 August Cyber Attacks Statistics

August 22, 2012

First of all, let me begin with great news: the Cyber Attacks Statistics page is complete with all the data collected so far. I created and inserted the charts for January as well, so I am now covering (and will keep covering) the whole of 2012.

Now, after this small “self-gratification”, it is time to look at the statistics derived from the Cyber Attacks Timeline for the first half of August. You will soon discover that this month has seen an (un)expected revival of Hacktivism and consequently of its preferred weapon (DDoS) and preferred targets (governments). This is a consequence of the so-called OpDemonoid carried out by the Anonymous collective against the takedown of the famous Torrent Tracker (which in many ways recalled the more famous OpMegaUpload). But it is also a consequence of OpAustralia, the operation (successful, since the law proposal is on standby) against the new Australian Internet Surveillance Law.

As far as the Motivations Behind Attacks are concerned, Hacktivism ranked at number one with nearly 50% of the events. Cyber Crime ranked at number two (43%), while as usual Cyber Espionage and Cyber Warfare are well behind (but I wonder how many targeted attacks are active at this moment, silent and undetected). It is interesting to note the rise of events motivated by Cyber Espionage (three inside the interval under consideration): the Gauss Cyber Attack, the campaign against Saudi Aramco and the attacks against the Nepalese Government.

The winds of hacktivism have a clear influence even on the Distribution Of Attack Techniques, which shows a new entry (so to speak) at number one. Yes, in the first half of August DDoS overtook SQLi, with nearly one third of the occurrences (31.9%) against 21.3% for the latter. Only for 17% of the attacks has it not been possible to identify with certainty the attack technique leveraged.

Clearly hacktivism also influenced the Distribution Of Targets: nearly one cyber attack in five (among the sample considered), corresponding to 21%, hit government targets. Targets belonging to the industry sector and to the news sector ranked at number two, both with 13% of the occurrences. Apparently the first half of August has been particularly awful for the News Sector, thanks most of all to Thomson Reuters, which was hacked three times in two weeks.

Again, I will never get tired of repeating that the data must be taken very carefully, since they refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide a high-level overview of the “cyber landscape” of the period considered.

If you want to have an idea of how fragile our data are in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

Another Massive Cyber Attack in Middle East

August 16, 2012

Update August 17: More details about Shamoon, the malware targeting Saudi Aramco and other Middle East companies belonging to the Energy Sector. Apparently the destructive details revealed yesterday are confirmed.

Update August 27: Saudi Aramco Admits 30K workstations affected.

I have just received a couple of tweets from an unknown user, @cyberstrikenews, providing more details about the latest Cyber Attack in the Middle East, targeting the Saudi Arabian Oil Company (Saudi Aramco).

The Oil Company declared that “production had not been affected” and that, even if the virus affected some computers, it did not penetrate key components of the network. The company also said it would return to normal operating mode soon.

From the information I have received (I cannot verify the integrity of the source, so I report the data verbatim), the situation appears quite different:

  • The company has about 40,000 computer clients and about 2,000 servers; the destructive virus is known to have wiped all information and operating-system-related files on at least 30,000 (75%) of them, with all data lost permanently.
  • Among the servers which (were) destroyed are the company's main web server, mail server (SMTP and Exchange), and the domain controller, which is the central part of their network.
  • All clients are permanently shut down and they will not be able to recover them in a short period.
  • The main company web site (http://www.aramco.com) was down for 24 hours and in the end they redirected it to a web site in another country called “www.saudiaramco.com”.

Apparently the web site has just been restored to normal operation, redirecting the user to Saudi Aramco.

After Stuxnet, Duqu, Flame and Gauss, yet another confirmation that there is no cyber peace in the Middle East!

References:

http://pastebin.com/p5C4mCCD

http://pastebin.com/5YB3TUH1

Several Small Enhancements to 2012 Cyber Attacks Statistics

August 14, 2012

I wrote a small script to automate the parsing of the data collected in the Cyber Attacks Timelines. I am currently verifying the data for January and February 2012, for which I have not published any statistics. I have already been able to classify the data for March 2012, whose results you can see on the Statistics page.

I also did a small exercise and tried to collect the distribution of targets for 2012. I know I am still missing the data for the first two months, but I promise I will fill the gap very soon. In the meantime have a look at the graph and notice the impact of Cyber Crime. Of course the data for the single months can be viewed on the 2012 Cyber Attacks Statistics page.

July 2012 Cyber Attacks Statistics (Part I)

Here we are with the statistics from the Cyber Attack Timeline for the first half of July 2012. The sample included 39 attacks, which have been analyzed according to the three familiar parameters: Motivations Behind Attacks, Distribution Of Attack Techniques and Distribution Of Targets.

As far as Motivations Behind Attacks are concerned, the first two weeks of July confirmed the trend of the last months: Cybercrime ranked at number one with nearly 70% of the occurrences, well ahead of Hacktivism, at number two with 23%. Cyber Warfare and Cyber Espionage are well behind, with 5% and 3% of the attacks respectively.

The Distribution Of Attack Techniques has shown, for the first half of July, a considerable number of attacks of unknown origin. As a matter of fact, in more than half of the occurrences (53%) it has not been possible to track the attack technique used by cyber crooks, at least according to the available information. In those cases where it has been possible to track the attacks, the first half of July has seen DDoS (18%) overtake SQL Injection (13%), although if one sums the total occurrences of SQL Injections (certain and claimed, the latter marked by a question mark in the chart), the total of SQLi is a remarkable 21%, slightly greater than DDoS. I had to modify this chart after I came across an article indicating an SQL Injection attack as the vector of the breach suffered by Nvidia.

The Distribution Of Targets chart confirms Industry at rank number one with 38% of the occurrences. In any case, if we do not consider the fragmentation of this category (I have dedicated a separate chart to drilling it down), Governments have confirmed to be the most vulnerable targets with 10% of the occurrences, corresponding to the most vulnerable single category.

Among the single categories, Law Enforcement Agencies rank at number two with 8% of the occurrences, followed by Education targets, online forums and political organizations, each with 5% of the occurrences.

Again, please note that the data must be taken very carefully, since they refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide a high-level overview of the “cyber landscape” of the period considered. Moreover, remember that the most dangerous threats are the invisible ones.

July 2012 Cyber Attacks Timeline (Part I)

July 20, 2012

Update 08/02/2012: July 2012 Cyber Attacks Timeline (Part II)

Although the number of attacks has considerably diminished, the first half of July has left several high-profile attacks which deserved huge attention, exposing in theory more than 2,000,000 individuals. Yahoo! Voice, Android Forums, Nvidia, Formspring, Billabong and ASUS are some of the well-known names that were victims of high-profile breaches in the first two weeks of July.

World Health Organization and PBS (once again) were also illustrious victims of Cyber Attacks.

Besides these remarkable events, it looks like the actions carried out by Law Enforcement agencies in the last period have led to some results, since the number of incidents looks undoubtedly smaller than in the previous months.

As far as the cyber attacks driven by hacktivism are concerned, it is particularly important to note #OpPedoChat, still ongoing, which caused many pedophiles to be exposed, in several cases with unpredictable consequences, as in Belgium, where a far-right official resigned after Anonymous’ Paedophilia Claims.

June 2012 Cyber Attacks Statistics

July 13, 2012

As usual I aggregated the data from the Cyber Attack Timelines of June to provide some aggregated statistics. The data must be taken very carefully, since they refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide a high-level overview of the “cyber landscape” of the month. Moreover, remember that the most dangerous threats are the invisible ones, as I can easily verify thanks to the advanced malware detection campaigns I am performing in these hard days.

Let us start with the Motivations Behind Attacks chart. Cybercrime is undoubtedly on the rise and has reached the unprecedented percentage of 72%. On the other hand, Summer seems to be a period of vacation for hacktivists, whose influence on the landscape fell to 18%. As usual Cyber Warfare and Cyber Espionage are well behind, at 6% and 4% respectively. But of course, this is only the tip of the iceberg. On the other hand, I would not expect a complex cyber espionage action to be easily uncovered or, worse, advertised on social media, as happens for (too) many actions allegedly motivated by cyber crime or hacktivism.

Moving to the Distribution Of Targets, the chart shows a preference of cyber crooks for Industry targets (21%), immediately followed by Government targets (18%). Targets belonging to Education sadly confirm their top position and rank, even in June, at number three with 8% of the occurrences. Of course Industry targets are hugely fragmented; hence, if we consider each category singly, it turns out that Governments are still the most vulnerable victims of cyber attacks.

Last but not least, the next chart: Distribution Of Attack Techniques. Apparently it is getting harder and harder to recognize the attack techniques leveraged to execute the reported cyber attacks. Anyway, in those cases where it has been possible to do so, SQL Injection steadily keeps on being the King of the Hill. The smaller occurrence of DDoS attacks reflects the minor influence of hacktivism during this month, with account hijacking confirming itself as one of the most dangerous vectors. When looking at defacements, consider that I typically do not take them into consideration in my timelines (there are really too many) unless they are executed against very remarkable targets; hence the 3% belongs to what I define as high-profile defacements.

June 2012 Cyber Attacks Timeline (Part II)

July 5, 2012

Part I (1-15 June) at this link

From an information security perspective, the second half of June has been characterized by the hacking collective UGNAZI (and its members) and also by an individual hacker: .c0mrade, AKA @OfficialComrade.

Both entities have left behind them a long trail of Cyber Attacks against different targets (in several cases the real extent of the attack is uncertain) and with different techniques, although it is likely that the UGNAZI collective will be forced to change its plans after the arrest of the group’s leader, JoshTheGod, near the end of the month (27th of June); in fact, they have considerably reduced the rate of their cyber attacks in the second part of the analyzed period.

On the other hand, hospitals, banks and several major airlines are only a few examples of the prey fallen under the attacks carried out by .c0mrade. Please note that, from a Cyber Crime perspective, it is also interesting to notice the High Roller Operation, a giant fraud against the banking industry, unmasked by McAfee.

Needless to say, the Cyber War front is always hot, most of all in the Middle East, where several DDoS attacks targeted some Israeli institutions and, most of all, an alleged unspecified massive Cyber Attack targeted the Islamic Republic of Iran.

The hacktivist landscape is completely different: maybe hacktivists have chosen to go on vacation, since June 2012 has apparently shown a decreasing trend, in sharp contrast with a year ago, when the information security community lived through one of its most troubled periods.

Middle East Cyber War Reloaded

I have just received an email from the Israeli hacker dubbed you-ri-k@n, providing me with some details about a peculiar Cyber Attack against an Iranian news web site. It looks like you-ri-k@n has a kind of predilection for Iran: you will probably remember him for his last cyber attack (nearly a couple of months ago) targeting the Iranian Meteorological Organization.

This time the victim is the Islamic Republic Of Iran Broadcasting World Service, whose main page currently shows a fake news item reporting the death of Mahmoud Ahmadinejad, the sixth and current President of the Islamic Republic of Iran, in a plane crash.

Clicking on the “News” button redirects the user to an image where (a few) additional details about the fake incident are provided:

A few days ago, with Flame still burning, Iranian officials claimed to be under the fire of a massive cyber attack. Of course this isolated episode cannot be compared with Stuxnet or Flame; nevertheless it shows that, even if on a microscopic scale, the cyber tension between the two countries is still high.

June 2012 Cyber Attacks Statistics (Part I)

As usual, here we are with some fresh charts obtained from the first part of the June 2012 Cyber Attacks Timeline.

Let us start with the Motivations Behind Attacks chart. Once again Cyber Crime ranks at number 1, showing a growing trend with respect to May, from 61% to 82% (at least in this first half). On the other hand, hacktivism-led cyber events have dropped from 30% to 14%. Apparently no explicit Cyber Warfare event has been detected, at least according to the data I collected.

Starting from this month, to make the Distribution Of Targets chart less fragmented and more readable, I decided to aggregate all the attacks against Industries (and Organizations). With this new classification, Government targets go down to rank number 2 with 15% of the occurrences (against 22% the previous month), followed by targets belonging to Education with 10% (the same value collected in May). Interesting to note is the apparent lack of attention by cyber crooks towards Law Enforcement targets. In any case, if we consider the fact that Industry data have been aggregated, the chart is not so different from the one for May: Governments keep on showing a worrying lack of Security.

Last but not least, during the first half of June it has apparently been difficult to identify 40% of the attack techniques, although SQLi (and more generally DB vulnerabilities) keeps on holding the crown among the identified events. Interesting to note is the drop of DDoS attacks (from 20% of the sample to 10%). Probably it is not a coincidence that it has followed the same trend as the hacktivism-driven Cyber Attacks, having halved its rate with respect to the previous month.

Again, no need to repeat that the data must be taken very carefully, since they refer only to discovered attacks (the so-called tip of the iceberg), and hence do not pretend to be exhaustive but only aim to provide a high-level overview of the “cyber landscape” of the month.
