In March 2013, a hacker group called the “Tunisian Cyber Army” (TCA) claimed that it, in coordination with the al-Qaeda Electronic Army (AQEA, also referred to as AQECA – al-Qaeda Electronic Cyber Army), had hacked several U.S. government websites.
The attackers stated that they were assisted by “Chinese hackers.” In addition, the groups claimed that these attacks were in preparation for #OpBlackSummer, a cyber campaign designed to target U.S. websites between May and September 2013.
Regardless of the authenticity of these attacks, we clearly see the increased motivation of AQ-affiliated cyber units to wage attacks against Western targets. We would not be at all surprised to see sophisticated AQ attacks in the near future. We can assume that they are developing cyber attack tools, or even worse – purchasing advanced tools from the underground black market.
In September 2013, the Global Islamic Media Front (GIMF) – a propaganda organization associated with AQ – posted an encryption program for mobile phones on jihadi forums. The program is called Tashfeer al-Jawwal, or Mobile Encryption, and the GIMF described it as the “first Islamic encryption software for mobiles.”
The release was prefaced by an introduction from renowned jihadi ideologue Abu Sa’ad al-A’mili, who promised that the program would be a qualitative move for secure communications between jihadists and a surprising shock to the enemy. It should be mentioned that the GIMF provided a description of the program on their website, as well as tutorials in Arabic, English, Indonesian and Urdu.
In December 2013, the exclusively online AQ propaganda distributor, the al-Fajr Media Center, published a new encryption program called Amn al-Mujahid (“Security of the Mujahid”) on jihadi forums, accompanied by a 28-page instructional manual. Al-Fajr said that AQ’s Technical Committee sought to develop an encryption program equipped with the latest technology that would enable the user to use advanced encryption standards.
Although these developments are merely versions of available programs, the steady introduction of programs such as these reveals jihadi interest in cyber security and cyber warfare.
Hackers are creative people. Everybody knows that. They have to be technically creative in order to outsmart security mechanisms, perform their antics and get away without being caught (sometimes). But artistic creativity? Not the first thing we associate with hacking. However, after witnessing their creative works of art, we felt compelled to share these with you.
So you are welcome to enjoy the works of the “Russian classical painters”, the “surrealist hacktivists designers” and the “Iranian masters”:
Recent years have witnessed an increase in the number of cyber attacks against the energy sector. This sector’s main vulnerability is its reliance on ICS/SCADA systems, which have been a cause of serious concern for the security community in recent years.
The Oil and Gas Industry is considered a privileged target for different adversaries such as nation-state actors, cyber terrorists, hacktivists and even cyber criminals that sell stolen sensitive data in the underground market. In 2012, for example, energy companies were targeted in 41% of the malware-attack cases reported to the US Department of Homeland Security (DHS). Moreover, vulnerabilities in this industry have skyrocketed 600% since 2010, according to data reported in NSS Labs’ Vulnerability Threat Report.
Here are some examples of significant attacks pertaining to the energy sector:
In August 2012, Saudi Aramco was hit by a computer virus that wiped data from 30,000 computers. Although the attack did not have an impact on oil production, it disrupted Saudi Aramco’s internal communications. The virus, termed ‘Shamoon’, was inserted into the company’s network via a USB stick. The US government has blamed Iran for the attack, and Secretary of Defense Leon Panetta stated that it was “probably the most destructive attack that the private sector has seen to date”.
On June 20, 2013, the hacktivist collective Anonymous launched a cyber operation dubbed #OpPetrol, which planned to target various oil companies around the world. The operation was not a success, but it emphasized the fact that the oil and gas industry represents an attractive target for attackers with different agendas and motivations, including sabotage, cyber espionage, financial, political, and more.
In Tunisia the hacker group Tunisian Cyber Army (TCA) is joining forces with the Electronic Army of al-Qaeda (AQEA). The groups had already carried out cyber attacks against Western targets and they definitely pose an emerging threat in the cyber domain.
We believe that the threat to the Oil and Gas industry will grow in the near future, as the hunt for vulnerabilities in SCADA systems has intensified. A couple of weeks ago it was reported that Kaspersky experts discovered a Java version of the Icefog espionage campaign that targeted at least three US oil and gas companies. According to Symantec, the energy sector was the second most targeted vertical in the last six months of 2012, with only the government/public sector exceeding it, at 25.4 percent of all attacks. With millions of threats of varying complexity experienced by the industry on a weekly basis, it is not surprising that by 2018 the oil and gas industry will be spending up to $1.87 billion on cyber security.
Recent years have witnessed an increased awareness within the worldwide security community of risks related to cyber attacks against critical infrastructures. ICS/SCADA systems have been a particular cause of concern for the security community, owing to Stuxnet, Flame and other cyber threats. As automation continues to evolve and assumes a more important role worldwide, the use of ICS/SCADA systems is likely to increase accordingly.
In this post I would like to present an analysis of several cyber incidents pertaining to ICS/SCADA systems and originating from threat elements in the Middle East.
Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility
On January 2, 2014, the Cryptome.org website (a digital library host) published a message from the Iranian hacker group Parastoo, directed at the American authorities. The message headline connects the group to a “military-style” attack on an electric power station, the PG&E Metcalf substation, in California, U.S.A. on April 16, 2013. The connection to the Iranian group is unclear, despite the fact that Parastoo has mentioned that it has been testing national critical infrastructures using cyber vectors.
On April 16, 2013, an undetermined number of individuals breached the PG&E Metcalf power substation in California and cut the fiber-optic cables in the area around the station. The act neutralized some local 911 services and temporarily disrupted cell phone service in the area. The perpetrators also fired shots from high-powered rifles at several transformers in the facility. Ten were damaged and several others shut down.
It should be noted that there have been several attacks against different infrastructure facilities in the U.S. in the past year, such as the Arkansas power grid. Furthermore, officials conceded that the electric power industry is focusing on the threat of cyber attacks.
The Iranian hacker group Parastoo first emerged on November 25, 2012, when they posted a message announcing they hacked into the International Atomic Energy Agency (IAEA) and leaked personal details of its officials. In February 2013, Parastoo claimed to have stolen nuclear information, credit card information, and the personal identities of thousands of customers, including individuals associated with the U.S. military, that work with IHS Inc., a global information and analytics provider.
The Syrian Electronic Army Hacks into Israeli SCADA Systems
On May 6, 2013, the cryptome.org website reported a successful attack by the “Syrian Electronic Army” (SEA) on a strategic Israeli infrastructure system in Haifa. In an email sent to the website, the attack was declared to be a warning to decision-makers in Israel, evoking alleged Israeli Air Force (IAF) attacks on Syrian territory at the beginning of May 2013. The claim of responsibility for the attack was accompanied by a .pdf file with screenshots substantiating the cyber attack.
Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did, however, reveal that the attackers had targeted the irrigation control system of Kibbutz Sa’ar, near Nahariya. Control of this system would present the hacker with numerous capabilities, among which is the destruction of the agricultural yield.
We also noticed that the time shown on the screenshot indicated the end of April 2012. It is possible that the system clock was incorrectly set, but it is more likely that the system was breached a year ago and the published “Retaliatory Strike” was retained as a contingency plan for exactly such an attack by Israel.
The Syrian Electronic Army posted a denial via its Twitter account, stating that it was not behind the attack. On other occasions, this Twitter account has been used as a platform for claims of responsibility, but in this case the attack is not mentioned there, nor on the group’s official website or forums (apart from the denial). It should be noted that there are numerous examples of fictitious claims of responsibility intended to conceal the modus operandi (MO) of state-sponsored hacker groups.
This incident is another link in a chain of events demonstrating an impressive ability to locate and exploit SCADA systems that appear to be susceptible to the Muslim hackers’ skills. However, in our view, this event is unprecedented. For the first time in public, a critical computerized infrastructure facility on Israeli soil has been attacked, and it is extremely likely that a sovereign state is behind the attack, declaring outright war in the cyber arena and moving beyond the intelligence-gathering plateau.
Jihadist Cyber Terror Group to Target SCADA Systems
On June 11, 2011, a prominent Web Jihadist from the Shumukh al-Islam forum, Yaman Mukhaddab, launched a campaign to recruit male and female volunteers for a new Electronic Jihad group. The campaign, which takes place over the thread itself, begins with a clear definition of the group’s tasks and priorities. Mukhaddab says:
Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel powers, specifically the U.S., the U.K. and France, no others. This base is not going to attack, for instance, the sites of Shi’a, Christians, apostates, slanderers, liar sites and forums or anything else. I repeat: it will only target the U.S., the U.K. and France.
Mukhaddab goes on to list the main targets for future attacks. SCADA systems are ranked as a top priority target, in order to “destroy power, water and gas supply lines, airports, railway stations, underground train stations, as well as central command and control systems” in these three countries. The second priority includes control systems of general financial sites, such as central savings organizations, stock markets and major banks. Third on the group’s agenda are websites and databases of major corporations dominating the economies of these countries, while fourth and last are less specified “public sites affecting the daily routine of citizens, in order to maximize the terror effects on the population”.
Mukhaddab details the desired skills of anyone wishing to join the group, including: thorough understanding of SCADA systems, preferably with experience in hacking them; acquaintance with writing hacking programs and scripts, and programming in C, C+ and C++ languages; expertise in networks, communication protocols and various kinds of routers and firewalls, specifically mentioning CISCO; expertise in Linux or Unix operating systems; expertise in Windows operating system; capability of detecting security vulnerabilities; acquaintance with hacker websites, capability of entering them easily, searching for required scripts, tools, or software, and providing them to fellow members, if asked to; complete mastery of English or French scientific language, and scientific background in computer engineering; mastery of the Russian language; and mastery of the Chinese language. Members who want to volunteer are asked to post a response in the thread, specifying the categories that fit their capabilities.
To date, close to a hundred volunteers have already signed on to Mukhaddab’s Electronic Jihad group. We have yet to see indications that this newly formed group has started to engage in online hacking activity, but given the enthusiasm it created among forum members, this is likely to occur in the near future.
The technology industry loves buzzwords, and its offspring, the IT industry, is no different: “Cloud computing”, “Big data”, “Analytics”, “XX-As-a-Service (XaaS)”… it seems that some marketing wizard invents a new phrase and almost instantly the industry adopts it and uses it to such an extent that within months it has become a trend, and everybody follows suit, adapting their offerings accordingly. Then comes the day when somebody else invents a new, sexier phrase, and everything shifts again. Most of the time it is hard to assess whether the new trend is actually meaningful as such and will establish itself as mainstream or even core technology, or whether it is simply being enjoyed as a novelty, soon to be forgotten. The side effect of this cycle is that people in the industry are tiring of buzzwords and are becoming more and more skeptical when “The new, innovative concept” is marketed to them. The general public is even less interested – most only care about new technologies and concepts when they have been proven and incorporated into fully productized gadgets and applications.
And now, following the widely publicized breaches of large retail chains, everyone is talking about Cyber Security, and the question arises – is this just one more buzzword? Not at all, but some mistake it to be so, for several reasons.
First of all, although it appears to be a very young industry, cyber security is not new at all. In fact, it has been incorporated into our lives for over two decades, but under different names – information security, anti-virus etc.
Secondly, it is not a single-faceted industry but a very diverse one comprising older segments – encryption, anti-virus, firewall etc., as well as newer ones: mobile, biometric identification and intelligence.
Although many startups are developing new products, the market as a whole is mature and profitable. The general notion is that cyber companies are run by 20-something-year-olds in their garages, while in fact the young enterprises are fully seeded companies with solid business plans, and the larger companies are huge multinationals (and since the market is consolidating, there are now fewer but much larger players).
So why is it that this vast industry appears so young that it can be mistaken for a passing trend?
In absolute terms, it is relatively young – established in the 1980s (although by technology standards it can be considered old, much older than the mobile or cloud technologies that it protects today). Also, up until the latest “rebranding”, it was not something most people noticed. IT security sounds boring, and because everything functioned smoothly, no-one worried about how the encryption worked or how viruses were stopped. Fast-forward to today and every news item seems to be entangled in cyber: Snowden and the NSA, the Adobe breach, the Target breach, the international arms race between the U.S., China and Russia – all involve cyber. And since the adoption of Internet and mobile technology, we are all much more exposed to the threat emanating from this world – be it the theft of our personal details or the monitoring of our online activities by various entities. And here’s the good part – the industry is not idle. In fact, it acknowledges the need to evolve to mitigate evolving threats and it is doing so at an extremely rapid pace, trying to come up with solutions for securing things that were not even dreamed of when the first anti-virus was developed. So no, this whole “Cyber” thing is definitely not just another trend. It is here to stay and will accompany us for many years to come. And that is a good thing – since the cybercriminals of the world are DEFINITELY here to stay.
It’s getting kind of hard to ignore all the buzz surrounding bitcoins these days. The cryptocurrency, which allows users to convene peer-to-peer (P2P) monetary transactions with a significant degree of anonymity, has exploded in value, currently hovering around $900 per bitcoin, leading many to speculate about the long-term viability and implications of cryptocurrencies in general. However, lost amid the debate is serious discussion over the next logical step in the evolution of encrypted P2P currencies: the eventual weaponization of the cyber-coin.
Bitcoin itself has already become a favorite among cyber-criminals. Whether laundering money, selling drugs (remember Silk Road?) or procuring the services of a hit man, the ability to anonymously carry out monetary transactions over the Internet has made online crime both easy and relatively risk free. This, and the fact that at least 2,600 stores accept bitcoins worldwide (as do the Sacramento Kings basketball team) according to Robert J. Samuelson of the Washington Post, has led to the massive inflation in Bitcoin’s value, and has attracted investors looking for an easy payday.
Like any good idea, Bitcoin has also attracted numerous imitations, which have resulted in cryptocurrencies ranging from the very serious to the bizarre. For example, Litecoin is a cryptocurrency almost identical to Bitcoin that purports to incorporate three main improvements over the Bitcoin software. In contrast, Dogecoin plays off the popularity of the “Doge” meme, which was rated 2013’s meme of the year, while the Coinye cryptocurrency uses the likeness of rapper and pop-culture icon Kanye West to market its brand (West’s lawyers are still attempting to shut the coin down). According to Charlotte Lytton of the Daily Beast, there are at least 71 types of cryptocurrencies out there, some of which are suspiciously reminiscent of the old Wall Street pump-and-dump scheme.
Enter Allahcoin. This P2P Islamic currency offers similar software to Bitcoin, but with a couple of modifications. One new feature is that for every Allahcoin mined, 10% will be donated to the Muslim Brotherhood foundation. This coin not only offers a brand new cryptocurrency, but an easy and anonymous way for users to donate to their favorite Islamist organization!
The Muslim Brotherhood does not fit the traditional definition of a terrorist organization. However, it may not be long before jihadist groups with ties to the Brotherhood, or similar-minded groups, catch on to the advantages of the nascent cryptocurrency technology. Although, as for criminals, fundraising and money laundering are the most obvious benefits for such groups, it is possible that terrorists could one day weaponize their own cryptocurrency.
How would a weaponized cryptocurrency work? It is hard to say exactly, but current abuses of alternative cryptocurrencies may hint at an answer. For instance, some currencies are designed in a way suspiciously similar to pump-and-dump schemes. An attacker could disperse a virus-laced currency in an identical fashion at the investment scheme’s pump phase. After sufficiently spreading the currency, the attacker could activate a trigger, spreading a virus through users’ virtual wallets. Depending on the type of attack, the virus could expose users’ identities, neutralize their virtual wallets, rip off their accounts, or steal information from their networks. In a worst case scenario, terrorists may target tech contractors and infect their computers and online accounts via the currency, thus increasing the possibility of the virus transferring to their clients’ networks (similar to how the Stuxnet virus may have been transferred to an Iranian nuclear facility, according to Ralph Langner writing in Foreign Policy).
Just as P2P file sharing through software such as Limewire and eMule eventually became natural habitats for the spread of viruses, it is likely that cryptocurrencies will one day be weaponized. The question is not if, but when the first attacks will occur, who will be behind them, and how much damage will they cause.
Lately, we have been hearing an awful lot about the Internet of Things (IoT).
What this buzzword describes is a world where every device is connected to the Web and communicates with other devices, and us humans, usually via Smartphone interface.
And, to a certain extent, this is an everyday reality, even today – smart TVs, printers, thermostats, and other home appliances are connected to the Web via wireless communication and receive orders from their owners who are often miles away. And, sure enough, this trend has not been overlooked by hackers.
Since each such device now has a unique IP address, Internet connectivity and the ability to send and receive packets of information, hackers can (in theory) connect to them, infect them with malware and use them to send traffic – basically anything that can be performed with a regular PC. Evidence that such schemes are being planned and implemented is growing rapidly.
Security research firm Proofpoint recently announced that they discovered that hackers broke into more than 100,000 gadgets – including TVs, multimedia centers, routers, and at least one fridge – and used the appliances to send out more than 750,000 malicious emails between December 23, 2013 and January 6, 2014 (I guess asking for a Smart TV for Christmas wasn’t such a good idea after all…).
So, while the (now-growing) popular belief that such appliances can be hacked, tinkered with and turned into malicious machines attacking their human masters is not true, it is very likely that they will be used for all kinds of cyber crime, from sending SPAM and spreading malicious files to participating in DDoS attacks (these are, after all, robots).
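What the Proofpoint case boils down to, from a defender’s point of view, is a device that has no business sending e-mail suddenly opening SMTP connections to many outside hosts. The following is an added example written for this post (it is not code from Proofpoint or from the original article): it parses a handful of constructed NetFlow-style records from a home network and flags any host that is not a known mail relay but is talking to several external SMTP servers. The addresses, the relay allow-list and the threshold are all assumptions for illustration.

```python
"""
Added example: detect "appliance turned spam relay" behaviour in flow logs.
A host that is not an approved mail relay and opens outbound SMTP sessions
to several distinct destinations is reported. All data below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: str      # timestamp of the flow record
    src: str     # internal source address
    dst: str     # external destination address
    dport: int   # destination TCP/UDP port
    proto: str   # "tcp" or "udp"


# Constructed flow records for a small home segment. 192.168.1.45 stands in
# for a smart TV that has started relaying mail; 192.168.1.10 is the
# household's legitimate mail server; 192.168.1.77 submits one message.
SAMPLE_FLOWS = """\
2014-01-03T10:01:05 192.168.1.20 93.184.216.34 443 tcp
2014-01-03T10:01:07 192.168.1.45 203.0.113.10 25 tcp
2014-01-03T10:01:08 192.168.1.45 203.0.113.11 25 tcp
2014-01-03T10:01:09 192.168.1.45 198.51.100.7 25 tcp
2014-01-03T10:01:10 192.168.1.45 198.51.100.8 25 tcp
2014-01-03T10:01:12 192.168.1.10 203.0.113.50 25 tcp
2014-01-03T10:02:00 192.168.1.77 203.0.113.60 587 tcp
2014-01-03T10:02:01 192.168.1.45 8.8.8.8 53 udp
"""

# Assumed allow-list: the only internal hosts permitted to speak SMTP outbound.
MAIL_RELAYS = {"192.168.1.10"}
# SMTP (25), SMTPS (465) and submission (587) ports.
SMTP_PORTS = {25, 465, 587}
# Assumed threshold: how many distinct SMTP destinations make a host suspicious.
MIN_DISTINCT_DESTINATIONS = 3


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated 'ts src dst dport proto' records."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows


def find_smtp_offenders(flows: List[Flow],
                        relays=MAIL_RELAYS,
                        min_dsts: int = MIN_DISTINCT_DESTINATIONS) -> Dict[str, dict]:
    """Return {src: {"connections": n, "distinct_destinations": m}} for every
    non-relay host that opened SMTP sessions to at least `min_dsts` hosts."""
    destinations = defaultdict(set)
    connections = defaultdict(int)
    for f in flows:
        if f.proto != "tcp" or f.dport not in SMTP_PORTS or f.src in relays:
            continue
        destinations[f.src].add(f.dst)
        connections[f.src] += 1
    return {
        src: {"connections": connections[src], "distinct_destinations": len(dsts)}
        for src, dsts in destinations.items()
        if len(dsts) >= min_dsts
    }


if __name__ == "__main__":
    for host, stats in find_smtp_offenders(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: {stats['connections']} SMTP connections to "
              f"{stats['distinct_destinations']} destinations (not a mail relay)")
```

With the constructed data only the television-like host is reported; the single submission from 192.168.1.77 stays below the threshold, which is the usual trade-off between catching a relay early and paging on every webmail client. Lowering `min_dsts` to 1 turns the check into a strict "no unlisted host may speak SMTP" policy, which is what most home routers should enforce anyway.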
Even more interesting are the discussions on various communication platforms regarding the possibilities presented by this trend. References to the above incident were found in Arab media and also on the Facebook page of the famous “Alkrsan” hacker forum. The latter may indicate a rising interest among Arab hackers in this method of cyber-attack.
As for the Russian-speaking Internet, the HabrHabr computer blog published a post entitled “a botnet consisting of ‘smart’ TVs, media centers, PCs and … refrigerators was discovered”.
Generally, news sites refer to this affair as an evolving new threat in the cyber world and lively discussions are being held on closed forums regarding the trend.
So, will your toaster turn against you anytime soon? Not likely. But we have every reason to believe that any device that can be hacked is a legitimate target for hackers and will be breached sooner or later, changing the “Internet of Things” into the “Internet of Vulnerabilities”.
The aviation industry faces major risks on all of its fronts: from the air traffic control systems, to the aircraft themselves, to the airline companies and airports and border crossings. The identified threats stem from the current nature of aviation industry systems, which are interconnected and interdependent.
(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Aviation Industry”. If you are interested in receiving the full report please write to: email@example.com)
On August 13, 2013, the AIAA officially released a Decision Paper entitled “A Framework for Aviation Cyber security”, outlining existing and evolving cyber threats to the commercial aviation enterprise and noting the lack of international agreement on cyber security in aviation. There is no common overall coordination of efforts seeking a global solution.
According to the report, the global aviation system is a potential target for a large-scale cyber attack with attackers focusing on malicious intent, information theft, profit, “hacktivism”, nation states, etc.
The risks are not only theoretical. As portrayed below, some of the aforementioned security concerns have already been realized by hackers in real-life.
A presentation at the ‘Hack in The Box’ security summit in Amsterdam in April 2013 demonstrated that it is possible to take control of an aircraft’s flight systems and communications using an Android smartphone.
Sykipot is a tool that serves as a backdoor that an attacker can use to execute commands on the affected system. It is being used to gather intelligence about the civil aviation sector in the U.S. Like most targeted attacks, Sykipot infects its victims using spear-phishing techniques, sending emails with malicious attachments. Lately, as identified by Trend Micro, Sykipot has been observed gathering intelligence on the U.S. civil aviation sector. The intentions of this campaign are as yet unclear. Sykipot has a history of targeting the U.S. Defense Industrial Base (DIB) and key industries over the past six years.
Conficker, a worm that has infected millions of computers worldwide, infected the French Navy network in 2009, forcing it to cut connectivity to stop the worm from spreading, and to ground its Rafale fighter jets. It was probably introduced through an infected USB drive.
In 2008, Spanair flight 5022 crashed just after take-off, killing 154 people. According to the Spanish government’s Civil Aviation Accident and Incident Investigation Commission (CIAIAC), the disaster occurred because the central computer system used for monitoring technical problems in the aircraft was infected with a Trojan horse.
In 2008, the FAA reported that the computer network in the Boeing 787 Dreamliner’s passenger compartment was connected to the aircraft’s control, navigation and communication systems – a cause for grave security concern. This connection renders the plane’s control system vulnerable to cyber attack. Boeing advised that they would address the issue.
We believe that the aviation industry is facing major threats from cyberspace and these threats encompass large areas of the industry and may become a greater burden for it, compromising the safety of the passengers, and causing financial and commercial damage to the associated companies.