Yet another Sunday, yet another attack in Middle East.
Maher Center, the Iranian Computer Emergency Response Team / Coordination Center has just released a scant report concerning another (alleged) cyber attack targeting Iran.
Few information is available so far regarding this new targeted attack. The malware, simple in design and hence apparently unrelated to the other sophisticated cyber attacks targeting the same area, seems to have an efficient design and wiping features. According to the statement, the malware “wipes files on different drives in various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software“. However, it is not considered to be widely distributed. The report also publishes the MD5s of the five identitified components.
Wiper malware samples are becoming increasingly common in Middle East. Of course the most known example so far is the massive cyber attack targeting Saudi Aramco, occurred in August 2012 and targeting 30,000 internal workstations. Few days ago, the final results of the investigations were unveiled, suggesting that the attack was carried on by organized foreign hackers, and aimed “to stop pumping oil and gas to domestic and international markets” with huge impacts on the national economy of the kingdom.
The next hours will tell us if we are in front of a similar scenario, or the statement is rather an attempt of propaganda aimed to emphasize Iranian defensive capabilities.
November has gone and it’s time to review this month’s cyber landscape.
From a Cyber Crime perspective, November 2012 will be probably remembered for the breach to Nationwide, one of the largest insurance and financial services providers in the US, a breach that has potentially left up to 1 million users exposed. Unfortunately, in terms of massive breaches, this is not the only remarkable event of the month, just at the end Acer India has suffered a massive cyber attack culminated in the leak of nearly 15,000 records. Not comparable with the breach that affected Nationwide, but for sure of big impact.
Also on the cyber-espionage front this month has been interesting: JAXA, the Japan Space agency has been targeted by yet another targeted attack (after January 2012) and Symantec has discovered W32.Narilam, a new destructive malware targeting several nations in Middle East.
The hacktivist front has been characterized by the dramatic events in Gaza, the attacks have reached a peak around the first half of the month (as in the first part, I did not take into consideration the attacks carried on in name of OpIsrael for which I wrote a dedicated timeline), in any case the Anonymous have found another way to mark this month, leaking 1 Gb of documents from the Syrian Ministry of Foreign Affairs.
Last but not least, this month has seen three large-scale DNS Poisoning attacks (against the Pakistani Registrar PKNIC, Inc., GoDaddy, and the Romanian Registrar). A very rare occurrence!
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
- 1-15 November 2012 Cyber Attacks Statistics (hackmageddon.com)
- Timeline of Opisrael (hackmageddon.com)
Another day, another revelation inside the (in)visible Cyber War going on Middle East. Today Kaspersky Lab has announced the discovery of another strain of malware derived from the infamous Tilded-Platform family: the little brother of Flame, the so-called miniFlame (or “John”, as named by the corresponding Gauss configuration).
The malware has been discovered while looking closer at the protocol handlers of the Flame C2 Infrastructure. An analysis that had previously revealed four different types of malware clients codenamed SP, SPE, FL and IP, and hence the fragmented evidence of a new family of cyber weapons, where one only element were known at the time the FL client corresponding to Flame.
Exactly one month later, another member of the family has been given a proper name: the SPE element corresponding to miniFlame.
Unlike its elder brother Flame (and its cousin Gauss) miniFlame does not appear to be the element of a massive spy operation, infecting thousands of users, but rather resembles more a small, fully functional espionage module designed for data theft and direct access to infected systems. In few words: a high precision, surgical attack tool created to complement its most devastating relatives for high-profile targeted campaigns. The main purpose of miniFlame is to act as a backdoor on infected systems, allowing direct control by the attackers.
Researchers discovered that miniFlame is based on the Flame platform but is implemented as an independent module. This means that it can operate either independently, without the main modules of Flame in the system, or as a component controlled by Flame.
Furthermore, miniFlame can be used in conjunction Gauss. It has been assumed that Flame and Gauss were parallel projects without any modules or C&C servers in common. The discovery of miniFlame, and the evidence that it can works with both cyber espionage tools, proves that were products of the same ‘cyber-weapon factory’: miniFlame can work as a stand-alone program, or as a Flame or event Gauss plugin.
Although researchers believe that miniFlame is on the wild since 2007, it has infected a significantly smaller number of hosts (~50-60 vs. more than 10,000 systems affected by the Flame/Gauss couple). The distribution of the infections depends on the SPE variant, and spans a heterogeneous sample of countries: from Lebanon and Palestine, to Iran, Kuwait and Qatar; with Lebanon and Iran that appear to concentrate the bigger number of infected hosts.
Another evidence of the ongoing (since 2007) silent Cyber War in Middle East.
The infosec chronicle has offered many interesting events in this first part of October. Upon all, the massive leak against top 100 universities by the infamous Team GhostShell, the Skype worm, and, last but not least, the U.S. congressional report accusing China’s leading telecom equipment makers, Huawei and ZTE, of being a potential security risk.
Inevitably these events are obfuscating what’s going on in Middle East where Iran, on one hand, is facing the latest wave of Cyber Attacks against its internal assets, and on the other hand, claims to have infiltrated the “most sensitive enemy cyber data”.
This hot autumn for the Middle East has begun on September 30 (approximately one week after Iran connected all its government agencies to its secure autarchic domestic internet service). In that circumstance Iranian Rear Admiral Ali Fadavi announced a clamorous cyber strike of his navy’s cyber corps, being able to “infiltrate the enemy’s most sensitive information” and successfully promote “cyberwar code,” i.e. decrypt highly classified data.
Ali Fadavi did not specify the name of any particular enemy, but simply referred to “imperialistic domination,” a clear reference to Iran’s “enmity with America.”
Maybe is a coincidence, or maybe not, but on October 3 Iran has suffered a massive outage of its Internet infrastructure, at least according to what Mehdi Akhavan Behabadi, secretary of the High Council of Cyberspace, has declared to the Iranian Labour News Agency. An outage that the Iranian official has attributed to a heavy organized attack against the country’s nuclear, oil, and information networks, which forced to limit the usage of the Internet.
The latest (?) episode a couple of days ago, on October 8, when Mohammad Reza Golshani, head of information technology for the Iranian Offshore Oil Company, told Iran’s Mehr news agency that an unsuccessful (i.e. repelled by Iranian Experts) cyber attack had targeted the company platforms’ information networks in the past few weeks. I wonder if we are in front of a new Flame. In any case, according to Mr. Golshani there were few doubts about the authors of the attack.
“This attack was planned by the regime occupying Jerusalem (Israel) and a few other countries”.
Few hours later Iran has officially blamed Israel and China for planning and operating the attack.
It is not a mystery that the Stuxnet attack forced Iran to tighten its cyber security, a strategy culminating on the creation of a domestic Internet separated from the outer world (a way to control the access to the Web according to many observers).
For sure it is not a coincidence that the same network separation is the main reason why Iran was able to repel the latest attacks.
My sixth sense (and half) tells me that other occasions to test the cyber security of the Iranian domestic Internet will come soon!
In the last wave, Yourikan has taken down 106 Iranian sites, defacing them with a message against the Nuclear Strategy of Iran.
He also claims to have deleted the backend databases.
This is only the latest occurrence of the mutual attacks between the two cyber factions. My sixth sense and one half tells me that more are to come…
After the jump you find the complete list (at the time of writing, in many cases the defaced pages have already been removed).
Approximately a couple of weeks ago, an Israeli hacker called You-r!-k@n, one of the early contenders of the Middle East Cyber War, had defaced the Iran Energy Water Website. The attack was claimed as a form of cyber protest (and cyber retaliation) against Iranian institutions executed by the same author.
Yesterday, two weeks later, with the same motivations, the same hacker has targeted and defaced 91 Iranian sites, including several government and education sites together with several important companies.
All the affected sites (at the time of writing the ones listed below are still defaced) show the same message against the “terror” and the nuclear strategy of Iran together with an Israeli flag.
According to the author, the list of the victims include:
- The Tehran’s urban development (http://ashayer.gov.ir) and other web sites with domain gov.ir
- A large number of sites faculties and institutions, for example one of the largest universities in Iran: (http://sama-saveh.ac.ir/info1-28.htm);
- The websites of several large electronic companies (http://gaamelectric.ir/info1-28.htm);
- The websites of one of the largest gas and oil company (http://satrap.ir/info1-28.htm);
According to the original statement of You-r!-k@n:
This is an attack against Iran than support terrorism and developing nuclear weapons to destroy Israel.
The situation between the two hot countries of the Middle East continues to be tense, and cyberspace is not an exception.
You-r!-k@n keeps on his personal battle against Iran.
The latest target is the official website of Iran Energy Water (tw.org.ir), which has been defaced, showing, in several sections, of the main page, a message against the Iran Nuclear Program and against the recent event in Bulgaria where five Israeli tourists (and their local driver) were killed in a terrorist attack in the Black Sea city of Burgas. At the time of writing the web site is unavailable, showing the well-familiar IIS7 Splash Screen (in spite of the embargo and the alleged Iranian Cyber Autarchy).
As you know, Israel blamed Iran for the latter event (backed by American Officials), and hence, easily predictable, the dispute between the two states has (once again) crossed the boundaries of the cyber world (but a defacement is quite a simple question in comparison with Stuxnet and The Flame).
The time of the Middle East Cyber War is well behind, nevertheless cyber events targeting both countries, whether state-sponsored or carried on by lone rangers, continue to happen at a constant rate.