Warware and Spear-Phishing: the Cyber-war and APTs Report

11/8/2011 Army Wants Ability to Fight in Cyberspace by 2020

2011-11-08T22:43:00.000-08:00

From National Defense mag, Nov. 8, 2011:

The Army wants to deploy a new arsenal of cyberwarfare weapons by 2020.

Lt. Gen. Rhett Hernandez, the commander of Army Cyber Command/Second Army, said the plan is to acquire both defensive and offensive capabilities -- including tools to conduct network damage assessments and ensure that there is no collateral harm done to nonmilitary entities.

Commanders in the field should have a "full range of cyberspace capabilities" at their hands including the ability to "seize, retain and exploit" enemy networks, he said Nov. 8 at the Milcom conference in Baltimore, Md.

The Army "seeks the same level of freedom to operate in cyberspace domain as we have in the land domain," he said. The command, which became operational in October 2010, is in its infancy.

<more - see article>

US-satellites hack: Chinese hackers suspected of interfering with US satellites

2011-10-29T02:43:00.000-07:00

Two US government satellites fell victim to cyber-attacks in 2007 and 2008, claims report highlighting control systems' vulnerability.

See article by Charles Arthur in Guardian, Oct 27, 2011. The article also mentions report from Oct. 2009 on China's ability to conduct cyberwar, prepared for the US-China Economic and Security Review Commission, and a forthcoming report by same commission which will discuss this satellites attack. The attack and (new) report are also discussed in a Business week article, also of Oct. 27.

2011-10-25T13:12:00.000-07:00

Nice prez by Richard Stiennon on Post Apocalyptic Cyber Realism. Richard lists several `apocalyptic scenarios` of the sort we have been warning years ago... and then gives examples showing such attacks `in the wild`. Few of the attacks he listed are not in my list, I should add them.

Oh, and I really should add the table I've done of many attacks. And maybe upload my draft-paper on the main Internet vulnerabilities and how we must fix them to reduce motivation and risk of cyberwar. But too busy now with several works about to be submitted (dnssec and dns security in general, TCP traffic analysis, DDoS, covert channel, more...), and making major improvements in my courses for the term beginning next Sunday... If you're really interested in any of these, ask me by email. Or wait, hope to post soon...

Claims of German Governmental Backdoor ("Case R2D2")

2011-10-19T06:59:00.000-07:00

From F-secure's `news from the lab', Oc. 8, 2011:

Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government.

The announcement was made public on ccc.de with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF (in German).

The malware in question is a Windows backdoor consisting of a DLL and a kernel driver.

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

We do not know who created this backdoor and what it was used for.

We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government.

DuQu: a new APT Malware (from StuxNet authors?)

2011-10-19T05:17:00.000-07:00

Symantec, McAfee and F-Secure released information about what appears to be a new WarWare (info-warfare level malware), which they named "DuQu" (since it creates many files beginning with ~DQ). This time, the attack may have been exposed already at an early stage.

DuQu is an advanced Trojan RAT (Remote Administration Tool) - like Gh0st RAT and BlackShades RAT, but apparently more advanced.

Few more reports on it: Pedro Bueno at ISC diary, Kim Zetter at Wired,

From Symantec's report:
Duqu shares a great deal of code with Stuxnet; however, the payload is completely different.
... Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility...
...
Two variants were recovered, ...based on file compile times, attacks using these variants may have been conducted as early as December 2010.

One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.

Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information.

.NYTimes reports: `U.S. Debated Cyberwarfare in Attack Plan on Libya`.

2011-10-19T04:51:00.000-07:00

Here is an interesting report of US supposedly considering using cyber-attack but then not doing it, among other reasons for concern of it being a precedent:

NYTimes reports: `U.S. Debated Cyberwarfare in Attack Plan on Libya`.
By ERIC SCHMITT and THOM SHANKER, Published: October 17, 2011

from the article: ....[The] exact techniques under consideration remain classified, the goal would have been to break through the firewalls of the Libyan government’s computer networks to sever military communications links and prevent the early-warning radars from gathering information and relaying it to missile batteries aiming at NATO warplanes.

But administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. They were also unable to resolve whether the president had the power to proceed with such an attack without informing Congress.

Virus infected US airforce drones

2011-10-09T07:04:00.000-07:00

From Wired: A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.
...
This is definitely malware (virus, to be specific). But... details are insufficient to be sure this really is part of an intentional APT attack against US airforce, or just a virus keylogger which accidently hit their machines. Propagation apparently by removable media (USB memory sticks?). So, not adding it to my list yet.

The Spear-Phishing Report

2011-10-01T03:05:00.000-07:00

Phishing means - to me - attacks on computer users, based on tricking them into believing they communicate with a trusted entity - when in fact they communicate with the attacker. Spear-phishing attacks are phishing attacks, which target specific victims (rather than random users); spear-phishing attackers would usually use personal and/or corporate related aspects, to make their forgery more convincing. Phishing, and esp. spear-phishing, is often used as the initial step in sophisticated attacks, e.g., Advanced Persistent Threats (APT).

While researching for an article I'm writing discussing major threats to Internet Security (Internet Security: Still Vulnerable After All These Years), I've looked for a list of major, interesting spear-phishing attacks, and didn't find. I'm sure such lists exist already, but for now, after spending more than reasonable imho searching for existing list, I've decided to simply make a list here, update it when new attacks are published, and refer to other lists when I learn of them.

I will also list here relevant/related papers, articles and resources, e.g., InfoWar Monitor. And of course see my papers, e.g.: in Esorics'11, IEEE Security and Privacy mag. (2012), ACM Tran. on Internet Technnology (2009). [I need to add the links] See also my homepage.

Note: I want this list to focus on spear-phishing and therefore will try not to list here other attacks, interesting as they may be (e.g., DigiNotar... and many others).

So, without further ado, here is a first cut at a list of important, interesting spear-phishing attacks. I will appreciate updates, corrections or other feedback/suggestions. For now, I'll simply write a list of attacks, ordered by time of report (better defined than time of occurrence). I'll try to maintain the entries organized to allow import into spreadsheet for processing.

When: Sept. 2007
Victims: Booz Allen Hamilton
Type: corporations (consulting, gov)
Reported: Businessweek, April 10 2008
Comments:

When: Dec. 2009
Victims: Google, Adobe and 32 others
Type: corporations (internet/technology, financial, media and chemical sectors)
Reported: Wired, January 12 and 14, 2010, also McAfee's report: Protecting Your Critical Assets: Lessons Learned from “Operation Aurora”.
Comments: zero-day IE exploit.

When: 2007
Victims: ExxonMobil, ConocoPhillips and Marathon Oil
Type: coporations (oil)
Reported: Christian science monitor, Jan. 25, 2010
Comments:

When: 2009-2010
Victim: multiple Email Service Providers (ESPs)
Type: corporations (internet, email)
Reported: Nov. 28, 2010 by Matt Blumberg (Return Path's CEO)
Comments: attack also continue later, see e.g. Epsilon Interactive (March 2011)

When: Nov. 2009- ? 2010
Victim: multiple
Type: corporations (global - oil, energy, and petrochemical)
Reported: McAfee report, Global Energy Cyberattacks: “Night Dragon”, version 1.4, Feb 10, 2011
Comments:

When: Jan. 2011
Victim: three dept. of Canadian govt', incl. Defence Research and Development Canada
Type: gov, defense
Reported: CBC news Feb 16th, 2011
Comments:

When: March 2011
Victims: RSA, Locheed-Martin
Type: security-vendor, defense
Reported: by RSA. Also, e.g., Wired, March 17 2011
Comments: exposed information related to secure-ID authentication devices; this was later used to break into Locheed-Martin. RSA replaced all devices.

When: Feb. 2011
Victim: Australian government, parliament, incl. PM office
Type: gov
Reported: Wired, March 29, 2011
Comments:

When: Nov. 2010
Victims: Condé Nast
Type: corporations (media)
Reported: Wired, April 4 2011
Comments: $8M

When: March 2011
Victims: Epsilon Interactive and via it 24 finanical corporations and 87 retailers
Type: corporations (internet, email, financial, retail)
Reported by: CAUCE article: Epsilon Interactive breach the Fukushima of the Email Industry, April 4 2011
Comments: see also CAUCE's list of breached companies and article in PCWorld

When: April 2011
Victims: Oak Ridge National Laboratory
Type: gov-sec-lab
Reported: Wired, April 20 2011
Comments: zero-day IE exploit

When: 2010-2011
Victims: US Government
Type: gov
Reported: Wired, June 1st, 2011
Comments:

When: May-June 2011
Victim: HBGary Federal
Type: small security-vendor
Reported: Parmy Olson, Forbes: Anonymous Takes Revenge On Security Firm, June 2nd, 2011.
Comments: resulted in resignation of CEO.

When: 1H 2011
Victim: International Monetary Fund (IMF)
Type: financial, gov
Reported: NYT, June 11 and Wired, June 13, 2011
Comments:

When: 2006-2011
Victim: more than 70 global companies, governments, and non-profit organizations
Type: gov, corporations, non-profit
Reported: Dmitri Alperovitch, McAfee report: Revealed: Operation Shady RAT, Aug. 2011, version 1.1.
Comments: I think this the worst so far.

When: 2011
Victim: Mitsubishi Heavy Industries
Type: corporation (defense)
Reported: Fahmida Y. Rashid, eWeek IT Security & Network Security News, Mitsubishi Heavy Network Most Likely Compromised by Spear-Phishing Attack, Sept. 21, 2011
Comments:

When: Sept. 2011
Victims: GoDaddy
Type: security-vendor
Reported by: Fahmida Y. Rashid, GoDaddy Attack Started With Spear-Phishing, in eWeek
IT Security & Network Security News, Sept. 23, 2011.