This report was prepared by The Institute for National Security Studies (INSS) and The Cyber Security Forum Initiative (CSFI) to create better cyber situational awareness (Cyber SA) of the nature and scope of threats and hazards to national security worldwide in the domains of cyberspace and open source intelligence. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities, and follow-up measures.
BlackShade arrests cause largest international cyber crackdown
The FBI charged more than 100 people worldwide for their alleged role in infecting over half a million computers in more than 100 countries with the BlackShade malware.
The arrests are being described as the largest international cyber crackdown by law enforcement to date. The BlackShade Remote Access Tool (RAT) targeted Microsoft Windows operating systems and let cybercriminals hijack a victim’s webcam and record them, intercept keystrokes, and steal personal information, among other abuses; victims were infected by being tricked into clicking links that installed the malware.
BlackShade has existed and has been sold via PayPal since 2010 to thousands of users, making it one of the most popular tools in the hacking community. “Blackshade was a tool created and marketed principally for buyers who wouldn’t know how to hack their way out of a paper bag,” Brian Krebs of Krebs on Security wrote.
That anyone with little hacking knowledge can now gain the ability to breach computers has become a concerning theme, as Preet Bharara, U.S. Attorney for the Southern District of New York, stated: “We now live in a world where, for just $40, a cybercriminal halfway across the globe can – with just a click of a mouse – unleash a RAT that can spread a computer plague not only on someone’s property, but also on their privacy and most personal spaces.”
The program has been connected to attacks on Syrian dissidents in 2010 and breaches against French organizations. However, even with the arrests made, it is very unlikely for BlackShade to disappear as the source code of BlackShade was released online in 2010, enabling different variants and tools to be sold in different forms in the cybercriminal community. Additionally, different versions of BlackShade still exist and are being sold by different vendors.
Five Chinese military officers indicted for cyber espionage activities
In the last few weeks, the U.S. Department of Justice indicted five Chinese military officers for cyber espionage activities dating back to 2006. The officers were members of the Chinese military hacking group known as PLA Unit 61398.
They hacked U.S. computers for economic espionage purposes by targeting nuclear, metal, and solar industries. According to FBI sources, the Chinese hackers used military and intelligence resources to pilfer large quantities of data about U.S. industries, including strategic plans from U.S. businesses.
The FBI managed to track hackers to a building based in Shanghai. The Chinese government denies this accusation; nevertheless, the U.S. claims to have secured proof the Chinese army did perform this specific cyber spying operation.
Chinese Foreign Ministry spokesman, Qin Gang, declared: “The United States fabricated facts in an indictment of five officers for so-called cyber theft by China, a move that seriously violates basic norms of international relations and damages Sino-U.S. cooperation and mutual trust. China has lodged a protest with the United States, urged the U.S. to correct the error immediately and withdraw its so-called prosecution.”
He also added, “China is a staunch defender of cyber security” and denied the Chinese government, military, and “associated personnel” have ever “engaged or participated in the theft of trade secrets through cyber means.” He called the U.S. accusations “purely fictitious, extremely absurd.” This affair is disturbing the diplomatic relations between the countries and will probably affect their economic exchanges.
Physical cyber infrastructure failure
While the Israeli government invests heavily in cyber security, the physical side of Israel’s cyber systems has been neglected. A recently published State Comptroller report noted that the “gov.il” systems are exposed to physical threats such as natural disasters (earthquakes, fires) as well as human attacks.
The computer and server systems, referred to as Government Infrastructure in the Internet Era, provide services to about 50,000 government employees and were designated a national critical infrastructure by the Shin Bet (Israel Security Agency) in 2011.
In an exercise conducted by the Shin Bet, an operative succeeded in penetrating the building and hiding a bomb-like device in the server room. “Gov.il” responded by claiming that all the deficiencies had been corrected.
Israeli insurance industry involved in cyber security
For the first time in Israel, the insurance and pension industry will take part in a wide-ranging exercise testing their organizations’ computer functioning capabilities during an emergency, “pc.co.il” reported. The exercise was intended to be part of the Department of Defence drill “Turning Point”; however, when the drill was cancelled due to budget difficulties, the Ministry of Finance decided to run the exercise itself.
The exercise will include 24 insurance companies and 150 pension funds, and will also test the institutions’ IT departments’ disaster response programs (DRP) and their ability to operate from alternative locations.
Russia involved in cyber spying operation in Belgium
According to Belgian news agency, Belga, Russia carried out cyber espionage operations attacking the Belgian Ministry of Foreign Affairs networks. The cyber-attack has apparently been in response to the events in Ukraine, Belga reported.
After the attack, emergency meetings were held with officials including the Belgian Prime Minister, Foreign Minister, Defense Minister, and Justice Minister. The Belgian Foreign Affairs Ministry confirmed the intrusion on Saturday, stressing that “the sent computer virus copied information and documents from our database, which were related to the Ukrainian crisis.”
The Wall Street Journal Twitter hacked by the SEA
The Wall Street Journal’s Twitter account is the latest of several major news organizations to be hacked by the Syrian Electronic Army (SEA). The SEA posted an offensive picture of security expert Ira Winkler, calling him a cockroach, in response to his remarks at the RSA security conference, where Winkler said the SEA is not capable of sophisticated cyber-attacks and that most of its hacking operations aim to create propaganda rather than cause actual harm.
Nevertheless, a new report by IntelCrawler explains that over time the SEA has moved away from high-profile phishing attacks and toward global espionage. Its targets reportedly include “C-level executives in technology and media companies, allied military procurement officers, United States defense contractors, and foreign attachés and embassies.”
By refining its methods, the SEA has gained additional access to networks, and many SEA breaches have gone unreported or unrecognized, making it difficult to establish the cause of each attack.
Iranian espionage through social media revealed
Iranian hackers have used social media to run a three-year cyber espionage campaign dubbed Newscaster, iSight Partners revealed. The campaign targeted some 2,000 military and political leaders in the United States, Israel, and other countries through fabricated social media profiles (Facebook, LinkedIn, Twitter, etc.) and a fake news website, NewsOnAir.org.
The hackers gained their targets’ trust by befriending them through the fake personas, eventually sending malware that stole email information. The motive behind the campaign is unclear; however, iSight Partners suggested it could be to support weapons systems development or to provide insight into US military actions and negotiations with Middle Eastern countries.
China and APAC
South Korea developing new cyber technologies in cooperation with U.S.
A few weeks ago, South Korea signed an agreement with the U.S. to develop new cyber defense technologies. According to the South Korean government, the goal of this joint development program is to develop an IT-based crisis management system.
This agreement was signed during the eighth Korea-U.S. Science and Technology meeting in Washington. South Korea is not the only country in Asia with which the U.S. has cyber security cooperation; Japan is also one of the biggest U.S. partners in the region.
Anonymous planning major cyber-attack on World Cup corporate sponsors
Anonymous announced that its next cyber operation will target corporate sponsors of this summer’s World Cup in Rio de Janeiro, Brazil, including Adidas, Emirates Airline, Coca-Cola, and Budweiser. The hacker operating under the alias Che Commodore explained that Anonymous refuses to stay quiet while the Brazilian government spends an extraordinary amount of money on the event while much of the country lives below the poverty line.
Already, the cyber hacktivists breached Brazil’s Foreign Ministry computer networks, leaked confidential emails, and posted over 300 documents online. The Foreign Ministry closed down their email systems and instructed all 3,000 users to change passwords as Brazilian Federal police continue to investigate.
The Foreign Ministry insisted no crucial information was leaked and that only 55 email accounts were hacked. Nevertheless, Che Commodore asserts: “We have already conducted late-night tests to see which of the sites are more vulnerable. We have a plan of attack.” It will be a testament to Brazil’s readiness and Anonymous’ capabilities to see if the group can breach major networks.
UK: A bilateral agreement with Israel on Cyber Defense
In London, the United Kingdom has signed a new bilateral agreement for joint research on cyber defense with Israel. This agreement is based on a 7 million NIS ($2 million) budget. The agreement includes the Israeli National Cyber Bureau and the Ministry of Science, Technology, and Space.
According to the Israeli Economics Ministry, the fund “will enable Israeli and British researchers to strengthen collaboration and conduct joint projects, which will place them at the forefront of global scientific research.”
Moreover, Dr. Eviatar Matania, head of the National Cyber Bureau, stated this cooperation would benefit the two countries. Today along with the U.S., Israel and the U.K. are the most advanced countries in terms of cyber defense. Indeed, the UK dedicated a significant budget to its cyber defense.
There are about 20 UK universities, including Oxford, London, York, Cardiff, Glasgow, and Liverpool, that offer cyber security degrees and run cyber research laboratories. Israel, for its part, is globally known for its cyber capabilities: the Israel Defense Forces train elite cyber security specialists, Israeli universities have built strong research programs in the field, and Israel is moving forward in creating the biggest cyber capital in the Middle East.
French Ministry of Defense establishing new data center
The French Ministry of Defense has inaugurated its new data center based in Rennes. This new data center is part of the information and communication systems modernization project of the French Department of Defense systems.
The new ultra-secure center will host multiple computer systems dedicated to its three armed services. Like the two other data centers France already operates, this new center is integrated into the French Ministry’s plan called “Cloud Defense.”
France has been modernizing its cyber defense since 2013. After inaugurating a new defense cyber security center in Paris, France appointed a cryptographer with a doctorate to head the French National Information Systems Security Agency (ANSSI). This appointment shows a real desire for change, professionalism, and modernization in the face of new international cyber threats.
Russian hackers cripple Ukraine’s network ahead of presidential vote
The Ukrainian Security Service reported that a ‘virus’ designed to delete the results of the presidential voting system had breached the systems of Ukraine’s Central Election Commission (CEC). Two days before the elections, the CyberBerkut hacker group broke into the CEC’s internal network and disabled its electronic information and analytical system.
A day before the elections, Valentin Nalivaychenko, head of the Security Service of Ukraine, claimed the virus had been removed. But CyberBerkut claimed responsibility, declaring on its website that the whole system did not work and that information was being exchanged between the center and the regions exclusively by employees over the phone and via e-mail.
On election day, Arsen Avakov, head of the Interior Ministry, confirmed the CEC electronic system was out of order, making the elections a mockery as well as illegitimate.
Since the beginning of the crisis in Ukraine there has been a significant spike in “callbacks” (transmissions from an already compromised computer to the attacker’s first-stage command-and-control (C2) server) from both Russia and Ukraine, Kenneth Geers of FireEye reported. The increase in malware activity can be attributed to a number of sources, including “lone hackers, ‘patriotic hackers,’ cyber criminals, Russian and Ukrainian government operations, and cyber operations initiated by other nations.”
However, Geers suggests the escalation in callbacks can likely be linked to the rising tensions between the two countries, and that “computer network operations are being used as one way to gain competitive advantage in the conflict.”
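As an added illustration of the "callbacks" the FireEye item describes (this is example code written for this digest, not FireEye's or any vendor's tooling): a short Python script that reads constructed outbound proxy log lines and flags host pairs whose connection timing is nearly periodic, which is the usual first signal defenders use when hunting for C2 beaconing. The log format, the hostnames and addresses, and the thresholds (minimum connection count, maximum coefficient of variation of the gaps) are all assumptions made for the example.

```python
"""Flag candidate C2 callbacks (periodic beacons) in outbound proxy logs.

Constructed sample data; the log format, field names and thresholds are
assumptions for this example and do not reflect any product's real format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.7 contacts one host every ~5 minutes with small, similar payloads
# (a beacon-like pattern); 10.0.0.5 shows irregular, browsing-like traffic.
SAMPLE_LOG = """\
2014-05-20T08:00:00 10.0.0.5 cdn.example.net 1200
2014-05-20T08:00:00 10.0.0.7 callback.example.invalid 312
2014-05-20T08:00:19 10.0.0.5 cdn.example.net 80
2014-05-20T08:04:58 10.0.0.7 callback.example.invalid 310
2014-05-20T08:07:41 10.0.0.5 news.example.org 5600
2014-05-20T08:10:03 10.0.0.7 callback.example.invalid 315
2014-05-20T08:15:01 10.0.0.7 callback.example.invalid 311
2014-05-20T08:16:22 10.0.0.5 cdn.example.net 2400
2014-05-20T08:16:25 10.0.0.5 cdn.example.net 90
2014-05-20T08:19:57 10.0.0.7 callback.example.invalid 309
2014-05-20T08:25:02 10.0.0.7 callback.example.invalid 314
2014-05-20T08:31:10 10.0.0.5 news.example.org 7300
2014-05-20T08:40:00 10.0.0.5 cdn.example.net 3100
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, dst_host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_cv=0.10):
    """Group connections by (src, dst) and flag pairs whose inter-connection
    gaps are nearly constant: coefficient of variation (stdev / mean) <= max_cv.

    Returns {(src, dst): {"count": n, "mean_interval_s": m, "cv": c}} for hits.
    A low CV with many connections is a beaconing indicator, not proof of C2;
    analysts still have to check the destination and the payload sizes.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call the timing periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue  # all connections at the same instant; not a beacon
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits[pair] = {
                "count": len(stamps),
                "mean_interval_s": round(mu, 1),
                "cv": round(cv, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} connections, "
              f"every ~{info['mean_interval_s']}s (cv={info['cv']})")
```

On the constructed data only the 10.0.0.7 pair is flagged (six connections about 300 seconds apart); the cdn.example.net traffic has enough connections but wildly varying gaps, so it passes the CV test. Real beacons add jitter and sleep intervals, so in practice the CV threshold and minimum count are tuned per environment and the result is a triage lead rather than a verdict.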
These materials, including copyrighted materials, are intended for “fair use” as permitted under Title 17, Section 107 of the United States Code (“The Copyright Law”). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: firstname.lastname@example.org.
CSFI and the INSS would like to thank the Cyber Intelligence Analysts who worked on collecting and summarizing this report.
- Locating ICS and SCADA Systems on .EDU Networks with SHODAN
- Privacy, National Security and Mass Surveillance: The Role of Crypto
- Cyber Counterintelligence: From Theory to Practice
- Defensive Cyberspace Operations and Intelligence
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock