Category Archives: Cyberwarfare

Mask/Careto Unmasked, Shadowy Spanish Spybots Slink into Sunset

Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states–among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul– the major global players such as the US, Russia, and China have been heavily represented. A new report by Kaspersky has revealed an advanced operation conducted by an as yet unknown but presumably Spanish speaking state. The operation apparently began as early as 2007, and the sophistication of the code has been judged as higher than that seen in programs such as Duqu, Red October or Icefog.

Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for ugly face or mask, it is assumed that the virus writers speak Spanish. The malware was discovered by Kaspersky Lab because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software to hide itself from virus scans. The payload of the program also included a rootkit and a bootkit, employed zero-day exploits and   could infect a variety of 32 and 64 bit systems, including versions for Windows, Mac, and Linux, and possibly Android and IOS used on smartphones.

The campaign seems to have relied on spearphishing to send users to a malicious website which would deploy the modular program. Many of the malicious sites used addresses which impersonated the sites of a number of Spanish and international newspapers, all of which were signed by a valid certificate (albeit a certificate for an unknown (and probably fictitious) Bulgarian company called TecSystem LTD). The setup used on command and control servers for the malware was also designed to deny access to IP addresses that may be used by security researchers, among them Kaspersky Lab.

The entities targeted by the attacks seemed to primarily be in the UK, Brazil and Morocco, though a range of European countries are represented. The discovered targets are also only a limited subset of the possible targeted groups, as the team involved was very effective at covering their tracks, and the given targets in the image above only represent the systems being targeted at the time that Kaspersky made their investigation. However, soon after the operation was discovered, it was shut down, as detailed in the article linked below.

“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”

Dan Gifford- MCySec Media Manager

The Syrian Electronic Army: Mediums of Disinformatics

sea-195x110

“We are just Syrian youths who want to defend their country against the media campaign that is full of lies and fabricated news reports”

The Syrian Electronic Army (SEA) most likely began at least in part as an outgrowth of the Syrian Computer Society (SCS), an internet and information science advocacy group founded by the late Basil Al-Assad in 1989, and later led by Bashar Al-Assad prior to his elevation to the presidency. In 1997 there were only 35,000 computers in the country, two for every thousand people.  The early days of Syria’s acceptance of the internet were marked by significant bureaucratic trepidation, predominantly motivated by concerns of cultural penetration. The opposing camp was urged onward by a recognition that in the face of heavy usage of the internet by other nations, especially Israel, Syrian perspectives were being drowned out. Surveys conducted in 1998 by an early advocate, Dr. Imad Mustafa, found that of 1.5 million documents on the web dealing with Syrian aspects of the Arab-Israeli conflict, 56% had been written by Israeli organizations, 18% by Zionist groups outside of Israel and another 17% were written by US government organizations. On issues rich with nationalistic fervor such as the Golan Heights, the survey found that there were essentially no existing sources or documents on the internet which were benign to Syrian interests, and that 71% of the documents were absolutely hostile to Syrian perspectives. This preoccupation with “correcting” the established media narrative has fed directly into the ethos of the SEA, though they also engage in “punishing” media outlets by propagating false news events.

The personnel evolution of the group can be roughly split into two phases. In the early phase of the group their website from May of 2011, syrian-es.com was hosted by the SCS, and the domain registration pointed to the same group. A later site, sea.sy, was registered with the approval of the SCS. By May of 2013, however, the SCS cut all of these ties and disabled use of the sea.sy site. There may have been significant personnel changes later in the 2011 era, and it is entirely possible that the activists who shared membership in SCS and SEA left at that point. The second phase of the group was much more shadowy, international and varied in their technical aptitude.

The method of attacks has been multi-pronged, from website defacement and redirects, to propaganda posting on facebook, and in some cases campaigns distributing malware (intended to reveal the identity and activity of online actors) against the Syrian Opposition. Recent operations have been heavily focused on compromising social media accounts of news organizations and celebrities.

In April of 2013 SEA conducted spearphishing (directed emails designed to steal user credentials and other data) attacks which resulted in them obtaining control of the Associated Press twitter account, which they used to spread a false story about an explosion at the White House which injured the President.

AP_Tweet_2544300c

The tweet caused a temporary drop in the Dow Jones Industrial Average of over a hundred points, but AP was quickly able to regain control of their twitter account and retract the false story.

Graph_2544313b

This method of attack has proven to be both high profile and high impact, and the group seems to have generally shifted focus onto compromising social media accounts. These compromises have been varied in intent, from posting false information for shock value to pushing propaganda against perceived international enemies of Syria and Al-Assad. This week there has been a compromise of CNN’s twitter account and website, used both to spread propaganda in favor of Al-Assad and to plant a false news story apparently intended to disrupt financial markets. Increasing attempts to manipulate markets may indicate economic motives behind SEA operations, especially if these actions are combined with short-selling, though this connection would require further analysis for confirmation.

CNN hacked syrian-electronic-army-hack-cnn

 

The Syrian Electronic army represents a new type of cyber actor, one which is both a hacktivist group in the vein of Anonymous, and a state sponsored group much like many in operation across the world. However, unlike many hacking groups with state sponsorship, SEA concentrates on propaganda operations instead of espionage for military or economic reasons. In this sense they bear some similarity to groups like the Chinese Honker Union, and Russian hacktivist movements which have surrounded military operations and international controversies in Estonia and Georgia. The funding for the group remains murky. There are allegations that Rami Makhlouf, a billionaire cousin of Bashar Al-Assad, supported the group in leaving Syria and basing their operations in other Arab states, and continues to provide accommodations for group members. There are also rumors that hackers are paid between five hundred and a thousand dollars for successful website compromises.

Dan Gifford – MCySec Media Manager

 

 

DARPA is Trying to Turn Cyberwar Into Child’s Play

DARPA, as expected, is coming up with many new and inventive ways of trying to rethink the cyber security challenges that DOD is plagued with. First they have developed a series of free computer and mobile app based games that, while seemingly innocuous, are actually providing algorithms for solving basic programming vulnerabilities. DARPA is also looking to shift the established system of cyberwarfare practices residing predominantly in the hands of technical experts to a mass-production type operation. This transition project is detailed in Wired’s article This Pentagon Project Makes Cyberwar as Easy as Angry Birds. Bob Dylan was right, “the times they are a-changin”.

- by Ben Volcsko, Research Assistant

FBI Asking Tech Vendors to Install Backdoors

Wickr’s Nico Sell has disclosed in a PCMag article that she was approached by the FBI at a security conference, and that an agent casually asked if she would be willing to install a backdoor for them in her company’s encrypted communication app. Sell refused, saying that even if the claims of the FBI are legitimate, “It was very clear that a backdoor for the good guys is  always a backdoor for the bad guys.”

Wickr’s laudable stance aside, the question remains as to how many other technology companies have been more forthcoming with granting access to state agencies. If an approach is made to every major app developer, how many of the apps on your phone can you trust? And if one is compromised, and has rights to read all information on the machine, is everything else likewise compromised?

Cyber: The Achilles’ Heel of Drones?

As Unmanned Aerial Vehicles (UAVs) continue to advance and play an ever growing role in modern warfare, could cyber vulnerabilities pose a potential pitfall? With drone technology rapidly advancing and allowing for the production of truly autonomous UAVs, concerns over these flying terminators being hacked become more legitimate. Here are a couple of articles to give you a little flavor on the topic. 1) Flying Hacker Contraption Hunts Other Drones, Turns Them Into Zombies, an article by Dan Gooding for Ars Technica released in December, discusses how “hacker drones” are being developed and tested to target and gain control of other UAVs. 2) Hacking the Drone War’s Secret History by Wired details how rudimentary programming and hacking skills can allow access to drone’s communication feeds. Having friendly drones falling into the control of opposition forces is a scary thought.

- by Ben Volcsko, Research Assistant

For All of You Sinophiles Out There…

The Australian Strategic Policy Institute (ASPI) produced a great report on the People’s Republic of China’s cyber intelligence capabilities. Titled Enter the Cyber Dragon: Understanding Chinese Intelligence Agencies, this report is a great starting point for getting a grip on what the PRC is up to in the world of cyber espionage.

- by Ben Volcsko, Research Assistant

Cyber Threats to the Global Oil Supply Chain

The Federation of American Scientists has published a paper detailing threats to the global oil supply chain. Rounding out a list of major regional and geopolitical threats to the global oil infrastructure, the risks of SCADA and other attacks on pipelines, tanker ships, and refineries does seem substantial. The author is a little off base in suggesting that STUXNET type weapons could be used to attack oil systems- the sophistication of oil systems is much less than that seen in the Iranian nuclear enrichment program, and as such a STUXNET level weapon would probably be overkill. Even still, Despite significant vulnerabilities of the often unprotected systems to the internet and other venues of attack, major SCADA attacks have not yet become prevalent. The author is also somewhat mistaken in assessing that groups such as the Syrian Electronic Army could have the capabilities to conduct major SCADA infrastructure attacks. SEA capabilities are simply not on that level, and they have concentrated primarily on hacking email accounts by abusing password resets and other social engineering methods, rather than the technical expertise that would be necessary to deploy custom attack tools on SCADA. These technical quibbles aside, the author is entirely correct in his assessment that the complexity of the logistics operations involved in global oil systems provides a major avenue of attack, and I must agree that these sorts of attacks are waiting over the horizon.

Dan Gifford – MCySec Media Manager

 

The Sunshop Digital Quartermaster – a State Cyber-Espionage Armory?

Cyber-security research firm FireEye has published a new report alleging that there may be a single actor providing important code development resources to as many as 11 separate APT campaigns. All of the tools have been written using a Chinese language character set, pointing to the likely national origin of this tool provider. FireEye alleges that this “Quartermaster” may be something of a digital arms dealer, enabling various APT teams to construct attack tools using point and click interfaces rather than advanced coding skills.

FireEye first discovered the digital breadcrumbs leading to their conclusion while examining the Sunshop water-holing attack which took over legitimate websites and used them to redirect browsers to malware sites. The 11 APT groups that they connected through their investigation were found to share resources in various combinations, among them: Portable executable resources, Pilfered Digital Certificates, API import tables, Compile times, and C2 (Command and Control) Infrastructure. FireEye’s highest confidence assessment is that a “Sunshop Digital Quartermaster” (SDQ) exists which supports a variety of separate APT campaigns as part of a “formal offensive apparatus”. While some of the APT campaigns are also using malware obtained from the digital black market, most of them are heavily reliant on tools which are not available on the criminal internet underground and almost certainly originated with a single source, this “SDQ”.  FireEye does acknowledge that it is still possible that the APT groups simply share these programs informally, but there is substantial evidence that there is a single originating source of the tools within the code examples they have analyzed in the report.

Dan Gifford – MCySec Media Manager

Red October(?) Evolves, Hits Finnish Foreign Ministry

The Red October RAT (Remote Access Tool) which has been extensively analyzed by Kaspersky appears to have continued its development. The Finnish Foreign Ministry has disclosed that they were the victims of a penetration attack going on over four years. The tool used in the attack was specifically described as “not Red October”, however there were similarities.  The research and analysis of the attack is ongoing, but it appears to have first been detected earlier this year. The attack targeted data traffic between the Ministry and the EU, and the Finns have rather nebulously said that they believe “China or Russia” is the originating actor.