Archive for February, 2013

Chinese Industrial Espionage

Mandiant revealed Chinese APT1 Cyber Espionage campaign

Few weeks after the discovery of the sophisticated cyber espionage campaign against principal US media The Mandiant® Intelligence Center™ released an shocking report that reveals an enterprise-scale computer espionage campaign dubbed APT1. The term APT1 is referred to one of the numerous cyber espionage campaign that stolen the major quantity of information all over the world.

The evidences collected by the security experts link APT1 to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398) but what is really impressive is that the operation have been started in the distant 2006 targeting 141 victims across multiple industries.

During the attacks the attackers have took over APT1 malware families and has revealed by the report APT1′s modus operandi (tools, tactics, procedures) including a compilation of videos showing actual APT1 activity.

The Mandiant has also identified more than 3,000 indicators to improve defenses against APT1 operations and is releasing a specific document that will address them including APT1 indicators such as domain names, IP addresses, and MD5 hashes of malware.

APt1 has systematically stolen hundreds of terabytes of data from victim organizations and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 is a persistent collector, once APT1 has established access, they periodically access to victim’s network stealing sensible information and intellectual property for a long time, typically maintaining access to victim networks for an average of 356 days.

The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.

Mandiant managers have decided to make an exception to its traditional non-disclosure policy due the risks related to the imposing cyber espionage campaign and its impact on global economy, many states and related industries are victims of the offensive.

hack

Following a meaningful declaration of the security firm:

“It is time to acknowledge the threat is originating from China, and we wanted to do our part to arm and prepare security professionals to combat the threat effectively. The issue of attribution has always been a missing link in the public’s understanding of the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.”

The cyber war has started a long time ago!

Why personal websites are being targeted for attacks

found this post on http://www.globswarm.com/2012/12/29/online-civilian-targets-expansion-range-of-conflicts/

The information contained in this article clearly explains the changing nature of

online attacks.   Over the past week I have found over 70000 sites that been attacked by Moroccan hunters

Targeting civilians online: Participatory warfare and changes in the nature of conflict.

By  | December 29, 2012 at 3:19 pm | No comments | InternetMiddle East

The recent Israeli operation in Gaza strip (“Pillar of Defense”) provided another proof for increasing role of the Internet in modern warfare. An argument that conflicts take place not only in physical, but also in virtual space cannot surprise anyone anymore. Online conflicts have two major forms. The first is so called “propaganda war” when hundreds of messages, picture, movies, comments and conversations represent opinions of all sides of the conflict. This form can be titled in different ways depending on whom you ask, if it’s “Citizen/Public diplomacy”, “Strategic communication” or “Explanation” (the literal translation of Israeli “Hasbara”).In any case, eventually the purpose of these efforts is to win hearts and minds through convincing wide audience that a particular side of conflict is right and it has legitimacy to do whatever it does. The second form is various types of cyber attacks. Unlike online propaganda it seeks to cause various types of damage if to online or to offline targets.

The recent escalation between Israelis and Palestinians demonstrated increasing activities in both dimensions of online warfare. On the one hand, thousands of pro-Palestinian and pro-Israeli Internet users actively participated in presentation of the positions of their sides in the conflict. Facebook and Twitter feeds were occupied by conflict related content and message proliferation. The impact of these activities on public opinion is more than debatable. While Israeli official claim success in the propaganda war, it looks  like that this argument relies on the degree of pro-Israeli activity, but not on the evaluation of the impact of these activities. One may argue that both sides are convincing those who already convinced, and proliferation of message primarily contribute to development of information cocoons/ echo chambers (as it was described by Cass Sunstein in “Infotopia”). These echo chambers include groups of Internet users who anyway support a particular side of conflict. In one of my masters papers that relied on analysis of online activities during the operation “Cast Lead” (2008-2009) I argued that it also leads to polarization of sides and further escalation of conflict.

On the other hand, one could witness significant escalation in activities of hackers. At this point, the impact of these attacks is far from the doom day scenarios of “Die hard 4”.  In some cases DDoS attacks blocked websites for few hours. In other cases hackers used defacement to replace website’s content with pro-Palestinian messages. However, in majority of cases the damage was minimal, no critical data was disrupted and major governmental websites were able to block these attacks.  Israeli website Ynet names the effectof these attacks “cosmetic disruption” and suggest that the targets was marginal and the major effect was psychological one. It was interesting to see, however, that following the operation Israeli Internal Security service (SHABAK) decided to expose its cyberdefense unit. “Yedioth Ahronon” newspaper published a a first article about the unit that was founded by an order of Ariel Sharon, disclosed creative methods of recruitment for these unit and provided some informatoin about interagency competition on this filed. According to the newspaper, the unit is responsible for protection of critical infrastructure, while other Israeli security services (e.g. AMAN and MOSAD) deal with offensive activities.

The described above can be defined as an expected gradual increase in the war-related online activities. However, beyond it, the recent cycle of escalation in Israeli-Palestinian conflict draw attention to two phenomena, that might mean not only change in degree but also in the structure of the online warfare. The first is increasing engagement of citizens in a variety of war-related activities including hacktivism. The second is a change of nature of targets of the hacker’s attacks.

Participatory warfare:

We all know that the Internet gave a rise to social media, citizen journalism and various forms of participatory culture as it was brilliantly conceptualized by Henry Jenkins. The same dynamics takes place in almost every dimension of social activity including conflicts. “Participatory warfare” or “citizen warfare” becomes more evident and significant factor in many conflicts, while anyone can participate in conflict without living his bedroom. In addition to the increase of number of participants in conflict it threatens the state’s monopoly over power; complicates attribution of actions and identification of participants, who are not only non-state but also individual actors. Apparently, it makes conflict to more unpredictable and non-linear.

Increasing engagement of citizens in warfare is also not really new phenomenon. We could see examples of online-based citizen participation in warfare during the war between Israel and Lebanon in 2006 or Russian-Georgian war in 2008. Either the participation was on the field propaganda or on the field of hactivism, we could see emergence of new mechanisms that made citizen participation to more coordinated, efficient and influential. It started from development of special platforms for citizens’ mobilization (one of the first examples is Israeli online manifestation tool “Giyus.org”) and continued with development new modes of state-citizen collaboration and synergy [the recent example for this type of collaboration is described here [heb]). The latter required not only technological innovation, but development of new policies and institutional changes in various governmental and military bodies (more details about this subject can be found in our report “State Cyber Advocacy” [eng] and my MA thesis “The Development of Network Diplomacy”).

In addition to more sophisticated modes of synergy, we can see that traditional and citizen warfare get closer to each other since they begin to share the same medium – gaming. In traditional warfare gamification begins from distant control. For instance, operators who control drones, attack targets while they are thousands kilometers away from the location of attack. Advanced technologies also enable to follow and control soldiers on the ground from operational room in other continent. The same type of meditation when the war on the screen is controlled through computer interface by individual in comfortable and friendly environment takes place in games. Eventually the experience of professional soldier and citizen-warrior will be the same experience in front of screen that will rely on mediation of ICT. We can already see that many hacktivism activities and participation in hacking is approached and framed as gaming.

It worth mentioning that military can also use gamification as a part of citizen engagement in warfare and facilitation of collaboration with “citizen warriors”.

For instance, IDF created an interactive game [ENG] that was suppose to motivate Internet users to distribute pro-Israeli content and improve Israeli image. The instructions of the game emphasized that it allows the gamer “to be a virtual part of the IDF.”and suggested badges with military ranks as prizes.

It’s not only that as a part of participatory warfare “citizen-warriors” penetrate to the space of traditional warfare. There is also an opposite process when traditional conflict related actors adapt tactics of citizens.  For instance, traditional enemies e.g. IDF and Hamas started to use public space of social media for direct exchange of messages [ENG] (also check “Battleground Twitter” by AlJazeera). While non-military actors increase engagement in warfare, traditional security actors start using channels and modes of communication that were traditionally occupied by citizens.

Another important feature of “participatory warfare” is expansion in the range of conflict. The concept of a range of conflict (socialization of conflict) was introduced by American political scientist Eric Schattschneider [eng]. In a book “The semisovereign people” he argued that “the outcome of all conflict is determined by the scope of its contagion” while “the number of people involved in any conflict determines what happens.” According to Schattschneider state actors design institutions in order to control the scope of conflict. Even if there is a military conflict with external enemy, the state still wants control the form and the degree of engagement in conflict.

The modern conflicts become more contagious and socialised, while traditional actors have no capacity to control the degree of engagement. The activities of hackers during recent escalation between Israelis and Palestinians is the best example for it. The hackers who attacked Israeli website were not only from Middle East, Arab or Muslim word (e.g. Pakistan or Morocco).Origins of some attacks were in Europe and U.S. Moreover, once the Anonymous network declared offensive #OpIsrael it turned to be clear that the attribution of attack’s source is a secondary issue. The source (the offensive network) doesn’t have national or geographical identity. The space of contagion has a different structure that is disconnected from national and geographical borders.

To conclude, the participatory warfare doesn’t mean only increasing participation of citizens and new modes of collaboration. New forms of conflict’s contagion lead to a situation when state actors lose control on the scope of conflict. In addition, in participatory warfare the lines between professional military and citizen warriors are blurring. Both share the same medium of computer mediated games. Participatory warfare leads to convergence of citizen-based and professional warfare.

Change in range of targets: personal websites under attack.

A personal website of Israeli photographer that was hacked by Moroccan Hunters.

There is another important change that was exposed by online attacks during the recent Israeli-Palestinian conflict. It is a change in the nature of targets of the hacker’s attacks. Traditionally the major targets are governmental websites, sites of security services, websites that belong to national infrastructure (electric company, banks) as well as any website that can be linked to government, politics or security. Media websites are also a popular target since in many cases they considered to be as a part of official propaganda of the rival side (e.g. in a conflict between Russia and Georgia in 2008 media websites on both sides were attacked).  On the other hand, the most popular targets are website that affiliated with militant groups.

This time wasn’t an exception. Israeli Minister of Finance Yuval Steinitz told that Israeli authorities identified more than 44 million hacking attempts. The most popular targets were obviously official websites of government (e.g. prime minister’s website and website of Foreign Affairs Ministry) as well as a website of  Israeli Defense Forces (IDF) including spokesperson unit and Home Front Command. Since these website are an expected target, they were also well protected. Therefore it’s difficult to take them down by DDoS or to penetrate its security and deface it. Some targets, however, were more vulnerable. Hackers successfully attack pages that belong to Deputy prime minister Silvan Shalom (including his Facebook and Twitter accounts), a member of Knesset Dani Danon, “Kadima” party, The Jerusalem Bank etc.

However, this time, the list of online targets included many websites that belong to non-government organizations and individuals. These website had no any affiliation with Israel authorities. The only reason they were attacked is because they were Israeli (e.g. websites in Hebrew, websites with Israeli domains or websites that belong to Israelis). The list of targets included not only organization e.g. website of Israeli Groupon, but just private websites that belong to individuals (e.g. blogs or professional portfolio).

A list of websites that were attacked as it was published on Pastebin.

As a part of the #OpIsrael offensive, Anonymous released a list of 663 Israeli website that were defaced and taken down. According to  Pierluigi Paganin whoprovided a detailed account of #OpIsrael operation “the complete list of web sites attacked has ben published on Pastebin, a second list related to a Phase 2 of the attacks has been also published on the same website”. The list requires more detailed analysis in order to categorise the targets, but the only common denominator of the website was that they were considered as “Zionist websites”.

Attacking personal websites just because their owners belong to the opposite side of conflict is relatively new phenomenon. It especially new since this time attacks against personal website become not to exception but a new tendency. On the one hand, it’s clear that personal websites are much more vulnerable than website that belong to official state-related organizations. Therefore, hacktivists who are frustrated by failure to shut down governmental websites, can shift their attention to a different group of targets. In my opinion, this shift, has significant and long term strategic consequences that can change the nature of cyberwarfare.

A list of websites that was targeted by Moroccan Hunters.

The cyberwarfare has different types of legitimacy. While one may suggest that defacement of a website by prime minister, DDoS of security organization website or even National Bank can be approached as a legitimate action, since these website has clear link to the enemy, attacking personal website of citizens is a different story.

Defacement of Israeli Groupon website.

I would argue, that attacks against private websites should be compared to attacking citizen targets in physical space. In both cases, citizens who are not directly involved in conflict or linked to warfare, become a target just because of their nationality and because they live in in a space of national state or in a space of national domain. From this perspective attacks against personal websites should be compared to firing Kassam rockets toward populated areas of Israeli cities or suicide attacks in public places.

Moreover,the impact of targeting online presence of individuals can’t be limited to online dimension. Today online identity should be considered as integral part of person’s identity  (a discussion about the role of blogs and personal websites for development of personality and integration of offline and online presence can be found in my paper “From we-media to I-media: Identity transformation in the virtual world” [eng]). One can argue that due to increasing importance of personal websites as a space of online identity of particular person, these attacks can be distinguished from physical attacks against owner of personal website .

Including personal website as a legitimate targets for attacks within cyberwarfare is a dangerous development. Online identities of citizens should be protected as well as the offline identities of their owners, since they can’t be separated anymore. While international law defines attacks against citizen targets offline as a crime, that same should be applied to the online dimension. We can’t stop cyberwars, that will become more and more significant from conflict to conflict, but we should try to define the field of legitimate cyberwarfare and what can be considered as a legitimate target online, as well as what is considered to be illegitimate civilian online target.

It is especially important since the role of personal websites and our individual presence online will continue to grow and become inseparable part of our offline life.  The right for security of private online identity should be approached as a part of human rights.

The shift in structure of targets as a part of #OpIsrael is just a first sign of what can happen in the future. Without new legal and normative framework for approaching personal spaces of online presence, the era of cyberwars will be followed by era of cyberterror. In this case cyber terror is not online activities by terror organizations, or even efforts of these organisations to attacks national infrastructure, but attacks against individuals just because they belong to particular nationality. At the same time, once personal website started to be a target within cyber warfare, what is also required are new measures for protection of online identities and individual presence in cyberspace.

When we discuss the role of Internet for conflicts we tend to focus on particular issues e.g.  new type of threats, new type of actors, a problem of attribution, while ignoring the larger context. The online dimension of the recent escalation in Israeli-Palestinian conflict demonstrated expansion in the range of conflict’s participants, expansion in spatial and social boundaries of conflict, and expansion of the range of targets. We can also witness that participatory warfare leads to increasing convergence in actions of professional and citizen warriors. Eventually, these trends are not limited to the online space. What actually happens is a general transformation of nature of conflicts that becomes ubiquitous and omnipresent. Protection against threat is important, but what is more important is that we have to think how we can draw the lines that will stop expansion of conflicts to the space of our daily and individual life. Once we define these lines, we will have to protect them.

Current Specials

Current Specials

Current Specials