#OpIcarus Cyber Campaign – Round 5

Hacktivists recently launched the fifth phase of the #OpIcarus cyber campaign (also dubbed #OpSacred) against the financial sector around the world. This campaign was first launched in February 2016, and as in previous phases, the official target list contains mainly websites of central banks around the world. In addition, the initiators share links to download known DDoS tools, such as

#OpSafePharma 3.0: Italian Hacktivists Attack the Healthcare Sector

The #OpSafePharma is a hacktivist campaign targeting the Italian healthcare and pharma industries, protesting their treatment of ADHD. Hacktivists affiliated with Anonymous Italia perform DDoS attacks and leak information stolen from databases of websites related to the abovementioned sectors. The campaign, which started in March 2016, was relaunched at the beginning of June following a decrease in the number of attacks against Italian targets in the past month.

On August 21, 2016, Anonymous Italia and its affiliated hacktivist collective AntiSec-Italia relaunched the campaign, this time dubbed #OperationSafePharma, targeting four different healthcare-related Italian institutions with website defacement attacks and substantial data leakages. The outcomes of the operation, namely screenshots of the defaced websites and the addresses of the downloadable data leakages uploaded to dedicated file-sharing platforms, were announced on the social media outlets of AntiSec-Italia, specifically on their Facebook page and Twitter account.

AntiSec-Italia published the outcomes of the operation on its Facebook page

The Data Leakage

The hacktivists leaked approximately 2.5 GB of data, stolen from the databases of two prominent Italian healthcare institutions, and provided links to file-sharing platforms where they uploaded the dumps.

We acquired the leaked databases and, upon verification, we assess that they mostly contain internal communications, as well as a great volume of personal data relating to the in-house personnel of the two healthcare institutions, mainly CVs of the physicians and administrative executives working in the facilities. We did not find any indications that medical records of patients treated in these healthcare facilities were disclosed or compromised during the data leakage. Notably, the most recent documents we detected within the stolen files are dated August 5, 2016.

A partial list of the folders included in one of the leaked databases.
Sample of leaked data, notably personal documents of a patient who applied to be treated by a different physician

Website Defacements

The group defaced four distinct websites, explaining in a public statement – recycled from previous operations – the rationale underpinning the protest.

Screenshots of the defacements related to two of the affected Italian medical facilities

Assessment

Our assessment is that this latest iteration of #OperationSafePharma originates more from a one-time window of opportunity that the hacktivist group AntiSec-Italia spotted in vulnerable websites associated with Italian medical centers and hospitals than from a concerted effort by multiple Anonymous-affiliated collectives to launch a massive hacktivist campaign against the Italian healthcare sector as a whole. We base this assessment on the analysis conducted using our automated SMA (Social Media Analytics) toolset, which indicated a spike in the activity of the attackers.

Nonetheless, the achievements of the operation, in particular the exfiltration of sensitive databases belonging to prominent Italian healthcare institutions, display noteworthy technical capabilities by the initiators of the offensive.

As yet, we have not identified any preparations for future hacktivist campaigns against the Italian healthcare or financial sector; nonetheless, we continue to monitor Italian hacktivist threat actors on a daily basis.

Intelligence Review of #OpIsrael Cyber Campaign (April 7, 2015)

Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.

AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.

As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.

Participants discuss why the campaign is smaller than in 2013

Following is a summary of the main results of the attacks that we have identified so far:

  • Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
  • Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
  • Publication of details from dozens of credit cards, some of them recycled.

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China, try to limit their citizens’ access to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries, and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom, such as violations of privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages alongside English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Together with publishing tutorials on “safe browsing” on the Internet for the general public, the groups translate popular cyber tools for mass attacks and disseminate instructional manuals, translated into local languages, on how to use these tools.

Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan, an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization is #OpLeakageJp, an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the region. One such example is operations by hacktivist groups presenting themselves under North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy”, the government. Hacktivist groups not only organize such campaigns on underground platforms, but also make wide use of open, popular social networks to recruit supporters. Moreover, they develop their own cyber tools.

Anonymous versus ISIS

Alongside the war being waged against ISIS in Iraq and Syria, there is another battle front against ISIS in cyber space. Anonymous has declared war against ISIS platforms, to destroy ISIS propaganda and influence throughout the web. Anonymous supporters and opponents of ISIS are using social networks to spread their message. The following is a short summary of Anonymous efforts to block ISIS ideology on Facebook, Twitter and YouTube:

On October 4, 2014, a cyber-campaign was launched against ISIS. 110 Facebook users joined the event page that was created to organize DDoS attacks against websites affiliated with ISIS.

Event Page against ISIS

However, a more potent campaign against ISIS and its supporters is running on Twitter and Facebook, under the hashtags #OpIceISIS and #No2ISIS. There is also a Twitter account named Operation Ice ISIS.

There is also another anti-ISIS campaign on Twitter calling for an ISIS Media Blackout. The most active Twitter account in this operation is named Bomb Islamic State.

Some tweets say that supporting ISIS is like supporting Assad or even Israel.

It should be noted that we also found an anti-ISIS group on the Darknet. The founder of the group, which has 32 members, invited all who wish to eradicate ISIS to join the group.

ISIS in Cyber Space

We tried to search for ISIS cyber forces, if there is such a thing, and we found some evidence on Twitter indicating the existence of Islamic State Electronic Brigades. These brigades also have a YouTube channel and chat room. Here you can see a screenshot of an image in Arabic announcing that ISIS Electronic Brigades hacked the Twitter account @SawaTblanc.

Furthermore, the trend of supporting ISIS among hackers from the Muslim world is becoming more popular by the day. On Facebook, you can find many hacker groups affiliated with ISIS, such as the Army of the Electronic Islamic State, which has 146 members. This group tried to launch a cyber-campaign against Arab TV channels on September 27, 2014. There is another Facebook group that gives hacking lessons to ISIS supporters. Moreover, a Twitter account named Lizard Squad claimed to have uploaded an ISIS flag to Sony servers.

It should be noted that there can sometimes be conflicts among Arab hacker groups affiliated with Anonymous that also support the ISIS agenda, such as Anonymous Official Arabe, which posted on its Facebook page that it would not hack ISIS websites, despite its Anonymous affiliation. In conclusion, our examples show that ISIS has a presence in cyber space, but there is also high motivation to hack their platforms and curb their spreading influence.

Anonymous versus ISIS – Hacktivism against Cyber Jihad

For the past few weeks, members of Anonymous and supporters of ISIS have been battling each other over the social media networks.

First, several Twitter accounts were created under the hashtag #No2ISIS to protest against ISIS activity in Iraq. Then, on June 21, 2014, an Anonymous-affiliated group called TheAnonMessage uploaded a public press release via YouTube about a cyber-attack targeting countries that support ISIS, such as Saudi Arabia, Qatar and Turkey.

On July 1, 2014, the Twitter account @TheAnonMessenger tweeted that the #No2ISIS cyber operation would continue until Anonymous decided otherwise.

The pro-Islamic Hilf-ol-Fozoul Twitter account also accused ISIS of being a protégé of the U.S.

In contrast, several Muslim hackers that support ISIS responded to the Anonymous declarations by adding the hashtag #OpAnonymous to their tweets. To boot, a very active hacker nicknamed Kjfido tweeted this message to Anonymous members.

Kjfido presents himself as a cyber-jihadist and an official member of the ISIS Electronic Army. It should be mentioned that there is no evidence that the ISIS Electronic Army actually exists, although there is a Twitter account by the name @electonic_ISIS that tweets about ISIS activity and its agenda.

Recycled Fuel? OpPetrol Campaign Rerun This June

Hacktivist collective Anonymous announced a cyber campaign called #OpPetrol, planned to be executed on June 20th, 2014. This is a re-run of a similar campaign with an identical name, launched on the same date last year, aimed at the international oil and gas industry in various geographies. The most prominent group seems to be AnonGhost, which recently defaced hundreds of websites and leaked a large amount of credit card details.

The campaign is likely to include a mix of DDoS, defacement and data dumps. The countries that are targeted are:

  • US
  • Canada
  • England
  • Israel
  • China
  • Italy
  • France
  • Russia
  • Germany

In addition, specific oil and gas companies in various locations, from the Gulf to Norway, are on the target list. Last year’s campaign did not cause any substantial damage, and we assume this re-run will achieve similar results.

Evolution of Hacktivist Campaigns

In the next week we are going to see a major hacktivist operation aimed against Israel, called #OpIsraelBirthday, which is supposed to start on the 7th of April. The operation is dubbed “birthday” since it commemorates the last OpIsrael, which took place on the same date last year. In recent weeks, there was a lot of internal debate in SenseCy about what has changed from then to now and what we can expect to see in the coming operation. I think that the results of this debate might be interesting to you as well:

– DDoS Attacks – DDoS attacks are nothing new, but recently attackers have started utilizing a new-old approach in the form of reflection attacks. If a year ago attacks peaked at 30Gb/sec, it is more than plausible to assume that we are going to see one order of magnitude higher than that. This might be acceptable for a large country, but for Israel it might cause problems in the ISP infrastructure itself, not just a denial of service to the target site.

– Self-Developed Code – Until now, most of what we have seen coming from the anti-Israel hacktivism groups was reuse of Anonymous code, with maybe slight improvements to the user interface. Lately, we have started to identify unique, original code developed by the groups themselves. Some of it still depends on existing code and available libraries, but this might be an indicator of things to come.

AnonGhostDDoSer – Developed by AnonGh0st for OpIsraelBirthday

– Dumps vs. Defacements – It seems that the general objective now is less the defacement of sites and more the ability to create harm and panic through the publication of stolen data dumps. We see more and more details regarding allegedly hacked sites (some of them important), with the promise that the databases will be published on the 7th of April. This is probably the first time these hacktivist groups are trying to achieve a more widespread impact that is, at least in spirit, similar to the terror effect.

– Shells and RATs – It seems that SQL injection and cross-site scripting are shifting from being the end result to being the means by which the hacktivist groups place web shells on their targets or infect the targets with RATs and other malware. This may, in effect, suggest a more coherent effort to cause more sophisticated damage to their targets.

All in all, it seems that the motivation for the attack remains similar, but the magnitude and scope of the upcoming operation seem larger and more dangerous than last time (in terms of tools available and number of participants). However, companies and organizations that are aware of the threat can, in turn, take action to handle and mitigate these attacks.

What Does “Cyber Intelligence” Mean, And Why Is It Needed?

Hi All,

SenseCy Blog has been up and running for a week now and we are extremely happy with the traction we’ve achieved so far.

It’s time to elaborate on what we mean when we say “cyber intelligence”.

As far as cyber defense goes, organizations have traditionally relied on technology and procedures to mitigate cyber threats.

But as recent events show, this thinking is no longer valid. Without knowing what threats are out there, and who is targeting them, organizations find it impossible to tune their defensive mechanisms and procedures, and they fail time and again to secure their data from breaches.

So what attributes must one look for in cyber intelligence services?

  • Up-to-date: intelligence needs to be on time, relevant and accurate, based on the needs of a specific organization.
  • Derived from research sources, including the Deep Web, open sources, closed groups and password-protected forums (this is where the real information resides), covering multiple languages.
  • A mixture of both technical and operational intelligence (not just “Another variant of malware was detected”).
  • “Analyst approved” intelligence, meaning that information has been correlated, aggregated and analyzed, leading to near-zero false positives.
  • Operational value: the “What do I do next?” question is answered.

Example of operational intelligence derived from password-protected groups

With such intelligence at its disposal, an organization could better mitigate evolving threats and achieve much greater efficiency and effectiveness from its technology.

In future posts, we will explore the production and analysis aspects of Cyber Intelligence and show some real-life examples of our work.

Keep in touch!

The SenseCy Team

Facebook Event against the World Cup in Brazil

A new trend has emerged – Hacktivist campaigns against high-profile sporting events.

Anonymous Caucasus, also known as “The Electronic Army of the Caucasus Emirate”, an Islamist hacker group, has already threatened to carry out cyber attacks before and during the Sochi 2014 Winter Olympic Games.

The next major sporting event is the World Cup, scheduled to take place in June 2014 in Brazil. In recent days, Anonymous hackers have launched cyber attacks against Brazilian government websites in protest against the 2014 World Cup.

The hacktivists have also created an event page on Facebook threatening that every Saturday until the beginning of the games on June 12, 2014, they will wage cyber attacks against different websites that are affiliated with the Brazilian government and FIFA, the international governing body of association football.

Thus far, hundreds of people have joined the event and the number of participants will most likely increase during the next months.

Facebook event against the 2014 World Cup