The eyes of the world are trained on events unfolding between Russia and the Ukraine these days – partly curious, partly concerned, with others directly supportive of one of the sides, either through actions or by disseminating the agenda they believe in. Everyone understands that this conflict (or should we already use the term “war”?), may have a huge impact on the balance of power in Eastern Europe, and further afield. For the time being, we can only assume what Russia’s true goals are in this conflict and to what extent it can deteriorate. But one thing is already clear – this is a confrontation not only in the battlefield, with tanks and guns, but also in cyberspace, where the weapons are site defacements, data leaks and damage to the networks of financial and critical infrastructures. And it is not so obvious which of them is the more merciless and destructive…
This is not the first time that Russia has resorted to cyber-attacks against her enemies. April 2007 is still burned into the collective memory of Estonia, when thousands of sites belonging to Estonian organizations came under cyber-attack over a three-week period, which withheld many essential services from the general public.
Another conflict that served as a background to numerous cyber-attacks was the Russia–Georgia war in 2008. South Ossetian, Russian, Georgian, and Azerbaijani informational and governmental websites were hacked, resulting in defacements with political messages and denial of service to numerous websites. It was not clear whether the attack was an organized, government supported warfare or a riot of individuals and groups touting pro-Russian views.
The current confrontation in the Crimean Peninsula has only been underway for a few days, but it is already widely backed by supporters from both sides in cyberspace. Many websites with Russian and Ukrainian URLs have already been hacked and #OpUkraine and #OpRussia campaigns launched on social networks, mainly VK, Odnoklassniki and Facebook.
The Ukranians, imbued with patriotic feelings, are trying to hack Russian sites and leak data. The Ukranian site Bimba, which calls itself the “cyber weapon of the Maidan revolution,”announced its recruitment of cyber volunteers wishing to work for the benefit of the Ukraine.
The VK group #опПокращення // #OpUkraine, identified with Anonymous, uploaded a paste to the pastebin.com site, containing an anti-Russian message and a link to a download of an internal SQL data from Crownservice.ru (publishes tenders for governmental jobs), in a file called Putin Smack Down Saturday.
Other hacker groups in the Ukraine hacked regime websites, in expression of their support for the revolution. In general, a large number of internal cyberattacks among the different Ukrainian groups have been executed since the clashes began at the end of 2013. One of the more prominent was the hacking of the email of Ukraine opposition leader, Vitali Klitschko.
Russia tried to get even, although in a less obvious manner. Starting February 28, reports about cyberattacks in the Crimean Peninsula were published by some sources. Local communication companies experienced problems in their work that may have been caused by cyberattacks, as well as landline and Internet services. Moreover, Russia’s Internet monitoring agency (Roskomnadzor) has blocked Internet pages linked to the Ukraine protest movement.
Aside from Russians and Ukrainians, this conflict has attracted hackers from other countries, and we have already seen Turkish, Tunisian, Albanian and Palestinian hacker groups attacking Russian sites in support of the Ukrainian revolution.
At the time of writing, news sites have reported two more attacks on Russian sites by Ukrainian activists. This is a surprising, dynamic duel, and cyberspace is likely the stage upon which it will be played out.
Hackers are creative people. Everybody knows that. They have to be technically creative in order to outsmart security mechanisms, perform their antics and get away without being caught (sometimes). But artistic creativity? Not the first thing we associate with hacking. However, after witnessing their creative works of art, we felt compelled to share these with you.
So you are welcome to enjoy the works of the “Russian classical painters”, the “surrealist hacktivists designers” and the “Iranian masters”:
Recent years have witnessed an increased awareness within the worldwide security community of risks related to cyber attacks against critical infrastructures. ICS/SCADA systems have been a particular cause of concern for the security community, owing to Stuxnet, Flame and other cyber threats. As automation continues to evolve and assumes a more important role worldwide, the use of ICS/SCADA systems is likely to increase accordingly.
In this post I would like to present an analysis of several cyber incidents pertaining to ICS/SCADA systems and originating from threat elements in the Middle East.
Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility
On January 2, 2014, the Cryptome.org website (a digital library host) published a message from the Iranian hacker group Parastoo, directed at the American authorities. The message headline connects the group to a “military-style” attack on an electric power station, the PG&E Metcalf substation, in California, U.S.A. on April 16, 2013. The connection to the Iranian group is unclear, despite the fact that Parastoo has mentioned that it has been testing national critical infrastructures using cyber vectors.
On April 16, 2013, an undetermined number of individuals breached the PG&E Metcalf power substation in California and cut the fiber-optic cables in the area around the station. The act neutralized some local 911 services and temporarily disrupted cell phone service in the area. The perpetrators also fired shots from high-powered rifles at several transformers in the facility. Ten were damaged and several others shut down.
It should be noted that there have been several attacks against different infrastructure facilities in the U.S. in the past year, such as the Arkansas power grid. Furthermore, officials conceded that the electric power industry is focusing on the threat of cyber attacks.
The Iranian hacker group Parastoo first emerged on November 25, 2012, when they posted a message announcing they hacked into the International Atomic Energy Agency (IAEA) and leaked personal details of its officials. In February 2013, Parastoo claimed to have stolen nuclear information, credit card information, and the personal identities of thousands of customers, including individuals associated with the U.S. military, that work with IHS Inc., a global information and analytics provider.
The Syrian Electronic Army Hacks into Israeli SCADA Systems
On May 6, 2013 the cryptome.org website reported a successful attack by the “Syrian Electronic Army” (SEA) on a strategic Israel infrastructure system in Haifa. In an email sent to the website, the attack was declared to be a warning to decision-makers in Israel, evoking alleged Israeli Air Force (IAF) attacks on Syrian territory at the beginning of May 2013. The claim of responsibility for the attack was accompanied by a .pdf file with screenshots substantiating the cyber attack.
Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did, however, reveal that the attackers had targeted the irrigation control system of Kibbutz Sa’ar, near Nahariya. Control of this system would present the hacker with numerous capabilities, among which is the destruction of the agricultural yield.
We also noticed that the time shown on the screenshot indicated the end of April 2012. It is possible that the system clock was incorrectly set, but it is more likely that the system was breached a year ago and the published “Retaliatory Strike” was retained as a contingency plan for exactly such an attack by Israel.
The Syrian Electronic Army posted a denial via its Twitter account, where it stated that it was not behind the attack. On other occasions, this Twitter account has been used as a platform for claims of responsibility, but with this incident, the above attack is not mentioned, neither here nor on the group’s official website or forums (apart from the denial). It should be noted that there are numerous examples of fictitious claims of responsibility intended to deflect identification of the attacker MO (Modus Operandi) of state-sponsored hacker groups.
This incidence is another link in a chain of events demonstrating an impressive ability to locate and exploit SCADA systems that appear to be susceptible to the Muslim hackers’ skills. However, in our view, this event is unprecedented. For the first time in public, a critical computerized infrastructure facility on Israeli soil has been attacked, and it is extremely likely that a sovereign state is behind the attack, declaring outright war in the cyber arena and deviating from the intelligence-gathering plateau.
Jihadist Cyber Terror Group to Target SCADA Systems
On June 11, 2011, a prominent Web Jihadist from the Shumukh al-Islam forum, Yaman Mukhaddab, launched a campaign to recruit male and female volunteers for a new Electronic Jihad group. The campaign, which takes place over the thread itself, begins with a clear definition of the group’s tasks and priorities. Mukhaddab says:
Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel powers, specifically the U.S., the U.K. and France, no others. This base is not going to attack, for instance, the sites of Shi’a, Christians, apostates, slanderers, liar sites and forums or anything else. I repeat: it will only target the U.S., the U.K. and France.
Mukhaddab goes on to list the main targets for future attacks. SCADA systems are ranked as a top priority target, in order to “destroy power, water and gas supply lines, airports, railway stations, underground train stations, as well as central command and control systems” in these three countries. The second priority includes control systems of general financial sites, such as central savings organizations, stock markets and major banks. Third on the group’s agenda are websites and databases of major corporations dominating the economies of these countries, while fourth and last are less specified “public sites affecting the daily routine of citizens, in order to maximize the terror effects on the population”.
Mukhaddab details the desired skills of anyone wishing to join the group, including: thorough understanding of SCADA systems, preferably with experience in hacking them; acquaintance with writing hacking programs and scripts, and programming in C, C+ and C++ languages; expertise in networks, communication protocols and various kinds of routers and firewalls, specifically mentioning CISCO; Expertise in Linux or Unix operating systems; expertise in Windows operating system; capability of detecting security vulnerabilities; acquaintance with hacker websites, capability of entering them easily, searching for required scripts, tools, or software, and providing them to fellow members, if asked to; complete mastery of English or French scientific language, and scientific background in computer engineering; mastery of the Russian language; and mastery of the Chinese language. Members who want to volunteer are asked to post a response in the thread, specifying the categories that fit their capabilities.
To date, close to a hundred volunteers have already signed on to Mukhaddab’s Electronic Jihad group. We have yet to see indications that this newly formed group has started to engage in online hacking activity, but given the enthusiasm it created among forum members, this is likely to occur in the near future.
On January 7, 2014, a relatively new hacker group calling itself the Islamic Cyber Resistance (ICR) claimed they had accessed the Local Area Network (LAN) of the Israel Airports Authority (IAA) and leaked sensitive information regarding domestic and international flight maps.
According to the group, they accessed flight management plans and the ATIS/VOLMET system (Automatic Terminal Information Service), where they could have manipulated data communications, such as flight routing and weather conditions.
The ICR has leaked a great amount of data, most of which is not up-to-date. Our analysis additionally revealed that the leaked data does not originate from the IAA local network, but either from its open and public network or from a different server that contains such information.
Nonetheless, it appears that this group may pose a threat to Western entities, as well as non-Shi’a, and I will explain.
ICR executed their first act on February 25, 2013, when the group leaked the personal details of Bahraini intelligence and high-ranking military personnel. This was accompanied by an image demonstrating the group’s support of Hezbollah leader Hassan Nasrallah.
On August 10, 2013, the ICR and the Syrian Electronic Army (SEA), a pro-Assad hacker group, hacked a Kuwait mobile operator (Zain Group) and leaked information that included passwords.
On October 22, 2013, the ICR leaked the email addresses of the International Atomic Energy Agency (IAEA). It should be noted that information regarding the IAEA was also leaked in 2012 by the Iranian hacker group Parastoo.
On December 16, 2013, the ICR leaked personal details of 2,014 Israelis affiliated with various security bodies as well as secret documents from the Saudi BinLadin Group (SBG) and Saudi Arabian security officials. They stated that this attack was the group’s revenge for the assassination of Hezbollah Commander Hassan al-Lakkis on December 4, 2013.
According to the semi-official Iranian Fars News Agency, the group has declared that it is not affiliated with Hezbollah. However, the cyber-attack coined “Remember Hassan Lakkis Operation” and the image of Hassan Nasrallah attached to one of the leaks indicates a connection between the group and Hezbollah, or at least the group’s support for the organization.
Moreover, the name of the group in English is the same as one of the names for Hezbollah (Al-Muqawama al-Islamiyya – “Islamic Resistance”). Additionally, a news report in Persian about the ICR attached an image labeled “HizbullahCyber”, another indication of a possible connection between the ICR and Hezbollah.
The ICR has no Facebook or Twitter accounts. However, it seems that wikileak.ir is the main platform for their leaks. Additionally, the Twitter account @quickleak.org often tweets about the group’s operations and should therefore be considered a good source of information about the group’s activity.