PARIS LA DÉFENSE–(BUSINESS WIRE)–Powered by the cutting-edge technologies and products of Thales and Verint, the two companies are pleased to present The Cyberthreat Handbook,a report of unprecedented scope designed to provide a classification and basis for further investigation of major groups of cyberattackers, including cybercriminals, cyberterrorists, hacktivist groups and state-sponsored hackers. As part of the strategic partnership to create a comprehensive, state-of-the art Cyber Threat Intelligence technologies, threat intelligence analysts from Thales and Verint have worked together to provide this unique 360° view of the cyberthreat landscape, with detailed descriptions of the activities of about sixty particularly significant groups, including their tactics and techniques, their motives and the sectors targeted from analysis of multiple data sources such as web and threat intelligence.
The following is an excerpt from the report. To receive a copy, please send a request to: firstname.lastname@example.org
2016 has been replete with an unprecedented volume of cyber events of varying impact and future significance. From our perspective, on account of our persistent presence and active participation in discussions Continue reading “SenseCy 2016 Annual CTI Report”
Written and prepared by SenseCy’s Cyber Intelligence analysts.
SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.
The following is an excerpt from the report. To receive a copy, please send a request to: email@example.com
2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.
Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.
Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).
Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.
The following are several of our insights regarding activities in different cyber arenas this past year:
During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.
Trade on Russian Underground Forums
The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.
Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.
Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.
Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.
The English-Language Underground
Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.
The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.
The Iranian Underground
With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.
One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.
Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.
That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.
ISIS – Cyber-Jihad
On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.
Anthem Inc., the second largest health insurer in the US, has suffered a security breach to its databases. According to media reports, the breached database contains information from approximately 80 million individuals. Although medical records appear not to be in danger, names, birthdays, social security numbers, email addresses, employment information and more have been compromised.
Anthem described the hacking as a “very sophisticated attack,” and the company reported it to the FBI and even hired a cyber security firm to help with the investigations. However, the extent of the stolen data is still being determined. In addition, there is no concrete information regarding the perpetrators and the modus operandi (MO) of this cyber-attack.
In February 2014 we wrote that cyber criminals are shifting their focus from the financial industry to the healthcare industry, which has become an easier target. Healthcare records contain a wealth of valuable information for criminals, such as social security numbers and personal information. This information can sometimes prove more valuable than credit card numbers, which the financial industry is working hard to protect.
In 2013, at least twice as many individuals were affected by healthcare data breaches than in the previous year, owing to a handful of mega-breaches in the industry. According to a cyber security forecast, published at the end of 2013, the healthcare industry was likely to make the most breach headlines in 2014. However, it appears that 2014 was the year in which American retailers suffered massive data breaches (Home Deopt, Staples, Kmart, and of course Target at the end of 2013).
We should consider the Anthem hack as a warning sign for all of us – the healthcare industry might be the prime target for cyber criminals in 2015. We already know that PPI (Personally Identifiable Information) and PHI (Protected Health Information) sales on black markets continue to rise. Such underground marketplaces are being used as a one-stop shop for identity theft and fraud. Such breaches can cost their victims dearly – putting their health coverage at risk, causing legal problems or leading to inaccurate medical records. Here at SenseCy, we monitor on a daily basis the usage of breached medical information on Underground forums and the Darknet platforms.
We believe that this industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.
Written and prepared by SenseCy’s Cyber Intelligence analysts.
Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.
This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.
The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: firstname.lastname@example.org
Below are several of our insights regarding cyber activity this past year:
The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale(POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.
The Past Year on the Russian Underground
In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.
The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.
The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):
Key Trends Observed on the Russian Underground this Past Year
Trojan Horses for the Financial Sector
Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.
In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.
This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.
This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.
Additional trends and insights are detailed in the full report.
Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China try to limit access by their citizens to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom by violating privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside to English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.
These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Together with publishing tutorials for “safe browsing” in the Internet for large masses of people the groups translate popular cyber tools for mass attacks and they disseminate instructional manuals translated into local languages on how to use these tools.
One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.
Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.
In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivism groups personifying themselves with North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.
In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.
Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.
As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.
The intelligence world has undergone dramatic change in recent years. The growth in traffic, online platforms, applications, devices and users has made the intelligence gathering process much more complex and challenging.
Today, each individual makes multiple simultaneous online appearances. We operate social media accounts, such as Facebook and Twitter (in Russia there is VK and Odnoklassniki and in China RenRen and QZone). We are also active on professional networks, such as LinkedIn. We participate in discussion groups and forums. We share pictures and videos via dedicated websites, and we process transactions by way of ecommerce sites, etc. This makes it much harder today to track the online footsteps of an individual and connect the dots between his diverse online representations, especially if he uses multiple aliases and email addresses.
Man versus Machine
In today’s virtual world, web-crawlers and automated collection tools have limitations. Don’t get me wrong – they are very important and we are dependent on automated tools in our daily work, but in some areas they simply cannot compete with a human analyst.
I will give you an example – in order to access a particular Russian closed hacking forum, you must write 100 posts, receive a recommendation from the administrator of the forum and finally, pay 50 dollars in Bitcoin. Such a task cannot be accomplished by a crawler or an automated tool. You must have an analyst that understands the relevant ecosystem and who is also familiar with the specific slang or lingo of the forum members. You must know that “Kaptoxa” (“Potato” in Russian) on a deep-web hacking forum does not really mean “Potato”, but rather refers to the BlackPOS – a Point-of-Sale (POS) malware used in the Target attack at the end of last year.
Cyber Activity Areas
If we take a look at the threat actors in the world of cyber security, we can roughly divide them into four categories: hacktivists (such as Anonymous-affiliated groups around the world); cyber terrorists (for example, the cyber unit of Hezbollah, and lately we have seen clear indications of al-Qaeda (AQ) attempts to develop a cyber unit within their organization).
A third category is cyber criminals (we have recently heard about cybercrime activities organized by groups in Ukraine, Eastern Europe, China and Latin America). The final category is governments, or state-sponsored groups (such as the Chinese PLA Unit 61398, also known as APT1, or the Izz ad-Din al-Qassam Cyber Fighters, an Iranian hacker group that launched “Operation Ababil” two years ago against the American financial sector).
Today, it is clear that every industry or sector is a potential target for cyber attack, or, as the Director of the FBI said two years ago, “There are only two types of companies: those that have been hacked and those that will be.”
And indeed, we are witnessing attacks on media organizations, public records (and in recent months attacks against healthcare services, mainly for the purpose of extortion), academic institutions, banks, the energy sector, and, of course, government agencies.
These diverse threat actors use the Internet to chat, plan their attacks, publish target lists, and even upload and share attack tools. But where can we find them? They have different online platforms.
Unlike APT campaigns that have almost no online footprint, the strength of hacktivism is its capability to recruit large masses for its operations, using social networks. In recent hacktivist campaigns we have identified Facebook as a “Command and Control” (C&C) platform for the attackers, where they plan the operation, publish a target list and share attack tools.
Cyber terrorists are mostly active on closed, dedicated forums where you must login with a username and password after receiving admin approval. We have experience with such forums in Arabic, Persian and even Turkish.
Cyber criminals, on the other hand, can be found on Darknet platforms, where you need to use a special browser to gain access. They can also be found on password-protected forums that sometimes require an entrance fee, payable in Bitcoin or other crypto-currencies. On these platforms we can find sophisticated attack tools for sale, pieces of advanced code, zero-day exploits, stolen data dumps and more.
Regarding governments or state-sponsored groups, I do not believe that they chat online, and generally speaking they do not leave footprints on the Web. However, we occasionally uncover activities by nation-state actors, such as the Syrian Electronic Army (SEA) or Iranian-affiliated groups.
I would like to argue that in today’s world we must use traditional methods of intelligence gathering, specifically operating covert agents, or virtual spies, throughout the Web – in closed discussion rooms, on secret Facebook pages, in the deep-web and Darknet platforms – in order to obtain quality, relevant and real-time intelligence.
In the past few years, the penchant of the Iranian regime for legitimizing hacking groups and their activities in Iran has become increasingly evident. While cooperation between the regime and certain hacking groups in Iran remains a non-declarative action by the Iranian government, the remarkable coordination between the two sides cannot be ignored. Examples of this alleged coordination is evidenced in several cases where Iranian hacker groups appear to act according to government interests. Two such examples were the subdual of Iranian hacker activities during the nuclear negotiations and the lull in attacks against banks during the Iranian presidential elections.
That said, it was not unexpected for Iran to become a fertile ground for numerous hacking groups, some more prominent than others.
This legitimacy and the free-hand policy have indirectly created an interesting trend in the Iranian cyber arena – rather than hiding and masking their activities, Iranian hackers or hacking groups are presenting themselves as security firms. This new ‘security firm’ disguise, ‘Hackurity’ if you will, may appear legitimate from the outside, but a review of the individuals supporting these firms or managing them, reveals a very different picture.
Such was the case in the Iranian DataCoders Security Team and cyber security firm.
Additional examples revealed the possibility that the group is also operating under an Arab alias.
At the beginning of August 2013, an unknown hacker group calling itself ‘Qods Freedom’ claimed to have waged several high-volume cyber-attacks against official Israeli websites and banks. In their Facebook account, they presented themselves as Palestinians hackers from Gaza. Taking into consideration Palestinian hacker capabilities, as well as an examination of the defacement signature left by ‘Qods Freedom’ has led us to believe that the group has connections with Iran. One of the Iranian groups that used the same signature on the exact same day was the Iranian DataCoders Security Team.
It appears that the Iranian DataCoders is going to a lot of trouble to maintain its legitimacy as a new security firm, rather than sticking to its former title as a hacker group.
According to a list posted in 2012 on an Iranian computer blog, the group is ranked among the top three Iranian hacker groups at that time, and is mostly active in the fields of training, security, penetration testing, and network exploits and vulnerabilities.
The group leader is Ali Alipour, aka Cair3x, who operates an active blog, where he describes himself as “Head of the Ajax Security Team.” Alipour is a former member of one of the oldest and most prominent hacker groups in Iran – “Ashiyane Digital Security Team” – and is accredited with perpetrating some of the exploits and defacements by the group. He was also listed on several forums as “one of Iran’s most terrible hackers“.
‘Pars-Security’ provides various services to the private and business sectors, including penetration testing, security and web programming. One of their most popular products is a technical guide entitled “Configuration and Server Security Package,” produced in cooperation with AjaxTM.
Although the ‘About us’ section on the site discloses that the company enjoys the support of the AjaxTM members, there is good reason to believe that the company is actually run by the Ajax Security Team themselves.
Another example of the tight relations between the ‘formats’ of Iranian hacker groups and security firms is the Mihan Hack Security Team. Since 2013, this group’s forum has been inactive, and was probably disabled by the group itself. With its forum and old website down, Mihan Hack has begun to reposition itself as a legitimate security firm.
The above-mentioned groups are just an example of the ‘hackurity groups’ trend in Iran. Our monitoring of the Iranian cyber arena has revealed more and more hacker groups once renowned for their defacement activities and hacking tool development, who have started to position themselves as ‘white hat’ security advisors and small Information Security (IS) consulting companies. The idea of active hackers supporting security firms and providing security services is not new, but is especially intriguing in Iran. The ‘former’ hacker groups that might be government-affiliated or supported are opening their own security firms rather than supporting existing firms and promoting self-developed products.
This action, accompanied by a decline in the declared activities of the group can divert attention from undercover activities and allows the group to operate more freely – a valuable resource for any hacker group, especially an Iranian one, due to the ever-growing global interest in Iran’s cyber activity.