SenseCy 2015 Annual Cyber Threat Intelligence Report

Written and prepared by SenseCy’s Cyber Intelligence analysts.

SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.

The following is an excerpt from the report. To receive a copy, please send a request to: info@sensecy.com

Executive Summary

2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.

Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.

Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).

Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.

Insights

The following are several of our insights regarding activities in different cyber arenas this past year:

Islamic Hacktivism

During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.

Trade on Russian Underground Forums

The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.

Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.

Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.

Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.

Exploits and exploit kits on the Russian underground
Exploits and exploit kits on the Russian underground

The English-Language Underground

Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.

The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.

Sales of hacking tools in the English-language underground
Sales of hacking tools in the English-language underground

The Iranian Underground

With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.

One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.

Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.

That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.

Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum
Screenshot from the IDC-Team forum showing, among other things, the list of “Hottest Threads” and “Most Viewed Threads” on the forum

ISIS – Cyber-Jihad

On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.

2015 Activity Timeline: Allegedly ISIS-Affiliated Cyber-Attacks

What are the real ISIS capabilities in the cyber domain?

Any ISIS activities become a hot topic after destructive events organized by the Islamic State (IS) during 2015. The whole world is concerned about ISIS plans and afraid of another bloody attacks.

One of the most discussed topic is the Islamic State offensive capabilities in the cyber space. In 2015 various organizations were hit by a number of cyber-attacks allegedly launched by IS hackers. Nevertheless, some cyber security experts presume that a sophisticated group of Russian hackers stands behind the attacks against a French TV station in April 2015 and the hijacking of the CENTCOM Twitter account in January 2015. Anyway, let’s have a look at the timeline of cyber-attacks that are related to ISIS in 2015. Investigate the Infographic. We will appreciate your opinion regarding ISIS cyber capabilities.

Infographic_ISIS

During January 2016 we will publish our annual Cyber Threat Intelligence report, in which you could find fascinating information regarding ISIS cyber activities, recent developments in the Russian underground, technical analysis of self-developed malicious tools that we identified this year, new trends in Darknet platforms, and more.

Anonymous versus ISIS

Alongside the war being waged against ISIS in Iraq and Syria, there is another battle front against ISIS in cyber space. Anonymous has declared war against ISIS platforms, to destroy ISIS propaganda and influence throughout the web. Anonymous supporters and opponents of ISIS are using social networks to spread their message. The following is a short summary of Anonymous efforts to block ISIS ideology on Facebook, Twitter and YouTube:
On October 4, 2014, a cyber-campaign was launched against ISIS. 110 Facebook users joined the event page that was created to organize DDoS attacks against websites affiliated with ISIS.

Event Page against ISIS
Event Page against ISIS

However, a more potent campaign against ISIS and its supporters is running on Twitter and Facebook, under the hashtags #OpIceISIS and #No2ISIS. There is also a Twitter account named Operation Ice ISIS.

There is also another anti-ISIS campaign on Twitter calling for an ISIS Media Blackout. The most active Twitter account in this operation named Bomb Islamic State.

Some tweets say that supporting ISIS is like supporting Assad or even Israel.

It should be noted that we also found an anti-ISIS group on the Darknet. The founder of the group, that has 32 members, invited all who wishes to eradicate ISIS to join the group.

ISIS in Cyber Space

We tried to search for ISIS cyber forces, if there is such thing, and we found some evidence on Twitter indicating the existence of an Islamic State Electronic Brigades. These brigades also have a YouTube channel and chat room. Here you can see a screenshot of an image in Arabic announcing that ISIS Electronic Brigades hacked the Twitter account @SawaTblanc.

Furthermore, the trend to support ISIS among hackers from the Muslim world is becoming more popular by the day. On Facebook, you can find many hacker groups affiliated with ISIS, such as the Army of the Electronic Islamic State that has 146 members. This group tried to launch a cyber-campaign against Arab TV Channels on September 27, 2014. There is another Facebook group that gives hacking lessons to ISIS supporters. Moreover, a Twitter account named Lizard Squad claimed that he uploaded an ISIS flag to Sony servers.

It should be noted that there can sometimes be conflicts among Arab hacker groups affiliated with Anonymous that also support the ISIS agenda, such as Anonymous Official Arabe, who posted on its Facebook page that they would not hack ISIS websites, despite their Anonymous affiliation.In conclusion, our examples show that ISIS has a presence in cyber space but there is also high motivation to hack their platforms to delete their spreading influence.

Anonymous versus ISIS – Hacktivism against Cyber Jihad

For the past few weeks, members of Anonymous and supporters of ISIS have been battling each other over the social media networks.

First, several Twitter accounts were created under the hashtag #No2ISIS to protest against ISIS activity in Iraq. Then, on June 21, 2014, an Anonymous-affiliated group called TheAnonMessage uploaded a public press release via YouTube about a cyber-attack targeting countries that support ISIS, such as Saudi Arabia, Qatar and Turkey.

On July 1, 2014, the Twitter account @TheAnonMessenger tweeted that the #No2ISIS cyber operation would continue until Anonymous decided otherwise.

The pro-Islamic Hilf-ol-Fozoul Twitter account also accused ISIS of being a protégé of the U.S.

Contrastingly, several Muslim hackers that support ISIS responded to the Anonymous declarations by adding the hashtag #OpAnonymous to their tweets. To boot, a very active hacker nicknamed Kjfido tweeted this message to Anonymous members.

Kjfido presents himself as a cyber-jihadist and an official member of the ISIS Electronic Army.It should be mentioned that there is no evidence that the ISIS Electronic Army actually exists, although there is a Twitter account by the name @electonic_ISIS that tweets about ISIS activity and its agenda.