Here is the usual compilation of the cyber attacks for the first half of September, a period which has apparently confirmed the revival of hacktivism seen in August.
Several operations such as #OpFreeAssange (in support of Julian Assange), #OpTPB2 against the arrest of The Pirate Bay co-founder Gottfrid Svartholm Warg, and #OpIndipendencia in Mexico have characterized the first half of September. Curiously, hacktivists have also marked this period with a couple of controversial events: the alleged leak of 1 million UDIDs from the FBI (later proven to be fake) and the alleged attack on GoDaddy (later proven to be a network issue, which is why I have not even mentioned it in this timeline). Other hacktivist actions have been carried out by pro-Syrian hackers.
From a cyber crime perspective, two events are particularly interesting (even if quite different): the alleged leak of Mitt Romney’s tax returns and yet another breach of a Bitcoin exchange (Bitfloor), worth the equivalent of 250,000 USD, which forced the operator to suspend operations.
If you want an idea of how fragile our data are in cyberspace, have a look at the timelines of the main cyber attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Fate, it seems, is not without a sense of irony. And this rule also holds for the Infosec Matrix…
Yesterday, while a five-hour outage, due to an alleged DDoS attack initially claimed by Anonymous, left GoDaddy unable to serve millions of websites (panicking millions of Internet users), a digital publishing company named BlueToad came forward to take responsibility for the leak of a million iOS unique device identifiers (UDIDs). You will surely remember that the same infamous collective claimed a few days ago to have stolen the UDIDs from an FBI laptop.
Probably the FBI really had nothing to do with the hack, since yesterday BlueToad admitted (and apologized) that it had been breached and that the UDIDs were stolen in that circumstance.
And as if that were not enough, hour after hour even the alleged cyber attack on GoDaddy took a paradoxical turn: after the initial claims, Anonymous denied responsibility for the action (at first presented as the latest form of protest against GoDaddy’s support for SOPA), and also mocked @AnonymousOwn3r, the alleged author of the attack, who proclaimed himself (sic) “security leader of Anonymous because I’m behind many things such like irc, ops, attacks, and many“.
Now the latest coup de théâtre: there is no IRC bot behind GoDaddy’s outage (as claimed by the alleged author), but a much less romantic series of (unspecified) internal network events that corrupted data tables, apparently “simple” (for those familiar with networking) routing issues.
And that makes two… In the same day, two alleged cyber attacks initially claimed by Anonymous, and then proven to be false. And even if it is not so common to discover two in the same day, fake cyber attacks are becoming quite frequent (think for instance of the alleged hack of Philips, old data leaked in February according to the Dutch giant, and of Sony). Of course the point is not Anonymous; the point is that claiming hacks and leaks (made by others, or worse, totally false) is becoming too simple… Nowadays with Twitter and Pastebin you can (claim to) hack whatever you want (as an example, I often find on Pastebin dumps repeated several times and claimed by different authors).
Maybe it is time to take the news of massive leaks with caution and skepticism.
Yesterday Saudi Aramco issued a public statement declaring that it has fixed most of the damage and restored all its main internal network services affected by the cyber attack (or “malicious virus”, to quote the company’s own term) that occurred on August 15, 2012.
In the same statement, the company unveiled the real extent of the attack, confirming what was reported in my original blog post: the malicious virus originated from external sources and affected about 30,000 workstations (out of a total of 40,000).
The light at the end of the cyber tunnel seems quite close, since the company has stated that the workstations have been cleaned and restored to service. Some restrictions are however still in place: as a precaution, remote Internet access to online resources is still restricted, and the website aramco.com is offline, showing a courtesy page in which the company confirms that all electronic systems are isolated from outside access.
You will probably remember that the attack occurred almost simultaneously with the discovery of the latest malware in the Middle East, Shamoon, tailored to target companies in the energy sector, which was consequently linked closely to the cyber attack on Saudi Aramco. At the beginning, security researchers believed they had found a brand new cyber weapon in the Middle East, but some coding errors found inside the malicious program have convinced the community that Shamoon is not the work of experienced cyber weapon programmers (anyway, I believe that if Shamoon really is the source of Saudi Aramco’s troubles, 30,000 erased computers is a respectable result for a team of amateur programmers).
But if the situation is close to normal, hackers all over the world continue to threaten the company: a couple of days ago, an isolated group posted a new threat to Aramco, announcing a new attack for the 25th of August at 21:00 GMT. Even if the website aramco.com is still offline, this does not seem to be the effect of the latest alleged cyber attack: the hackers have posted today, Monday 29 August (sic), a new statement containing the results of their action (several passwords of internal routers and a couple of accounts), but it appears lame and not very convincing.
The city of Taranto is famous worldwide for its delicious mussels “Tarantina style” with tomato soup, chilli pepper and garlic. Unfortunately in these days Taranto is also the involuntary protagonist of the ILVA affair, a paradoxical situation typical of Italy.
On July 31st, the ILVA steel plant, the largest in Europe, was placed under precautionary judicial seizure, and eight current or former executives were placed under house arrest, as a consequence of an inquiry into environmental pollution. Unfortunately such a decision is leading to heavy consequences for the steel plant workers, who went on the warpath, and for the unions as well, who have announced an indefinite strike.
Such a delicate and complex situation could not be ignored by hacktivists of the infamous collective Anonymous who, in the name of OpItaly & OpGreenRights, yesterday hacked and defaced the Taranto Municipality website and left a message directed to the workers against the steel plant’s activity. The hacktivists have also dumped a portion of a database of Ilva and Riva Group (the corresponding holding) on Pastebin.
This is the latest example of the strict interconnections between the real and cyber worlds, even if such a complex and potentially devastating situation deserves much more in-depth reflection (about national economic strategies and policies) than a “simple” (maybe fashion-motivated) defacement.
Thanks to Cyberwarnews.info for publishing the news.
Cyber War News has just reported the details of a small database leak against Udinese Calcio, one of the oldest and most important Italian “Serie A” football teams (Udinese ended the last Italian season in third place and is going to play the preliminary phase of the prestigious UEFA Champions League).
As far as I remember, this is the first time that a “Serie A” football team gets hacked, and among the remarkable records that Udinese collected during the 2011-2012 season, this is probably the most unwelcome. The leak was performed by norton-z, who exploited an SQL Injection vulnerability on the team’s web site and hence dumped on Pastebin some details including administrative accounts.
If you follow my timelines you will probably have noticed that norton-z has been very active lately, so it looks like he has decided to turn his attention to Italy, and precisely to a football team (in the same days in which the continent is watching the European Championship EURO 2012 in Poland and Ukraine).
If you are wondering whether the leak is somehow related to the recent scandal (AKA Calciopoli AKA Operation Last Bet) which has dramatically hit the Italian football landscape, you will probably be disappointed. According to the author’s Pastebin statement, there is no other reason than fun!
Is it time for football teams to allocate some budget for securing their online services?
Thanks to @Cyber_War_News for the fresh info!
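The Udinese leak is attributed to an SQL Injection flaw on the team's web site. To make concrete why such a bug exposes administrative accounts, and how cheaply it is fixed, here is an added example (not code from the original post, nor from any real site): a constructed in-memory SQLite table standing in for a hypothetical admin users table, a lookup that splices user input into the query text, and the same lookup with a bound parameter. The probe string is a constructed textbook tautology, used only to show the behavioural difference between the two queries.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a web
# site's admin users (hypothetical schema, not the real site's).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO admins VALUES (?, ?, ?)",
        [("webmaster", "hash-1", "admin"), ("editor", "hash-2", "editor")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defect on purpose: the input is spliced into the SQL text, so a quote
    # character in the input changes the structure of the WHERE clause.
    sql = f"SELECT username, role FROM admins WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Bound parameter: the value travels separately from the statement and is
    # always treated as data, whatever characters it contains.
    sql = "SELECT username, role FROM admins WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo() -> dict:
    """Run both lookups on a constructed tautology probe and on a normal name."""
    conn = build_db()
    probe = "x' OR '1'='1"  # constructed probe: turns the WHERE clause into a tautology
    return {
        # Vulnerable query becomes ... WHERE username = 'x' OR '1'='1' and
        # therefore returns every row, including the admin account.
        "vulnerable": lookup_vulnerable(conn, probe),
        # Hardened query looks for a literal user named "x' OR '1'='1" and finds none.
        "hardened": lookup_hardened(conn, probe),
        # Normal usage still works with the parameterized form.
        "legit": lookup_hardened(conn, "webmaster"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened form costs nothing in readability; the fix for a web application is to route every query that touches request data through bound parameters (or an ORM that does so), and to store only password hashes, as the sample table does, so that a dump exposes no reusable credentials.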
As usual, here is the list of the main cyber attacks for April 2012. The first half of the month has been characterized by hacktivism, although the time of the resounding attacks seems far away. Also because, after the arrest of Sabu, law enforcement agencies (which were also targeted during this month, most of all in the UK) made two further arrests of alleged hackers affiliated with the Anonymous collective: W0rmer, a member of CabinCr3w, and two possible members of the infamous collective @TeaMp0isoN.
In any case, the most important breach of the first half of the month has nothing to do with hacktivism: it targeted the health sector and hit the Utah Department of Health, with potentially 750,000 users affected. According to the latest Ponemon study on the cost of a breach ($194 per record), applied to the minimum number of users affected (250,000), the monetary impact could be at least $55 million.
Other interesting events to mention in the observed period are the alleged attack against a Chinese military contractor and the takedown of the five most important al-Qaeda forums. On the hacktivist front, it is worth mentioning a new hijacked call from MI6 to the FBI, but also the alleged phone bombing of the same law enforcement agency. Both events were performed by TeamPoison, two of whose alleged members were arrested the day after.
For the sample of attacks I tried to identify the category of the targets, the category of the attacks, and the motivations behind them. Of course this attempt must be taken with caution, since in many cases the attacks did not target a single objective. Taking into account each single objective would have been nearly impossible and prone to errors (I am doing the timeline in my free time!), so the data reported in the charts refer to the single event (and not to all the targets affected in the single event).
As usual the references are placed after the jump.
By the way, SQL Injection continues to rule (the question mark indicates attacks possibly performed by SQL Injection, where the term “possibly” indicates the lack of direct evidence…).
If you want an idea of how fragile our data are in cyberspace, have a look at the timelines of the main cyber attacks in 2011 and 2012 (regularly updated), and follow @paulsparrows on Twitter for the latest updates.