SenseCy 2014 Annual Cyber Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

Executive Summary

Clearly, 2014 was an important year in the cyber arena. The technical level of the attacks, the variety of tools and methods used and the destructive results achieved have proven, yet again, that cyber is a cross-border tool that is rapidly gaining momentum.

This year, we witnessed attacks on key vectors: cyber criminals setting their sights on targets in the private sector, hacktivists using cyber tools for their ideological struggles, state-sponsored campaigns to facilitate spying on high-profile targets, and cyber conflicts between countries.

The following is an excerpt from an annual report prepared by our Cyber Intelligence analysts. To receive a copy, please send a request to: info@sensecy.com

Insights

Below are several of our insights regarding cyber activity this past year:

  • The financial sector was and continues to be a key target for cyber criminals, with most of the corporations hacked this year in the U.S. being attacked through infection of Point-of-Sale (POS) systems. Despite the high level of awareness as to the vulnerability of these systems following the Target breach at the end of 2013, ever more organizations are continuing to fall victim to these types of attacks, as the cybercrime community develops and sells dedicated tools for these systems.
  • In 2014, we saw another step up in the use of cyber as a cross-border weapon, the use of which can be highly destructive. This was evidenced in the attack on JPMorgan, which according to reports was a response to sanctions imposed by the U.S. on Russia. The ensuing Sony breach and threats to peoples’ lives should the movie The Interview be screened exacerbated the state of asymmetrical war in cyber space, where on the one hand, we see countries attacking companies, and on the other, groups of hackers attacking countries. This trend becomes even more concerning following the reports of the deaths of three workers at a nuclear reactor in South Korea, after it became the target of a targeted cyber-attack, evidently by North Korean entities.
  • This past year was rife with campaigns by anti-Israel hacktivist campaigns, whose motivation for attacking Israel’s cyber networks was especially strong. Again, it was clearly demonstrated that the relationship between physical and virtual space is particularly strong, when alongside Operation Protective Edge (July-August 2014), we witnessed a targeted cyber campaign by hacktivist organizations from throughout the Muslim world (but not only) and by cyber terror groups, which in some cases were able to score significant successes. We believe that in 2015, attacks by hacktivist groups will become higher quality (DDoS attacks at high bandwidth, for example) and the use of vectors, which to date have been less common, such as attacks against mobile devices, will become increasingly frequent.
  • Involvement of the internal factor in cyber-attacks: According to some speculations published recently in the global media regarding the massive Sony breach, former company employees  may have abused their positions and status to steal confidential information and try to harm the organization. This underscores the importance of information security and internal compartmentalization in organizations with databases containing sensitive information.

The Past Year on the Russian Underground

In 2014, we saw active underground trading of malware and exploits, with some of them being used in attacks inside and outside Russia that gained widespread media coverage in sources dealing with information security.

The following is a list of categories of malware and the main services offered for sale in 2014 on the Russian-speaking underground forums. Note that in this analysis, we only included important tools that were well-received by the buyers, which indicates their reliability and level of professionalism. Additionally, only tools that were sold for over a month were included. Let us also note that the analysis does not include special PoS firmware, but only programs designed to facilitate remote information theft through takeover of the terminal.

Malware_Russian Underground

Prices

The average price of a tool offered for sale in 2014 was $1,500. Since 2013, the average price has increased by $500. The following graph lists the average price in each of the categories outlined above (in USD):

Average_Price_by_Category

Key Trends Observed on the Russian Underground this Past Year

Trojan Horses for the Financial Sector

Malware designed to target financial institutions is a highly sought-after product on the Russian underground, and this past year we observed the development of malware based on Kronos source code – Zeus, Chthonic (called Udacha by the seller) and Dyre malware. Additionally, the sale of tools designed to sell login details for banking sites via mobile devices were also observed.

In this context, it should be noted that the modular structure of many types of financial malware allows flexibility by both the seller and the buyer. Most financial malware is sold in this format – meaning, various modules responsible for the malware’s activity can be purchased separately: Formgrabber module, Web-Injections module and more.

MitM Attacks

This type of attack vector, known to cyber criminals as Web injections, is most common as a module in Trojan horses for the financial sector. Members of many forums offer their services as injection writers, referring to creation of malware designed to be integrated into a specific banking Trojan horse (generally based on Zeus), tailored to the specific bank, which imitates the design of its windows, etc. In 2014, we saw this field prosper, with at least seven similar services offered on the various forums.

Ransomware

This year we witnessed a not insignificant amount of ransomware for sale on Russian-speaking forums. It would appear that the forums see a strong potential for profit through this attack vector and therefore invest in the development of ransomware. Furthermore, note that some of the ransomware uses the Tor network to better conceal the command and control servers. Since CryptoLocker was discovered in September 2013, we have seen numerous attempts at developing similar malware both for PCs and laptops.

Additional trends and insights are detailed in the full report.

Understanding the Cyber Intelligence Ecosystem

Technology Evolution

The intelligence world has undergone dramatic change in recent years. The growth in traffic, online platforms, applications, devices and users has made the intelligence gathering process much more complex and challenging.

Today, each individual makes multiple simultaneous online appearances. We operate social media accounts, such as Facebook and Twitter (in Russia there is VK and Odnoklassniki and in China RenRen and QZone). We are also active on professional networks, such as LinkedIn. We participate in discussion groups and forums. We share pictures and videos via dedicated websites, and we process transactions by way of ecommerce sites, etc. This makes it much harder today to track the online footsteps of an individual and connect the dots between his diverse online representations, especially if he uses multiple aliases and email addresses.

Man versus Machine

In today’s virtual world, web-crawlers and automated collection tools have limitations. Don’t get me wrong – they are very important and we are dependent on automated tools in our daily work, but in some areas they simply cannot compete with a human analyst.

I will give you an example – in order to access a particular Russian closed hacking forum, you must write 100 posts, receive a recommendation from the administrator of the forum and finally, pay 50 dollars in Bitcoin. Such a task cannot be accomplished by a crawler or an automated tool. You must have an analyst that understands the relevant ecosystem and who is also familiar with the specific slang or lingo of the forum members. You must know that “Kaptoxa” (“Potato” in Russian) on a deep-web hacking forum does not really mean “Potato”, but rather refers to the BlackPOS – a Point-of-Sale (POS) malware used in the Target attack at the end of last year.

BlackPOS is offered for sale on a Russian closed hacking forum (February 2013)
BlackPOS is offered for sale on a Russian closed hacking forum (February 2013)

Cyber Activity Areas

If we take a look at the threat actors in the world of cyber security, we can roughly divide them into four categories: hacktivists (such as Anonymous-affiliated groups around the world); cyber terrorists (for example, the cyber unit of Hezbollah, and lately we have seen clear indications of al-Qaeda (AQ) attempts to develop a cyber unit within their organization).

Collaboration between Al-Qaeda and Tunisian hackers
Collaboration between Al-Qaeda and Tunisian hackers

A third category is cyber criminals (we have recently heard about cybercrime activities organized by groups in Ukraine, Eastern Europe, China and Latin America). The final category is governments, or state-sponsored groups (such as the Chinese PLA Unit 61398, also known as APT1, or the Izz ad-Din al-Qassam Cyber Fighters, an Iranian hacker group that launched “Operation Ababil” two years ago against the American financial sector).

Today, it is clear that every industry or sector is a potential target for cyber attack, or, as the Director of the FBI said two years ago, “There are only two types of companies: those that have been hacked and those that will be.”

And indeed, we are witnessing attacks on media organizations, public records (and in recent months attacks against healthcare services, mainly for the purpose of extortion), academic institutions, banks, the energy sector, and, of course, government agencies.

These diverse threat actors use the Internet to chat, plan their attacks, publish target lists, and even upload and share attack tools. But where can we find them? They have different online platforms.

Unlike APT campaigns that have almost no online footprint, the strength of hacktivism is its capability to recruit large masses for its operations, using social networks. In recent hacktivist campaigns we have identified Facebook as a “Command and Control” (C&C) platform for the attackers, where they plan the operation, publish a target list and share attack tools.

OpFIFA 2014 Campaign
OpFIFA 2014 Campaign

Cyber terrorists are mostly active on closed, dedicated forums where you must login with a username and password after receiving admin approval. We have experience with such forums in Arabic, Persian and even Turkish.

Cyber criminals, on the other hand, can be found on Darknet platforms, where you need to use a special browser to gain access. They can also be found on password-protected forums that sometimes require an entrance fee, payable in Bitcoin or other crypto-currencies. On these platforms we can find sophisticated attack tools for sale, pieces of advanced code, zero-day exploits, stolen data dumps and more.

Silk Road - the infamous online market on Darknet
Silk Road – the infamous online market on Darknet

Regarding governments or state-sponsored groups, I do not believe that they chat online, and generally speaking they do not leave footprints on the Web. However, we occasionally uncover activities by nation-state actors, such as the Syrian Electronic Army (SEA) or Iranian-affiliated groups.

I would like to argue that in today’s world we must use traditional methods of intelligence gathering, specifically operating covert agents, or virtual spies, throughout the Web – in closed discussion rooms, on secret Facebook pages, in the deep-web and Darknet platforms – in order to obtain quality, relevant and real-time intelligence.

Targeting SCADA Systems

Introduction

Recent years have witnessed an increased awareness within the worldwide security community of risks related to cyber attacks against critical infrastructures. ICS/SCADA systems have been a particular cause of concern for the security community, owing to Stuxnet, Flame and other cyber threats. As automation continues to evolve and assumes a more important role worldwide, the use of ICS/SCADA systems is likely to increase accordingly.

In this post I would like to present an analysis of several cyber incidents pertaining to ICS/SCADA systems and originating from threat elements in the Middle East.

Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility

On January 2, 2014, the Cryptome.org website (a digital library host) published a message from the Iranian hacker group Parastoo, directed at the American authorities. The message headline connects the group to a “military-style” attack on an electric power station, the PG&E Metcalf substation, in California, U.S.A. on April 16, 2013. The connection to the Iranian group is unclear, despite the fact that Parastoo has mentioned that it has been testing national critical infrastructures using cyber vectors.

Cryptome message
Cryptome message

On April 16, 2013, an undetermined number of individuals breached the PG&E Metcalf power substation in California and cut the fiber-optic cables in the area around the station. The act neutralized some local 911 services and temporarily disrupted cell phone service in the area. The perpetrators also fired shots from high-powered rifles at several transformers in the facility. Ten were damaged and several others shut down.

It should be noted that there have been several attacks against different infrastructure facilities in the U.S. in the past year, such as the Arkansas power grid. Furthermore, officials conceded that the electric power industry is focusing on the threat of cyber attacks.

About Parastoo

The Iranian hacker group Parastoo first emerged on November 25, 2012, when they posted a message announcing they hacked into the International Atomic Energy Agency (IAEA) and leaked personal details of its officials. In February 2013, Parastoo claimed to have stolen nuclear information, credit card information, and the personal identities of thousands of customers, including individuals associated with the U.S. military, that work with IHS Inc., a global information and analytics provider.

The Syrian Electronic Army Hacks into Israeli SCADA Systems

On May 6, 2013 the cryptome.org website reported a successful attack by the “Syrian Electronic Army” (SEA) on a strategic Israel infrastructure system in Haifa. In an email sent to the website, the attack was declared to be a warning to decision-makers in Israel, evoking alleged Israeli Air Force (IAF) attacks on Syrian territory at the beginning of May 2013. The claim of responsibility for the attack was accompanied by a .pdf file with screenshots substantiating the cyber attack.

Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did, however, reveal that the attackers had targeted the irrigation control system of Kibbutz Sa’ar, near Nahariya. Control of this system would present the hacker with numerous capabilities, among which is the destruction of the agricultural yield.

Screenshot from the PDF released by the attackers
Screenshot from the PDF released by the attackers

We also noticed that the time shown on the screenshot indicated the end of April 2012. It is possible that the system clock was incorrectly set, but it is more likely that the system was breached a year ago and the published “Retaliatory Strike” was retained as a contingency plan for exactly such an attack by Israel.

The Syrian Electronic Army posted a denial via its Twitter account, where it stated that it was not behind the attack. On other occasions, this Twitter account has been used as a platform for claims of responsibility, but with this incident, the above attack is not mentioned, neither here nor on the group’s official website or forums (apart from the denial). It should be noted that there are numerous examples of fictitious claims of responsibility intended to deflect identification of the attacker MO (Modus Operandi) of state-sponsored hacker groups.

SEA denial on their Twitter account
SEA denial on their Twitter account

This incidence is another link in a chain of events demonstrating an impressive ability to locate and exploit SCADA systems that appear to be susceptible to the Muslim hackers’ skills. However, in our view, this event is unprecedented. For the first time in public, a critical computerized infrastructure facility on Israeli soil has been attacked, and it is extremely likely that a sovereign state is behind the attack, declaring outright war in the cyber arena and deviating from the intelligence-gathering plateau.

Jihadist Cyber Terror Group to Target SCADA Systems

On June 11, 2011, a prominent Web Jihadist from the Shumukh al-Islam forum, Yaman Mukhaddab, launched a campaign to recruit male and female volunteers for a new Electronic Jihad group. The campaign, which takes place over the thread itself, begins with a clear definition of the group’s tasks and priorities. Mukhaddab says:

Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel powers, specifically the U.S., the U.K. and France, no others. This base is not going to attack, for instance, the sites of Shi’a, Christians, apostates, slanderers, liar sites and forums or anything else. I repeat: it will only target the U.S., the U.K. and France.

Mukhaddab goes on to list the main targets for future attacks. SCADA systems are ranked as a top priority target, in order to “destroy power, water and gas supply lines, airports, railway stations, underground train stations, as well as central command and control systems” in these three countries. The second priority includes control systems of general financial sites, such as central savings organizations, stock markets and major banks. Third on the group’s agenda are websites and databases of major corporations dominating the economies of these countries, while fourth and last are less specified “public sites affecting the daily routine of citizens, in order to maximize the terror effects on the population”.

Mukhaddab details the desired skills of anyone wishing to join the group, including: thorough understanding of SCADA systems, preferably with experience in hacking them; acquaintance with writing hacking programs and scripts, and programming in C, C+ and C++ languages; expertise in networks, communication protocols and various kinds of routers and firewalls, specifically mentioning CISCO; Expertise in Linux or Unix operating systems; expertise in Windows operating system; capability of detecting security vulnerabilities; acquaintance with hacker websites, capability of entering them easily, searching for required scripts, tools, or software, and providing them to fellow members, if asked to; complete mastery of English or French scientific language, and scientific background in computer engineering; mastery of the Russian language; and mastery of the Chinese language. Members who want to volunteer are asked to post a response in the thread, specifying the categories that fit their capabilities.

To date, close to a hundred volunteers have already signed on to Mukhaddab’s Electronic Jihad group. We have yet to see indications that this newly formed group has started to engage in online hacking activity, but given the enthusiasm it created among forum members, this is likely to occur in the near future.

Related Posts:


Cybercriminals Target iOS Devices April 28, 2014 by Tanya Koyfman

Cyber Threats to a Bank – Part 1: Cybercriminals Target Financial Institutions November 27, 2014 by Tanya Koyfman

AnonGhost Targets Universities around the World December 4, 2014 by CyInfo

Cyber Criminals “TARGET” Point of Sale Devices  January 15, 2014 by assafkeren