A data breach appears to have hit White Lodging, a firm which manages hotel franchises for the Marriott, Hilton and Starwood hotel chains. As reported by Brian Krebs, the breach appears to have struck point-of-sale computers in the restaurants and gift shops of a number of hotels managed by the company, harvesting payment card data over a period extending from March 2013 until the end of the year. Krebs was alerted to the breach by a number of fraud specialists at banks who were dealing with the fallout of the resulting card fraud.
A new corporate initiative spearheaded by the White House has assembled a war chest of $750 million through donations from the business sector. The money will be used to ensure that “99 percent” of students receive strengthened access to technology within 5 years.
Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states (among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul), the major global players such as the US, Russia, and China have been heavily represented. A new report by Kaspersky Lab has revealed an advanced operation conducted by an as yet unidentified but presumably Spanish-speaking state. The operation apparently began as early as 2007, and the sophistication of the code has been judged higher than that seen in programs such as Duqu, Red October or Icefog.
Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for an ugly face or mask, it is assumed that the malware authors speak Spanish. The malware was discovered by Kaspersky Lab because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software to hide itself from virus scans. The payload also included a rootkit and a bootkit, employed zero-day exploits and could infect a variety of 32- and 64-bit systems, with versions for Windows, Mac OS X and Linux, and possibly for Android and iOS on smartphones.
The campaign seems to have relied on spearphishing to send users to malicious websites which would deploy the modular program. Many of the malicious sites used addresses which impersonated the sites of a number of Spanish and international newspapers. The malware samples themselves were digitally signed with a valid code-signing certificate, albeit one issued to an otherwise unknown (and probably fictitious) Bulgarian company called TecSystem Ltd, so a signature check alone would not have flagged them. The command and control servers were also configured to deny access to IP address ranges likely to be used by security researchers, among them Kaspersky Lab, which frustrates analysis of the live infrastructure.
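One practical way to hunt for the newspaper-impersonation domains described above is to compare each observed hostname against an allowlist of the brands being impersonated and flag near-misses. The script below is an added example written for this post, not code from Kaspersky’s report or from the Careto operators; the allowlist of newspaper domains and every URL it is run against are constructed for illustration and are not observed Careto infrastructure. It catches four patterns: a wrong top-level domain (elpais.net), the brand buried in a subdomain (elpais.com.example.org), small edit-distance lookalikes (theguardlan.com), and digit-for-letter homoglyphs (e1pais.com).

```python
"""Flag hostnames that impersonate known newspaper domains (added example)."""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist for the example only; a real deployment would load
# the registrable domains of whichever brands it cares about.
KNOWN_DOMAINS = (
    "elpais.com",
    "elmundo.es",
    "publico.es",
    "theguardian.com",
    "washingtonpost.com",
)

# Cheap homoglyph folding so that e1pais or rnundo still match the brand label.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname without port; bare hostnames are accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, impersonated_domain).

    Verdicts: 'legitimate', 'wrong_tld', 'brand_in_subdomain', 'lookalike',
    'no_match'. The registrable domain is taken to be the last two labels,
    so multi-label public suffixes such as co.uk are a known simplification.
    """
    host = host_of(url)
    labels = host.split(".")
    if len(labels) < 2:
        return ("no_match", None)

    # Exact brand or a subdomain of it is fine; check this before any fuzzy rule.
    for known in KNOWN_DOMAINS:
        if host == known or host.endswith("." + known):
            return ("legitimate", known)

    brand, tld = labels[-2], labels[-1]
    folded = brand.translate(_FOLD).replace("rn", "m")

    for known in KNOWN_DOMAINS:
        kbrand, ktld = known.rsplit(".", 1)
        if brand == kbrand and tld != ktld:          # elpais.net
            return ("wrong_tld", known)
        if kbrand in labels[:-2]:                     # elpais.com.evil.org
            return ("brand_in_subdomain", known)
        budget = 1 if len(kbrand) < 6 else 2          # allow more slack for long brands
        if brand != kbrand and levenshtein(folded, kbrand) <= budget:
            return ("lookalike", known)
    return ("no_match", None)


def suspicious(urls: List[str]) -> List[Tuple[str, str, str]]:
    """Keep only the URLs that impersonate a known domain."""
    out = []
    for url in urls:
        verdict, target = classify(url)
        if verdict not in ("legitimate", "no_match"):
            out.append((url, verdict, target))
    return out


if __name__ == "__main__":
    # Constructed sample input: a proxy log's worth of URLs, none of them real Careto domains.
    sample = [
        "https://www.elpais.com/internacional/",
        "http://elpais.net/",
        "http://elpais.com.noticias-hoy.org/update",
        "https://e1pais.com/",
        "https://theguardlan.com/",
        "https://example.org/",
    ]
    for hit in suspicious(sample):
        print(hit)
```

Treat the output as triage, not a block decision: an edit-distance budget of two on a six-letter brand will also flag unrelated legitimate domains (elpaso.com against elpais.com, for example), so hits should be enriched with certificate subject, registration date and hosting data before anyone acts on them.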
The entities targeted by the attacks seemed to be primarily in the UK, Brazil and Morocco, though a range of European countries are represented. The discovered targets are also only a limited subset of the groups that may have been targeted, as the team involved was very effective at covering its tracks, and the targets identified represent only the systems being attacked at the time Kaspersky made its investigation. However, soon after the operation was discovered, it was shut down, as the report quoted below describes.
“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”
Dan Gifford – MCySec Media Manager
The Syrian Electronic Army (SEA) most likely began, at least in part, as an outgrowth of the Syrian Computer Society (SCS), an internet and information science advocacy group founded by the late Basil Al-Assad in 1989 and later led by Bashar Al-Assad prior to his elevation to the presidency. In 1997 there were only 35,000 computers in the country, two for every thousand people. The early days of Syria’s acceptance of the internet were marked by significant bureaucratic trepidation, predominantly motivated by concerns of cultural penetration. The opposing camp was urged onward by a recognition that, in the face of heavy usage of the internet by other nations, especially Israel, Syrian perspectives were being drowned out. Surveys conducted in 1998 by an early advocate, Dr. Imad Mustafa, found that of 1.5 million documents on the web dealing with Syrian aspects of the Arab-Israeli conflict, 56% had been written by Israeli organizations, 18% by Zionist groups outside of Israel and another 17% by US government organizations. On issues rich with nationalistic fervor, such as the Golan Heights, the survey found that there were essentially no existing sources or documents on the internet sympathetic to Syrian interests, and that 71% of the documents were outright hostile to Syrian perspectives. This preoccupation with “correcting” the established media narrative has fed directly into the ethos of the SEA, though the group also engages in “punishing” media outlets by propagating false news events.
The personnel evolution of the group can be roughly split into two phases. In the early phase, the group’s website from May of 2011, syrian-es.com, was hosted by the SCS, and the domain registration pointed to the same organization. A later site, sea.sy, was registered with the approval of the SCS. By May of 2013, however, the SCS had cut all of these ties and disabled the sea.sy site. There may have been significant personnel changes later in 2011, and it is entirely possible that the activists who held membership in both the SCS and the SEA left at that point. The second phase of the group has been much more shadowy and international, and more varied in technical aptitude.
The method of attack has been multi-pronged, from website defacement and redirects, to propaganda posting on Facebook, and in some cases campaigns distributing malware (intended to reveal the identity and activity of online actors) against the Syrian opposition. Recent operations have been heavily focused on compromising the social media accounts of news organizations and celebrities.
In April of 2013 the SEA conducted spearphishing attacks (targeted emails designed to steal user credentials and other data) which gave it control of the Associated Press Twitter account, which it used to spread a false story about an explosion at the White House which had injured the President.
The tweet caused a temporary drop in the Dow Jones Industrial Average of over a hundred points, but AP was quickly able to regain control of its Twitter account and retract the false story.
This method of attack has proven to be both high profile and high impact, and the group seems to have generally shifted its focus to compromising social media accounts. These compromises have varied in intent, from posting false information for shock value to pushing propaganda against perceived international enemies of Syria and Al-Assad. This week there has been a compromise of CNN’s Twitter account and website, used both to spread propaganda in favor of Al-Assad and to plant a false news story apparently intended to disrupt financial markets. Increasing attempts to manipulate markets may indicate economic motives behind SEA operations, especially if these actions are combined with short-selling, though this connection would require further analysis for confirmation.
The Syrian Electronic Army represents a new type of cyber actor, one which is both a hacktivist group in the vein of Anonymous and a state-sponsored group much like many in operation across the world. However, unlike many hacking groups with state sponsorship, the SEA concentrates on propaganda operations instead of espionage for military or economic ends. In this sense it bears some similarity to groups like the Chinese Honker Union and the Russian hacktivist movements which have surrounded military operations and international controversies in Estonia and Georgia. The funding for the group remains murky. There are allegations that Rami Makhlouf, a billionaire cousin of Bashar Al-Assad, supported the group in leaving Syria and basing its operations in other Arab states, and continues to provide accommodation for group members. There are also rumors that hackers are paid between five hundred and a thousand dollars for successful website compromises.
Dan Gifford – MCySec Media Manager
On November 29, 2013 the Federation Council (CF) of the Russian Federation held parliamentary hearings on the draft Concept of Russia’s Cyber Security Strategy. Participants in the hearing, recognizing the significant security implications of the proposed strategy, proposed publishing the draft online for public discussion. The main concerns of the draft concept were gaps in Russia’s overall cyber security posture, the incorporation of both state and private-sector entities, and the establishment of clear incident response models for individuals, businesses and the state.
On January 10, 2014 the CF published a 10-page draft of the Concept of the Russian Federation Cyber Security Strategy and allowed commentators to personally email one of the lead senators overseeing the concept’s development. The senator, Ruslan Gattarov, is the head of the Federation Council Committee on Development of Information Society which established a working group of experts to work on the cyber security strategy a year ago. Several other Russian government organizations also contributed to the final draft, including the Security Council, the Ministry of Communications and Mass Media, the Federal Security Service (FSB), the Ministry of Internal Affairs and the Ministry of Foreign Affairs.
(Pictured Above: Senator Ruslan Gattarov)
However, the FSB criticized the draft strategy, pointing to its use of incorrect terminology: the term “cyber security” as used in Western countries primarily encompasses the protection of equipment and communication channels. The term “information security”, which the FSB insists on, has a broader meaning and includes Internet content.
On January 13 of this year, RBK-TV (currently Russia’s only 24-hour business news television channel) aired a report on cyber security in Russia (2:32 – 9:28) and invited two subject matter experts to express their opinions on the subject. During this broadcast RBK-TV stated that the Concept of the Russian Federation Cyber Security Strategy sets out seven key directions, in particular the improvement of the legal framework in the field of information technology. The authors suggest that crimes committed on the Internet should carry harsher punishment, including criminal prosecution. Furthermore, among the general objectives of the strategy is to increase the “digital literacy” of the population and improve the culture of information security. The strategy also proposes to abandon reliance on foreign software and computers and instead rely on domestic products. However, the strategy does concede that technical support and consultation from foreign experts are still necessary for the protection of strategic resources.
Yuriy Gatchin, Chair of the Computer Security Systems Department at the St. Petersburg National Research University of Information Technologies, Mechanics and Optics (St. Petersburg NRU ITMO), disagrees with the draft strategy’s proposal that Russia still needs outside technical support. Mr. Gatchin argues that there should be no such need of foreign experts, since there are plenty of “competent and smart professionals” within Russia and Russia “needs to rely on its own strength”. Another expert, Artem Kozlyuk, one of the leaders of the Pirate Party of Russia and also the head of the project “RosKomSvoboda”/RuBlackList.Net, sees this document as mostly “focused towards the domestic market”. Kozlyuk clearly identifies the Russian government’s recent pattern of fostering fear and then responding with quick policy solutions issued through the State Duma.
According to Mr. Kozlyuk, responsibility for cyber security should lie with the self-regulation of private companies and organizations, and with individuals policing their own online activities, instead of relying on the government’s implementation of an information blocking directive. Although the draft strategy currently welcomes public suggestions, Mr. Kozlyuk is pessimistic about what influence commentators will have, since there is no legal framework to support any type of publicly determined policy.
“The future of the Internet is blocking, censorship under various pretexts, aggressive defense of copyright, widespread identification and criminal liability for comments. In short, the state, with some delay, has still come to the Internet.”
(Picture Above: Artem Kozlyuk)
“Personally, I think that the next year will be a turning point for Runet (the Russian Internet): either the state will choose the ‘Chinese version’ of Internet regulation, with a ministry of censorship, total information control, burdensome sanctions for Internet business and the introduction of an army of thousands of pro-government bloggers to refute the negative impact of censorship on civil society. Or perhaps our efforts will not be wasted, and the process of integrating adequate public interests and leveling out the negative impact of laws that limit information will begin. I’m not saying that everything will be decided within the next year, but I’m almost certain a direction will be set, and all of us will feel what it is.”
It is difficult to predict whether Russia’s idea will prove successful. The draft Concept will be open for discussion, comments and suggestions for approximately one month. We will have to wait until all the results are in to see whether the final product of this endeavor becomes Russia’s first publicly inspired piece of legislation or simply sputters out of existence.
- by Olga Volcsko, Contributing Researcher
Just in time for your holiday shopping, we are pleased to announce the Highlands Group 2013 Reading List.
Each year the Highlands Group presents a list of books that we would like to call to your attention as noteworthy. We hope that you will find a book on this list to enjoy and spend time with over the holidays or when you are traveling. This year we have a robust stocking full of twenty-one books, including two works of fiction, covering a wide range of topics.
Our panel of distinguished guest reviewers for 2013 includes Lawrence Wright, Pulitzer Prize-winning author for his book, The Looming Tower; Peter Ho, the former Singaporean Secretary of Defence and Secretary of Foreign Affairs; Melanie Greenberg, CEO of the Alliance for Peacebuilding; George Dyson, author and historian of technology; Richard Bookstaber, economist and author; Bob Belden, Grammy-winning jazz composer, arranger and musician; and Ann Pendleton-Jullian, author, architect, and designer.
The arrest of Paunch shut off the flow of updates to the highly popular crimeware infrastructure tool, the Blackhole exploit kit. Since then there have been a number of contenders for the lucrative crown. A new article at Threatpost speaks with analysts at Kaspersky Lab about the prospects for newcomers as they enter the market. Thus far, no single product has shown it can dominate. This may indicate that taking down people like Paunch has a real and lasting impact on the cybercrime milieu.
NASA developed an advanced robot known as Valkyrie that competed in DARPA’s 2013 Robotics Challenge Trials. DARPA hosted the challenge at the Homestead-Miami Speedway in Florida this past December. Eight teams were selected to participate in a series of trials focused on whether each team’s robot could react to common disaster response situations. Sadly, NASA’s Valkyrie performed poorly compared to its peers, being blown out of the water by the Japanese-designed robot SCHAFT. DARPA’s end goal is to promote the advancement of robotics technology and lead interested companies to produce functional automatons that can serve the public good. While this goal is worthy of praise, is this new frontier of technology not also rife with potential vulnerabilities? Not to wear out my Terminator references, but it seems like Skynet is a definite possibility…
- by Ben Volcsko, Research Assistant
As Unmanned Aerial Vehicles (UAVs) continue to advance and play an ever-growing role in modern warfare, could cyber vulnerabilities pose a potential pitfall? With drone technology rapidly advancing and allowing for the production of truly autonomous UAVs, concerns over these flying terminators being hacked become more legitimate. Here are a couple of articles to give you a little flavor of the topic. 1) Flying Hacker Contraption Hunts Other Drones, Turns Them Into Zombies, an article by Dan Goodin for Ars Technica released in December, discusses how “hacker drones” are being developed and tested to target and take control of other UAVs. 2) Hacking the Drone War’s Secret History by Wired details how rudimentary programming and hacking skills can allow access to drones’ communication feeds. Having friendly drones fall under the control of opposition forces is a scary thought.
- by Ben Volcsko, Research Assistant
Techday IT news published this article on its predictions for cyber trends to watch for in 2014. We will see how good its crystal ball really is.
- by Ben Volcsko, Research Assistant