Entering The Peripheries Of Cyber War

By Tech Channel MEA
While the high point of the November Sony hack was characterised by announcement of cyber sanctions against North Korea, the social media infiltration of Syrian opposition devices in 2013, directly gave the Syrian army an upper hand in the battle field across 2014.
In some ways the saga of the Sony Pictures Entertainment hack, first coming into the public eye in November 2014, and the just released FireEye report of a threat group compromising the devices of the Syrian opposition army across the second half of 2013, are a breed apart in terms of covertness. Yet both of these attacks can be classified as near acts of cyber war, with definite visibility of state sponsored activities and significant state level accrued benefits. The North Korean based hackers were seemingly successful in altering the launch of a satirical film about their premier, and the Syrian army and air force in a surprising volte-face, effectively routing the Syrian opposition forces across most of 2014.
The US government accused the North Korean government of orchestrating the Sony Pictures Entertainment hack and announced its intention to apply cyber sanctions against the military dictatorship. Much of the month of January 2015 was marked by charges and counter-charges between the two governments as well as the US government reasserting its case to the US IT security industry about the origin of the Sony hack. The US government FBI presented its broad justification for naming North Korea as the source and supporter of the November Sony hack based on its own forensic and other intelligence sources, and continued with the announcement of state level sanctions against North Korea. This led to further official threats of retaliation by the North Korean government.
And yet while the overall decibels of the Sony Pictures Entertainment hack has been much higher than others, its ability to fit into the definition of a state sponsored cyber attack, as spelt out by regional IT security industry experts appears to be much less.
A state sponsored cyber attack is focussed, planned out for a long period of time and involves sophisticated malware. Explains Guillaume Lovet, Senior Manager EMEA, FortiGuard Labs, “The attack is targeted like a fisherman going after one very specific fish with a gun-spear, rather than throwing a large net out at sea. The attack, its preparation, and its operational phase typically span years, like a real industrial project. The sophistication of the malware pieces involved is also usually a good indicator.”
Writing in IEEE Spectrum in February 2013, David Kushner describes the high levels of sophistication that would have gone into developing the Stuxnet and Flame malwares, both associated a few years ago with state sponsored cyber attacks.
Roel Schouwenberg, Principal Security Researcher, Kaspersky Lab, was most impressed by Stuxnet’s having performed not one, but four zero-day exploits, hacks that take advantage of vulnerabilities previously unknown to the white-hat community. It is not just a ground breaking number – they all complement each other beautifully. Schouwenberg and his colleagues at Kaspersky soon concluded that the code was too sophisticated to be the brainchild of a ragtag group of black-hat hackers. Schouwenberg believes that a team of 10 people would have needed at least two or three years to create it.
And again,
… the most worrisome thing about Flame was how it got onto machines in the first place – via an update to the Windows 7 operating system. Flame spreading through Windows updates is more significant than Flame itself, says Schouwenberg, who estimates that there are perhaps only 10 programmers in the world capable of engineering such behaviour. It is a technical feat that is nothing short of amazing, because it broke world-class encryption, says F-Secure’s Hypponen. You need a supercomputer and loads of scientists to do this.
Along with being highly targeted, highly planned, highly prolonged and highly sophisticated, a state sponsored cyber attack is seldom meant to be announced with fanfare and accomplishment. “Having such a public attack is actually not necessarily the trademark of state sponsored cyber hacking, as governments very often try to act in a covert manner, depending of course on what they want to achieve. If it is cyber espionage the agenda is to obtain information from an adversary, but to stay as low under the radar as possible,” clarifies Nicolai Solling, Director of Technology Services at Help AG, about the speculation around the source of the November 2014, Sony Pictures Entertainment hack.
While the connection to the North Korean government in the case of the Sony Pictures Entertainment hack, makes it self-fulfilling in terms of being the logical and obvious choice for source attribution, on the other hand it is also a disqualification of sorts, by being too obvious and not covert enough of a source. Adds Solling, “It was executed with great level of sophistication and the impact was very high. Till today there has been no formal response as to who were behind the Sony hack. So while there may be political reasons to link the hack to a certain state, this is only speculation.”
“This is exactly the challenge with large scale attacks because it is hard to pinpoint if a government backed it or not. The only way anyone knows of a national objective is when someone takes ownership,” explains Megha Kumar, Software Research Manager at IDC MEA.
By contrast the social engineering attack on the Syrian opposition army in late 2013 has been enormously covert and low profile and has presumably remained undiscovered for close to a year. The attack and subsequent data collection is not just cyber espionage aimed at achieving an information edge, rather the activity which took place in the centre of a conflict, provided military intelligence for an immediate battlefield advantage. The intelligence stolen and gathered probably served a critical role in the operational plans and strike decisions of the Syrian army and air force against the opposition during those months.
In the second half of 2013 and especially towards the end of 2013, computers of the Syrian opposition army fighters were compromised. The primary entry point appears to be through downloads made during Skype chats, phishing web site and a Facebook social media site. The attackers stole 31,107 logged Skype chat sessions that included discussions of plans and logistics of the Syrian opposition’s attacks on Assad’s forces. The data included Skype account databases, Skype chat logs and history, planning documents, spreadsheets, photos, lists of names and birthdates, weapons and serial numbers, blood types, phone numbers, communications about strategy, logistical issues, supply routes, assessments of engagements with the enemy, politics of Syrian opposition, opposition political structures, political support, allegiances, Facebook user account information, amongst others. The attackers manually created a directory on its server for each opposition computer containing stolen Skype databases, indicating that the victims shared computers.
The attackers of the Syrian opposition used female Skype contacts to chat with their targets and infect their devices with malware. The female Skype contact also had a matching Facebook profile with the same photo. Her Facebook profile, populated with pro-opposition content, contained many posts with malicious links. The female contact’s photo sent to opposition army members was actually an executable, self-extracting RAR archive, renamed with the .PIF file extension. When the victim opened the photo, a woman’s picture was displayed while the SFXRAR executed and ultimately installed the DarkComet Remote Access Trojan in the background. From this point forward the victim’s computer was under the attacker’s control. The attackers also maintained a pro-opposition website containing links to malicious downloads and Facebook profiles with embedded malicious links as well.