DOCSLIB.ORG

Operation Cleaver – a Precursor to Control System Attacks Jon Miller Agenda

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Operation Cleaver – a Precursor to Control System Attacks Jon Miller Agenda Operation Cleaver – A precursor to control system attacks Jon Miller Agenda Introduction What is Cylance What is the Problem Operation Cleaver Vulnerabilities Augmenting 2 | © 2015 Cylance, Inc. Introduction Jon Miller | Vice President of Strategy Internet Security Systems Accuvant Labs Cylance (5 years) (7 years) (2 Years) X-Force Penetration Testing Penetration Testing Internal Security Special Advisor to CTO Reverse Engineering Product Testing/Efficacy Weaponized 0day Sales SPEAR Research Team Customer Advocacy 3 | © 2015 Cylance, Inc. Introduction Stuart McClure | CEO / President & Founder Leader of Cylance Hacking Exposed Foundstone as CEO & Visionary Lead Author WW-CTO McAfee Creator Most Successful Security Book of All Time 4 | © 2015 Cylance, Inc. Introduction Ryan Permeh | Co-Founder & Chief Scientist THE brain behind the Eeye Retina Code Red mathematical architecture and new approach Securells McAfee to security. Chief Scientist 5 | © 2015 Cylance, Inc. What is the Problem? The Rise of Targeted Attacks 350 300 250 Targeted Attacks 200 150 100 50 Broad Attacks 0 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 '07 '07 '07 '08 '08 '08 '08 '09 '09 '09 '09 '10 '10 '10 '10 '11 '11 '11 '11 '12 '12 '12 '12 '13 '13 '13 '13 '14 '14 '14 '14 Source: CyberFactors, a subsidiary of CyberRisk Partners and CloudInsure.com http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014 6 | © 2015 Cylance, Inc. What is the Problem? Adversaries Traditional Adversaries Nation State Organized Crime Intelligence Intellectual Espionage Financial Gain Identity Theft Property Theft 7 | © 2015 Cylance, Inc. What is the Problem? Adversaries Next Generation Adversaries Rogue Nation States Individual & Terrorist Actors Iran North Korea Syria ISIS Anonymous Etc 8 | © 2015 Cylance, Inc. Timeline 9 | © 2015 Cylance, Inc. 10 | © 2015 Cylance, Inc. 11 | © 2015 Cylance, Inc. Operation Cleaver Prevention is Everything 18-24 Month Long Iranian Offensive Solely Targeted at Global Critical Zh0up!n Infrastructure Companies Exploit Team Phish Based Malware Delivery Public Tools MS08-067 Pivoting (psexec, mimikatz, cain + abel, etc) SQL Injection Evolved into Using ASP Backdoors Their Own Zeus Variant Cred Harvesting (tiny_zbot) 12 | © 2015 Cylance, Inc. 13 | © 2015 Cylance, Inc. Operation Cleaver 16 Countries Targeted Canada Israel South Korea Energy & Utilities Aerospace Airports Oil & Gas Education Airlines Hospitals Education Kuwait Technology China Oil & Gas Heavy Manufacturing Aerospace Telecommunications Turkey England Mexico Oil & Gas Education Oil & Gas United Arab Emirates France Pakistan Government Oil & Gas Airports Airlines Hospitals Germany Technology United States Telecommunications Airlines Airlines Education India Saudi Arabia Chemicals Education Oil & Gas Transportation Energy & Utilities Airports Military / Government Defense Industrial base 14 | © 2015 Cylance, Inc. Operation Cleaver Critical Industries Targeted High Medium Level of Access of Level Low Level of Critical Impact 15 | © 2015 Cylance, Inc. 16 | © 2015 Cylance, Inc. Questions? .
Load more

Recommended publications
  • Iran: Capacity and Methods of Authorities to Monitor Online Activities and Religious Activities of Iranians Living Abroad Query Response [A-10098] 12 June 2017
    BEREICH | EVENTL. ABTEILUNG | WWW.ROTESKREUZ.AT ACCORD - Austrian Centre for Country of Origin & Asylum Research and Documentation Iran: Capacity and methods of authorities to monitor online activities and religious activities of Iranians living abroad Query Response [a-10098] 12 June 2017 This response was prepared after researching publicly accessible information currently available to ACCORD as well as information provided by experts within time constraints and in accordance with ACCORD’s methodological standards and the Common EU Guidelines for processing Country of Origin Information (COI). This response is not, and does not purport to be, conclusive as to the merit of any particular claim to refugee status, asylum or other form of international protection. Please read in full all documents referred to. Non-English language information is summarised in English. Original language quotations are provided for reference. © Austrian Red Cross/ACCORD An electronic version of this query response is available on www.ecoi.net. Austrian Red Cross/ACCORD Wiedner Hauptstraße 32 A- 1040 Vienna, Austria Phone: +43 1 58 900 – 582 E-Mail: [email protected] Web: http://www.redcross.at/accord TABLE OF CONTENTS 1 Capacity and methods of authorities to monitor online activities inside Iran ..................... 3 2 Capacity and methods of authorities to monitor online activities of Iranians abroad ...... 14 3 Iranian authorities’ monitoring of religious activities of Iranians living abroad, including Christian converts .........................................................................................................................
    [Show full text]
  • The Future of Iranian Terror and Its Threat to the U.S. Homeland
    The Future of Iranian Terror and Its Threat to the U.S. Homeland Statement before the House of Representatives Committee on Homeland Security Subcommittee on Counterterrorism and Intelligence Ilan Berman Vice President, American Foreign Policy Council February 11, 2016 Chairman King, Ranking Member Higgins, distinguished members of the Subcommittee: It is an honor to appear before you today to discuss Iran’s ongoing sponsorship of international terrorism and the impact that the new nuclear deal, formally known as the Joint Comprehensive Plan of Action (JCPOA), will have upon it. It is a topic that is of critical importance to the security of the United States and our allies abroad. While the Obama administration has argued that the signing of the JCPOA has enhanced both U.S. and global security, there is compelling evidence to the contrary: namely, that the passage of the agreement has ushered in a new and more challenging phase in U.S. Mideast policy. SHORTFALLS OF THE JCPOA While the JCPOA can be said to include some beneficial elements—including short- term constraints on Iranian uranium enrichment, a reduction in the number of centrifuges operated by the Islamic Republic, and a delay of the “plutonium track” of the regime’s nuclear program—there is broad consensus among national security practitioners, military experts, scientists and analysts that the agreement is woefully deficient in several respects. First, the new nuclear deal does not dismantle Iran’s nuclear capability, as originally envisioned by the United States and its negotiating partners. Contrary to the White House’s pledges at the outset of talks between Iran and the P5+1 nations in November 2013, the JCPOA does not irrevocably reduce Iran’s nuclear potential.
    [Show full text]
  • Iranian Cyber-Activities in the Context of Regional Rivalries and International Tensions
    CSS CYBER DEFENSE PROJECT Hotspot Analysis: Iranian cyber-activities in the context of regional rivalries and international tensions Zürich, May 2019 Version 1 Risk and Resilience Team Center for Security Studies (CSS), ETH Zürich Iranian cyber-activities in the context of regional rivalries and international tensions Authors: Marie Baezner © 2019 Center for Security Studies (CSS), ETH Zürich Contact: Center for Security Studies Haldeneggsteig 4 ETH Zürich CH-8092 Zürich Switzerland Tel.: +41-44-632 40 25 [email protected] www.css.ethz.ch Analysis prepared by: Center for Security Studies (CSS), ETH Zürich ETH-CSS project management: Tim Prior, Head of the Risk and Resilience Research Group Myriam Dunn Cavelty, Deputy Head for Research and Teaching, Andreas Wenger, Director of the CSS Disclaimer: The opinions presented in this study exclusively reflect the authors’ views. Please cite as: Baezner, Marie (2019): Hotspot Analysis: Iranian cyber-activities in context of regional rivalries and international tensions, May 2019, Center for Security Studies (CSS), ETH Zürich. 1 Iranian cyber-activities in the context of regional rivalries and international tensions Table of Contents 1 Introduction 4 2 Background and chronology 5 3 Description 9 3.1 Attribution and actors 9 Iranian APTs 9 Iranian patriotic hackers 11 Western actors 12 3.2 Targets 12 Iranian domestic targets 12 Middle East 12 Other targets 13 3.3 Tools and techniques 13 Distributed Denial of Service (DDoS) attacks 13 Fake personas, social engineering and spear phishing 13
    [Show full text]
  • The Growing Cyberthreat from Iran the Initial Report of Project Pistachio Harvest
    THE GROWING CYBERTHREAT FROM IRAN THE INITIAL REPORT OF PROJECT PISTACHIO HARVEST FREDERICK W. KAGAN AND TOMMY STIANSEN 1150 Seventeenth Street, NW 1825 South Grant Street, Ste. 635 April 2015 Washington, DC 20036 San Mateo, CA 94402 202.862.5800 650.513.2881 www.aei.org www.norse-corp.com THE GROWING CYBERTHREAT FROM IRAN THE INITIAL REPORT OF PROJECT PISTACHIO HARVEST Frederick W. Kagan and Tommy Stiansen April 2015 AMERICAN ENTERPRISE INSTITUTE CRITICAL THREATS PROJECT AND NORSE CORPORATION TABLE OF CONTENTS Executive Summary ....................................................................................................................................... v Introduction ................................................................................................................................................. 1 Intelligence Collection and Analysis Methodology ...................................................................................... 4 Iran: The Perfect Cyberstorm? ...................................................................................................................... 8 What Are the Iranians Doing? .................................................................................................................... 14 Cyberattacks Directly from Iran ................................................................................................................. 24 Conclusions ...............................................................................................................................................
    [Show full text]
  • The Iran Cyber Panic
    January 2020 THE IRAN CYBER PANIC How Apathy Got Us Here, and What to Do Now Authored By: Parham Eftekhari, Executive Director, ICIT 1 The Iran Cyber Panic How Apathy Got Us Here, and What to Do Now January 2020 This paper would not have been possible without contributions from: • Drew Spaniel, Lead Researcher, ICIT ICIT would like to thank the following experts for their insights during the development of this paper: • John Agnello, ICIT Contributor & Chief, Analytic Capability Development Branch, United States Cyber Command • Jerry Davis, ICIT Fellow & Former CIO, NASA Ames Research Center • Malcolm Harkins, ICIT Fellow & Chief Security and Trust Officer, Cymatic • Itzik Kotler, Co-Founder & CTO at SafeBreach • Ernie Magnotti, ICIT Fellow & CISO Leonardo DRS • Luther Martin, ICIT Contributor & Distinguished Technologist, Micro Focus Copyright 2020 Institute for Critical Infrastructure Technology. Except for (1) brief quotations used in media coverage of this publication, (2) links to the www.icitech.org website, and (3) certain other noncommercial uses permitted as fair use under United States copyright law, no part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher. For permission requests, contact the Institute for Critical Infrastructure Technology. Copyright © 2020 The Institute for Critical Infrastructure Technology (ICIT) 2 Table of Contents Introduction .................................................................................................................................................. 3 How A Lack of Prioritization Led to National Panic....................................................................................... 4 Iran is Capable of a Significant Cyber Conflict – But How Far Will They Go? ............................................... 4 Iran’s Understanding of US Military Capabilities Point to Cyber Retaliation...........................................
    [Show full text]
  • Cyber, Intelligence, and Security
    Cyber, Intelligence, and Security Volume 4 | No. 1 | March 2020 The Secret War of Cyber Influence Operations and How to Identify Them David Tayouri Iran’s Activity in Cyberspace: Identifying Patterns and Understanding the Strategy Gabi Siboni, Léa Abramski, and Gal Sapir Ambiguous Approach—All Shades of Gray Raša Lazovic� Cybersecurity and Information Security: Force Structure Modernizations in the Chinese People’s Liberation Army Miranda Bass Chinese investments in Sri Lanka: Implications for Israel Shlomi Yass Criminal Law as a Tool for Dealing with Online Violence among Youth Limor Ezioni National Cybersecurity Strategies in the Healthcare Industry of Israel and the Netherlands: A Comparative Overview Stefan Weenk Cyber, Intelligence, and Security Volume 4 | No. 1 | March 2020 Contents The Secret War of Cyber Influence Operations and How to Identify Them | 3 David Tayouri Iran’s Activity in Cyberspace: Identifying Patterns and Understanding the Strategy | 21 Gabi Siboni, Léa Abramski, and Gal Sapir Ambiguous Approach—All Shades of Gray | 41 Raša Lazovic� Cybersecurity and Information Security: Force Structure Modernizations in the Chinese People’s Liberation Army | 59 Miranda Bass Chinese investments in Sri Lanka: Implications for Israel | 75 Shlomi Yass Criminal Law as a Tool for Dealing with Online Violence among Youth | 95 Limor Ezioni National Cybersecurity Strategies in the Healthcare Industry of Israel and the Netherlands: A Comparative Overview | 107 Stefan Weenk The purpose of Cyber, Intelligence, and Security is to stimulate Cyber, and enrich the public debate on related issues. Intelligence, Cyber, Intelligence, and Security is a refereed journal published twice a year within the framework of the Cyber Security and Security Program at the Institute for National Security Studies.
    [Show full text]
  • SINET 16 December 3-4, 2014 Washington, DC
    The CyberWire 621 East Pratt Street, suite 300 Baltimore MD 21202–3140 [email protected] www.thecyberwire.com @thecyberwire SINET 16 December 3-4, 2014 Washington, DC December 3 The Security Innovation Network (SINET) opens its 2014 Showcase 2014 at noon today. We’ll be live tweeting from the conference, which is made possible by a partnership between SINET and the Department of Homeland Security Science and Technology Directorate. The showcase highlights the SINET 16, “’best-of-class’ security companies that are addressing industry and government’s most pressing needs and requirements.” This year’s class includes (in alphabetical order) Click Security (advanced threat detection), Contrast Security (continuous application security), CrowdStrike (technologies and services focused on identifying advanced threats and targeted attacks), Cylance, Inc. (artificial intelligence, algorithmic science and machine learning), Cyphort, Inc. (advanced threat protection), GuruCul (security risk intelligence), Interset (insider and targeted outsider threat detection), Norse Corporation (live attack intelligence), PFP Cybersecurity (threat detection), PhishMe, Inc. (threat management for advanced targeted attacks), Pwnie Express (asset discovery, vulnerability scanning and penetration testing), SecureRF Corporation (cryptographic security for wireless sensors, embedded systems and other devices), Shape Security (advanced dynamic defense against malware, botnets and scripts), Skyhigh Networks (cloud visibility and enablement), vArmour (data center security) and ZeroFOX (social risk management). The Showcase will also be accompanied by workshops covering topics of particular interest to security entrepreneurs: perspectives on research and development, cyber threat trends, and emerging tactics, techniques, and procedures for defending the enterprise. We expect today’s session to close with a presentation from Cylance on “Operation Cleaver,” the extensive Iranian cyber campaign that the company says it has uncovered.
    [Show full text]
  • BENCHMARKING CYBER OPS 2018 an Initiative by Onnet for OOAT
    BENCHMARKING CYBER OPS 2018 An initiative by OnNet for OOAT //UNCLASSIFIED FOREIGN GOVERNMENT CYBER UNITS EXAMPLES • ISRAEL = UNIT8200 • US = U.S. CYBERCOM, NSATAO, DHS NCCIC • ISRAEL/US = “EQUATION GROUP” Name give by Kaspersky • UK = GHCQ-JTRIG, NCSC, MYNOC • SA = COMSEC • Australia = ASD • CANADA = CSEC • CHINA = PLA61398 • NKOREA = LAZARUSGROUP • RUSSIA = GRU6thDIR-FSO, GTsST • IRAN = INCA • DUTCH = JSCU AFRICA • Only cyber warfare unit known is under South African Government • Owned under National Intelligence Agency NIA • Formerly Electronic Communications Security ELS • Interagency with OIC, Office of Interception Centre EXAMPLES OF KNOWN NATION STATE CYBER WARFARE EVENTS • Estonia cyber attack by Russia • Crimea cyber attack by Russia • Operation Olympic games by TAO and Unit8200 (EquationGroup) against IRAN • Operation Nitro Zeus By TAO against IRAN by US • Operation Socialite by JTRIG/MYNOC, done by UK • Operation Rolling Thunder by JTRIG, operations by UK • Ethiopian use of HackingTeam software RCS to spy on ESAT journalists and Activists • Operation Aurora by Unit61398, operations in China • Operation Disttrack by ICA, Operations in Tehran to respond to US • Operation Turla Uroburos by Russian GRU6th Directorate in Russia • Operation DarkHotel Unit61398, from Israel EXAMPLES OF KNOWN NATION STATE CYBER WARFARE EVENTS • Sony pictures attack by LazarusGroup responding to a movie potraying Nkorea Leader • Red October – Unknown Nation State actor • Operation Ghostnet by Unit61398 from China • Operation NewsCaster by INCA in Tehran
    [Show full text]
  • Intelligence Brief #8
    FULCRUM GLOBAL The publishing arm of the Society for Defense and Strategic Studies (SDSS) at American Military University (APUS) INTELLIGENCE BRIEF #8 NAME OF PRIMARY ANALYST: Dustin Oaks SUBJECT: Iranian Relations, Cyberwar, and Trade deals with China COUNTRY/REGION: Iran BACKGROUND OF SUBJECT: The U.S. reinstatement of the Iran nuclear ban has resulted in renewed hostilities in U.S.-Iranian relations. This has resulted in Iran taking a systematic course of action against the United States and allies in defiance of the West, and this has great implications on the oil Industry and the trade agreements with China. CUSTOMER QUESTIONS: 1. Can Iran sustain a cyber war with the United States? 2. Is Iran seeking a negotiation similar to North Korea in terms of threatening nuclear attacks and attacking American Troops in the region? a. Economic assistance needed? 3. Can Iran survive sanctions? 4. Can Iran form a blockade in the Strait of Hormuz and would the U.S. survive it? a. Economic Impact on the oil Industry? 5. How will enhanced conflict between the U.S. and Iran impact China’s strategic interests and the ongoing U.S.-China trade war dispute? CURRENT ASSESSMENT: Iran’s Cyber Operations The Stuxnet malware/virus that attacked the internal network of the Iranian Natanz nuclear reactor plant resulted in an upgraded policy shift that initiated a targeted cyberwarfare offensive strategy that was focused on the U.S. and other members of the international community. The Iranians began their cyber operations in 2011 by compromising certificates of 1 Comodo and DigiNotar. The next stage of their cyberwarfare offensive known as Operation Cleaver targeted the critical infrastructures of sixteen nations.
    [Show full text]
  • Iran: Capacity and Methods of Authorities to Monitor Online Activities and Religious Activities of Iranians Living Abroad Query Response [A-10098] 12 June 2017
    BEREICH | EVENTL. ABTEILUNG | WWW.ROTESKREUZ.AT ACCORD - Austrian Centre for Country of Origin & Asylum Research and Documentation Iran: Capacity and methods of authorities to monitor online activities and religious activities of Iranians living abroad Query Response [a-10098] 12 June 2017 This response was prepared after researching publicly accessible information currently available to ACCORD as well as information provided by experts within time constraints and in accordance with ACCORD’s methodological standards and the Common EU Guidelines for processing Country of Origin Information (COI). This response is not, and does not purport to be, conclusive as to the merit of any particular claim to refugee status, asylum or other form of international protection. Please read in full all documents referred to. Non-English language information is summarised in English. Original language quotations are provided for reference. © Austrian Red Cross/ACCORD An electronic version of this query response is available on www.ecoi.net. Austrian Red Cross/ACCORD Wiedner Hauptstraße 32 A- 1040 Vienna, Austria Phone: +43 1 58 900 – 582 E-Mail: [email protected] Web: http://www.redcross.at/accord TABLE OF CONTENTS 1 Capacity and methods of authorities to monitor online activities inside Iran ..................... 3 2 Capacity and methods of authorities to monitor online activities of Iranians abroad ...... 14 3 Iranian authorities’ monitoring of religious activities of Iranians living abroad, including Christian converts .........................................................................................................................
    [Show full text]
  • Hacking Nation-State Relationships: Exploiting the Vulnerability of the Liberal International Order
    Fordham University DigitalResearch@Fordham Senior Theses International Studies Spring 5-16-2020 Hacking Nation-State Relationships: Exploiting the Vulnerability of the Liberal International Order Ray Marie Tischio Follow this and additional works at: https://fordham.bepress.com/international_senior Part of the International and Area Studies Commons Hacking Nation-State Relationships: Exploiting the Vulnerability of the Liberal International Order Ray Marie Tischio [email protected] International Studies: Global Affairs Track Fordham University Class of 2020 Thesis Advisor: Christopher Toulouse [email protected] Seminar Advisor: Dotan Leshem [email protected] ABSTRACT This thesis explores the implications of nation-state cyberwarfare and cyber conflict in the context of geopolitics and international studies. The emergence of nation-state cyber conflict has increased in frequency and severity in the last decade. In order to investigate what renders cyberwarfare a new and unique challenge to specific geopolitical climates and international systems at large, research on state-level cyber conflict within bilateral relationships—all of which cyber activity is significantly prevalent—is presented in the following three case studies: US- China, US-Iran, and US-Russia. Findings of these three case studies are used in subsequent analysis to articulate the specific ways in which state cyber conflict differs from conventional state kinetic warfare. Finally, after characterizing cyber conflict and the new challenges it presents to geopolitics, these defining qualities are situated into the current debate surrounding the deterioration of the liberal international order. I conclude that nation-state cyberwarfare exploits the postwar interconnected transparency of liberalism, and fundamentally challenges the continuity of US hegemony and the liberal order.
    [Show full text]
  • Operation Blockbuster: Unraveling the Long Thread of the Sony Attack 3 Caveats
    Novetta is an advanced analytics company that extracts value from the increasing volume, variety and velocity of data. By mastering scale and speed, our advanced analytics software and solutions deliver the actionable insights needed to help our customers detect threat and fraud, protect high value networks, and improve the bottom line. For innovative solutions for today’s most mission-critical, advanced analytics challenges, contact Novetta: Phone: (571) 282-3000 | www.novetta.com www.OperationBlockbuster.com Table of Contents Caveats ...........................................................................4 1. Executive Summary ................................................. 5 1.1 Key Takeaways ........................................................7 2. Operation Details .................................................... 8 2.1 Hunting Method ..........................................................................9 3. Lazarus Group Details ...........................................11 3.1 The SPE Attack and Conflicting Attribution ............... 12 3.2 Tactics, Techniques, and Procedures (TTPs) ........... 14 3.3 Targeting ......................................................................................16 3.4 Links to Previous Reporting .............................................. 20 The Lazarus Group Timeline ..................................................... 20 4. Malware Tooling .................................................... 24 TOC 4.1 Naming Scheme ......................................................................
    [Show full text]