Tag Archives: cybersecurity

Who is Afraid of Shamoon? How to Wipe a Country Off the Face of the Earth

Suspected Iranian hackers infiltrated critical infrastructure and government computers in the Persian Gulf nation of Bahrain in July-August  2019, raising fears among leaders in the region that Tehran is stepping up its cyberattacks amid growing tensions…Hackers broke into the systems of Bahrain’s National Security Agency—the country’s main criminal investigative authority—as well as the Ministry of Interior and the first deputy prime minister’s office, according to one of the people familiar with the matter.

On July 25, 2019 Bahrain authorities identified intrusions into its Electricity and Water Authority. The hackers shut down several systems in what the authorities believed was a test run of Iran’s capability to disrupt the country, the person said. “They had command and control of some of the systems,” the person said.  The breaches appeared broadly similar to two hacks in 2012 that knocked Qatar’s natural-gas firm RasGas offline and wiped data from computer hard drives belonging to Saudi Arabia’s Aramco national oil company, a devastating attack that relied on a powerful virus known as Shamoon.  Bahrain is the smallest country in the Persian Gulf, but it is strategically important because it’s the permanent home of the U.S. Navy’s Fifth Fleet and Navy Central Command. It is closely allied with its much larger neighbor, Saudi Arabia, a regional rival of Iran.

The Bahrain authorities haven’t definitively attributed the attack to Iran, but they have been provided intelligence by the U.S. and others suggesting Iran is behind it, the people familiar with the matter said….“In the first half of 2019, the Information & eGovernment Authority successfully intercepted over 6 million attacks and over 830,000 malicious emails. The attempted attacks did not result in downtime or disruption of government services,” 

Excerpt from High-Level Cyber Intrusions Hit Bahrain Amid Tensions With Iran, WSJ, Aug. 7, 2019

Cyber-Attacks on South Korea 2009-2013

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded. The study by the firm McAfee  (Dissecting Operation Troy: Cyberespionage in South Korea) stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated attacks, including efforts to wipe away traces that could lead to detection.  “The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group,” said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea’s military intelligence agency was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks….

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.  “One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets,” Walter said.  The report said the attacks, known first as Dark Seoul and now as Operation Troy were “more than cybervandalism… South Korean targets were actually the conclusion of a covert espionage campaign.”  McAfee concluded that two groups claiming responsibility for the attack were not credible.  “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.  He added that up to now, the cyber espionage effort “has been very successful in being under the radar” and that “what we see now was a more visible activity that is coupled with a distraction campaign.”

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.”The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools,” the report said.  “Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009… We call this Operation Troy, based on the frequent use of the word ‘Troy’ in the compile path strings in the malware.”  McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that temporarily took a number of its official websites offline.  It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test in February.

South Korean cyber attacks tip of the iceberg: McAfee, Associated Press, Agence France Press, July 10, 2013

The Secret Bugs: Exploits

Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal”.

Just a dozen years ago the buying and selling of illicit exploits was so rare that India’s Central Bureau of Investigation had not yet identified any criminal syndicates involved in the trade, says R.K. Raghavan, a former director of the bureau. Underground markets are now widespread, he says. Exploits empower criminals to steal data and money. Worse still, they provide cyber-firepower to hostile governments that would otherwise lack the expertise to attack an advanced country’s computer systems, worries Colonel John Adams, head of the Marine Corps’ Intelligence Integration Division in Quantico, Virginia.

Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard’s founder, describes some of the exploits sold as “weaponised”. The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.

More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out “what we’re allowed to do offensively”.Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.

Exploits are a form of knowledge, expressed in computer code. Attempting to stop people from generating and spreading knowledge is futile, says Dave Aitel, a former computer scientist at America’s National Security Agency (NSA) who went on to found Immunity, a computer-security firm in Florida. He says that legal systems would not even agree on which code is good and which is bad. Many legal experts say code should be protected by free-speech laws—it is, after all, language expressed as strings of zeros and ones.

Moreover, tracking down exploits is hard. Hackers keep them secret so that the intended victim doesn’t identify and fix the vulnerability, thereby rendering the exploit worthless. As a French exploit developer puts it, those liable to be rapidly detected are about as useful as a “disposable gun” that can be fired just once. Secrecy surrounding the design, sale and use of exploits makes protecting computer networks from them akin to finding “unknown unknowns”, says Kenneth Geers, a cyber-security specialist at America’s Naval Criminal Investigative Service.

Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran’s nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after “planting sabotage charges at exactly the right place” in Iran’s uranium-enrichment centrifuges, Mr Lindahl says.

Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France’s army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating “diamonds as pebbles”, says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France’s defence ministry to provide it with exploits.

The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. They vary greatly, depending on three main factors: how hard the exploit is to develop; the number of computers to which it provides access; and the value of those computers. An exploit that can stealthily provide administrator privileges to a distant computer running Windows XP, a no-longer-fashionable operating system, costs only about $40,000. An exploit for Internet Explorer, a popular browser, can cost as much as $500,000 (see chart).

Software firms also buy exploits to identify and repair vulnerabilities in their products before others take advantage of them. A small Vancouver firm called Tarsnap, for example, has paid 30 people who pointed out flaws in its encryption software for online PC backups. To develop better defences for its clients’ computer systems, HP, an American giant, has spent more than $7m since 2005 buying hundreds of “zero days”, as undiscovered exploits are also known in hacker slang. (Once discovered, an exploit’s days are numbered, literally: it becomes a “one day”, then a “two day”, and so on until the vulnerability it exploits is patched.)

Such “bug bounty” schemes, however, will struggle to compete with buyers who want to exploit rather than seal vulnerabilities. Tarsnap’s biggest payout was just $500. Last year Google offered Vupen, a French firm, $60,000 for an exploit that burrowed into its Chrome browser. Vupen’s boss, Chaouki Bekrar, balked, noting that he could get more elsewhere.

Other reputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America’s spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a “new battle domain”, says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups.

On March 12th the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction.

Developing exploits in-house reduces the risk that a double-dealing vendor will resell code meant to be exclusive. Even so, the trade isn’t likely to fade away. When developers work out a trick that gives them control over the targeted software, they like to yell out a celebratory “who’s your daddy?” notes Pierre Roberge, boss of Arc4dia, a Quebec firm that sells exploits to spy agencies. Exploit trading will continue as long as people pay big money for the opportunity to utter the same joke—this time at the expense of a victim who has been hacked.

Cyber-security: The digital arms trade, Economist, Mar. 30, 2013, at 65.

Cyberwar: Attacking the Pipelines

The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyberinfiltration of supervisory control and data acquisition (SCADA) systems could allow successful “hackers” to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations.

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector. The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines…. While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways:

• Pipelines in the United States have been the target of several confirmed terrorist plots and attempted physical attacks since September 11, 2001.

• Changes to pipeline computer networks over the past 20 years, more sophisticated hackers, and the emergence of specialized malicious software have made pipeline SCADA operations increasingly vulnerable to cyber attacks.

• There recently has been a coordinated series of cyber intrusions specifically targeting U.S. pipeline computer systems.

• TSA already has statutory authority to issue cybersecurity regulations for pipelines if the agency chooses to do so, but it may not have the resources to develop, implement, and enforce such regulations if they are mandated….

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. The incidents drew new attention to an Al Qaeda video obtained in 2011 by the Federal Bureau of Investigation (FBI) reportedly calling for “electronic jihad” against U.S. critical infrastructure.  These cybersecurity events coupled with serious consequences from recent pipeline accidents have heightened congressional concern about cybersecurity measures in the U.S. pipelines sector.

Excerpt, Paul W. Parfomak, Pipeline Cybersecurity: Federal Policy, CRS Report for Congress, Aug. 16, 2012