United Kingdom Threat Landscape


© 2018 Anomali, Inc. All rights reserved.

General Information

Government: Parliamentary constitutional monarchy; a Commonwealth realm
Capital: London
Chief of State: Prime Minister Theresa May
Natural Resources: Coal, petroleum, natural gas, iron ore, lead, zinc, gold, tin, limestone, salt, clay, chalk, gypsum, potash, silica sand, slate, arable land
Societal Grievances: Brexit, gay marriage, LGBT rights, forced deportation, racism, surveillance, gender workplace diversity, women's rights, future of the NHS, US President Trump
APT Groups: APT3, Lazarus, APT10, APT17, Comment Crew, Axiom, Night Dragon, APT15, FIN4, APT28
Hacktivist Groups: Anonymous, Null Hacking Crew, Lizard Squad, Syrian Electronic Army, TurkHackTeam, AnonGhost, Lulzsec
Extremist Groups: New IRA[1], ISIS, National Action (NS131/Scottish Dawn), Al-Qaeda
Criminal Groups: Albanian Mafia, Tottenham Mandem, Rathkeale Rovers
Malware Families: Ramnit, Dridex, Trickbot, Carbanak, Odinaff, WannaCry, Dyre

International Threat Landscape

The United Kingdom (UK) is a permanent member of the United Nations Security Council[2], a founding member of the North Atlantic Treaty Organization (NATO)[3], the Council of Europe, the Organization for Security and Co-operation in Europe (OSCE), the Organisation for Economic Co-operation and Development (OECD), and the World Trade Organisation (WTO), among others. The Commonwealth of Nations, which brings together 53 member states, is a legacy of the former territories of the British Empire[4]. The UK is also part of the "Five Power Defence Arrangement."[5] Despite declining economic and military power, the UK still retains "considerable economic, cultural, military, scientific and political influence internationally."[6] The UK's lighter, smaller forces and ability to deploy quickly are one of its strategic military strengths[7]. Recent military operations have included "Afghanistan and Iraq, peacekeeping operations in the Balkans and Cyprus, intervention in Libya and again operations over Iraq and Syria."[8]

The UK's decision to leave the European Union has caused concern amongst foreign policy analysts who believe the UK's global diplomatic influence will decline because the UK will no longer vote on decisions impacting the EU[9].

The UK has contributed to the war against ISIS in Iraq and Syria and is home to a number of individuals who sought to join ISIS. Because of this, and because of the UK's historic links to the current disposition of the Middle East, the UK is a target for international terror groups. The close relationship between the United States and the UK also increases this risk[10]. Regional power politics between NATO-aligned states and their rivals, such as Russia, have the potential to incite attacks. Although direct conflict is unlikely, proxy conflicts and attacks through domains such as cyberspace are increasingly likely. The UK's sophistication and innovation in a number of critical sectors also serve as targets for intellectual property theft.

Political influence, international engagement (military and diplomatic), and industrial and economic dynamism are all areas in which rival nation states will seek to pre-empt, gain a competitive edge, or undermine.

Domestic Threat Landscape

Terrorism, espionage, cyber-attacks and Dissident Republican groups are amongst those threats highlighted by the Centre for the Protection of National Infrastructure (CPNI) as threats to the UK[11]. The goal of the CPNI is to provide advice for the protection of UK national infrastructure. The threat level to the United Kingdom is currently at 'severe', which means that a terrorist 'attack is highly likely'[12]. The threat from Northern Ireland has elevated in recent years due to the emergence of the "New IRA". There are also concerns about increases in knife crime and an embedded culture of violent gangs[13].

Cyber Threat Landscape Overview

In February 2017, the UK was listed as the 38th most attacked country via cyber means globally (up from 53rd in January 2017), ranking it higher than the US (90th), Germany (67th) and France (67th) according to Checkpoint Software[14]. The UK had the fourth highest detection rate of ransomware in 2016 according to Malwarebytes, and the ninth highest for Android malware. Overall, the UK saw the second highest detection rates for all types of malware, almost twice as many detections as Russia[15].

Industrial Controls Map

Visible open network communication ports in the UK for protocols related to Industrial Control Systems (ICS) are shown in the image and table below. ICS are used in a wide number of critical national infrastructure sectors.

Port Number      Description           Quantity
47808            BACnet                297
502              Modbus                331
102              Siemens               50
20000            DNP                   6
1962             PLC                   4
9600             Omron                 47
789              Red Lion              41
2455             CoDeSys               28
1911, 4911       Tridium               1153
44818            EtherNet/IP           1319
18245, 18246     General Electric      59
5904             Hart-IP               0
5006, 5007       Mitsubishi Electric   2
2404             IEC                   649
20547            ProConOS              216

Table of Visible UK ICS Ports (Source: SHODAN)

[Figure: UK ICS Ports Exposed – 15 Feb 2018 (Source: SHODAN)]

[Figure: CNI sectors – Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, Water]

Summary of Findings

Many of the sectors in the UK CNI have a large number of companies, including small to medium enterprises (SMEs), that support the success of the industry. This diversification is likely to lend strength to the resilience of the UK against a specific targeting of those sectors. However, there are geographical "clusters" that possess an abundance of key sites. The chemicals, civil nuclear, and energy sectors are dependent on some of these physical clusters and/or physical infrastructure for continued operation. The Grangemouth, Hull, Teesside and Runcorn areas are examples of this. Despite diversification in some areas, there are some bodies, like the Defence Equipment and Supply organization, that oversee procurement for the whole of defence. The procurement process necessarily underlines future ambitions and current weaknesses in military capability. EDF Energy owns all of the currently active nuclear reactors. The emergency services are going through a communications upgrade in which the network will be replaced by EE and Motorola alongside the provision of hand-held devices made by Samsung.

Critical National Infrastructure

The following sections provide insight into the cyber domain of the sectors deemed to be Critical National Infrastructure (CNI)[16]. CNI "are those facilities, systems, sites, information, people, networks, processes necessary for a country to function and upon which daily life depends."[17] They include the following areas: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. The functional well-being of the state is dependent on the services in these areas; therefore an attack on any of the sectors will have a particularly high impact on the nation.

Chemical

Lead Government Department: Department for Business, Energy and Industrial Strategy
Represented by: Chemical Industries Association (CIA), Association of the British Pharmaceutical Industry (ABPI)
Locations of Industry: Hull, Teesside, Runcorn and Grangemouth (the four main "clusters")
Subsectors: Petrochemicals, basic inorganics, polymers and consumer chemicals, specialty chemicals
Top Trading Region: EU
Important Trading Partners: USA, Singapore, Canada, China, Brazil
Downstream Impact: Pharmaceuticals, aerospace and automotive
Initiatives: Industry 4.0 (automation and data exchange)

Summary of Industry

The UK chemicals sector includes the manufacture of specialty chemicals, polymers, commodity chemicals, and consumer chemicals. Ninety-seven percent of the industry is made up of 2,500 Small and Medium Enterprises (SMEs), with large multinational

Threats to Industry

The chemicals sector has experienced growth but is facing increasing competition from the United States and China. Brexit and increased energy costs have invigorated efforts to become more energy efficient and

References

[1] http://www.independent.co.uk/news/uk/home-news/what-is-the-new-ira-why-has-the-terror-threat-been-raised-from-northern-ireland-to-the-uk-a7024276.html
[2] http://www.un.org/en/sc/members/
[3] https://www.gov.uk/government/news/65-years-of-nato
[4] http://thecommonwealth.org/member-countries
[5] https://www.iiss.org/en/shangri-la%20voices/blogsections/2017-b8c0/developing-the-five-power-defence-arrangements-c523
[6] https://ukdefencejournal.org.uk/study-finds-uk-is-second-most-powerful-country-in-the-world
[7] https://www.theguardian.com/commentisfree/2018/jan/19/nuclear-weapons-uk-defence-review-russia
[8] https://ukdefencejournal.org.uk/study-finds-uk-is-second-most-powerful-country-in-the-world/
[9] https://www.ft.com/content/2bea5eb8-d6c2-11e7-a303-9060cb1e5f44
[10] http://www.oxfordresearchgroup.org.uk/sites/default/files/PR%20briefing%20February%202017_0.pdf
[11] https://www.cpni.gov.uk/national-security-threats
[12] https://www.gov.uk/terrorism-national-emergency
[13] http://www.telegraph.co.uk/news/2017/04/29/knife-crime-14-gang-warfare-becoming-embedded-culture/
[14] https://www.helpnetsecurity.com/2017/03/14/top-five-most-wanted-malware/
[15] https://www.malwarebytes.com/pdf/white-papers/stateofmalware.pdf
[16] The CNI sectors have been taken from the UK CPNI as a template for a general national profile.
[17] https://www.cpni.gov.uk/critical-national-infrastructure-0