What are the real ISIS capabilities in the cyber domain?
Any ISIS activities become a hot topic after destructive events organized by the Islamic State (IS) during 2015. The whole world is concerned about ISIS plans and afraid of another bloody attacks.
One of the most discussed topic is the Islamic State offensive capabilities in the cyber space. In 2015 various organizations were hit by a number of cyber-attacks allegedly launched by IS hackers. Nevertheless, some cyber security experts presume that a sophisticated group of Russian hackers stands behind the attacks against a French TV station in April 2015 and the hijacking of the CENTCOM Twitter account in January 2015. Anyway, let’s have a look at the timeline of cyber-attacks that are related to ISIS in 2015. Investigate the Infographic. We will appreciate your opinion regarding ISIS cyber capabilities.
During January 2016 we will publish our annual Cyber Threat Intelligence report, in which you could find fascinating information regarding ISIS cyber activities, recent developments in the Russian underground, technical analysis of self-developed malicious tools that we identified this year, new trends in Darknet platforms, and more.
The short answer to this question is another question – does it really matter? What is more important is their ever-growing desire and motivation to obtain and develop offensive capabilities in cyber-space.
There has been debate among security experts on this matter since the Islamic State (IS) started operating in the cyber domain. On the one hand, some argue that IS hackers have already proven their ability to launch successful cyber-attacks and now they are attempting to carry out meaningful attacks against critical infrastructures (with no success thus far).
On the other hand, an emerging theory suggests that attacks previously associated with IS were actually perpetrated by a sophisticated group of Russian hackers. In other words, the alleged attacks against a French TV station in April 2015, the hijacking of the CENTCOM Twitter account in January 2015 and others were the work of a Russian APT group, and not the IS-affiliated “Cyber Caliphate.”
But again – does it really matter? We can say with a high degree of certainty that IS as a terror organization is trying to develop cyber capabilities. We received a strong indication of this trend in late August 2015, when a US drone strike killed a British IS cyber expert.
Even before that, in early 2014, we had heard of so-called cyber operations conducted by the Al-Qaeda Electronic Army (AQEA, or AQECA – the Al-Qaeda Electronic Cyber Army) against US government websites.
We assess that at the moment IS hacking entities (such as “Cyber Caliphate” or the Islamic Cyber Army – ICA) do not have high technical capabilities. That said, we should not underestimate the Islamic State’s attempts to develop an offensive cyber capability. An analysis of IS publications reveals a clear increase in the motivation of IS-inspired hackers to wage attacks against high-profile Western targets.
A concerning development in this aspect would be indications of the purchasing of attack tools and malware from highly sophisticated cyber criminals. Taking into consideration the clear intentions expressed by IS in relation to executing cyber-attacks against the West, such tools could be directed at critical infrastructures, sensitive organizations, government agencies and more.
By Dori Fisher, VP Intelligence Solutions
Information security (“cyber security”) has rapidly evolved in recent years, and as a result, we need to reinvent and redefine concepts that were once considered clear and concepts that have not yet been addressed. One of these concepts is cyber threat intelligence, or CTI.
Market Guide for Security Threat Intelligence Services, a Gartner paper from October 2014, lists 27 companies in its CTI category. These include two very different Israeli companies, Check Point, known originally for its firewalls, and SenseCy, which is known for its intelligence.
Yet one-dimensional market categories do not reflect the specific activities of various companies. In other words, CTI, like DLP (data leakage protection) and other terms, is implemented in various ways and expresses different needs. Sometimes, with all the marketing hype, words lose their meaning. One of the biggest challenges with “CTI” is that it refers to intelligence when what is actually delivered is information.
What is Intelligence?
Intelligence, according to the FBI, is “information that has been analyzed and refined so that it is useful to policymakers in making decisions.”
Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice.”
The common thread in definitions of intelligence is that it is information analyzed to create value.
Stages of Cyber Intelligence
Cyber intelligence, like classic intelligence, consists of a number of major processes:
Developing sources: Where do you look and how do you get there? (For example, how do you become a member of a closed Indonesian carding forum?)
Collection: What do you look for and how do you find information? (For example, using various languages, automatic or manual tools, etc.)
Filtering and aggregation: Filtering and combining bits of information.
Analysis: Understanding the information and its value.
Conclusions and deliverables: Insights about the information analyzed and packaging of the information.
Computers have proven themselves efficient at collecting, aggregating, and filtering intelligence. However, human beings are still better at developing high-quality sources, analyzing, and drawing conclusions – despite the great promise of various analytic technologies.
Intelligence vs. Information
Many of the deliveries called intelligence (or CTI) are in fact, information.
Examples are information collection by means of honey pots, attack servers, network forensics, social networks, Internet networks not accessible through a Google search (the Deep Web), or networks requiring special browsing software (the Dark Web).
Without information collection there would be no intelligence, but the mere act of collection from one source or another does not make the information “intelligence.”
For example, a quote from a closed group that is planning to attack a certain bank on Christmas is important information, but the modus operandi, the tools to be used, the ability to actually carry out the attack, and the likelihood that the attack will take place is important intelligence.
Cyber Intelligence as a Nail and Information Security Tools as a Hammer
Psychologist Abraham Maslow noted that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”
In the ancient world, when Joshua sent spies into Jericho, his tools were mainly between his ears, and the intelligence took form accordingly. Today, with firewalls, information security management systems, data leak prevention, and endpoint protection, we sometimes confuse intelligence with technological information like IP addresses and signatures that can be inserted into the products that we buy.
The technological information is the delivery but not the essence.
High-quality intelligence can sometimes also be expressed in technological deliveries, but the quality of intelligence can be measured based on the ability to act upon it, whether by updating firewall rules or redefining strategy or tactics in regard to a certain topic.
Anthem Inc., the second largest health insurer in the US, has suffered a security breach to its databases. According to media reports, the breached database contains information from approximately 80 million individuals. Although medical records appear not to be in danger, names, birthdays, social security numbers, email addresses, employment information and more have been compromised.
Anthem described the hacking as a “very sophisticated attack,” and the company reported it to the FBI and even hired a cyber security firm to help with the investigations. However, the extent of the stolen data is still being determined. In addition, there is no concrete information regarding the perpetrators and the modus operandi (MO) of this cyber-attack.
In February 2014 we wrote that cyber criminals are shifting their focus from the financial industry to the healthcare industry, which has become an easier target. Healthcare records contain a wealth of valuable information for criminals, such as social security numbers and personal information. This information can sometimes prove more valuable than credit card numbers, which the financial industry is working hard to protect.
In 2013, at least twice as many individuals were affected by healthcare data breaches than in the previous year, owing to a handful of mega-breaches in the industry. According to a cyber security forecast, published at the end of 2013, the healthcare industry was likely to make the most breach headlines in 2014. However, it appears that 2014 was the year in which American retailers suffered massive data breaches (Home Deopt, Staples, Kmart, and of course Target at the end of 2013).
We should consider the Anthem hack as a warning sign for all of us – the healthcare industry might be the prime target for cyber criminals in 2015. We already know that PPI (Personally Identifiable Information) and PHI (Protected Health Information) sales on black markets continue to rise. Such underground marketplaces are being used as a one-stop shop for identity theft and fraud. Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Here at SenseCy, we monitor on a daily basis the usage of breached medical information on Underground forums and the Darknet platforms.
We believe that this industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.
Written and prepared by SenseCy’s Cyber Intelligence analysts.
Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.
This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.
The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: firstname.lastname@example.org
Below are several of our insights regarding cyber activity this past year:
- The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
- In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
- This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
- Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.
The Past Year on the Russian Underground
In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.
The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.
The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):
Key Trends Observed on the Russian Underground this Past Year
Trojan Horses for the Financial Sector
Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.
In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.
This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.
This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.
Additional trends and insights are detailed in the full report.
Written by Tanya Koyfman
Instead of spending days and nights coding, crypting and modifying the malware to avoid AV detection, the underground market offers to sign it by a digital certificate issued for a legitimate entity.
While monitoring our Russian-speaking sources, we identified a Russian forum member offering code signing certificates issued by one of the largest CAs for sale.
The forum thread was opened on a Russian password-protected forum that serves as an illegal platform for cybercrime related discussions. On the forum, one can find sales of financial malware, stolen databases and exploits, as well as technical discussions regarding hacking and programming.
The post about the sale of certificates was initially published two months ago, and the topic is still updated regularly. In the first message, the post author offered one certificate for sale in exchange for almost $1000. According to the seller, the certificate can be used to sign exe files. Forum members who are interested in purchasing are requested to connect via Jabber (an instant messaging service based on XMPP protocol, highly popular among Russian cybercriminals).
The next day, the author published another post claiming that the certificate had been sold. He said that he could obtain 1-2 certificates per week, and that if there was a demand he could get his hands on also driver signing certificates.
The thread also included feedback messages from buyers, who testified that the certificates were useful in avoiding AV detection, but only for a specific malware infection. In a case of a mass distribution of malware programs, the certificate would be cancelled within days.
During the forum discussion, the seller mentioned that signing an exe file by certificate helped avoid detection by all AV pro-active detection mechanisms, except for one. He also clarified that the certificates could be used for .exe, .dll, .jar and .doc files, but not for .sys files (drivers).
To date, after almost two months of sales, at least 7-10 certificates have been sold (providing a profit of $10,000 for the seller).
Taking into account that the above forum member has regular access to legitimately issued certificates from one of the top five Certificate Authorities (CA) in the world, the above case is probably only the tip of a slippery slope. We may soon witness an increase in malware distribution attacks based on using genuine code signing certificates. The $1,000 paid for the certificates is an incredibly low price for the hacker to pay, compared to the large sums of money he can earn using these certificates in his attacks. While we do not know the precise origin of the certificates (a breach in an organization that purchases certificates, a breach in a reseller supplying the CA certificates or simply an “illegal” reselling or legally purchased certificates), the volume of certificates that the seller is supplying is reminiscent of the DigiNotar case.
The Case of DigiNotar (July-August 2011)
DigiNotar was a Dutch Certificate Authority company owned by VASCO Data Security International. DigiNotar went bankrupt following a security breach that resulted in the fraudulent issuing of CA certificates on September 3, 2011. DigiNotar hosted a number of CA’s and issued certificates including default SSL certificates, Qualified Certificates and ‘PKIoverheid’ – government accredited certificates.
In August 2011, a rogue certificate for *.google.com signed by DigiNotar was revoked by several Internet user browsers in Iran. Fox-IT conducted an investigation of the events in their report ‘Operation Black Tulip’ and found that a total of 531 fraudulent certificates had been issued. They identified around 300,000 requests to google.com with IPs originating from Iran that used the rogue certificate before it was revoked. The attack lasted nearly six weeks.
The compromised IP users might have had their emails intercepted, and their login cookie could have been intercepted making the attacker able to enter their Gmail accounts and all other services offered by Google. Having access to the e-mail account, the attacker is also able to reset passwords of other services with the lost password button. Fox-IT further examined the hacking tools and found some of them to be amateurish and some very advanced, some were published hacking tools and some specifically developed.
The #OpSaveGaza Campaign was officially launched on July 11, 2014, as a counter-reaction to operation “Protective Edge”. This is the third military operation against Hamas since the end of December 2008, when Israel waged operation “Cast Lead”, followed by operation “Pillar of Defense” in November 2012.
These military operations were accompanied by cyber campaigns emanating from pro-Palestinian hacker groups around the world. #OpSaveGaza was not the only recent cyber campaign against Israel, but it is the most organized, diverse and focused. During this campaign, hacker groups from Malaysia and Indonesia in the East to Tunisia and Morocco in the West have been participating in cyber attacks against Israel.
The Use of Social Networks
Hacktivist groups recruit large masses for their operations by means of social networks. Muslim hacker groups use mostly Facebook and Twitter to upload target lists, incite others to take part in cyberattacks and share attack tools.
The #OpSaveGaza campaign was planned and organized using these two social media platforms. The organizers of the campaign succeeded in recruiting tens of thousands of supporters to their anti-Israel ideology.
When examining the types of attacks perpetrated against Israeli cyber space, it appears that this campaign has been the most diverse in terms of attack vectors. It not only includes simple DDoS, defacement and data leakage attacks, but also phishing (even spear-phishing based on leaked databases), SMS spoofing and satellite hijacking (part of the Hamas psychological warfare), in addition to high-volume/high-frequency DDoS attacks.
Furthermore, these attacks have been much more focused as the attackers attempt to deface and knock offline governmental websites, defense contractors, banks and energy companies. Simultaneously, a large number of small and private websites were defaced (over 2,500) and several databases were leaked online.
Motivation and the Involvement of other Threat Actors
The motivation for waging cyberattacks against Israel during a military operation is clear. This is not the first time that a physical conflict has had implications on the cyber sphere. However, we believe that other factors are contributing to the cyber campaign. In July 2014, the Muslim world observed the month of Ramadan, a holy month in Muslim tradition. There are two significant dates in this month – “Laylat al-Qadr” (the Night of Destiny), the night the first verses of the Quran were revealed to the Prophet Muhammad; and “Quds Day” (Jerusalem Day), an annual event held on the last Friday of Ramadan and mentioned specifically by Iran and Hezbollah. We identified an increase in the number of attacks, as well as their quality, surrounding these dates.
Last year, several days before “Quds Day” a hacker group named Qods Freedom, suspected to be Iranian, launched a massive cyber operation against Israeli websites. In other words, we believe that not only hacktivist elements participated in this campaign but also cyber terrorism units and perhaps even state-sponsored groups from the Middle East.
To summarize, this campaign was far better organized than the recent cyber operations we experienced in 2009 and 2012 alongside physical conflicts with Hamas. We have seen changes in several aspects:
- Improvement in attack tools and technical capabilities
- Information-sharing between the groups (targets, attack tools, tutorials)
- The involvement of hacker groups from Indonesia in the East and Morocco in the West.
- Possible involvement of cyber terrorism groups
- Well-managed psychological warfare and media campaign by the participating groups
The scope and manner in which this campaign was conducted shows improved capabilities of the perpetrators, which is in-line with Assaf Keren’s assessment of the evolution of hacktivist capabilities.
Written by Gal Landesman
In recent years, insurance companies have been finding themselves affected by the rising number of major incidents of cyberattacks. On the one hand, this trend presents a business opportunity for selling cyber insurance to organizations concerned about protecting their sensitive assets. On the other hand, insurance companies are not excluded from the cyber battlefield, as they hold large amounts of sensitive information regarding their clientele and are therefore targeted by cyber criminals. Moreover, data breaches that occur in the insurance industry are more difficult to detect than credit card information theft because clients check their bank accounts more frequently.
(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Insurance Industry”. If you are interested in receiving the full report please write to: email@example.com).
Cyber insurance is a service much sought-after by many companies today. Most fear the bad PR in the wake of a cyberattack, the cost of dealing with the Data Protection Commissioner and handling affected clients. The financial burden and threat of reputation damage caused by downtime and data leakage are becoming more noticeable. Companies in industries such as healthcare, financial services, telecommunications and online retails now realize that cyber insurance is essential to minimize potential financial impact.
Some insurance companies selling cyber insurance have reported up to 30% increase in sales over the last year. This type of insurances typically covers such things as exposure to regulatory fines, damages and litigation expenses associated with defending claims from third parties, diagnostic of the source of the breach, recovering losses and reconfiguring networks.
The cyber insurance market is fast-growing with a value of EUR one billion annually in the U.S. and EUR 160 million annually in the E.U., where it has been adopted at a slower rate.
Insurance Company Data Breaches
Insurance companies are now selling cyber insurance to organizations – ironically making them more vulnerable to attack as they withhold valuable information about organizations and people.
Lately, regulators have been focusing their efforts on insurance companies that can sometimes hold very sensitive information on their customers, such as PII (Personally Identifiable Information) and PHI (Protected Health Information). The New York State Department of Financial Services sent out a survey in 2013 to insurance companies asking them about their cyber security policy. Insurance companies hold not only information on regular people, but they also hold sensitive and valuable information on their corporate customers. Insurers hold sensitive information on companies across a variety of industries.
The risks are evident in the following examples of reported data breaches of insurance companies:
- Aviva Insurance company suffered a data leak disclosing information and car details to third party companies, by two of their workers.
- The Puerto Rican insurance company Triple-S Salud (TSS) suffered a data breach and its management was fined $6.8 million by the Puerto Rico Health Insurance Administration.
- In October 2012, Nationwide insurance provider was hacked, compromising the personal information of 1.1 million customers.
Not only is the insurance sector suffering from the aforementioned threats, but insurance companies are apparently also facing threats from their competitors in the industry, who are going after their data in commercial espionage, employing hacking techniques. According to a report released by The Independent, SOCA – the British Serious Organized Crime Agency – suppressed reports revealing that law firms, telecom giants and insurance companies routinely hire hackers to steal information from rivals. According to the report, a key hacker admitted that 80% of his clientele were law firms, wealthy individuals and insurance companies.
Selling Insurance Information on the Underground Black Market
PPI (Personally Identifiable Information) and PHI (Protected Health Information) sales on the underground continue to rise.
Several underground marketplaces include the selling of information packages containing “verified” health insurance credentials, bank account numbers/logins, SSN and other PPI. According to Dell SecureWorks, these packages are called “fullz” – an underground term for the electronic dossier on individuals used for identity theft and fraud, and they sell for about $500 each.
Such underground marketplaces can be used as a one-stop shop for identity theft and fraud. Health insurance credentials are sold for about $20 each and their value continues to rise as the cost of health insurance and medical services rise.
Written by Yotam Gutman
When the cannons roar, the muses stay silent (but the hacktivists hack).
As we reported last week, operation “Protective Edge” instigated a flurry of activity by Muslim hacktivists, targeting Israel. In the following post we will review the activities which took place so far and try to characterize them.
Attackers can by divided into three types: individuals, hacktivist groups and cyber terror organizations. Individuals usually join larger campaigns by hacktivists groups and show their support on social media sites.
Hacktivist groups taking a stance make extensive use of Facebook as a “command and control” platform. The largest “event” dubbed #OpSaveGaza was created by Moxer Cyber Team, a relatively new group who probably originated from Indonesia whose event page has 19,000 followers.
The event included many lesser known Islamic groups, mainly from Indonesia, who did not participate in previous campaigns against Israel. Another event page by the Tunisian AnonGhost announced that the attack will include 38 groups from around the Muslim world. The campaign is planned to continue until the 14th of July.
Cyber terror organization in the form of the SEA (Syrian Electronic Army and ICR (Islamic Cyber Resistance) have not officially declared their participation in the campaign but have waged several high profile attacks, such as hacking into the IDF spokesman blog and Twitter account (SEA) and leaking a large database of job seekers (ICR).
The participants in this campaign use similar tools as previous campaigns – Generic DDoS tools, SQLi tools, shells and IP anonymization tools.
Results (Interim Summary)
#OpSaveGaza campaign included to date mainly defacement attacks (about 500 sites have been defaced), DDoS attacks of minor scale and some data dumps. Two interesting trend we’re seeing are recycling older data dumps and claiming it to be a new one, and posting publicly available information which was allegedly breached.
We estimate that these activities will continue until the hostilities on the ground subside, with perhaps more substantial denial of service or data leak attempts.