Here is the usual compilation of the Cyber Attacks in the first half of September, a period which has apparently confirmed the resurgence of hacktivism seen in August.
Several operations such as #OpFreeAssange (in support of Julian Assange), #OpTPB2 against the arrest of The Pirate Bay Co-Founder Gottfrid Svartholm Warg, and #OpIndipendencia in Mexico have characterized the first half of September. Curiously, hacktivists also marked this period with a couple of controversial events: the alleged leak of 1 million UDIDs from the FBI (later proven to be fake) and the alleged attack on GoDaddy (later proven to be a network issue, which is the reason why I did not even mention it in this timeline). Other hacktivist-motivated actions have been carried out by Pro-Syrian hackers.
From a Cyber Crime perspective, two events are particularly interesting (even if very different): the alleged leak of Mitt Romney’s tax returns and yet another breach against a Bitcoin Exchange (Bitfloor), worth the equivalent of 250,000 USD, which forced the operator to suspend operations.
If you want to have an idea of how fragile our data are in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Fate, it seems, is not without a sense of irony. And this rule also holds for the Infosec Matrix…
Yesterday, while a five-hour outage, due to an alleged DDoS cyber attack initially claimed by Anonymous, left GoDaddy unable to serve millions of websites (panicking millions of Internet users), a digital publishing company named BlueToad came forward to take responsibility for the leak of a million iOS unique device identifiers (UDIDs). You will surely remember that the same infamous collective claimed a few days ago to have stolen the UDIDs from an FBI laptop.
Probably the FBI really had nothing to do with the hack, since yesterday BlueToad admitted (and apologized) that it had been breached and that the UDIDs were stolen in that very circumstance.
And as if that were not enough, hour after hour even the alleged cyber attack on GoDaddy has taken a paradoxical turn: after the initial claims, Anonymous denied responsibility for the action (at first marked as the latest form of protest against GoDaddy’s support for SOPA), and also mocked @AnonymousOwn3r, the alleged author of the attack, who proclaimed himself (sic) “security leader of Anonymous because I’m behind many things such like irc, ops, attacks, and many“.
Now the latest coup de théâtre: there is no IRC bot behind GoDaddy’s outage (as claimed by the alleged author), but a much less romantic series of (unspecified) internal network events that corrupted data tables, apparently “simple” (for those familiar with networking) routing issues.
And that makes two… On the same day, two alleged cyber attacks were initially claimed by Anonymous and then proven to be false. And even if it is not so common to discover two on the same day, fake cyber attacks are becoming quite frequent (think for instance of the alleged hack of Philips, old data leaked in February according to the Dutch Giant, and of Sony). Of course the point is not Anonymous; the point is that claiming hacks and leaks (made by others, or worse, totally false) is becoming too simple… Nowadays with Twitter and Pastebin you can (claim to) hack whatever you want (as an example, I often find dumps on pastebin repeated several times and claimed by different authors).
Maybe it is time to treat the news of massive leaks with caution and skepticism.
Yesterday Saudi Aramco issued a public statement declaring that it had fixed most of the damage and restored all the main internal network services affected by the Cyber Attack that occurred on August 15, 2012 (or by a “malicious virus”, to quote the term used by the company).
In the same statement, the company unveiled the real extent of the attack, confirming what was reported in my original blog post: the malicious virus originated from external sources and affected about 30,000 workstations (out of a total of 40,000).
The light at the end of the Cyber Tunnel seems quite close, since the company has stated that the workstations have been cleaned and restored to service. There are however some restrictions still in place: as a precaution, remote Internet access to online resources is still restricted and the website aramco.com is offline showing a courtesy page in which the company confirms that all the electronic systems are isolated from outside access.
You will probably remember that the attack occurred at nearly the same time as the discovery of the latest malware in the Middle East, Shamoon, tailored to target companies belonging to the Energy Sector, which was consequently linked to the cyber attack on Saudi Aramco. At the beginning, security researchers believed they had found a brand new cyber weapon in the Middle East, but some coding errors found inside the malicious program have convinced the community that Shamoon is not the work of experienced cyber weapons programmers (anyway I believe that if Shamoon is really the source of the troubles for Saudi Aramco, 30,000 erased computers are a respectable result for a team of amateur programmers).
But even if the situation is close to normal, hackers all over the world continue to threaten the company: a couple of days ago, an isolated group posted a new threat to Aramco, announcing a new attack for the 25th of August, at 21:00 GMT. Even if the aramco.com website is still offline, this does not seem to be the effect of the latest alleged cyber attack: the hackers have posted today, Monday 29 August (sic), a new statement containing the result of their action (several internal router passwords and a couple of accounts), but it appears lame and does not seem very convincing.
The city of Taranto is famous worldwide for its delicious mussels “Tarantina Style” with tomato soup, chili pepper and garlic. Unfortunately, these days Taranto is also the involuntary protagonist of the ILVA affair, a paradoxical situation typical of Italy.
On July 31st, the ILVA steel plant, the largest in Europe, was placed under precautionary judicial seizure, and eight current or former executives were placed under house arrest. This is the consequence of an inquiry into environmental pollution. Unfortunately this decision is leading to heavy consequences for the steel plant workers, who went on the warpath, and for the unions as well, who have announced an indefinite strike.
Such a delicate and complex situation could not be ignored by the hacktivists of the infamous collective Anonymous who, in the name of OpItaly&OpGreenRights, yesterday hacked and defaced the Taranto Municipality website and left a message directed to workers against the steel plant activity. The hacktivists have also dumped a portion of a database of Ilva and Riva Group (the corresponding holding) on pastebin.
This is the latest example of the strict interconnections between the real and cyber worlds, even if such a complex and potentially devastating situation deserves much more in-depth reflection (about the national economic strategies and policies) than a “simple” (maybe fashion-motivated) defacement.
Thanks to Cyberwarnews.info for publishing the news.
Cyber War News has just reported the details of a small database leak against Udinese Calcio, one of the oldest and most important Italian “Serie A” Football teams (Udinese ended the last Italian season in third place and is going to play the preliminary phase of the prestigious UEFA Champions League).
As far as I remember, this is the first time that a “Serie A” Football Team has been hacked, and among the remarkable records that Udinese collected during the 2011-2012 season, this is probably the most unwelcome. The leak has been performed by norton-z, who exploited an SQL Injection vulnerability on the team’s web site and then dumped some details on pastebin, including administrative accounts.
If you follow my timelines you will have probably noticed that norton-z has been very active in the last period, so it looks like he has decided to turn his attention to Italy and specifically to a Football team (in the same days in which the continent is watching the European Championship EURO 2012 in Poland and Ukraine).
If you are wondering whether the leak is somehow related to the recent scandal (AKA Calciopoli AKA Operation Last Bet) which has dramatically hit the Italian Football Landscape, you will probably be disappointed. According to the author’s pastebin statement, there is no other reason than fun!
Is it time for football teams to allocate some budget for securing their online services?
Thanks to @Cyber_War_News for the fresh info!
As usual, here is the list of the main cyber attacks for April 2012. The first half of the month has been characterized by hacktivism, although the time of the resounding attacks seems far away. This is also because, after the arrest of Sabu, the law enforcement agencies (which were also targeted during this month, most of all in the UK) made two further arrests of alleged hackers affiliated to the Anonymous Collective: W0rmer, member of CabinCr3w, and two possible members of the infamous collective @TeaMp0isoN.
In any case, the most important breach of the first half of the month has nothing to do with hacktivism: it targeted the health sector and hit the Utah Department of Health, with potentially 750,000 users affected. According to the latest Ponemon Study on the cost of a breach ($194 per record), applied to the minimum number of users affected (250,000), the monetary impact could be at least $55 million.
Other interesting events to mention in the observed period are the alleged attack against a Chinese Military Contractor and the takedown of the five most important al-Qaeda forums. On the hacktivist front, it is worth mentioning a new hijacked call from MI6 to the FBI, but also the alleged phone bombing of the same Law Enforcement Agency. Both events were performed by TeamPoison, whose two alleged members were arrested the day after.
For the sample of attacks I tried to identify: the category of the targets, the category of the attacks, and the motivations behind them. Of course this attempt must be taken with caution since in many cases the attacks did not target a single objective. Taking into account the single objectives would have been nearly impossible and prone to errors (I am doing the timeline in my free time!), so the data reported on the charts refer to the single event (and not to all the targets affected in the single event).
As usual the references are placed after the jump.
By the way, SQL Injection continues to rule (the question mark indicates attacks possibly performed by SQL Injection, where the term “possibly” indicates the lack of direct evidence…).
If you want to have an idea of how fragile our data are in cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Hacktivists and Information Security Professionals could not believe their eyes while reading the breaking news published by Fox News, according to which the infamous Sabu, the alleged leader of the LulzSec collective, has been secretly working for the government for months and played a crucial role in the raids which today led to the arrests of three members of the infamous hacking collective, with two more charged with conspiracy.
You will probably remember that the hacking collective, which in its “50 days of Lulz” became the nightmare of System Administrators and Law Enforcement Agencies all over the Globe, suddenly decided to give up on June the 25th in a completely unexpected way, leaving its supporters and followers completely surprised, but also leaving the legacy of a name which has become a synonym for hacktivism (also because of their pact with Anonymous, with whom they are often associated, in the name of the #Antisec movement).
Even after the group left the scene, Sabu continued to constantly tweet and comment on the events through his “official” Twitter account @anonymouSabu, probably a fake or a diversionary tactic, since it looks like Sabu had already been arrested by the FBI on June the 7th, more than a couple of weeks before the breakdown of the group.
At that time, the hacking group was hunted by Law Enforcement Agencies and several Grayhats as well (among all @th3j35ter, the A-Team and Web Ninjas whose blog, lulzsecexposed.blogspot.com, unfortunately is no longer available).
Curiously, it looks like Sabu had already been “doxed” back then. At that time many claimed to have revealed the identity of the members: there was no day without a new pastebin promising to expose new information. But if you have a look at them, they all have only one thing in common, and it is just the identity of Xavier Monsegur (or Montsegur), also known as Sabu. The truth was very close and before everybody’s eyes: on pastebin.
June, 28th 2011: http://pastebin.com/qmP7R49Y
The real identity of the other members is still not completely known, but it is surely not a coincidence that none of the pastebins was able to guess anyone else except Sabu, who hence was the first to be arrested, well before the rest of the group.
Find here February 2012 Cyber Attacks Timeline Part I.
With a small delay (my apologies but the end of February has been very busy for me and not only for Cybercrooks as you will soon see), here is the second part of my compilation with the main Cyber Attacks for February 2012.
Predictably, Hacktivism is still the main concern for System Administrators, in particular for the ones at Stratfor, who suffered a huge leak of 5 million emails.
On the same front, the threats of Anonymous for the Friday actions have come true, and as a matter of fact Law Enforcement Agencies suffered other remarkable breaches this month: Infragard for the second time and also Interpol (a new entry), which was taken down after the arrest of 25 members of the collective. Anti-ACTA protests also continue to shake Europe, as does the delicate economic and social situation in Greece.
Last but not least, this month has also seen an unforgettable leak, potentially affecting more than 1,000,000 Youporn users.
As usual, the chart does not include the events related to the Middle East Cyber War Timeline, which you may find at this link, as they “deserve” a dedicated timeline.