Recent Activity from The European Cyber Army (ECA)

Intelligence Analysis, the threat monitor for Recorded Future, detailed recent attacks and events linked back to The European Cyber Army (ECA) in a recent article. The group has also been linked to several campaigns against U.S. banks in recent months. Additionally, large-scale Syrian web outages have also been traced back to the ECA as of March.

European Cyber Army Logo

For those interested in seeing what other groups remain active in Europe, outside of Crimea, be sure to follow this group.

Summary of 2013 Malware Development

HackSurfer just released a summary on malware development for 2013 based on the formal report from Panda Labs. Here are some of the key points from the summary:

  • Almost 32% of computers across the world found infected with malware.
  • There were 82,000 different malware strains that emerged in 2013.
  • Android Platforms remained the primary target for cyber criminals with nearly two million android based malware being created in the year of 2013.
  • Trojans were the biggest contributor in 2013 with 71.11% of all new malware.
  • The growth of new malware strains rose to 13.3% versus 9.67% in 2012 year.
  • China remained the most infected country in 2013 with 54.0% ratio.
  • Sweden was on the last position with least malware-infected countries.
  • 20% of all malware were created in the year of 2013.
  • The most popular virus families were Sality and Xpiro.
  • 30 million new malware variants were created in 2013.

2014 Prediction about Imminent Threats:

  • New malware variants can hit the market in 2014 that will compel to implement strong security parameters in organizations.
  • Java vulnerability will remain in 2014 due to countless security flaws and its high usage in the world.
  • Users will fall victim to cyber culprits due to social engineering techniques.
  • Android platform will remain on the top in malware spreading.
  • Ransomware malware will be on the top position in 2014 than Trojans and Botnets.
  • Corporate culture has to think beyond traditional antivirus product.
  • Hackers can target internet-connected device (Internet of Things) for attack purpose.

Turkey Thrashes Twitter, Leaks put Gov in a Twist

Amid deepening corruption scandals in Turkey, the Turkish Government has shut down access to a number of social media outlets, most recently Twitter, after Twitter failed to comply with their demands to censor links to wiretapped conversations of the inner circle which seem to provide evidence of corruption. Prime Minister Erdogan was unfazed by condemnation of this move, saying “the international community can say this, can say that. I don’t care at all. Everyone will see how powerful the Republic of Turkey is”.


Commerce Dept. Cans ICANN

The US Government is winding down their participation in the Internet Corporation for Assisgned Names and Numbers (ICANN). ICANN’s duties include setting policies for domain names, top level domains, and controlling the root nameservers that are the backbone of the Domain Name Service, which is a distributed registry that translates addresses entered into a web browser from something like to a machine readable address (in this case While much hay has been made by certain political personalities, among them Moonbase Commander Newt Gingrich, about this loss of control by the US to an undefined international community, this move has been planned for a significant amount of time, and the transition of ICANN towards a more global regulatory system will occur under a planned framework.

There was another possible path for the governance of the DNS and addressing systems, that being the ITU, which would have been overseen by the UN. However, as every nation would have had a vote in that situation, and the number of nations which would like to see substantial control instituted and widespread surveillance authorized is almost certainly greater than those who (at least publicly) would like to see a free and open internet. Many nations saw this as problematic, among them the US and Russia, which has lent significant weight to the process being adopted now of reforming ICANN and reducing US Government influence. That said, the existing system was no longer sustainable, especially in the wake of the Snowden leaks which revealed wide ranging activities by the US Government, activities which have done significant damage to the moral authority which is the foundation of governance.

Pursuing ICANN as a regulatory body for the future is an example of the use of the Multistakeholder governance model, which will essentially give regulatory control to a number of major internet and technology companies, and Internet civil society groups. A presentation on the application of this model in ICANN may be found here.


Dan Gifford, MCySec Media Manager

Point of Sale Target’ed, Millions of Credit Cards Scraped.

Early in December rumors began bouncing across cyberspace that retail giant Target had been hit in an extensive cybercrime scheme, wherein point of sale devices, (read here cash registers) had been infected with a program designed to steal credit card details. The attack seems to have been concentrated on the “Black Friday” sale after Thanksgiving, one of the busiest shopping days of the year. Since then a number of the stolen credit cards have been cloned and sold online, and retailers and credit card companies have been sent scrambling to contain the damage.

More details about the specifics of the breach have become available as time goes on. Security journalist Brian Krebs, who broke the story and has been a driving force in the public exposition of the damage, has revealed the method used by the attackers to penetrate into Target’s network. The attackers sent spearphishing emails to a subcontractor who had access to parts of Target’s internal networks, Fazio Mechanical, and used the access credentials they gained within this heating, ventilation and air conditioning company to break into the Target network.

The breach potentially exposed millions of consumer credit cards, and many have shown up for sale on forums within the deep web. In response to the scale of the breach, hearings have been held in Congress on methods to prevent similar breaches in the future. One proposed method is to transition to smartcard technologies over the 1960′s era magnetic strips that currently employed.

Hotels May Become New Data Breach Point

A data breach appears to have hit White Lodging, a firm which manages hotel franchises for the Marriott, Hilton and Starwood Hotel chains. As reported by Brian Krebs, The breach appears to have struck computers in the restaurants and gift shops of a number of hotels managed by the company over a time period extending from March 2013 until the end of the year, collecting credit card information. Krebs was alerted to the breach by a number of fraud specialists working in banking who were dealing with the fallout of the credit card frauds.

Mask/Careto Unmasked, Shadowy Spanish Spybots Slink into Sunset

Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states–among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul– the major global players such as the US, Russia, and China have been heavily represented. A new report by Kaspersky has revealed an advanced operation conducted by an as yet unknown but presumably Spanish speaking state. The operation apparently began as early as 2007, and the sophistication of the code has been judged as higher than that seen in programs such as Duqu, Red October or Icefog.

Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for ugly face or mask, it is assumed that the virus writers speak Spanish. The malware was discovered by Kaspersky Lab because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software to hide itself from virus scans. The payload of the program also included a rootkit and a bootkit, employed zero-day exploits and   could infect a variety of 32 and 64 bit systems, including versions for Windows, Mac, and Linux, and possibly Android and IOS used on smartphones.

The campaign seems to have relied on spearphishing to send users to a malicious website which would deploy the modular program. Many of the malicious sites used addresses which impersonated the sites of a number of Spanish and international newspapers, all of which were signed by a valid certificate (albeit a certificate for an unknown (and probably fictitious) Bulgarian company called TecSystem LTD). The setup used on command and control servers for the malware was also designed to deny access to IP addresses that may be used by security researchers, among them Kaspersky Lab.

The entities targeted by the attacks seemed to primarily be in the UK, Brazil and Morocco, though a range of European countries are represented. The discovered targets are also only a limited subset of the possible targeted groups, as the team involved was very effective at covering their tracks, and the given targets in the image above only represent the systems being targeted at the time that Kaspersky made their investigation. However, soon after the operation was discovered, it was shut down, as detailed in the article linked below.

“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”

Dan Gifford- MCySec Media Manager

The Syrian Electronic Army: Mediums of Disinformatics


“We are just Syrian youths who want to defend their country against the media campaign that is full of lies and fabricated news reports”

The Syrian Electronic Army (SEA) most likely began at least in part as an outgrowth of the Syrian Computer Society (SCS), an internet and information science advocacy group founded by the late Basil Al-Assad in 1989, and later led by Bashar Al-Assad prior to his elevation to the presidency. In 1997 there were only 35,000 computers in the country, two for every thousand people.  The early days of Syria’s acceptance of the internet were marked by significant bureaucratic trepidation, predominantly motivated by concerns of cultural penetration. The opposing camp was urged onward by a recognition that in the face of heavy usage of the internet by other nations, especially Israel, Syrian perspectives were being drowned out. Surveys conducted in 1998 by an early advocate, Dr. Imad Mustafa, found that of 1.5 million documents on the web dealing with Syrian aspects of the Arab-Israeli conflict, 56% had been written by Israeli organizations, 18% by Zionist groups outside of Israel and another 17% were written by US government organizations. On issues rich with nationalistic fervor such as the Golan Heights, the survey found that there were essentially no existing sources or documents on the internet which were benign to Syrian interests, and that 71% of the documents were absolutely hostile to Syrian perspectives. This preoccupation with “correcting” the established media narrative has fed directly into the ethos of the SEA, though they also engage in “punishing” media outlets by propagating false news events.

The personnel evolution of the group can be roughly split into two phases. In the early phase of the group their website from May of 2011, was hosted by the SCS, and the domain registration pointed to the same group. A later site,, was registered with the approval of the SCS. By May of 2013, however, the SCS cut all of these ties and disabled use of the site. There may have been significant personnel changes later in the 2011 era, and it is entirely possible that the activists who shared membership in SCS and SEA left at that point. The second phase of the group was much more shadowy, international and varied in their technical aptitude.

The method of attacks has been multi-pronged, from website defacement and redirects, to propaganda posting on facebook, and in some cases campaigns distributing malware (intended to reveal the identity and activity of online actors) against the Syrian Opposition. Recent operations have been heavily focused on compromising social media accounts of news organizations and celebrities.

In April of 2013 SEA conducted spearphishing (directed emails designed to steal user credentials and other data) attacks which resulted in them obtaining control of the Associated Press twitter account, which they used to spread a false story about an explosion at the White House which injured the President.


The tweet caused a temporary drop in the Dow Jones Industrial Average of over a hundred points, but AP was quickly able to regain control of their twitter account and retract the false story.


This method of attack has proven to be both high profile and high impact, and the group seems to have generally shifted focus onto compromising social media accounts. These compromises have been varied in intent, from posting false information for shock value to pushing propaganda against perceived international enemies of Syria and Al-Assad. This week there has been a compromise of CNN’s twitter account and website, used both to spread propaganda in favor of Al-Assad and to plant a false news story apparently intended to disrupt financial markets. Increasing attempts to manipulate markets may indicate economic motives behind SEA operations, especially if these actions are combined with short-selling, though this connection would require further analysis for confirmation.

CNN hacked syrian-electronic-army-hack-cnn


The Syrian Electronic army represents a new type of cyber actor, one which is both a hacktivist group in the vein of Anonymous, and a state sponsored group much like many in operation across the world. However, unlike many hacking groups with state sponsorship, SEA concentrates on propaganda operations instead of espionage for military or economic reasons. In this sense they bear some similarity to groups like the Chinese Honker Union, and Russian hacktivist movements which have surrounded military operations and international controversies in Estonia and Georgia. The funding for the group remains murky. There are allegations that Rami Makhlouf, a billionaire cousin of Bashar Al-Assad, supported the group in leaving Syria and basing their operations in other Arab states, and continues to provide accommodations for group members. There are also rumors that hackers are paid between five hundred and a thousand dollars for successful website compromises.

Dan Gifford – MCySec Media Manager



Russia Crowdsourcing It’s Cyber Security Strategy: Clever Experiment or Solicitation of Internet Restriction Freedoms?

On November 29, 2013 the Federation Council (CF) of the Russian Federation held parliamentary hearings on the draft of the Concept of Russia’s Cyber Security Strategy. Participants of the hearing, recognizing the significant security implications of the proposed cyber security strategy, offered to submit the draft online for public discussion. The main concerns of the draft concept were gaps in the overall cyber security posture for Russia, incorporation of both state and private-sector entities, and establishing clear incident response models for individuals, businesses and the state.

On January 10, 2014 the CF published a 10-page draft of the Concept of the Russian Federation Cyber Security Strategy and allowed commentators to personally email one of the lead senators overseeing the concept’s development. The senator, Ruslan Gattarov, is the head of the Federation Council Committee on Development of Information Society which established a working group of experts to work on the cyber security strategy a year ago. Several other Russian government organizations also contributed to the final draft, including the Security Council, the Ministry of Communications and Mass Media, the Federal Security Service (FSB), the Ministry of Internal Affairs and the Ministry of Foreign Affairs.

(Pictured Above: Senator Ruslan Gattarov)

However, the FSB criticized the draft strategy pointing out the use of incorrect terminology: the term “cyber security” as used in western countries primarily encompasses the protection of equipment and communication channels. The term “information security”, which the FSB insists on, has a broader meaning and includes Internet content.

On January 13 of this year, RBK-TV, (currently Russia’s only 24-hour business news television channel), aired a report on Cyber Security (2:32 – 9:28) in Russia and invited two subject matter experts to express their opinions about the subject. During this broadcast RBK-TV stated that the Concept of the Russian Federation Cyber Security Strategy offers seven key directions, in particular, the improvement of the legal framework in the field of information technology. The authors suggest that for crimes committed on the Internet, there should be harsher punishment, including criminal prosecution. Furthermore, among the general objectives of the strategy is to increase “digital literacy” of the population and improve the culture of information security. The strategy also proposes to abandon the need of foreign programs and computers and instead rely on domestic products. However, the strategy does concede that technical support and consultation from foreign experts is still necessary for the protection of strategic resources.

Yuriy Gatchin, Chair of the Computer Security Systems Department at the St. Petersburg National Research University of Information Technologies, Mechanics and Optics (St. Petersburg NRU ITMO) disagrees with the draft strategy’s proposal that Russia still needs outside technical support. Mr. Gatchin argues that there should be no such need of foreign experts since there are plenty of “competent and smart professionals” within Russia and that Russia “needs to rely on its own strength”.  Another expert, Artem Kozlyuk, one of the leaders of the Pirate Party of Russia and also the head of the project “RosKomSvoboda“/RuBlackList.Net, sees this document as mostly “focused towards the domestic market”. Kozlyuk clearly identifies the Russian government’s recent trend of fostering fear and then responding with quick policy solutions issued through the State Duma.

According to Mr. Kozlyuk, cyber security responsibility should lie on private companies’ and structures’ self-regulation as well as individuals self-policing their online activities instead of relying on the government’s implementation of an information blocking directive.  Although the draft strategy currently welcomes public suggestions, Mr. Kozlyuk is pessimistic about what influence the commentators will have since there is no legal framework to support any type of publicly determined policy.

In a separate interview with Systemnyi Administrator / System Administrator, Mr. Kozlyuk offers his outlook on the future of Russian Internet:

“The Future of the Internet – is blocking, censorship under the pretext, aggressive defense of copyright, widespread identification and criminal liability for the comments. In short, the state, with some delay, but still came to the Internet”.

(Picture Above: Artem Kozlyuk)

“Personally, I think that the next year will be a turning point for Runet (Russian Internet): either State will choose “Chinese version” of Internet regulation with the Ministry of censorship, total information control, burdensome sanctions for Internet business and the introduction of thousands of army pro-government bloggers to refute negative impact of censorship on civil society. Or perhaps our efforts will not be wasted, and the process of integrating adequate public interests and the leveling of the negative impact of laws to limit the information will begin. I’m not saying that everything will be decided within the next year, but I’m almost certain a vector will be given, and all of us will feel what it will be”.

It is difficult to predict if Russia’s idea will prove to be successful. The draft of the Concept will be accessible for discussion, comments and suggestions for approximately one month. We will have to wait until all the results are in to see whether the final product of this endeavor will become Russia’s first publicly inspired piece of legislation or simply sputter out of existence.

- by Olga Volcsko, graduate student at the Monterey Institute of International Studies