- CyberWar -

Last update 30.08.2017 22:39:08




U.S. Takes Off the Gloves in Global Cyber Wars: Top Officials
22.9.2018 securityweek CyberWar

The United States is taking off the gloves in the growing, shadowy cyber war waged with China, Russia and other rivals, a top White House official said Thursday.

National Security Advisor John Bolton said the country's "first fully articulated cyber strategy in 15 years" was now in effect.

The new more aggressive posture follows a decision by President Donald Trump to revoke rules established by his predecessor Barack Obama to require high-level authority for any big military cyber operations.

"Our hands are not tied as they were in the Obama administration," Bolton said.

"For any nation that's taking cyber activity against the United States, they should expect… we will respond offensively, as well as defensively," Bolton said.

"Not every response to a cyber attack would be in the cyber world," he added.

Bolton referred to China, Iran, North Korea and Russia as major sources of threats, saying "Americans and our allies are under attack every day in cyberspace."

Hostile intrusions target everything from US infrastructure to government bureaucracies, businesses and elections, according to Bolton.

Among the most notorious incidents is the hacking, allegedly by Russian military agents, of Democrat figures' email accounts just before the 2016 elections, in which Republican Trump took a surprise win against the heavily favored Hillary Clinton.

- Multi-pronged offense -

On the defensive side, US efforts will include "network hardening" and improved cyber security, the Pentagon said.

But the new strategy of what the Pentagon called "countering, disrupting, degrading and deterring" attacks emphasizes much more than better firewalls.

US Treasury Secretary Steven Mnuchin said that the department "has used its cyber sanctions authorities to impose costs on Russia, North Korea, Iran and others for a wide range of behavior."

And Secretary of Homeland Security Kirstjen Nielsen said that the domestic security department would push "for electronic surveillance and computer crime laws to be updated to keep pace with the rapidly evolving environment."

"Transnational criminal groups are employing increasingly sophisticated digital tools and techniques," she said.

The State Department, meanwhile, focused on what it said would be increased efforts to build up internet security in allied countries "because of the interconnected nature of cyberspace."

"When our partners improve their cyber security practices, it ultimately makes other states, including the United States, safer and more resilient against cyber threats," the State Department said.


Talking UK Cyberwar With Sir David Omand
14.9.2018 securityweek CyberWar

Over the last few days, UK national press has run headlines such as "IT'S CYBER WAR! Prime Minister May vows to take on President Putin's novichok spy network" (Daily Mail); and "Novichok poisoning: Theresa May 'orders cyberwar' on Russia's spy network as she calls UN security meeting" (Evening Standard).

This presents a very simplistic view of Britain's attitude towards cyberwarfare; and implies a scale that almost certainly will not happen.

The background is the use of chemical weapons by the Russian GRU in the UK against Sergei Skripal, a former member of the GRU, and his daughter Yulia. Last week Alexander Petrov and Ruslan Boshirov -- believed to be aliases -- were accused of their attempted murder. Britain is not seeking extradition of the two suspects because of Russian constitutional restrictions on extraditing Russian citizens, but has issued an Interpol red notice for their arrest if they ever leave Russia. Nevertheless, it is widely felt that some form of retaliation is politically necessary -- and hence, ultimately -- the warnings on imminent cyberwar against Russia.

There may well be cyber retaliation by Britain's intelligence agencies against the GRU, but it will be limited in scope and probably unattributable -- and nothing that can be classified as cyberwar. This is because the UK does not separate cyberwar from kinetic war. In May 2018, UK attorney general Jeremy Wright QC MP outlined his interpretation of international law and cyber activity. It implies that a cyber attack that resulted in actual or threatened loss of life could legally elicit a kinetic military response.

Of necessity, the UK will ensure that any cyber retaliation falls short of cyberwar that could lead to loss of life because that would invite a legal kinetic response from Russia. For the UK, cyberwar and kinetic action are both aspects of one condition: warfare.

SecurityWeek talked to Professor Sir David Omand to get a better understanding of the UK viewpoint. Sir David is a former Director of GCHQ, and former Security and Intelligence Co-ordinator in the Cabinet Office. He is visiting professor at the Department of War Studies at King's College, London.

Sir David draws a distinction between the current conditions affecting the West and Russia (which he describes as 'hostile cyber activities in peacetime'), and actual armed conflict. "No serious armed conflict in the future will be without its offensive and defensive cyber components," he told SecurityWeek. "The former to support military operations by confusing and distracting enemy commanders, degrading command, control and communications, blinding key sensors and weapons, and interfering with supply chains. The latter is essential to ensure that the adversary does not similarly degrade our capabilities with his cyber means."

The military has to be prepared for armed conflict even if it is not current and hopefully never will be current. "Offensive cyber for MOD will involve careful preparation with GCHQ in peacetime, but there will be good arguments for not disclosing the cyber components until it is really necessary to support military operations. Defensive cyber on the other hand is a constant concern for MOD to ensure the security and integrity of all defense systems in peacetime so that an adversary cannot be in a position to take advantage should it come to armed conflict. All this is not 'cyber war'; it is what we must expect serious military operations in armed conflict conditions to be like in the 21st century."

The "good arguments for not disclosing the cyber components until it is really necessary to support military operations" explains the lack of any government support for Microsoft's proposed Cyber Geneva Convention, which requires international cyber disarmament.

The implication from Sir David is that the UK is prepared for cyberwar, but it is not yet happening. Rather, he continued, "I use the acronym CESSpit: Crime, Espionage, Sabotage and Subversion perverting Internet technology. Acquisitive Crime conducted through cyber means (including traditional crimes amplified and conducted at scale through the Internet) is rising. Espionage using digital methods as well as traditional ones is ubiquitous. These are risks that just have to be managed and defended against but cannot be eliminated." It is largely, but not entirely, conducted by non-aligned cyber criminals.

"Sabotage, using cyber-attacks to damage infrastructure or the integrity of information," he continued, "comes from hostile states, non-state groups, and hackers with a grievance. These are crimes that should result in legal sanctions of some kind (as the US has done with North Korean hackers over the Sony attack). Finally, we have Subversion, the attempt to undermine our democratic institutions, and our confidence in them, as we have seen with Russian attacks on the US, French and other elections and democratic processes. Traditionally subversion is conducted by a combination of intimidation, propaganda and dirty tricks. All three components can be delivered today by digital means, more easily than with the traditional methods of the Cold War."

It is how the UK is willing to respond to this CESSpit that defines the UK attitude towards cyberwar. The first priority is to be able to defend against such attacks. "We need to organize to defend ourselves robustly with passive and active defenses against crime, espionage, sabotage and subversion, bringing together the resources of government, the private sector and academia. That is a key task for the new UK National Cyber Security Centre, part of GCHQ."

The key question here is whether -- and if so, when -- active defense can tip over into active retaliation. "There is the risk," continued Sir David, "that a hostile state or group will miscalculate where our thresholds for response are, or will imagine that their sabotage or subversive activity can be conducted unattributively leaving us unable to respond. Or, as has happened with some cyber-attacks, the malware may infect far beyond the intended target with serious damage, or loss of life as the result."

While absolute attribution of cyber activity is almost impossible by pure cyber detection, western governments have the resources of national SigInt agencies -- the Five Eyes and allied nations such as France, Germany, the Netherlands, Sweden, Israel and more. With that attributive capability comes the sting in Sir David's comments.

"No potential adversary should imagine that in those circumstances a British government might not respond in kinetic terms. But the manner and timing of such a response must be for decision in the light of the circumstances with a full range of options, cyber and military open to the government. No potential adversary should be able to game our reaction in advance or imagine the UK or its NATO allies would only think of response to cyber-attacks as necessarily being confined to the cyber dimension alone."

These conditions explain the precarious nature of UK/Russia relations right now. There has been no loss of life directly attributed to Russia -- the Skripals both recovered. A third innocent victim of Novichok has died, but this has yet to be blamed directly on Russia. But the threat to life was certainly present -- which means that the UK attitude to international law gives it the right to retaliate both kinetically and by cyber.

It will wish to avoid an armed conflict with Russia -- leaving a cyber retaliation as the primary option. But even this has to be limited in scope so as not to give Russia the same legal option of retaliating kinetically.


Talking Global Cyberwar With Kaspersky Lab's Anton Shingarev
8.9.2018 securityweek CyberWar

Theory Suggests we Need to Come to the Very Brink of Cyberwar Before Humanity Backs Down and Finds a Solution

Security firms take a keen interest in the evolution of no-longer fanciful cyberwar -- they will be our first line of defense. Kaspersky Lab takes a particular interest, being both a defender and one of the first victims of this evolution. SecurityWeek spoke to Anton Shingarev, Kaspersky Lab's VP of public affairs.

First, we must understand where we currently stand. Discounting the rogue nations like North Korea and perhaps Iran (more on which later), there is no current cyberwar. There is intrusive surveillance and cyber espionage between potential adversaries -- but that has always been the case.

In May 1960 a U.S. high altitude spy plane was shot down by Russia while flying in Russian air space. That was very intrusive surveillance with a serious result -- but it did not lead to all-out kinetic warfare between the adversaries. The Cold War never became a Hot War (apart from what could be considered firefights in Korea and Vietnam) because of an intricate set of bi-lateral and international agreements.

We may have entered the early stages of a state of Cold Cyberwar, but Shingarev hopes and expects that the same type of bilateral and international cyber agreements will prevent a Hot Cyberwar developing and ultimately spilling into a full-scale kinetic war.

This won't prevent serious and damaging effects on the way. Just as the physical globe was balkanized into the major spheres of influence (the U.S. sphere, the Russian sphere, the so-called non-aligned group, and always on the outside, perhaps China), so too is the global internet being balkanized (and to a certain extent along similar geo-political lines).

Kaspersky Lab is a victim of this balkanization. Different regions are promoting local technology over global technology firms, and increasingly distrusting technologies they cannot control. At its worst, whole nations are firewalling themselves from the global internet -- such as China, Iran and North Korea. Even without such firewalls, individual nations place controls on foreign technologies.

Kaspersky Lab is an example. While not being prohibited from use by the people and commerce in general, it is increasingly excluded from western government agencies https://www.securityweek.com/trump-signs-bill-banning-kaspersky-products . There is no proof of wrongdoing, nor is any needed. It is simply a political effect of geo-political balkanization in an era of cold cyberwar. Nor is it one-sided. Other countries prohibit or limit foreign products, and many countries are demanding back doors into a range of communications products.

Right now, things seem to be getting worse. Across the globe, more than 30 countries have officially announced they have a military cyber-division, and verbal threats and counter threats are common. In May of this year, Air Marshal Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) made the case https://www.securityweek.com/uk-warns-aggressive-cyberattack-could-trigg... for pre-emptive cyber strikes without ruling out pre-emptive kinetic strikes. In the face of "continuous full spectrum competition and confrontation", he said the UK's response "should be to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities."

In the U.S., in August 2018, the Wall Street Journal reported that President Trump had reversed Obama-era rules on the deployment of cyber weapons -- effectively making it easier for the Pentagon to launch its own cyber-attacks. In October 2017, it was reported that the U.S. Cyber Command had launched a DDoS attack against North Korea's military spy agency, the Reconnaissance General Bureau (RGB).

But despite worsening global tensions, despite increasing balkanization and protectionism, despite Kaspersky Lab being an early victim of this Cold Cyberwar, Anton Shingarev remains hopeful that it can be contained and will not spill over into active kinetic warfare. He draws a parallel with the nuclear threat that came with the original Cold War.

Each side stockpiled nuclear weapons to threaten the other. "But once it was realized that use of these weapons would only guarantee mutual destruction, the world pulled back through bilateral and international agreements," he said. It hasn't rid the world of nuclear weapons, but they are now kept primarily as a deterrence, maintaining the threat of mutual destruction in order to keep the peace.

We haven't reached that stage in cyber yet. Nations are stockpiling cyber weapons in a threatening manner. There are no bilateral or international agreements (apart from existing international law) that will prevent a first or pre-emptive strike. We haven't yet reached the brink of mutual cyber destruction.

Shingarev has no confidence in current attempts to find an international solution. Microsoft has been to the forefront of these, first proposing international norms of behavior and then wrapping these into a call for a Cyber Geneva Convention. "Nothing has happened," said Shingarev -- and nothing is likely to happen. Microsoft is calling for international cyber disarmament, which is as likely as the decades-old calls for international nuclear disarmament.

Shingarev believes the way forward will come from bilateral agreements between the world's cyber superpowers, like the 1991 START (Strategic Arms Reduction Treaty) between the U.S. and Russia. Such agreements will be supported by mutual assistance treaties, like the UN and even NATO. These treaties will protect members from rogue countries who refuse to join a no cyber-strike agreement, or simply ignore it. In theory, it could mean that rogue states like North Korea and perhaps Iran would be punished by the rest of the world, while tiny nation states like Singapore would be protected from aggressors.

Such an approach has succeeded in preventing a nuclear war. Shingarev believes it could prevent an all-out cyberwar that could potentially spill into a kinetic war. But it is brinkmanship of the first order -- the theory suggests we need to come to the very brink of that cyberwar before humanity backs down and finds a solution.


Ukraine's SBU Security Service reportedly stopped VPNFilter attack at chlorine station
19.7.2018 securityaffairs CyberWar

Ukraine's SBU Security Service reportedly stopped a VPNFilter attack at a chlorine station; the malware infected the network equipment in the facility that supplies water treatment and sewage plants.
According to the Interfax-Ukraine media outlet, VPNFilter hit the LLC Aulska station in Auly (Dnipropetrovsk region). According to the experts, the malware aimed at disrupting operations at the chlorine station.

“Specialists of the cyber security service established minutes after [the incident] that the enterprise’s process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident,” the SBU said on its Facebook page on Wednesday.

VPNFilter is a multi-stage, modular strain of malware that has a wide range of capabilities for both cyber espionage and sabotage purposes.

According to the experts at Fortinet that analyzed the malware, VPNFilter operates in the following three stages:

Stage 1 implements a persistence mechanism and redundancy; it allows the malware to survive a reboot.
Stage 2 includes data exfiltration, command execution, file collection, and device management. A self-destruct module is present only in some versions.
Stage 3 includes multiple modules that perform different tasks. At the time, researchers had identified only three modules:
    A packet sniffer for traffic analysis and potential data exfiltration.
    The monitoring of MODBUS SCADA protocols.
    Communication with obfuscated addresses via TOR.

The main concern is the self-destruct mode, which could cause severe damage across all infected devices simultaneously, a feature that could potentially result in a widespread Internet outage over a targeted geographic region.

Technical analysis of the code revealed many similarities with another nation-state malware, BlackEnergy, which was specifically designed to target ICS-SCADA systems and attributed to Russian threat actors.

Another similarity is the geographic distribution of the infections: both BlackEnergy and VPNFilter infected a large number of devices in Ukraine.

According to the experts, many infected devices have been discovered in Ukraine, and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity; most infections were in Ukraine, and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware had infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

At the time of first discovery, the US Justice Department seized a domain used as part of the command and control infrastructure. Its press release explicitly referred to the Russian APT groups (APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group) as the operators behind the huge botnet:

“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”),” reads the press release published by the DoJ.

“The SBU said its agents together with a telecoms provider and workers of the station managed to prevent a potential man-made disaster, adding Russia special forces were behind cyber attacks with the same virus on the public and private sectors in May 2018.” concluded the Interfax-Ukraine.


F-35 Stealth Fighter Data Stolen in Australia Defence Hack
15.10.2017 securityweek CyberWar
Sensitive data about Australia's F-35 stealth fighter and P-8 surveillance aircraft programmes were stolen when a defence subcontractor was hacked using a tool widely used by Chinese cyber criminals, officials said Thursday.

The 50-person aerospace engineering firm was compromised in July last year but the national cyber security agency, the Australian Signals Directorate (ASD), only became aware of the breach in November, technology website ZDNet Australia reported.

Some 30GB of "sensitive data" subjected to restricted access under the US government's International Traffic in Arms Regulations rules were stolen, ASD's Mitchell Clarke told a security conference Wednesday according to ZDNet.

Clarke, who worked on the case and did not name the subcontractor, said information about the F-35, the US' latest generation of fighter jets, as well as the P8, an advanced submarine hunter and surveillance craft, were lifted.

Another document was a wireframe diagram of one of the Australian navy's new ships, where a viewer could "zoom in down to the captain's chair".

The hackers used a tool called "China Chopper" which according to security experts is widely used by Chinese actors, and had gained access via an internet-facing server, he said.

In other parts of the network, the subcontractor also used internet-facing services that still had their default passwords "admin" and "guest".

Those brought in to assess the attack nicknamed the hacker Alf after a character on the popular Australian soap "Home and Away", Clarke said. The three month period where they were unaware of the breach they dubbed "Alf's Mystery Happy Fun Time".

Defence Industry Minister Christopher Pyne told reporters in Adelaide "the information they have breached is commercial".

"It is not classified and it is not dangerous in terms of the military," he said.

Pyne added that Australia was increasingly a target for cyber criminals as it was undertaking a massive Aus$50 billion (US$39 billion) submarine project which he described as the world's largest.

The nation has also committed to buy 72 F-35A aircraft for Aus$17 billion.

He would not comment who might be behind the breach, only stating that the government was spending billions of dollars on cyber security.

Western governments have long accused hackers in China of plundering industrial, corporate and military secrets.

The revelations came just days after Assistant Minister for Cyber Security Dan Tehan said there were 47,000 cyber incidents in the last 12 months, a 15 percent jump from the previous year.

A key worry was 734 attacks that hit private sector national interest and critical infrastructure providers during the period, Tehan said.

Last year, the government's Cyber Security Centre revealed that foreign spies installed malicious software on the Bureau of Meteorology's system and stole an unknown number of documents.


Ukraine Police Warns of New NotPetya-Style Large Scale CyberAttack
14.10.2017 thehackernews CyberWar
Remember NotPetya?
The Ransomware that shut down thousands of businesses, organisations and banks in Ukraine as well as different parts of Europe in June this year.
Now, Ukrainian government authorities are once again warning citizens to brace themselves for the next wave of "large-scale" NotPetya-like cyber attacks.
According to a press release published Thursday by the Secret Service of Ukraine (SBU), the next major cyber attack could take place between October 13 and 17 when Ukraine celebrates Defender of Ukraine Day (in Ukrainian: День захисника України, Den' zakhysnyka Ukrayiny).
Authorities warn the cyber attack can once again be conducted through a malicious software update against state government institutions and private companies.
The attackers behind the NotPetya ransomware used the same tactic—compromising the update mechanism for a Ukrainian financial software provider called MeDoc and swapping in a dodgy update including the NotPetya computer virus.
The virus then knocked computers in Ukrainian government agencies and businesses offline before spreading rapidly via corporate networks of multinational companies with operations or suppliers in eastern Europe.

The country blamed Russia for the NotPetya attacks, while Russia denied any involvement.
Not just ransomware and wiper malware, Ukraine has previously been a victim of power grid attacks that knocked its residents out of electricity for hours on two different occasions.
The latest warning by the Ukrainian secret service told government and businesses to make sure their computers and networks were protected against any intrusion.
"SBU notifies about preparing for a new wave of large-scale attack against the state institutions and private companies. The basic aim—to violate normal operation of information systems, that may destabilize the situation in the country," the press release reads.
"The SBU experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017."
To protect themselves against the next large-scale cyber attack, the SBU advised businesses to follow some recommendations, which include:
    Updating signatures of virus protection software on the server and in the workstation computers.
    Conducting redundancy of information, which is processed on the computer equipment.
    Providing daily updating of system software, including Windows operating system of all versions.
Since supply chain attacks are not easy to detect and prevent, users are strongly advised to keep regular backups of their important files on a separate drive or storage that is only temporarily connected, for worst-case scenarios.
Most importantly, always keep a good antivirus on your system that can detect and block any malware intrusion before it can infect your device, and keep it up-to-date for latest infection-detection.


Security Service of Ukraine warns of a new wave of large-scale NotPetya-like attack
14.10.2017 securityaffairs CyberWar

The Security Service of Ukraine is warning its citizens of a new “large-scale” cyber attack similar to NotPetya that could take place between Oct 13 and 17.
In June the NotPetya ransomware compromised thousands of businesses and organizations worldwide, most of them in Ukraine.

Now, the Ukrainian authorities are warning their citizens of a new “large-scale” cyber attack similar to NotPetya.

The Ukrainian Secret Service, SBU, published a press release on Thursday, warning of an imminent massive cyber attack that could take place between October 13 and 17, when Ukraine celebrates Defender of Ukraine Day.
“SBU notifies about preparing of a new wave of large-scale attack against the state institutions and private companies. According to the secret service, big state and private companies are the aims of the offenders.” reads the SBU press release.

“The basic aim – to violate normal operation of information systems, that may destabilize the situation in the country. The SBU experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017.”

According to the authorities, a threat actor can launch a cyber attack by compromising the supply chain of software used by government entities. Once again, attackers can use a malicious software update to infect installations in the country. The attack scenario is the same one exploited by the NotPetya hackers when they compromised the update mechanism for the Ukrainian financial software provider called MeDoc.
The tainted MeDoc update allowed NotPetya to spread rapidly through Ukrainian government agencies and businesses; the operations of multinational companies were seriously affected.
The Ukrainian Secret Service blamed Russian nation-state hackers for the NotPetya attacks. Researchers who analyzed the ransomware discovered that the malicious code was wiper malware disguised as ransomware.
Back to the present, the security warning is urging organizations to improve their defense. The SBU provided a set of recommendations to follow to improve the resilience to cyber attacks:
To update signatures of virus protection software on the server and in the workstation computer;
To conduct redundancy of information, which is processed on the computer equipment;
To provide daily updating of system software, including OS Windows of all versions.


USS John S McCain incident, some experts speculate it was a cyber attack
23.8.2017 securityaffairs CyberWar

On Monday, the USS John S McCain collided with a Liberian-flagged tanker near Singapore; some experts speculate the incident was caused by a cyber attack.
The incident had serious consequences for US operations: the Chief of Naval Operations, Adm. John Richardson, ordered a pause, and at the same time the U.S. Navy started an investigation. The US military fears the incident might have been caused by a cyber attack.

This is the fourth accident involving U.S. Navy ships in the Pacific this year.

Adm. John Richardson (@CNORichardson), 10:04 PM - Aug 21, 2017:
"2 clarify Re: possibility of cyber intrusion or sabotage, no indications right now...but review will consider all possibilities"

Richardson explained that the investigation aims to exclude the “possibility of cyber intrusion or sabotage.”

According to an unnamed U.S. Navy official quoted by CNN, the USS John S McCain destroyer experienced “a steering failure” while it was sailing the Strait of Malacca. The problem was the root cause of the collision.

“The McCain suffered a steering failure as the warship was beginning its approach into the Strait of Malacca, causing it to collide with a commercial tanker, a Navy official told CNN.
The official said it was unclear why the crew couldn’t use the ship’s backup steering systems to maintain control.” reported the CNN.
“Earlier, another US Navy official told CNN there were indications the destroyer experienced a loss of steering right before the collision, but steering had been regained afterward.”
Admiral Swift said there is no sign of a cyber attack; according to The New York Times, the official confirmed that there were no signs of failure in the ship’s steering system or of a cyber attack.

Still, some experts, like former Navy information warfare specialist Jeff Stutzman, believe that the incident was not caused by human error.

“According to McClatchy, other recent incidents include one Jan. 31, in which a guided missile cruiser, the USS Antietam, ran aground off the coast of Japan, and another May 9, when the USS Lake Champlain was struck by a South Korean fishing vessel.” reported McClatchy.

“The USS Fitzgerald, a $1.5 billion vessel, collided with a container ship June 17, resulting in the deaths of seven sailors. The commanding officer and two other officers were formally removed from duties.” “I don’t have proof, but you have to wonder if there were electronic issues,” Stutzman told McClatchy.

“When you are going through the Strait of Malacca, you can’t tell me that a Navy destroyer doesn’t have a full navigation team going with full lookouts on every wing and extra people on radar.” He added, “There’s something more than just human error going on.”

According to professor Todd E. Humphreys, an expert on GPS, “Statistically, it looks very suspicious.”

Humphreys and his team conducted several studies focused on vulnerabilities in GPS and the way they could be exploited to hijack ships and UAVs. In 2013, he demonstrated that, using only a cheap apparatus composed of a small antenna, an electronic GPS “spoofer” built for $3,000 and a laptop, he was able to take total control of the sophisticated navigation system aboard a 210-foot super-yacht in the Mediterranean Sea.

GPS spoofing could have a serious effect on vessel navigation.

“In a little noticed June 22 incident, someone manipulated GPS signals in the eastern part of the Black Sea, leaving some 20 ships with little situational awareness. Shipboard navigation equipment, which appeared to be working properly, reported the location of the vessels 20 miles inland, near an airport.” reported McClatchy.

“That was the first known instance of GPS “spoofing,” or misdirection.”

“We saw it done in, I would say, a really unsubtle way, a really ham-fisted way. It was probably a signal that came from the Russian mainland.” said Humphreys.

The Navy, Humphreys said, does not use commercial GPS, and “there is no indication that faulty satellite communications were a culprit in the USS McCain accident.”

Even though some ships use the Automatic Identification System (AIS) to avoid collisions, there is a concrete risk that someone could hack the AIS.

According to Chinese authorities, the USS John S McCain incident was caused by the ineptitude of the US Navy.

“The latest incident occurred just two months after the USS Fitzgerald and a Philippine container ship collided in waters off Japan, killing seven US sailors.” states the China Daily.

“It may be hard for people to understand why US warships are unable to avoid other vessels since they are equipped with the world’s most sophisticated radar and electronic tracking systems, and aided by crew members on constant watch. But investigations into the cause of the USS Fitzgerald collision shed some light on the way US warships tend to sail without observing maritime traffic rules and the sloppiness of their crews.”

Itay Glick, who worked for an Israeli intelligence agency in a cyberwarfare unit and is the founder of cyber security firm Votiro, believes that the incident could be the result of a cyber attack.

“I don’t believe in coincidence,” Mr Glick told news.com.au.

“Both USS McCain and USS Fitzgerald were part of the 7th Fleet, there is a relationship between these two events and there may be a connection.”

Mr Glick believes foreign states like Russia and China may have the capability to launch an attack on the warships.

“China has capabilities, maybe they are trying things, it is possible,” he said.

He explained that attacks of this kind could be the result of GPS spoofing or a malware-based attack on the ship’s computer network.

“I don’t believe in coincidence. Both USS John S McCain and USS Fitzgerald were part of the 7th Fleet; there is a relationship between these two events, and there may be a connection,” he said.


US Warship Collisions Raise Cyberattack Fears

23.8.2017 securityweek CyberWar
A spate of incidents involving US warships in Asia, including a deadly collision this week off Singapore, has forced the navy to consider whether cyberattackers might be to blame.

While some experts believe that being able to engineer such a collision would be unlikely, given the security systems of the US Navy and the logistics of having two ships converge, others say putting the recent incidents down to human error and coincidence is an equally unsatisfactory explanation.

The USS John S. McCain collided with a tanker early Monday as the warship was on its way for a routine stop in the city-state, tearing a huge hole in the hull and leaving 10 sailors missing and five injured.

The Navy announced Tuesday that remains of some of the sailors were found by divers in flooded compartments on the ship.

The Chief of US Naval Operations Admiral John Richardson said on Monday he could not rule out some kind of outside interference or a cyberattack being behind the latest collision, but said he did not want to prejudge the inquiry. His broader remarks suggested a focus on "how we do business on the bridge".

"We're looking at every possibility," Richardson said, when asked about the possibility of a cyberattack, adding "as we did with Fitzgerald as well."

Just two months earlier in June, the USS Fitzgerald and a Philippine-flagged cargo ship smashed into each other off Japan, leaving seven sailors dead and leading to several officers being disciplined.

There were also two more, lesser-known incidents this year -- in January USS Antietam ran aground near its base in Japan and in May, USS Lake Champlain collided with a South Korean fishing vessel. Neither caused any injury.

Admiral Scott Swift, commander of the US Pacific Fleet, has refused to rule out sabotage in Monday's incident, saying all possibilities are being examined.

"We are not taking any consideration off the table," he told reporters in Singapore Tuesday, when asked about the possibility of a cyberattack in the latest incident.

- High tensions -

Analysts are divided on the issue, with some believing US Navy crews may simply be overstretched as they try to tackle myriad threats in the region, and pointing to the difficulties of sailing through waterways crowded with merchant shipping.

But others believe something more sinister may be going on.

Itay Glick, head of Israeli-based international cybersecurity firm Votiro, said the spate of incidents suggested that US Navy ships' GPS systems could have been tampered with by hackers, causing them to miscalculate their positions.

"I think that hackers could try to do this, and if they are state sponsored they might have the right resources to facilitate this kind of attack," he told AFP.

Glick, who says he used to work on cybersecurity for Israeli intelligence, said that China and North Korea would be the most likely culprits.

Tensions are running high between North Korea and Washington as Pyongyang makes strides in its weapons programme, conducting two successful intercontinental ballistic missile (ICBM) test launches in July.

Pyongyang has also been blamed for recent cyberattacks, including the 2014 hack of Sony Pictures and the theft of millions of dollars from the Bangladesh central bank.

The US has repeatedly accused China of carrying out cyberattacks on American companies, particularly to steal intellectual property. Beijing however says it is also the victim of such attacks.

- 'Spoofing' -

Glick pointed to a recent incident in June of apparent large-scale GPS interference in the Black Sea to illustrate that such disruptions are possible.

The interference -- known as "spoofing", which disrupts GPS signals so ships' instruments show inaccurate locations -- caused some 20 vessels to have their signals disrupted, according to reports.

Jeffery Stutzman, chief of intelligence operations for US-based cybersecurity firm Wapack Labs, told AFP he thought the possibility of a cyberattack being behind the latest incident was "entirely possible".

"I would be very doubtful that it was human error, four times in a row," he said, referring to the four recent incidents.

Still, other observers believe such a scenario to be unlikely.

Zachary Fryer-Biggs, from defence consultancy Jane's by IHS Markit, said that even if something went wrong with the GPS system of a ship, other safety mechanisms should stop it from crashing, such as having people on watch.

"The collision only occurs if several other safety mechanisms fail," he said.

Daniel Paul Goetz, from US-headquartered cybersecurity firm Lantium, added that causing a collision would be complicated, as it would involve knowing the exact location, speed and bearing of both ships involved.

Goetz, who says his background is in US military intelligence, also pointed to the level of technology used to protect the navy from such threats.

"The US military uses a GPS system that is highly secured, highly encrypted -- the chances that somebody could take over US military ship is very close to zero," he said.


Russian Oil Giant Rosneft Says Hit by 'Powerful' Cyberattack

27.6.2017 securityweek CyberWar
Russian oil giant Rosneft said Tuesday that its servers had suffered a "powerful" cyberattack, as the company is locked in a bitter court fight with the Russian conglomerate Sistema.

"A powerful hacking attack has been carried out against the company's servers," Rosneft said on Twitter, adding that it "hopes" the incident was "not connected to current legal proceedings".


Russian Gov is threatening to ban Telegram because it refused to comply with data protection laws
27.6.2017 securityaffairs CyberWar

Russia threatens to ban the Telegram instant messaging app because the company refused to be compliant with the country’s new data protection laws.
The Russian Government is threatening to ban the popular Telegram instant messaging app because the company refused to be compliant with the country’s new data protection laws.

Telegram has 6 million Russian users and in order to protect their privacy, the company refused to comply with the data protection laws.


The Russian Personal Data Law has been in force since September 1st, 2015; it requires foreign tech companies to store the personal data of Russian citizens within the country. The law was designed to protect Russian citizens from surveillance activities of foreign agencies such as the NSA.

Since January 1, the new Russian data protection laws have required foreign tech companies to store the past six months of Russians’ personal data, along with encryption keys, within the country. The companies are obliged to provide access to the retained data if requested by the authorities.

“There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram,” said Alexander Zharov, head of communications regulator Roskomnadzor (state communications watchdog).

“And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information.”

According to the FSB, the Russian intelligence agency, the terrorists who killed 15 people in Saint Petersburg in April were communicating through the Telegram encrypted messaging service.

Russian intelligence asked Telegram to share users’ chats and crypto keys on demand to allow government investigations into terrorists abusing the instant messaging app as a communication channel.

The use of the popular encrypted messaging app is widespread among militants of the terrorist organization in Russia and abroad; the use of Telegram has eclipsed the use of other social media platforms, including Twitter.

Social media platforms continue to ban content posted by members of ISIS in an attempt to block their propaganda online.

Twitter continues to close hundreds of thousands of accounts for violating the company’s policies on violent extremism. In August Twitter published a blog post that revealed it has shut down 360,000 terrorist-related accounts since last year.

The reason for the widespread use of Telegram is the lack of repressive measures by the company against ISIS activities on its application.

“[Telegram is] the app of choice for many Isis, pro-Isis and other jihadi and terrorist elements.” states a report published by the Middle East Media Research Institute (MEMRI).

A previous report published by the MEMRI JTTM, titled “Jihadis Shift To Using Secure Communication App Telegram’s Channels Service” published October 29, 2015, noted that numerous jihadis and jihadi organizations had opened their own channels on Telegram.

Back to the present, Telegram founder Pavel Durov confirmed that other intelligence agencies have also asked for a backdoor in the popular encrypted messaging app.

10 Jun
Yasha Levine ✔ @yashalevine
No backdoor needed. Enough bugs to go around. But there is a lot of backroom chatter between crypto app makers and their USG backers. https://twitter.com/durov/status/872891017418113024 …
Pavel Durov ✔ @durov
@yashalevine During our team's 1-week visit to the US last year we had two attempts to bribe our devs by US agencies + pressure on me from the FBI.
1:45 PM - 11 Jun 2017
Telegram wasn’t the only company targeted by Russian data protection laws; in November, LinkedIn was banned in the country for not complying with the laws.


Pro-ISIS group defaced US Government websites in 3 states
27.6.2017 securityaffairs CyberWar

Several government websites were hacked by a pro-ISIS group that is calling itself Team System DZ, including those of the Ohio Governor John Kasich.
Several government websites in Ohio and Maryland, including the one belonging to Ohio Governor John Kasich, had to be shut down Sunday after being defaced by pro-ISIS hackers. The hackers breached the websites and published messages supporting the Islamic State group.

The message posted on Kasich’s website also played an Islamic call to prayer.

The Kasich website (www.governor.ohio.gov) was taken offline on Sunday; it is now up and running again.


The hackers belong to a group calling itself Team System DZ; the group targeted the websites in retaliation for the policies of US President Donald Trump.

“You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries,” “I Love Islamic state.” states the message posted by the group.

The hackers wrote the message in gold lettering on a black background.

The hackers also published the basic statement of the Islamic faith written in Arabic:

“there is no god but Allah and Muhammad is the prophet of Allah.”

Tom Hoyt, a spokesman for the Ohio Department of Administrative Services, said all affected servers were “taken offline” and law enforcement is investigating the cyberattacks.

“We also are working with law enforcement to better understand what happened,” Hoyt said.

Hackers also targeted a website for Howard County, Maryland.

“There was no breach of data and no personal information was compromised,” according to a statement from Howard County Executive Allan H. Kittleman. “Howard County government is working with law enforcement agencies and an investigation is underway. We apologize for any inconvenience.”

“Government websites in Ohio, Maryland and New York have been hacked with what appears to be pro-ISIS propaganda,” reported CNN.

“On Sunday, visitors to governor.ohio.gov were greeted with a black background and an Arabic symbol while an Islamic call to prayer played in the background.”
The official website for the Town of Brookhaven, New York, was also hacked, and the hackers published the same messages that appeared on the other websites targeted by the pro-ISIS group.
Some of the websites were still down at the time I was writing.


Govt Websites in Ohio, Maryland Hacked With Pro-IS Messages

26.6.2017 securityweek  CyberWar
Several government websites in the US states of Ohio and Maryland had to be shut down Sunday after being hacked to display messages supporting the Islamic State group.

Among the affected websites was one belonging to Ohio Governor John Kasich.

Posted on the websites was a message from a group calling itself Team System DZ, vowing revenge against US President Donald Trump.

"You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries," it read, adding: "I Love Islamic state."

The messages were written in gold lettering against a black backdrop.

The hacked websites also displayed the Muslim profession of faith written in white lettering in Arabic, proclaiming that "there is no god but Allah and Muhammad is the prophet of Allah."

The message posted on Kasich's website also played an Islamic call to prayer.

A website for Howard County, Maryland, several miles outside Washington DC, was also affected.

Some of the websites remained out of service early Monday, while Kasich's www.governor.ohio.gov site was back up and running after being taken offline Sunday.


Al-Jazeera claims to be facing a large-scale cyber attack due to Qatar crisis
9.6.2017 securityaffairs CyberWar
Al-Jazeera claims to be the victim of a large-scale cyber attack as Qatar crisis continues. The attack comes after the hack of the state news service.
The Qatar-based broadcaster Al-Jazeera announced all its systems were under a large-scale cyber attack. The news was spread in a statement released on social media by the broadcaster.

Media reported that some viewers in the region were not able to receive the signal of the Al-Jazeera television.

Al Jazeera English ✔ @AJEnglish
BREAKING: Al Jazeera Media Network under cyber attack on all systems, websites & social media platforms. More soon: http://aljazeera.com
6:43 PM - 8 Jun 2017
According to a source at Al-Jazeera, the broadcaster was attempting to mitigate the hack.

“An attempt has been made, and we are trying to battle it,” said the source.

The cyber attack comes as a crisis brews in the Gulf area following the recent hack of Qatar’s state-run news agency. The Qatar hack is sparking diplomatic tensions in the Gulf: Saudi Arabia, the United Arab Emirates, Egypt and Bahrain cut ties with the country.


The states accuse Qatar of financing extremist groups and of having ties to Iran, Saudi Arabia’s regional opponent.

Qatar asked the FBI for help, and the agency is investigating the hack; US intelligence believes Russian hackers were involved in the cyber attacks and disinformation campaign against the state.


Experts, Microsoft Push for Global NGO to Expose Hackers

9.6.2017 securityweek CyberWar
As cyberattacks sow ever greater chaos worldwide, IT titan Microsoft and independent experts are pushing for a new global NGO tasked with the tricky job of unmasking the hackers behind them.

Dubbed the "Global Cyber Attribution Consortium", according to a recent report by the Rand Corporation think-tank, the NGO would probe major cyberattacks and publish, when possible, the identities of their perpetrators, whether they be criminals, global hacker networks or states.

"This is something that we don't have today: a trusted international organization for cyber-attribution," Paul Nicholas, director of Microsoft's Global Security Strategy, told NATO's Cycon cybersecurity conference in Tallinn last week.

With state and private companies having "skills and technologies scattered around the globe" Nicholas admits it becomes "really difficult when you have certain types of complex international offensives occurring."

"The main actors look at each other and they sort of know who they think it was, but nobody wants to make an affirmation."

Microsoft already floated the idea of an anti-hacking NGO in a June 2016 report that urged the adoption of international standards on cybersecurity.

The report by Rand commissioned by Microsoft called "Stateless Attribution - Toward international accountability in Cyberspace" analyzes a string of major cyberattacks.

They include offensives on Ukraine's electricity grid, the Stuxnet virus that ravaged an Iranian nuclear facility, the theft of tens of millions of confidential files from the US Office of Personnel Management (OPM) or the notorious WannaCry ransomware virus.

- Duping investigators -

"In the absence of credible institutional mechanisms to contain hazards in cyberspace, there are risks that an incident could threaten international peace and the global economy," the report's authors conclude.

They recommend the creation of an NGO bringing together independent experts and computer scientists that specifically excludes state actors, who could be bound by policy or politics to conceal their methods and sources.

Rand experts suggest funding for the consortium could come from international philanthropic organisations, institutions like the United Nations, or major computer or telecommunications firms.

Pinning down the identity of hackers in cyberspace can be next to impossible, according to experts who attended Cycon.

"There are ways to refurbish an attack in a way that 98 percent of the digital traces point to someone else," Sandro Gaycken, founder and director of the Digital Society Institute at ESMT Berlin, told AFP in Tallinn.

"There is a strong interest from criminals to look like nation-states, a strong interest from nation-states to look like criminals," he said.

"It's quite easy to make your attack look like it comes from North Korea."

According to experts at Cycon, hackers need only include three lines of code in Cyrillic script in a virus in order to make investigators wrongly believe it came from Russian hackers.

Similarly, launching attacks during working hours in China raises suspicions about Chinese involvement.

Hackers can also cover their tracks by copying and pasting bits and pieces of well known Trojan viruses, something that points the finger at their original authors.


Qatar's Al-Jazeera Says Battling Cyber Attack

9.6.2017 securityweek  CyberWar
Qatar-based broadcaster Al-Jazeera said Thursday that it was under a widescale cyber attack which had targeted "all systems", according to a statement released on social media by the broadcaster.

"Al Jazeera Media Network under cyber attack on all systems, websites & social media platforms," it said on Twitter.

The attack was also confirmed by a source at Al-Jazeera, who said the broadcaster was attempting to repel the hack.

"An attempt has been made, and we are trying to battle it," said the source.

Following the initial reports of a cyber attack, some viewers in the region said they could no longer receive Al-Jazeera television.

Al-Jazeera, one of the largest news organisations in the world, has long been a source of conflict between Qatar and its neighbours, who accuse the broadcaster of bias and fomenting trouble in the region.

The alleged cyber attack comes during a time of heightened tensions in the Gulf, which has seen Saudi Arabia, the United Arab Emirates, Egypt, Bahrain and other allies cut ties with Qatar.

They severed relations over what they said is Doha's alleged financing of extremist groups and its ties to Iran, Saudi Arabia's regional arch-rival.

Long-running tensions broke out into the open last month after Qatar claimed its state news site was hacked by unknown parties who posted "false" statements attributed to the emir in which he speaks favorably of Iran and the Palestinian Islamist group Hamas.

The remarks were widely reported as true across the region.

Earlier this month, Qatar said the FBI was helping it investigate the source of the alleged hacking.

Subsequently there was a media report suggesting that Qatar had been targeted by Russian hackers -- a claim dismissed by Moscow.


A new report warns UK’s Trident submarines ‘vulnerable to catastrophic hack’
5.6.2017 securityaffairs CyberWar
According to a report published by the London-based think tank Basic, the UK Trident submarines are vulnerable to cyber-attacks.
According to a report published by the London-based think tank British American Security Information Council (Basic), the UK Trident submarine fleet is vulnerable to cyber-attacks.
According to the report “Hacking UK Trident, A Growing Threat,” a cyber attack against a submarine could have ‘catastrophic’ consequences, including loss of life.

“A successful attack could neutralise operations, lead to loss of life, defeat or perhaps even the catastrophic exchange of nuclear warheads (directly or indirectly).” reads the report. “But the very possibility of cyber-attack and the growing capability to launch them against SSBNs, could have a severe impact upon the confidence of maintaining an assured second-strike capability and therefore on strategic stability between states”

Military officials consider Trident submarines safe from hacking because they leverage air-gapped networks, but authors of the report expressed skepticism.

The researchers believe that vessels are not vulnerable to cyber attacks during normal operations while at sea, but they could be targeted with a malware-based attack at other points, such as during maintenance while docked at a naval base.

Trident submarines use the same Windows software deployed on the NHS systems that were recently hit by the WannaCry attack.

The UK defence secretary Des Browne confirmed that large-scale attacks of this kind could have unpredictable effects.
“The WannaCry worm attack earlier this month affecting 300,000 computers worldwide, including vital NHS services, was just a taste of what is possible when cyber-weapons are stolen.” said Des Browne.

“To imagine that critical digital systems at the heart of nuclear weapon systems are somehow immune or can be confidently protected by dedicated teams of network managers is to be irresponsibly complacent.”

The report details the attack vectors that could be exploited to destroy or endanger operations, but it highlights that it takes sophisticated, well-resourced and sustained cyberattacks to trigger the vulnerabilities in remote submarine subsystems.

“These attacks are beyond the scope of all but the most well-resourced and extensive non-state groups. Essentially, the principal threat comes from other states’ cyber operations alongside extensive and highly sophisticated intelligence activities.” states the report.

The authors of the study estimate that the capital costs for the UK government to improve cybersecurity for the Trident submarines would run to several billions of pounds over the next 15 years.


'Tallinn Manual 2.0' - the Rulebook for Cyberwar

3.6.2017 securityweek  CyberWar

Tallinn - With ransomware like "WannaCry" sowing chaos worldwide and global powers accusing rivals of using cyberattacks to interfere in domestic politics, the latest edition of the world's only book laying down the law in cyberspace could not be more timely.

The Tallinn Manual 2.0 is a unique collection of law on cyber-conflict, says Professor Michael Schmitt from the UK's University of Exeter, who led work on the tome.


Published by Cambridge University Press and first compiled by a team of 19 experts in 2013, the latest updated edition aims to pin down the rules that governments should follow when doing battle in virtual reality.

The manual was among the hot topics this week as over 500 IT security experts from across the globe gathered at NATO's Cycon cyber security conference in Tallinn.

Launched in 2009, the annual event is organised by NATO's Cooperative Cyber Defence Centre of Excellence based in the Estonian capital.

In 2007, Estonia was among the first countries to suffer a massive cyber attack, with authorities in Tallinn blaming the Baltic state's Soviet-era master Russia.

"The very next year, in the war between Russia and Georgia, again we saw a lot of cyber activity," said Schmitt, speaking to AFP at Cycon. Estonia was targeted just three years after it joined NATO and the EU in 2004.

The attack raised a slew of serious questions about how to apply and enforce NATO's Article 5 collective defence guarantee in cyberspace, said Schmitt, who also chairs the Stockton Center for the Study of International Law at the United States Naval War College.

He said that NATO allies faced an unprecedented dilemma: did the attack "mean that NATO states had to somehow come to the rescue of Estonia or not?"

Was it "an attack on the civilian population, a violation of international humanitarian law or not? No one had the answers," he added.

"Because of that (attack) the international community started looking at cyber, going: 'Oh my God, I can't answer any question!' That's why this manual was started."

- 'Digital wild west' -

Schmitt says his team's work is intended to tame the "digital wild west" that emerged with the advent of cyberspace.

But the virtually limitless range of possibilities in cyber-conflict raises a long laundry list of legal questions and dilemmas and the Tallinn Manual certainly cannot answer them all.

The legal experts, mostly professors of international law, filled its 642 pages with existing jurisprudence applying to cyberspace from across the globe, and did not shy away from laying out conflicting views on certain issues.

For example: should cyber-espionage be subject to the same laws as conventional spying? Can a state obtain the online IDs and passwords of prisoners of war and use them?

Does a cyberattack trigger a legitimate right to self-defence? Can you retaliate? What kind of status do victims have? What can you do when there is no evidence to prove guilt when attackers can easily cover their tracks?

"This book is intended to be a secondary source of law: it explains the law, but it doesn't create it. States make law," Schmitt told AFP.

"My goal is that this books sits on the desk of every legal advisor for defence and foreign ministers, the intelligence services, so that legal advisors can sit with policy makers and say: in this situation, we can do this, or the law is not clear, you need to make a political decision here.

"But at least the discussion is mature. It's not 'oh my God, what's happening to us?'."


The Israeli Government announces it thwarted a major cyberattack
27.4.2017 securityaffairs CyberWar

The Israeli Government announces it thwarted a major cyberattack against 120 targets just days after harsh criticism of new cyber defense bill.
According to haaretz.com, the Israeli Government revealed it repelled a major cyberattack aimed at 120 targets.

The unusual announcement was made by the Prime Minister’s Office (PMO) on Wednesday. Israel suspects the involvement of a foreign state behind the major cyberattack that hit the country in recent days.

“The notice from the PMO comes only two days after the heads of the Shin Bet security service, the Mossad and the IDF’s deputy chief of staff, along with other senior defense officials, wrote a letter to Prime Minister Benjamin Netanyahu, warning that the numerous powers given to the Cyber Defense Authority could hamper the ability to thwart cyber attacks on Israel.” states Haaretz.

The defense officials asked the Prime Minister to halt the legislation of the bill and to review it in order to propose a new version.

“The draft bill seeks to grant extensive powers to the Cyber Authority, whose purpose has not been clearly defined, and it could seriously harm the core security activity of the security community in the cyber field,” said the letter signed by Shin Bet security service head Nadav Argaman, Mossad chief Yossi Cohen, Deputy Chief of General Staff Maj. Gen. Yair Golan (who is responsible for cyber defense issues in the army) and Defense Ministry Director General Udi Adam.


The Israeli Cyber Defense Authority was responsible for defending the country's networks against the attacks; it recently warned the Government of a massive planned cyber attack on Israel.

According to the Cyber Defense Authority, hackers impersonated a legitimate unnamed organization in a spear phishing campaign.

The phishing messages were crafted to appear as if sent from the servers of an academic institution and a private company. The phishing emails reached 120 Israeli institutions, government offices, and individuals. The attackers used weaponized documents that tried to exploit a vulnerability in Microsoft Word.

In response to the cyber attack, the Cyber Defense Authority issued directives for all Israeli citizens, businesses, and institutions, instructing them on how to neutralize the attack and reduce their exposure to cyber threats.

The criticized bill aims to regulate the activity of the Cyber Defense Authority. According to Buky Carmeli, the head of the Authority, the law is about issuing protection guidelines to thousands of companies, organizations, and public agencies.

Carmeli says the diffusion of guidelines is crucial to protect the country from cyber attacks as well as to establish regulations for cybersecurity and emergency management.


The Stuxnet vulnerability is still one of the most exploited flaws in the wild by hackers
21.4.2017 securityaffairs CyberWar

A new report published by Kaspersky confirms that Stuxnet exploits targeting a Windows Shell vulnerability are still widely used by threat actors.
The case I am going to present demonstrates the importance of patch management and shows the effects of the militarization of cyberspace.

Unpatched software is an easy target for hackers, who can exploit old vulnerabilities to compromise the systems running it. Consider, for example, the exploit code used in the notorious Stuxnet cyber weapon that hit the centrifuges at the Iranian nuclear plant at Natanz.
The flaw exploited by the Stuxnet worm was first patched by Microsoft in 2010, but threat actors in the wild continue to exploit it in a huge number of cyber attacks.

According to Kaspersky Lab, the flaw used by Stuxnet to target Windows machines, tracked as CVE-2010-2568, has been weaponized to remotely execute code on unpatched Windows computers.

The dangerous trend continues. In August 2014, experts from Kaspersky revealed that between November 2013 and June 2014 the Windows Shell vulnerability (CVE-2010-2568) exploited by Stuxnet was detected 50 million times, targeting nearly 19 million machines all over the world.

In 2015 and in 2016, roughly one in four Kaspersky users was targeted by exploit code leveraging CVE-2010-2568.

“To take just one example, when we looked at our most recent threat statistics we found that exploits to CVE-2010-2568 (used in the notorious Stuxnet campaign) still rank first in terms of the number of users attacked. Almost a quarter of all users who encountered any exploit threat in 2016 were attacked with exploits to this vulnerability.” states a report published by Kaspersky.


Of course, the CVE-2010-2568 vulnerability only affects very old operating systems, including Windows XP and Windows Server 2008, and unpatched versions of Windows 7.

Attackers mostly used the Stuxnet exploit code to create malware that can “self-replicate” over a targeted network.

In conclusion, the militarization of cyberspace has serious consequences for Internet users, even if the malware was spread many years ago.

I suggest reading the research published by Kaspersky, which provides interesting data on the most exploited vulnerabilities and the threat actors leveraging them.


Moving threat landscape: The reality beyond the cyberwarfare
18.4.2017 securityaffairs CyberWar

It started quietly as a probability, not a reality. Now, within months, cyberwarfare has become a reality as plausible as the air we breathe.
The revelation of government hacking units has brought to light a new domain of conflict: cyberwarfare. Once secret, government units such as the Equation Group and Tailored Access Operations (TAO) have been publicly revealed.

The same tools that feature in debates about digital privacy are operating as you read this, in some digital battle over the internet. This is only the tip of the iceberg, and with every new disclosure we realize that every technology is a risk.


Beyond the inevitable costs for the global economy, the risks for human life are as certain as the damage of physical weapons. One simple program can turn a surveillance camera, a cellphone, a television, or anything else into a weapon in a network of connected devices that can bring down critical infrastructure services on a massive scale.

Nowadays the development of new cryptologic technologies, the implementation of information security frameworks, and awareness are the only guarantee humanity has to protect itself. If we consider the impact of a massive attack on critical infrastructure, we must also consider that every single service will stop and no one will be able to call for help.

More disturbing than the impact of such attacks is the reality that they are already taking place.

The news that North Korea failed to launch a missile because of a US Cyber Command attack brings a new level to the threat landscape and theater of operations for information security. Today the human domain is a target of these cyber operations, and apparently every aspect of society, such as hospitals or even the power grid, can suffer damage.

Today we see a completely new market of jobs and opportunities emerging alongside these threats, to protect us from rogue nation-state actors. Corporations and partners need to unite with law enforcement agencies to develop new tools and raise awareness among average citizens. A new cyber security framework for pre-emptive readiness has to be taken into account as the first priority of every democratic country connected to the internet.

The US sabotage of the North Korean missile is not the only news about cyberwarfare. The Mirai botnet and the dangers of IoT are another example of this ongoing threat, one that can materialize in the blink of an eye, at the click of a button. As technologies evolve, we must also evolve the countermeasures to contain those threats. The possibility of state actors interfering in democratic republics shows the impact on civil society, which can damage a whole nation and the world, as seen in the news of Russian interference in Europe.

We are on the verge of a drastic change in awareness and preparedness in the cyber domain, and we must prepare ourselves for this new reality as it reaches out and affects everyone, everywhere. With the development of new information security technologies, job creation can be a reality that emerges from the chaos of destruction launched upon us as menaces from these rogue states.

The legacy of computer science has been to bring out humanity's best and worst in history. From today, we must change that reality by advancing the importance of security and the development of new technologies to withstand such menaces at no cost in human lives.

Sources:

http://www.bbc.com/news/business-39625468

http://www.telegraph.co.uk/news/2017/04/06/left-of-launch-attacks-may-bringing-north-korean-missiles/

http://www.csoonline.com/article/3190447/security/iot-malware-clashes-in-a-botnet-territory-battle.html#tk.rss_news

http://ndupress.ndu.edu/Media/News/Article/1130649/information-warfare-in-an-information-age/

http://www.defenseone.com/threats/2017/04/chinas-information-warriors-grow-more-disciplined-effective-us-cyber-leaders/136732/

http://cimsec.org/threat-defense-control-cyber-warfare/32106

http://www.bbc.com/news/world-europe-39401637

http://www.matthewaid.com/post/159634985471/north-korea-more-likely-to-launch-cyberattack-than


The failure of the missile launch by North Korea may have been caused by US cyber attack
17.4.2017 securityaffairs CyberWar

The missile launch by North Korea may have been thwarted by a cyber attack conducted by the US Cyber Command.
The crisis between the US and North Korea is escalating; Donald Trump warns his military may ‘have no choice’ but to strike the rogue state.

According to The Sun, US cyber soldiers may have hacked the control system of the rocket, causing the failure of the launch.
The nuclear test ballistic missile exploded within five seconds of the launch; according to the newspaper, the US agents used stealth malware that caused a massive malfunction.

The launch took place near the port city of Sinpo. Kim Jong-un ordered it in defiance of President Trump sending a naval task force to the region.

The US naval force in the area, led by the aircraft carrier USS Carl Vinson, is equipped with rockets capable of intercepting missiles, but they were not deployed.

It was a medium-range ballistic rocket, likely a Nodong. The experts highlighted that North Korea is forced to import the high-tech electronics used in its missiles, so it is likely that US hackers compromised the supply chain by implanting undetectable malware.

According to some experts, North Korea is vulnerable to cyber attacks because its scientists have to import electronic hardware.

The experts believe that US cyber units may have detected the launch and sent the instructions to the malware via satellite from the US National Security Agency headquarters in Maryland.


Fantasy or reality?

Such an attack requires a huge effort in terms of HUMINT and technical activities, but it is perfectly feasible.

“It is perfectly feasible the US brought down this missile.” said Defence analyst Paul Beaver.

“Their cyber warfare capabilities are now highly advanced.

“As soon as military satellites watching Sinpo detected an imminent launch, a team at the National Security Agency would have got to work.”

“It’s possible for them to have sent a signal directly to the missile from Maryland which effectively zapped it out of the sky.”

“North Korea has had a string of launch failures and it may be no coincidence that they have happened as the US went to cyber war.”

President Trump did not comment on Kim’s missile failure.

Analysts believe that Kim will punish military commanders involved in the failed operation.

Kim has a history of punishing failure with terrible retribution, including executing his own officials with anti-aircraft guns.

Looking at North Korea’s military programme, we can see a long series of technical failures; part of the intelligence community attributes the incident to cyber attacks conducted by the US Cyber Command.

Other ballistic tests have failed in recent weeks: medium-range North Korean rockets crashed and exploded.

“Last year a Musudan missile fired to mark the anniversary of the birth of Kim’s grandfather Kim Il-sung blew up so soon after take-off it wrecked its launcher.” reported The Sun.

“In November 2015 an attempt to launch a ballistic missile from a submarine ended in failure when the weapon disintegrated underwater.”

“There are many things that can go wrong but it would be impossible to tell from outside if something had affected the internal guidance or control systems.” said Defence analyst Lance Gatling.

“It has been openly mentioned that there is a possibility that the North’s supply chain for components has been deliberately infected, and they might never know.”