The Cyber Monday has just gone, and here we are with the second Cyber Attacks Timeline of November (Part I here).
Even if no massive breaches against retailers have been discovered so far (however do not get carried away since they will probably need several weeks to surface!), this month equally shows some remarkable events for Cyber Crime, Hacktivism and Cyber Espionage.
Actually I just really did not know where to begin, since each sector shows at least one noticeable events. However, after scrolling down the list, I believe that the crown of the month is all for the powerful Regin, the brand new cyber weapon discovered by Symantec. If you believed that the complexity of Stuxnet, Flame and Duqu was a closed page, you will have to change your mind.
This event has overshadowed the massive attack against Sony Pictures Entertainment, allegedly traced to North Korea, in the wake of the release of the comedy “The Interview”, which has been deemed discriminatory against the country and inciting to terrorism. This attack, which has more then one similarity with the infamous Dark Seoul, has completely blocked the Sony internal IT network and is making happy many individuals worldwide, since several Gigabytes of unreleased material are being leaked in these hours.
Last but not least the hacktivists are back! Not only the Syrian Electronic Army has exited stealth mode, with an attack to Gigya, an identity management platform, which has affected many illustrious victims worldwide, but also the Anonymous have been the authors of several attacks, just like the good old days, in the wake of the controversial decision of the Ferguson grand jury decision.
If you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013 and now 2014 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Yesterday Bloomberg reported the news of a new cyber attack in Middle East targeting an Oil Company. The latest victim is Ras Laffan Liquefied Natural Gas Co., a Qatari LNG producer that has shut down part of its computer systems targeted by an unidentified malware since Aug. 27.
According to the scant official information available, desktop computers in company offices were the only affected, while operational systems at onshore and offshore installations were immune, with no impact on production or cargoes.
Of course it is impossible to avoid a parallelism with the cyber attack targeting Saudi Aramco a couple of weeks ago, and the 30,000 workstations that the company admitted to have been targeted (and restored only few days ago) by this malware outbreak. It is also impossible not to mention the infamous Shamoon, the brand new malware discovered in Middle East that information security community immediately connected to the Saudi Aramco cyber incident, furthermore stating (by literally quoting Symantec’s blog):
W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector.
The Ras Raffan cyber attack maybe provides a partial answer to the question regarding who else might have been affected by Shamoon (I wonder if we will soon learn of other companies targeted) and even if security researchers have not confirmed, so far, the connection between Shamoon and this latest attack, the first speculations on regard have already appeared. According to the WSJ, the RasGas information technology department identified the virus as Shamoon, stating that:
Following the virus attack, some “computers are completely dead”.
The Middle East is considered the Cradle of Civilization, but I am afraid that, in this 21st century, it is becoming the “Cradle of Cyber War”. And even if you consider Shamoon just an amateurish copycat (with no cyberwar intentions), you cannot ignore that the latest research according to which even Wiper is a son of the so-called Tilded Platform (the same malware platform that originated Stuxnet, Duqu and Flame).
This cannot be considered a mere coincidence.
Update August 17: More details about Shamoon, the malware targeting Saudi Aramco and other Middle East companies belonging to Energy Sector. Apparently the destructive details unveiled yesterday are confirmed.
Upate August 27: Saudi Aramco Admits 30K workstations affected.
I have just received a couple of tweets from an unknown user @cyberstrikenews providing more details about the latest Cyber Attack in Middle East targeting Saudi Arabian Oil Company (Saudi Aramco).
(@cyberstrikenews) August 16, 2012
The Oil Company declared that “production had not been affected” and even if the virus affected some computers, it did not penetrate key components of the network. The company also said it would return to normal operating mode soon.
From the information I have received (I cannot verify the integrity of the source, so I report the data integrally), the situation appears quite different:
- The company has about 40000 computer clients and about 2000 servers, the destructive virus was known to wipe all information and operation system related files in at least 30000 (75%) of them all data lost permanently.
- Among the servers which (were) destroyed are the company main web server, mail server (smtp and exchange), and the domain controller which as the central part of their network.
- All clients are permanently shut down and they will not be able to recover them in a short period.
- The main company web site ( http://www.aramco.com ) was down during 24 hours and at last they redirected it to an outside country web site called “www.saudiaramco.com”.
Apparently the web site has just been restored to normal operation redirecting the user to Saudi Aramco.
After Stuxnet, Duqu, Flame and Gauss, yet another confirm that there is no cyber peace in middle East!
Irony of fate: not even a day after the publication of a provocative article on the role of Cyber Warfare for maintaining peace, a new cyber threat appears, which is destined to leave an indelible mark on the cyber weapons’ landscape.
Today is one of those days that the Infosec Community will remember for a long time. It looks like the mystery of the malware targeting the Iranian Oil business a month ago has come to a solution, and it is not that kind of conclusion we would have hoped and expected.
Nearly in contemporary Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have unleashed details of what has been defined (arguably) the most complex malware ever found.
The malware, which has been dubbed Flame (Kaspersky), or sKyWIper (CrySyS Lab), or also Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:
Cyber WeaponMalware is a sophisticated attack toolkit, It is a backdoor, a Trojan, and has worm-like features (three in one). According to Kaspersky its development has taken a couple of years and it will probably take year to fully understand the 20MB of code of Flame.
- According to CrySyS Lab Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, The United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
- Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
- Flame owns many capabilities, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard. C&C operators may choose to upload up to about 20 modules, which can expand Flame’s functionality;
- The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet and maybe it is the reason why it wasn’t discovered for so long);
- Flame includes a piece of code (about 3000 lines) written in LUA, a not so common occurrence for malware;
- Top 7 affected countries include Islamic Republic of Iran (189 Samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), Egypt (5).
- Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spread on media using a “junction point” directory that contains malware modules and an LNK file that trigger the infection when this directory is opened);
- Flame may also replicate via local networks using the following:
- The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI;
- Remote jobs tasks.
- When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
- So far no 0-day vulnerabilities have been found, despite the fact that some fully-patched Windows 7 installations have been compromised, might indicate the presence of high-risk 0-days.
With no doubt a beautiful piece of malware written with the precise intent of Cyber-Espionage. Besides the resounding features of the malware, I found particularly interesting the same infection mechanism used by Stuxnet, that make me think of (another) possible double agent implanting the first infection.
This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:
The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.
Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.
Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…