Cross Posted from TheAviationist.
2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only in 2011 the corporate networks of several aviation and aerospace industries have been targeted by digital storms (not a surprise in the so-called hackmageddon) but, above all, last year will be probably remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because in the RQ-170 Sentinel downed in Iran episode, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).
But, if Information Security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current Cyberwar, as the infographic on the left shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.
However, things are about change dramatically. And quickly.
The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communcation equipment and armament.
For instance an F-22 Raptor owns about 1.7 millions od line of codes , an F-35 Joint Strike Fighter about 5.7 millions and a Boeing 787 Dreamliner about 6.5 millions. Everything with some built in code may be exploited, therefore, with plenty of code and much current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specific tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.
Unfortunately it looks like the latter hypothesis is closer to reality since too often these systems are managed by standard Windows operating systems, and as a matter of fact a generic malware has proven to be capable to infect the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and Indian Ocean: Predator and Reaper Drones.
As a consequence, it should not be surprising, nor it is a coincidence, that McAfee, Sophos and Trend Micro, three leading players for Endpoint Security, consider the embedded systems as one of the main security concerns for 2012.
Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.
While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks occurred since the very first hack targeting the F-35 Lightning II in 2009.
Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @pausparrows on Twitter for the latest updates.
As usual the references are after the jump…
Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)
This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.
In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.
As usual after the page break you find all the references.
A week ago, the Office of the National Counterintelligence Executive published a report to Congress concerning the use of cyber espionage to attempt to gain business and industrial secrets from US companies. Easily predictable, the results present a frightening picture!
With no surprise it turned out that the biggest dangers and perpetrators of cyber-espionage operations against American business are China and Russia.
- Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the Intelligence Community cannot confirm who was responsible.
- Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
- Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence tactics. Some of these states have advanced cyber capabilities.
Unfortunately the predictions for the near future are not encouraging: the authors of the report judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.
This is mainly due to three factors: a technological shift with a growing number of devices connected to the Internet (according to a Cisco Systems study, the number of devices connected to the Internet is expected to increase from about 12.5 billion in 2010 to 25 billion in 2015). An economical shift driven by the Cloud Paradigm which requires the information to be ubiquitous and always available and, last but not least, a cultural shift which bring users to a growing use of social media for personal and professional use with a dangerous overlapping.
With these considerations in mind I decided to concentrate on a single table all the attacks with cyber espionage implications reported in 2011 for which China was directly or indirectly (or allegedly) considered responsible. The details (and links) of each single attack can be found on my 2011 Cyber Attacks Timeline Master Index (of course the list does not include the infamous Operation Aurora and the attack to G20 during the French Leadership since these events occurred during 2010).
U.S., Canada, Japan and Korea are among the countries hit by the Cyber Attacks from Far East. The most known attack is for sure the one perpetrated against RSA, whose wake affected several U.S. Contractors. Moreover the same attack was not an isolated episode, but the tip of an iceberg hiding 760 affected organizations worldwide.
Shady Rat and the IMF attack were other noticeable events as also the breach reported against the Cyworld the Korean Social Networks in which 37 million users were affected.
A frightening scenario that also generated some resounding fake attacks during 2011 (do you remember the Renault affair?)
A new cold (cyber)war at the gates?
- Cyber-espionage attempts on US businesses are on rise (arstechnica.com)
A couple of weeks ago, during the RSA Conference in London, Tom Heiser, president of RSA declared that two separate hacker groups already known to authorities were behind the serious breach affecting tbe Security Firm early this year in March, and were likely working at the behest of a government. Heiser also declared that the attackers possessed inside information about the company’s computer naming conventions that helped their activity blend in with legitimate users on the network, concluding that, due to the sophistication of the breach:
“we can only conclude it was a nation-state-sponsored attack.”
In a statement issued after the breach, the Security Firm declared that some information related to their two-factor authentication technology SecurID had been extracted during the attack, and that information could be used, as part of a broader attack, to decrease the effectiveness of the two-factor authentication.
Curiously RSA refused to name the involved nation, so not confirming the suspects directed to China. Regardless of the nation, among Security Professional it was immediately clear that the true target of the attack was not RSA but its customers: SecurID tokens are used by 40 million people in at least 30,000 organizations worldwide to allow secure access to IT systems. So it was not a surprise the fact that few weeks after the breach three Defense Contractor were attacked using compromised seeds, and although in two cases (L-3 Communications and Northrop Grumman) there was no direct evidence of a direct involvement of compromised tokens but only rumors, in one case (Lockheed Martin), RSA admitted the use of compromised tokens and offered to replace the tokens to affected customers.
Today another interesting piece of the puzzle: in his blog Brian Kerbs publishes a list of companies whose networks were shown to have been phoning home (i.e. connect to the C&C Server) to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010. According to the list 760 other organizations had networks compromised with some of the same resources used to hit RSA and almost 20 percent of the current Fortune 100 companies are on this list.
Scroll down the names on the list and you will find many interesting and surprising firms, even if the author correctly advises that:
- Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit;
- It is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims;
- Some of the affected organizations (there are also several antivirus firms mentioned) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.
So at the end, what’s the matter with China? Simple, at the bottom of the article there is a chart reporting the location of more than 300 command and control networks that were used in these attacks. Guess where 299 of them were located…
(Thanks to @MasafumiNegishi for reporting the original blog post).
Update: F-Secure posted in their blog the complete description on how the patient 0 was found: And here it is the infamous “2011 recruitment plan message”.
Have a look to the fake sender: a message from beyond…
Original Post follows:
I am working hard for the August 2011 Cyber Attacks Timeline (stay tuned it is almost ready! Meanwhile you may check the previous ones) while I stumbled upon this very interesting article. Yes, I may say that finally I saw one of the Emails used for spear phishing attacks against RSA customers, using compromised seeds.
As you will probably know everything started on March 17, 2011, when RSA admitted to have been targeted by a sophisticated attack which led to certain information specifically related to RSA’s SecurID two-factor authentication products being subtracted from RSA’s systems.
Of course the sole seed and serial number of the token (the alleged information subtracted) is not enough to carry on a successful attack, so the attacker (whose possible target were presumably RSA customers) had to find a way to get the missing pieces of the puzzle, that is the username and the PIN. And which is the best way? Of course Spear Phishing!
And here the example of a fake spear phishing E-mail targeting one of the One of America’s Most Secret (and Important) Agencies and in the same Time RSA customers:
Likely the same attack vector was utilized against three Contractors (RSA Customers) which were targeted by attacks based on compromised SecurID seeds between April and May (Lockheed Martin, L-3, and Northrop Grumman). What a terrible year for Contractors and DHS related agencies!
By chance today F-Secure revealed to have discovered the patient zero, that is the mail (“2011 Recruitment Plan”) used to convey the APT inside RSA. Someone (who decided to follow the best practices for anomalous e-mails) submitted it to Virus Total, a cloud based service for scanning files, and it looks like that F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files.
The Antisec Typhoon seems unstoppable and has apparently hacked another Defense Contractor. Continuing their campaign against law enforcement agencies and related organizations, driven by the infamous hash #FFFriday, this time they have targeted Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). During the Breach nearly 4,713 emails and thousands of documents were stolen.
According to TechHerald, AntiSec targeted VDI’s website due to their relationship with several law enforcement agencies from Texas and other parts of the U.S., as well as their relationship with the FBI, the DHS, and U.S. Marshals Service. Moreover, with this hack Antisec (in)directly targeted FBI since Richard Garcia is the former Assistant Director in Charge of the FBI’s field office in Los Angeles. To those supporting AntiSec, this alone is reason enough to target VDI and release Garcia’s corporate email to the public.
As usual the attack had been anticipated by an enigmatic and threatening tweet:
The emails were taken after AntiSec breached VDI’s website, based on the popular WordPress platform. According to Antisec source, VDI had two outdated plugins installed on their website, which had its development outsourced to a local marketing company in Texas. Although the person from AntiSec did not disclose the exact method used to access Garcia’s email, he stated that the hack was performed through the VDI website, and that his password was rather weak.
VDI is the responsible for ShadowHawk, an unmanned helicopter that can be tasked with aerial surveillance or equipped for military usage. At its base, the ShadowHawk comes with CCD TV optics, or an upgraded version includes CCD TV optics and FLIR optics. A third version, for military or law enforcement usage only, can be equipped with a single or multiple shot 37 mm or 40mm grenade launcher, as well as a 12g shotgun, and thermal cameras.
The is only the last leak to Defense Contractor, scroll down the list for attacks targeting Defense Contractors in this very troubled year:
| Feb 5
Anonymous hacks HBGary Federal Web Site, copies tens of thousands of documents, posts tens of thousands of emails online and usurps CEO Aaron Baar’s Twitter Account.
| Apr 6
An E-mail dated April 6, sent to 5,000 employees of U.S. Defense Contractor L-3 warns of an attack attempt made with compromised SecureIDs. It is not clear if the attack was successful (it was revelead half a month later). This is in absolute the first attack perpetrated with RSA Seeds.
This is the first known (and the only officially recognized so far) attack perpetrated with compromised SecureID seeds targeting a U.S. Defense Contractor. This Attack was detected before any sensitive information could be stolen. 100,000 accounts were locked as a precaution.
Third U.S. Defense Contractor attacked using Compromised RSA Seeds. Attacked detected before any sensitive data was stolen.
| Jun 3
As part of the FFFriday campaign, LulzSec steals 180 usernames, real names, hashed and plain text passwords, are acquired and posted publicily
| Jul 8
Anonymous attacks IRC Federal and dumps the content of the attack on a torrent available at The Pirate Bay. The dumped content include databases, private emails, contracts, development schematics, and internal documents for various government institutions.
Anonymous attacks consulting firm Booz Allen Hamilton and releases details of internal data including 90,000 military emails and passwords. Estimated cost of the breach is around $5,400,000.00.
The Pentagon reveals to have suffered a breach of 24,000 documents in March, during a single intrusion believed to have been perpetrated by a Foreign Country. As a consequence of the Intrusion, a classified U.S. Military Weapon System will need to be redesigned after specs and plans were stolen during the breach.
| Jul 28
Anonymous hacks Mantech International Corporation, another FBI Contractor, as a consolidated tradition on Friday, and releases details of internal data and documsnts.
| Jul 29
As part of the Antisec operation and in retaliation for the raids and the arrest again alleged Anonymous and LulzSec members, Anonymous attacks 77 U.S. Law Enforcement Institutions, defacing and destroying their servers.
| Aug 1
||PCS ConsultantsAnother U.S. Government contractor, PCS Consultants gets hacked by Anonymous & Antisec. Hackers extract website Database and leak it on the internet via Twitter on Pastebin (as usual!). Leaked Data include Admin’s and 110 users emails, plus passwords in encrypted hashes.||?|
| Aug 16
Antisec targets Richard Garcia, the Senior Vice President of Vanguard Defense Industries (VDI). During the Breach nearly 4,713 emails and thousands of documents are stolen. As consolidated tradtion, the torrent is released on Friday, August the 19th.
|Vulnerability in WordPress Hosting Platform|
- Vanguard Defense Industries compromised by AntiSec (thetechherald.com)
As already suggested, I considered the original 2011 Cyber Attacks Timeline graph by Thomson Reuters not enough complete since it did not show some important attacks occurred during this tremendous 2011. This is the reason why I decided to draw an enhanced version which shows, according to my personal opinion (and metric), the list of 2011 major cyber attacks both for size and impact. Moreover in this version I added the cost of the breaches (where possible), and the alleged kind of attack perpetrated.
All the data were taken from the bulletins or statements released by the victims, or from the tweets released by the attackers.
Costs were calculated, where possible, using the indications from the Ponemon’s insitute: the average cost of a Data Breach is US $214 for each compromised record, if the targeted company decided to respond immediately the cost is around UD $268 for each compromised record, which drops to US $ 174 if the company takes longer to react.
The Total Cost is an incredible number: nearly US $ 18 billion.
Useless to say, Sony achieves rank #1 with US $ 13.4 billion. In this unenviable chart, Epsilon gains the second place with an estimated cost for its breach, of US $ 4 billion.
The others breaches, although not comparable with the previous ones, if summed, allow to achieve the grand total.
Even if smaller in size, and apparently in importance, I decided to insert in the chart also the attack to Comodo Certificates, happened in March, the 24th. In this annus horribilis, it came immediately after the RSA affaire and it has decreed, together with the RSA breach, the fall of the modern bastions of Strong Authentication (in few days tokens and certificates have proved to be vulnerable). Moreover I consider the message of the author a memorable declaration of Cyberwar. On the trail of the RSA breach the wave of attacks towards US contractors is noteworthy as well.
Hackers focused on Media Sites (Fox, PBS, Sony, Sony BMG), with a clear message against censorship (and probably the neverending problem of copyright). Interesting the second attack to PBS made to show the poor skill of LuzSecs by Warv0x, one of their enemies. In the last part of June Videogame industry was the preferred target (also Epic suffered a breach) with different intentions: LulzSec attacked Nintendo and Bethesda (the second attack resulted in data breach for the victim), but offered to avenge Sega (the manufacturer of Dreamcast), after the disastrous breach.
Direct attacks to governments focused essentially on LOIC based DDoS, albeit some infamous breaches to related sites (as in case of Infoguard/FBI and NATO) lead to Data Breaches.
Last but not least, please notice the intense activity from LulzSec in their intense “50 days of living dangerously”, just before the sudden dissolution of the group happened on June, the 25th.
- What do RSA, Epsilon and Sony breaches have in common? (paulsparrows.wordpress.com)
- It was only a matter of time… (paulsparrows.wordpress.com)
- More Random Thoughts on the RSA Breach (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)