The infosec chronicle has offered many interesting events in this first part of October. Upon all, the massive leak against top 100 universities by the infamous Team GhostShell, the Skype worm, and, last but not least, the U.S. congressional report accusing China’s leading telecom equipment makers, Huawei and ZTE, of being a potential security risk.
Inevitably these events are obfuscating what’s going on in Middle East where Iran, on one hand, is facing the latest wave of Cyber Attacks against its internal assets, and on the other hand, claims to have infiltrated the “most sensitive enemy cyber data”.
This hot autumn for the Middle East has begun on September 30 (approximately one week after Iran connected all its government agencies to its secure autarchic domestic internet service). In that circumstance Iranian Rear Admiral Ali Fadavi announced a clamorous cyber strike of his navy’s cyber corps, being able to “infiltrate the enemy’s most sensitive information” and successfully promote “cyberwar code,” i.e. decrypt highly classified data.
Ali Fadavi did not specify the name of any particular enemy, but simply referred to “imperialistic domination,” a clear reference to Iran’s “enmity with America.”
Maybe is a coincidence, or maybe not, but on October 3 Iran has suffered a massive outage of its Internet infrastructure, at least according to what Mehdi Akhavan Behabadi, secretary of the High Council of Cyberspace, has declared to the Iranian Labour News Agency. An outage that the Iranian official has attributed to a heavy organized attack against the country’s nuclear, oil, and information networks, which forced to limit the usage of the Internet.
The latest (?) episode a couple of days ago, on October 8, when Mohammad Reza Golshani, head of information technology for the Iranian Offshore Oil Company, told Iran’s Mehr news agency that an unsuccessful (i.e. repelled by Iranian Experts) cyber attack had targeted the company platforms’ information networks in the past few weeks. I wonder if we are in front of a new Flame. In any case, according to Mr. Golshani there were few doubts about the authors of the attack.
“This attack was planned by the regime occupying Jerusalem (Israel) and a few other countries”.
Few hours later Iran has officially blamed Israel and China for planning and operating the attack.
It is not a mystery that the Stuxnet attack forced Iran to tighten its cyber security, a strategy culminating on the creation of a domestic Internet separated from the outer world (a way to control the access to the Web according to many observers).
For sure it is not a coincidence that the same network separation is the main reason why Iran was able to repel the latest attacks.
My sixth sense (and half) tells me that other occasions to test the cyber security of the Iranian domestic Internet will come soon!
In the last wave, Yourikan has taken down 106 Iranian sites, defacing them with a message against the Nuclear Strategy of Iran.
He also claims to have deleted the backend databases.
This is only the latest occurrence of the mutual attacks between the two cyber factions. My sixth sense and one half tells me that more are to come…
After the jump you find the complete list (at the time of writing, in many cases the defaced pages have already been removed).
Approximately a couple of weeks ago, an Israeli hacker called You-r!-k@n, one of the early contenders of the Middle East Cyber War, had defaced the Iran Energy Water Website. The attack was claimed as a form of cyber protest (and cyber retaliation) against Iranian institutions executed by the same author.
Yesterday, two weeks later, with the same motivations, the same hacker has targeted and defaced 91 Iranian sites, including several government and education sites together with several important companies.
All the affected sites (at the time of writing the ones listed below are still defaced) show the same message against the “terror” and the nuclear strategy of Iran together with an Israeli flag.
According to the author, the list of the victims include:
- The Tehran’s urban development (http://ashayer.gov.ir) and other web sites with domain gov.ir
- A large number of sites faculties and institutions, for example one of the largest universities in Iran: (http://sama-saveh.ac.ir/info1-28.htm);
- The websites of several large electronic companies (http://gaamelectric.ir/info1-28.htm);
- The websites of one of the largest gas and oil company (http://satrap.ir/info1-28.htm);
According to the original statement of You-r!-k@n:
This is an attack against Iran than support terrorism and developing nuclear weapons to destroy Israel.
The situation between the two hot countries of the Middle East continues to be tense, and cyberspace is not an exception.
You-r!-k@n keeps on his personal battle against Iran.
The latest target is the official website of Iran Energy Water (tw.org.ir), which has been defaced, showing, in several sections, of the main page, a message against the Iran Nuclear Program and against the recent event in Bulgaria where five Israeli tourists (and their local driver) were killed in a terrorist attack in the Black Sea city of Burgas. At the time of writing the web site is unavailable, showing the well-familiar IIS7 Splash Screen (in spite of the embargo and the alleged Iranian Cyber Autarchy).
As you know, Israel blamed Iran for the latter event (backed by American Officials), and hence, easily predictable, the dispute between the two states has (once again) crossed the boundaries of the cyber world (but a defacement is quite a simple question in comparison with Stuxnet and The Flame).
The time of the Middle East Cyber War is well behind, nevertheless cyber events targeting both countries, whether state-sponsored or carried on by lone rangers, continue to happen at a constant rate.
From an information security perspective, the second half of June has been characterized by the hacking collective UGNAZI (and its members) and also by an individual hacker: .c0mrade AKA @OfficialComrade.
Both entities have left behind them a long trail of Cyber Attacks against different targets (in several cases the real extent of the attack is uncertain) and with different techniques, although it is likely that the UGNAZI collective will be forced to change the plans after the arrest of the group’s leader, JoshTheGod, nearly at the end of the month (27thof June), effectively they have considerably reduced the rate of their cyber attacks in the second part of the analyzed period.
On the other hand, hospitals, banks, several major airlines are only few examples of the preys fallen under the attacks carried on by .c0mrade. Plese notce that from Cyber Crime perspective, is also interesting to notice the High Roller Operation, a giant fraud against the banking industry, unmasked by McAfee.
Needless to say, the Cyber War front is always hot, most of all in Middle East, were several DDoS attacks targeted some Israeli institutions and, most of all, an alleged unspecified massive Cyber Attack targeted tje Islamic Republic of Iran.
The hacktitic landscape is completely different: maybe hacktivists have chosen to go on vacation since June 2012 has apparently shown a decreasing trend, in sharp contrast with an year ago, when the information security community lived one of its most troubled periods.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timeline.
I have just received an email from the israeli hacker dubbed you-ri-k@n providing me with some details about a peculiar Cyber Attack against an Iranian news web site. Looks like you-ri-k@n has a kind of predilection for Iran: you will probably remember him for his last cyber attack (nearly a couple of months ago) targeting the Iranian Meteorological Organization.
This time the victim is the Islamic Republic Of Iran Broadcasting World Service, whose main page currently shows a fake news reporting the death of Mahmoud Ahmadinejad, the sixth and current President of the Islamic Republic of Iran, in a plane crash.
Clicking on the “News” button redirects the user to an image where (few) additional details about the fake incident are provided:
Few days ago, with the flame still burning, Iranian officials claimed to be under the fire of a massive cyber attack. Of course this isolated episode may not be compared with Stuxnet or The Flame, nevertheless it shows that, even if in a microscopic scale, the cyber tension between the two countries is still high.
- A New Beginning For The Middle East Cyberwar? (hackmageddon.com)
While the U.S. and Israel keep on mutually claiming the Stuxnet’s paternity, Kaspersky Lab has unveiled further details about Flame that allow to connect it with the infamous malware targeting Iranian Nuclear Plants.
Are the two 21st century Cyber Weapons really correlated? Due to some architectural differences, the first data seemed to exclude any similarities between the two platforms: the so-called Tilded platform which Stuxnet and Duqu are based on, and the brand new platform from which Flame has been developed. In any case never trust appearances, as a small detail dating back to 2012 has unveiled a landscape that seems completely different from what was previously believed, which suggests the hypothesis that the Stuxnet malware had a kind of “proto flame” inside.
The Cyber Spy Story begins in October 2010 when the automated systems by Kaspersky Lab detected a False (Stuxnet) Positive. This sample apparently looked like a new variant (Worm.Win32.Stuxnet.s) but a deeper analysis showed (then) no apparent correlation with Stuxnet so it was subsequently dubbed Tocy.a.
Only two years later, in 2012, after the discovery of Flame, the russian security firm started to compare the brand new malware with previously detected samples to find any similarities. And guess what? The nearly forgotten Tocy.a was nearly identical to Flame. A further check to logs, allowed to discover that the Tocy.a, apparently an early module of Flame, was actually similar to “resource 207” from Stuxnet, and this similarity was the reason why the automatic system had previously classified it as Stuxnet.
Resource 207 is a 520,192 bytes Stuxnet encrypted DLL file that contains another PE file inside (351,768 bytes). It was found in the 2009 version of Stuxnet, despite it was dropped in the 2010 evolution, with its code merged into other modules. The PE file is actually a Flame Plugin, while the purpose of Resource 207 on the 2009 variant of Stuxnet was just to allow the malware propagation to removable USB drives via autorun.inf, as well as to exploit a then-unknown vulnerability (MS09-025) to escalate privileges in the system during the infection from USB drive.
Given the evidences collected, researchers suggests that, although Flame has been discovered a couple of years after Stuxnet, it was already in existence when Stuxnet was created (Jan-Jun 2009), having already a modular structure. The “Resource 207″ module was removed from Stuxnet in 2010 due to the addition of a new method of propagation (vulnerability MS10-046), while the Flame module in Stuxnet exploited a vulnerability which was unknown then, allowing an escalation of privileges, presumably exploiting MS09-025.
Part of the Flame code was used in Stuxnet despite, after 2009, the evolution of the Flame platform continued independently from Stuxnet.
Probably, this is the second important discovery about Flame after the MD5 Collision Attack, which enabled to malware to hide the download of its own modules behind Windows Updates.
Regarding the MD5 Collision Attack, I suggest you to have a look at this very interesting presentation. You will be amazed in discovering that the first successful demonstration of this attack took, in 2008 (the alleged year in which Flame was created), about 2 days on a cluster of 200 PS3s (corresponding to about $20k on Amazon EC2). Together with the complexity of the attack, this aspect is enough to suggest a state-sponsored origin for the malware (i.e. the need of huge resources and know-how). But there’s more: to make the MD5 Collision Attack successful in Flame, the Attackers, had to overcome a huge obstacle corresponding to prediction the Serial Number of the Certificate (which is based on a sequential certificate number and the current time). Nothing strange apparently, except for the fact that they had a 1-millisecond window to get the certificate issued. What does this mean in simple words? A large number of attempts required to get the certificate issued at the right moment, an effort 10-100x more costly that the original MD5 Collision Attack Demonstration.
Now I understand why the Iran Cyber Warfare Budget is estimated to be “only” USD 100 Million…
- Back to Stuxnet: the missing link (securelist.com)
- Researchers Connect Flame to U.S.-Israel Stuxnet Attack (wired.com)
- Discovery of new “zero-day” exploit links developers of Stuxnet, Flame (arstechnica.com)