By Tech Channel MEA
While the high point of the November Sony hack was characterised by announcement of cyber sanctions against North Korea, the social media infiltration of Syrian opposition devices in 2013, directly gave the Syrian army an upper hand in the battle field across 2014.
In some ways the saga of the Sony Pictures Entertainment hack, first coming into the public eye in November 2014, and the just released FireEye report of a threat group compromising the devices of the Syrian opposition army across the second half of 2013, are a breed apart in terms of covertness. Yet both of these attacks can be classified as near acts of cyber war, with definite visibility of state sponsored activities and significant state level accrued benefits. The North Korean based hackers were seemingly successful in altering the launch of a satirical film about their premier, and the Syrian army and air force in a surprising volte-face, effectively routing the Syrian opposition forces across most of 2014.
The US government accused the North Korean government of orchestrating the Sony Pictures Entertainment hack and announced its intention to apply cyber sanctions against the military dictatorship. Much of the month of January 2015 was marked by charges and counter-charges between the two governments as well as the US government reasserting its case to the US IT security industry about the origin of the Sony hack. The US government FBI presented its broad justification for naming North Korea as the source and supporter of the November Sony hack based on its own forensic and other intelligence sources, and continued with the announcement of state level sanctions against North Korea. This led to further official threats of retaliation by the North Korean government.
And yet while the overall decibels of the Sony Pictures Entertainment hack has been much higher than others, its ability to fit into the definition of a state sponsored cyber attack, as spelt out by regional IT security industry experts appears to be much less.
A state sponsored cyber attack is focussed, planned out for a long period of time and involves sophisticated malware. Explains Guillaume Lovet, Senior Manager EMEA, FortiGuard Labs, “The attack is targeted like a fisherman going after one very specific fish with a gun-spear, rather than throwing a large net out at sea. The attack, its preparation, and its operational phase typically span years, like a real industrial project. The sophistication of the malware pieces involved is also usually a good indicator.”
Writing in IEEE Spectrum in February 2013, David Kushner describes the high levels of sophistication that would have gone into developing the Stuxnet and Flame malwares, both associated a few years ago with state sponsored cyber attacks.
Roel Schouwenberg, Principal Security Researcher, Kaspersky Lab, was most impressed by Stuxnet’s having performed not one, but four zero-day exploits, hacks that take advantage of vulnerabilities previously unknown to the white-hat community. It is not just a ground breaking number – they all complement each other beautifully. Schouwenberg and his colleagues at Kaspersky soon concluded that the code was too sophisticated to be the brainchild of a ragtag group of black-hat hackers. Schouwenberg believes that a team of 10 people would have needed at least two or three years to create it.
… the most worrisome thing about Flame was how it got onto machines in the first place – via an update to the Windows 7 operating system. Flame spreading through Windows updates is more significant than Flame itself, says Schouwenberg, who estimates that there are perhaps only 10 programmers in the world capable of engineering such behaviour. It is a technical feat that is nothing short of amazing, because it broke world-class encryption, says F-Secure’s Hypponen. You need a supercomputer and loads of scientists to do this.
Along with being highly targeted, highly planned, highly prolonged and highly sophisticated, a state sponsored cyber attack is seldom meant to be announced with fanfare and accomplishment. “Having such a public attack is actually not necessarily the trademark of state sponsored cyber hacking, as governments very often try to act in a covert manner, depending of course on what they want to achieve. If it is cyber espionage the agenda is to obtain information from an adversary, but to stay as low under the radar as possible,” clarifies Nicolai Solling, Director of Technology Services at Help AG, about the speculation around the source of the November 2014, Sony Pictures Entertainment hack.
While the connection to the North Korean government in the case of the Sony Pictures Entertainment hack, makes it self-fulfilling in terms of being the logical and obvious choice for source attribution, on the other hand it is also a disqualification of sorts, by being too obvious and not covert enough of a source. Adds Solling, “It was executed with great level of sophistication and the impact was very high. Till today there has been no formal response as to who were behind the Sony hack. So while there may be political reasons to link the hack to a certain state, this is only speculation.”
“This is exactly the challenge with large scale attacks because it is hard to pinpoint if a government backed it or not. The only way anyone knows of a national objective is when someone takes ownership,” explains Megha Kumar, Software Research Manager at IDC MEA.
By contrast the social engineering attack on the Syrian opposition army in late 2013 has been enormously covert and low profile and has presumably remained undiscovered for close to a year. The attack and subsequent data collection is not just cyber espionage aimed at achieving an information edge, rather the activity which took place in the centre of a conflict, provided military intelligence for an immediate battlefield advantage. The intelligence stolen and gathered probably served a critical role in the operational plans and strike decisions of the Syrian army and air force against the opposition during those months.
In the second half of 2013 and especially towards the end of 2013, computers of the Syrian opposition army fighters were compromised. The primary entry point appears to be through downloads made during Skype chats, phishing web site and a Facebook social media site. The attackers stole 31,107 logged Skype chat sessions that included discussions of plans and logistics of the Syrian opposition’s attacks on Assad’s forces. The data included Skype account databases, Skype chat logs and history, planning documents, spreadsheets, photos, lists of names and birthdates, weapons and serial numbers, blood types, phone numbers, communications about strategy, logistical issues, supply routes, assessments of engagements with the enemy, politics of Syrian opposition, opposition political structures, political support, allegiances, Facebook user account information, amongst others. The attackers manually created a directory on its server for each opposition computer containing stolen Skype databases, indicating that the victims shared computers.
The attackers of the Syrian opposition used female Skype contacts to chat with their targets and infect their devices with malware. The female Skype contact also had a matching Facebook profile with the same photo. Her Facebook profile, populated with pro-opposition content, contained many posts with malicious links. The female contact’s photo sent to opposition army members was actually an executable, self-extracting RAR archive, renamed with the .PIF file extension. When the victim opened the photo, a woman’s picture was displayed while the SFXRAR executed and ultimately installed the DarkComet Remote Access Trojan in the background. From this point forward the victim’s computer was under the attacker’s control. The attackers also maintained a pro-opposition website containing links to malicious downloads and Facebook profiles with embedded malicious links as well.
The December 2013 attacker’s tools differed from those used previously to target the Syrian opposition army members. These attackers employed a diverse malware toolset that implied access to development resources. They used both widely available and custom malware to breach their targets. Although the December 2013 attackers used a known tactic of deploying DarkComet Remote Access Trojan, they used a multistage dropper not observed previously. The group also used a key logger and custom tools with shell code payloads.
Despite the array of software tools and techniques at their disposal, the attackers did not use software vulnerabilities to deliver malware to their targets. Instead, they relied on a variety of social engineering techniques to trick victims into infecting themselves. They regularly asked targets about the devices they were using, whether PC or Android phone, so they could deploy malware specifically for that device. This is the first instance of any attackers targeting the Syrian opposition using Android malware. This attack is also unique to date in leveraging the Metasploit Framework, custom malware tools YABROD and CABLECAR, and Android malware. Targeting Android devices was beneficial in the case of Syrian opposition members, where members rely heavily on mobile devices for communications.
The attackers used social engineering to trick victims into infecting themselves by running malware disguised as a legitimate file. In some cases the file appeared to be valid software installation program. In other cases, the group used the non-printable Unicode right-to-left override character to make executable files appear as PDFs, JPGs, or other non-malicious content. In each case, the lure file was actually a self-extracting RAR archive, typically containing a decoy file and a second, password-protected SFXRAR that contained the actual malware.
While there is insufficient information to determine the identity of the attackers or the nature of ties to Syrian backed forces, there are indications that the group was resourced outside Syria. The malware used by this threat group does not share any command and control servers with previously reported activity documented by research groups including Kaspersky, Trend Micro, CitizenLab, and the Electronic Frontier Foundation. Amongst the records of the activity are numerous references to Lebanon.
The malware that the female Skype contacts and social media profiles encouraged their victims to download shared the same host server as malware distributed through a website 220.127.116.11, seemingly indicative of being supportive to the Syrian opposition.
Excerpted and rewritten from FireEye Threat Intelligence, Behind the Syrian conflict’s digital front lines, February 2015.
State sponsored cyber attacks are intrinsically meant to remain low profile and prolonged because of their long term and significant national objectives. However there is another breed of attacks that also achieve national objectives in an indirect way but do not necessarily have state actors behind them.
Attacks below the state sponsored level are more like a wide net thrown out at sea and then subsequently checked to ascertain the catch, summarises Lovet from FortiGuard Labs. “The duration spans over months rather than years, and the coding is much more amateurish. The attacks that are both loud and ethically debatable, such as DDoS attacks, are usually not directly state owned, even if states unofficially support them.” The catch in the net, are then assessed to check for the types of vulnerabilities they posses, and the focus is on the most interesting, vulnerable machines, belonging to a state-owned agency.
“A lot of attacks that we see today may or may not be linked to a state or government. Quite often these groups are acting autonomously but may be inspired by a government. If you want to make a parallel it is like small partisan groups who associate and align themselves with a higher target, but perform operations by themselves,” explains Help AG’s Solling. The benefit for governments having such semi-state sponsored cyber attack programmes is that they can deny any involvement at any time.
Other than state and national level objectives, cyber attackers are increasingly turning to cyber crime. “The adoption of specialised skill sets and professionalised business practices by these criminals is steadily increasing the complexity of cyber crime by providing actors of all technical abilities with the necessary tools and resources to conduct cyber crime,” says Florian Malecki, International Product Marketing Director, Network Security Dell. “Not only are criminals advancing their abilities to attack a system remotely, but they are becoming adept at tricking victims into compromising their own systems.”
Industrial control systems, which operate the physical processes of a country’s pipelines, railroads, and other critical infrastructures, are at elevated risk of cyber exploitation. “Critical infrastructure faces a growing cyber threat due to advancements in the availability and sophistication of malwares and the fact that new technologies raise new security issues that cannot always be addressed prior to adoption,” explains Malecki. As a result the increasing automation of critical infrastructures provides more cyber access points for adversaries to exploit. The severe consequences of systems failure triggered by a cyber attack in a critical infrastructure organisation can be as devastating as a large scale, state sponsored attack, using conventional warfare.