DOCSLIB.ORG

Mcafee Strategic Intelligence/Shamoon 2 Frequently Asked Questions

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ANNOUNCEMENT FAQ McAfee Strategic Intelligence/Shamoon 2 Frequently Asked Questions Q. What is the news? activity of a nation-state actor. Taken together, this A. McAfee has linked a series of cyber-attacks in new series of Shamoon cyber espionage campaigns Saudi Arabia to a common malicious actor rather are significantly larger, well-planned, well-resourced, than to individual cyber gangs in the region. and coordinated at a level beyond the limited McAfee Strategic Intelligence researchers have capacity of disparate independent hacker gangs. released evidence that a series of cyber-attacks Q. How can McAfee make these claims? targeting the Persian Gulf and, specifically, Saudia McAfee Strategic Intelligence surveyed the evolution Arabia between 2012 and the present are the work A. of Shamoon-based attacks, from the 2012 attacks of hacker groups supported and coordinated by a on the Persian Gulf energy sector, to the latest common malicious actor, and not the random efforts campaigns in Saudia Arabia in 2016 and 2017. of a variety of individual cyber gangs in the region. McAfee found commonalities between the Shamoon The latest Shamoon campaigns go beyond a malware samples, tactics and even infrastructure few targets in energy, to many in other critical used in these attacks: sectors that run Saudi Arabia. Whereas earlier Shamoon campaigns targeted a relatively small ■ The new attacks used 90% of the original code number of energy sector organizations to disrupt from the 2012 attacks the operations of the region’s critical industry, the ■ The macro code used in the latest spear-phishing new attacks are focused on a greater number of campaign was also used in the attacks launched organizations in the energy, government, financial by Rocket Kitten in Spring 2016 services and critical infrastructure sectors of Saudi Arabia to disrupt that entire country. ■ Some of the new attacks also used some of the same infrastructure previously used by the Oil-RIG The large-scale, sophisticated, coordinated campaign in late 2015. nature of the latest campaigns suggest the Connect With Us 1 McAfee Strategic Intelligence/Shamoon 2 ANNOUNCEMENT FAQ Q. Why is this different from previous Shamoon ■ Attack Wave 3: Began January 23, 2017, and discoveries and revelations? ongoing, with similar samples and methods and A. Past research has examined Shamoon attacks TTPs as in Waves 1 and 2. in depth, but haven’t brought forward evidence Q. What was the impact of these attacks? of a substantial overlap in code, tactics and In 2012, the actors moved quickly in and out of the infrastructure to the extent McAfee has today. A. victim’s network, inflicting system-wipe damage and Q. How do these attacks work? then disappearing. A. Step 1. Once a target is identified, the attackers send In 2016, the actors penetrated networks and spear-phishing emails to individuals working within established remote control to gather intelligence for the organization. The recipients of these messages future planned wiping attacks. are chosen carefully, with the assumption that they Unless thwarted, the attackers could have exfiltrated will enable network access to the most sensitive any data of value to them, and then erased the information and systems in the organization. systems’ data and made them unable to boot up Step 2. The email recipient is lured into clicking on and operate. a link within the email or opening a Microsoft Office file embedded with macros that allow the attackers Q. What does this discovery mean? to create backdoor access to the organizations. A. These findings are the latest evidence of rogue state or stateless actors developing increasingly sophisticated Step 3. The attackers conduct reconnaissance and powerful cyberwarfare and cyber espionage across the network to identify valuable information capabilities to project geopolitical and strategic and critical systems. power that would otherwise be beyond their reach. Step 4. Once the reconnaissance is complete, Such actors may seek to acquire cyber capabilities the attackers weaponize the attack and wipe the from the Black Market in the same way North Korea hard drives of the master boot records (MBRs). In looked to Pakistan’s Abdul Qadeer Khan to acquire the 2016 to present case, the attackers launched nuclear technologies. multiple simultaneous waves of attacks: They may choose to collaborate with other ■ Attack Wave 1: Wiped systems on November 17, aspiring actors as Iran and North Korea have in the 2016, at 20:45 Saudi time. development of ballistic missiles. ■ Attack Wave 2: Wiped systems on November 29, 2016, at 01:30 Saudi time. 2 McAfee Strategic Intelligence/Shamoon 2 ANNOUNCEMENT FAQ What we know for certain is that cyber tools, tactics, Engagement: The group will also be the primary knowledge, talent and infrastructure are similarly vehicle within McAfee for engagement with law available to actors wishing to acquire them. enforcement, academia, and other organizations, including efforts to take down criminal networks, Q. What else did McAfee announce today? develop new approaches to fighting cybercrime, A. McAfee announced the formation of McAfee and recruit more young people to join the ranks of Strategic Intelligence, a new research team charged cybersecurity professionals. with investigating the technology and tactics of the latest cyberwarfare and cybercrime campaigns, and Q. How does McAfee Labs’ research charter and working with law enforcement to take action against mission differ from that of Strategic Intelligence? networks of cybercriminals. A. McAfee Labs gathers threat intelligence data from The creation of Strategic Intelligence firmly millions of sensors across key threats vectors— establishes McAfee’s commitment to understanding file, web, and network—delivers real-time threat the cyber threat landscape, and will complement intelligence, critical analysis, and expert thinking to the work of McAfee Labs, one of the world’s most improve system protection and reduce risks. prominent sources of threat intelligence data, and McAfee Labs develops core threat detection the technology vulnerability research conducted by technologies that are incorporated into the broadest the Advanced Threat Research team. security product portfolio in the industry. McAfee Labs also engages with McAfee’s many Q. What is McAfee Strategic Intelligence’s mission? cyber threat intelligence sharing partners, including A. The McAfee Strategic Intelligence team will the Cyber Threat Alliance, an independent industry investigate the latest threats, their design, and how organization committed to facilitating the exchange they are built into cyber-attack campaigns, and of the latest threat data. Cyber Threat Alliance inform McAfee customers on how they can protect partners include Check Point, Cisco, Fortinet, Palo themselves and learn from these attacks moving Alto Networks, and Symantec. forward. Areas of research will include advanced malware, ransomware, financial fraud, general cybercrime, cyber espionage, cyberwarfare, and protection of industrial control systems. 3 McAfee Strategic Intelligence/Shamoon 2 ANNOUNCEMENT FAQ Q. How does McAfee Advanced Threat Research’s By researching security vulnerabilities in the areas charter and mission differ from that of Strategic of hardware, firmware, virtualization technologies Intelligence? and crypto software, the McAfee Advanced Threat A. McAfee’s Advanced Threat Research group conducts Research team plays an important role within research into vulnerabilities within the foundational McAfee, particularly as connected environments hardware and software technologies of the industry. because more diverse. Increasingly, people around the world depend Upon discovery of vulnerabilities, the team on technology for their daily affairs. Making coordinates the responsible disclosure and timely this technology trustworthy requires a deep mitigations with affected technology vendors. understanding of how attacks work. 2821 Mission College Blvd. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or itssubsidiaries in the US and other countries. Other Santa Clara, CA 95054 marks and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC. 3699_0417 888.847 8766 APRIL 2017 www.mcafee.com 4 McAfee Strategic Intelligence/Shamoon 2.
Recommended publications
  • Attacking from Inside

    Attacking from Inside

    WIPER MALWARE: ATTACKING FROM INSIDE Why some attackers are choosing to get in, delete files, and get out, rather than try to reap financial benefit from their malware. AUTHORED BY VITOR VENTURA WITH CONTRIBUTIONS FROM MARTIN LEE EXECUTIVE SUMMARY from system impact. Some wipers will destroy systems, but not necessarily the data. On the In a digital era when everything and everyone other hand, there are wipers that will destroy is connected, malicious actors have the perfect data, but will not affect the systems. One cannot space to perform their activities. During the past determine which kind has the biggest impact, few years, organizations have suffered several because those impacts are specific to each kinds of attacks that arrived in many shapes organization and the specific context in which and forms. But none have been more impactful the attack occurs. However, an attacker with the than wiper attacks. Attackers who deploy wiper capability to perform one could perform the other. malware have a singular purpose of destroying or disrupting systems and/or data. The defense against these attacks often falls back to the basics. By having certain Unlike malware that holds data for ransom protections in place — a tested cyber security (ransomware), when a malicious actor decides incident response plan, a risk-based patch to use a wiper in their activities, there is no management program, a tested and cyber direct financial motivation. For businesses, this security-aware business continuity plan, often is the worst kind of attack, since there is and network and user segmentation on top no expectation of data recovery.
  • The Middle East Under Malware Attack Dissecting Cyber Weapons

    The Middle East Under Malware Attack Dissecting Cyber Weapons

    The Middle East under Malware Attack Dissecting Cyber Weapons Sami Zhioua Information and Computer Science Department King Fahd University of Petroleum and Minerals Dhahran, Saudi Arabia [email protected] Abstract—The Middle East is currently the target of an un- have been designed by the same unknown entity 1. The next precedented campaign of cyber attacks carried out by unknown malware of this lineage was Flame [7] which was discovered parties. The energy industry is praticularly targeted. The in May 2012 by Kaspersky Lab while investigating another attacks are carried out by deploying extremely sophisticated malware. The campaign opened by the Stuxnet malware in piece of malware called Wiper [8]. Flame features very 2010 and then continued through Duqu, Flame, Gauss, and unusual characteristics such as large size, large number of Shamoon malware. This paper is a technical survey of the modules, self adapting, etc. As Duqu, Flame’s objective is attacking vectors utilized by the three most famous malware, data collection and espionnage. Gauss [9] is another data namely, Stuxnet, Flame, and Shamoon. We describe their main stealing malware discovered in June 2012 by Kaspersky Lab modules, their sophisticated spreading capabilities, and we discuss what it sets them apart from typical malware. The focusing on banking information. Flame and Gauss exhibit main purpose of the paper is to point out the recent trends striking similarities and several technical evidences indicate infused by this new breed of malware into cyber attacks. that they come from the same “factories” that produced Stuxnet and Duqu [9]. The latest malware-based attack Keywords-Malwares; Information Security; Targeted At- tacks; Stuxnet; Duqu; Flame; Gauss; Shamoon targeting the middle east was the Shamoon attack on Saudi Aramco [10].
  • A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX

    A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX

    In Collaboration With A PRACTICAL METHOD OF IDENTIFYING CYBERATTACKS February 2018 INDEX TOPICS EXECUTIVE SUMMARY 4 OVERVIEW 5 THE RESPONSES TO A GROWING THREAT 7 DIFFERENT TYPES OF PERPETRATORS 10 THE SCOURGE OF CYBERCRIME 11 THE EVOLUTION OF CYBERWARFARE 12 CYBERACTIVISM: ACTIVE AS EVER 13 THE ATTRIBUTION PROBLEM 14 TRACKING THE ORIGINS OF CYBERATTACKS 17 CONCLUSION 20 APPENDIX: TIMELINE OF CYBERSECURITY 21 INCIDENTS 2 A Practical Method of Identifying Cyberattacks EXECUTIVE OVERVIEW SUMMARY The frequency and scope of cyberattacks Cyberattacks carried out by a range of entities are continue to grow, and yet despite the seriousness a growing threat to the security of governments of the problem, it remains extremely difficult to and their citizens. There are three main sources differentiate between the various sources of an of attacks; activists, criminals and governments, attack. This paper aims to shed light on the main and - based on the evidence - it is sometimes types of cyberattacks and provides examples hard to differentiate them. Indeed, they may of each. In particular, a high level framework sometimes work together when their interests for investigation is presented, aimed at helping are aligned. The increasing frequency and severity analysts in gaining a better understanding of the of the attacks makes it more important than ever origins of threats, the motive of the attacker, the to understand the source. Knowing who planned technical origin of the attack, the information an attack might make it easier to capture the contained in the coding of the malware and culprits or frame an appropriate response. the attacker’s modus operandi.
  • Fractional Dynamics of Stuxnet Virus Propagation in Industrial Control Systems

    Fractional Dynamics of Stuxnet Virus Propagation in Industrial Control Systems

    mathematics Article Fractional Dynamics of Stuxnet Virus Propagation in Industrial Control Systems Zaheer Masood 1, Muhammad Asif Zahoor Raja 2,* , Naveed Ishtiaq Chaudhary 2, Khalid Mehmood Cheema 3 and Ahmad H. Milyani 4 1 Department of Electrical and Electronics Engineering, Capital University of Science and Technology, Islamabad 44000, Pakistan; [email protected] 2 Future Technology Research Center, National Yunlin University of Science and Technology, 123 University Road, Section 3, Douliou 64002, Taiwan; [email protected] 3 School of Electrical Engineering, Southeast University, Nanjing 210096, China; [email protected] 4 Department of Electrical and Computer Engineering, King Abdulaziz University, Jeddah 21589, Saudi Arabia; [email protected] * Correspondence: [email protected] Abstract: The designed fractional order Stuxnet, the virus model, is analyzed to investigate the spread of the virus in the regime of isolated industrial networks environment by bridging the air-gap between the traditional and the critical control network infrastructures. Removable storage devices are commonly used to exploit the vulnerability of individual nodes, as well as the associated networks, by transferring data and viruses in the isolated industrial control system. A mathematical model of an arbitrary order system is constructed and analyzed numerically to depict the control mechanism. A local and global stability analysis of the system is performed on the equilibrium points derived Citation: Masood, Z.; Raja, M.A.Z.; for the value of a = 1. To understand the depth of fractional model behavior, numerical simulations Chaudhary, N.I.; Cheema, K.M.; are carried out for the distinct order of the fractional derivative system, and the results show that Milyani, A.H.
  • FROM SHAMOON to STONEDRILL Wipers Attacking Saudi Organizations and Beyond

    FROM SHAMOON to STONEDRILL Wipers Attacking Saudi Organizations and Beyond

    FROM SHAMOON TO STONEDRILL Wipers attacking Saudi organizations and beyond Version 1.05 2017-03-07 Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East. The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012. Dormant for four years, one of the most mysterious wipers in history has returned. So far, we have observed three waves of attacks of the Shamoon 2.0 malware, activated on 17 November 2016, 29 November 2016 and 23 January 2017. Also known as Disttrack, Shamoon is a highly destructive malware family that effectively wipes the victim machine. A group known as the Cutting Sword of Justice took credit for the Saudi Aramco attack by posting a Pastebin message on the day of the attack (back in 2012), and justified the attack as a measure against the Saudi monarchy. The Shamoon 2.0 attacks observed since November 2016 have targeted organizations in various critical and economic sectors in Saudi Arabia. Just like the previous variant, the Shamoon 2.0 wiper aims for the mass destruction of systems inside targeted organizations. The new attacks share many similarities with the 2012 wave, though featuring new tools and techniques. During the first stage, the attackers obtain administrator credentials for the victim’s network. Next, they build a custom wiper (Shamoon 2.0) which leverages these credentials to spread widely inside the organization. Finally, on a predefined date, the wiper activates, rendering the victim’s machines completely inoperable.
  • Lawrence A. Husick, Esq. Co-Chair, FPRI Center on Terrorism May 1, 2015 We Were Warned…

    Lawrence A. Husick, Esq. Co-Chair, FPRI Center on Terrorism May 1, 2015 We Were Warned…

    Cyberthreats: The New Strategic Battleground Lawrence A. Husick, Esq. Co-Chair, FPRI Center on Terrorism May 1, 2015 We were warned… “Electronic Pearl Harbor…is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.” Dep. Defense Secretary John Hamre, 1999 Unrestricted Warfare Cols. Qiao Liang and Wang Xiangsui, People’s Liberation Army of China, 1999 Computer virus, worm, trojan Information poisoning Financial manipulation Direct cyberattack on US Based on US Strategic Concept of MOOTW (Military Operations Other Than War) CyberWar “There’s no agreed-on definition of what constitutes a cyberattack. It’s really a range of things that can happen, from exploitation and exfiltration of data to degradation of networks, to destruction of networks or even physical equipment…” - Dep. Defense Sec. Wm. J. Lynn, III, Oct. 14, 2010 Cyberdefense “There is virtually no effective deterrence in cyber warfare, since even identifying the attacker is extremely difficult and, adhering to international law, probably nearly impossible. - Dr. Olaf Theiler, NATO Operations China • PLA Unit 61398, located in Shanghai’s Pudong area • Attacked over 1,000 servers using 849 addresses • One victim was accessed for 4 years, 10 months • Largest single data theft: 6.5TB “The [Mandiant] report, … lacks technical proof. … Second, there is still no internationally clear, unified definition of what consists of a ‘hacking attack’. There is no legal evidence behind the report subjectively inducing that the everyday gathering of online (information) is online spying.” CyberThreat CyberCrime CyberSpying CyberWar CyberThreat CyberCrime CyberSpying CyberWar CyberThreat $ Data Disruption Also: • CyberEspionage • CyberTerrorism • CyberActivism • CyberAnarchy MAD to MUD (Gale & Husick, Feb.
  • Crowdstrike Global Threat Intel Report

    Crowdstrike Global Threat Intel Report

    TWO THOUSAND FOURTEEN CROWDSTRIKE GLOBAL THREAT INTEL REPORT www.crowdstrike.com TWO THOUSAND FOURTEEN CROWDSTRIKE GLOBAL THREAT INTEL REPORT INTRODUCTION .........................................................................4 Table of KEY FINDINGS ............................................................................7 STATE OF THE UNION .............................................................9 Contents: NOTABLE ACTIVITY ............................................................... 13 Criminal ................................................................................ 13 State ...................................................................................... 19 Hacktivist/Nationalist ............................................................. 25 2014 Zero-Day Activity ........................................................... 34 Event-Driven Operations ......................................................... 39 KNOW THE ADVERSARY ....................................................49 Effect of Public Reporting on Adversary Activity ........................ 49 HURRICANE PANDA .................................................................50 GOTHIC PANDA ..........................................................................55 Overview of Russian Threat Actors ........................................... 57 2015 PREDICTIONS.................................................................61 CONCLUSION ........................................................................... 73 2 Introduction Intelligence
  • Attributing Cyber Attacks Thomas Rida & Ben Buchanana a Department of War Studies, King’S College London, UK Published Online: 23 Dec 2014

    Attributing Cyber Attacks Thomas Rida & Ben Buchanana a Department of War Studies, King’S College London, UK Published Online: 23 Dec 2014

    This article was downloaded by: [Columbia University] On: 08 June 2015, At: 08:43 Publisher: Routledge Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK Journal of Strategic Studies Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/fjss20 Attributing Cyber Attacks Thomas Rida & Ben Buchanana a Department of War Studies, King’s College London, UK Published online: 23 Dec 2014. Click for updates To cite this article: Thomas Rid & Ben Buchanan (2015) Attributing Cyber Attacks, Journal of Strategic Studies, 38:1-2, 4-37, DOI: 10.1080/01402390.2014.977382 To link to this article: http://dx.doi.org/10.1080/01402390.2014.977382 PLEASE SCROLL DOWN FOR ARTICLE Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content.
  • Despite Infighting and Volatility, Iran Maintains Aggressive Cyber Operations Structure

    Despite Infighting and Volatility, Iran Maintains Aggressive Cyber Operations Structure

    CYBER THREAT ANALYSIS | Despite Infighting and Volatility, Iran Maintains Aggressive Cyber Operations Structure By Insikt Group® CTA-IR-2020-0409 CYBER THREAT ANALYSIS | IRAN Recorded Future’s Insikt Group® is conducting ongoing research on the organizations involved in Iran’s cyber program. This report serves to provide greater insight into the major military and intelligence bodies involved in Iran’s offensive cyber program. Although offensive cyber capabilities include domestic attacks, we researched those organizations with declared international missions. Due to the secretive nature of some organizations and lack of verifiable information, we incorporated competing hypotheses to adhere to industry analytic standards. For the purposes of this research, we investigated the Islamic Revolutionary Guard Corps (IRGC), including the Basij, as well as the Ministry of Intelligence and Security (MOIS), and the Ministry of Defense and Armed Force Logistics (MODAFL). Although the report suggests links between a select number of advanced persistent threat (APT) groups and certain intelligence organizations, we are unable to conclusively assign them to specific agencies due to gaps in information about each group. The sources for our research primarily include intelligence surfaced in the Recorded Future® Platform, industry research released by Symantec, FireEye, ClearSky, and PaloAlto, among others, and open source news reports. Executive Summary While the Iranian cyber program remains at the forefront of Tehran’s asymmetric capabilities, its intelligence apparatus is colored by various dysfunctions and seemingly destabilizing traits. In particular, the politicization of its various intelligence agencies and ensuing domestic feuds have reportedly polarized officer-level rank and file throughout the various security crises of the Islamic Republic.
  • Iranian Cyber-Activities in the Context of Regional Rivalries and International Tensions

    Iranian Cyber-Activities in the Context of Regional Rivalries and International Tensions

    CSS CYBER DEFENSE PROJECT Hotspot Analysis: Iranian cyber-activities in the context of regional rivalries and international tensions Zürich, May 2019 Version 1 Risk and Resilience Team Center for Security Studies (CSS), ETH Zürich Iranian cyber-activities in the context of regional rivalries and international tensions Authors: Marie Baezner © 2019 Center for Security Studies (CSS), ETH Zürich Contact: Center for Security Studies Haldeneggsteig 4 ETH Zürich CH-8092 Zürich Switzerland Tel.: +41-44-632 40 25 [email protected] www.css.ethz.ch Analysis prepared by: Center for Security Studies (CSS), ETH Zürich ETH-CSS project management: Tim Prior, Head of the Risk and Resilience Research Group Myriam Dunn Cavelty, Deputy Head for Research and Teaching, Andreas Wenger, Director of the CSS Disclaimer: The opinions presented in this study exclusively reflect the authors’ views. Please cite as: Baezner, Marie (2019): Hotspot Analysis: Iranian cyber-activities in context of regional rivalries and international tensions, May 2019, Center for Security Studies (CSS), ETH Zürich. 1 Iranian cyber-activities in the context of regional rivalries and international tensions Table of Contents 1 Introduction 4 2 Background and chronology 5 3 Description 9 3.1 Attribution and actors 9 Iranian APTs 9 Iranian patriotic hackers 11 Western actors 12 3.2 Targets 12 Iranian domestic targets 12 Middle East 12 Other targets 13 3.3 Tools and techniques 13 Distributed Denial of Service (DDoS) attacks 13 Fake personas, social engineering and spear phishing 13
  • Cyber Threat Data Model and Use Cases Final Report

    Cyber Threat Data Model and Use Cases Final Report

    CAN UNCLASSIFIED TA-35—Cyber Threat Data Model and Use Cases Final Report Dr. Antoine Lemay International Safety Research (ISR) Prepared by: ISR 38 Colonnade Road North Ottawa, Ontario Canada K2E 7J6 Contractor's document number: ISR Report 6099-01-03 Version 2.0 PSPC Contract Number: W7714-156105-T35 Technical Authority: Melanie Bernier, Defence Scientist Contractor's date of publication: September 2017 Defence Research and Development Canada Contract Report DRDC-RDDC-2017-C290 November 2017 CAN UNCLASSIFIED CAN UNCLASSIFIED IMPORTANT INFORMATIVE STATEMENTS The information contained herein is proprietary to Her Majesty and is provided to the recipient on the understanding that it will be used for information and evaluation purposes only. Any commercial use including use for manufacture is prohibited. Disclaimer: This document is not published by the Editorial Office of Defence Research and Development Canada, an agency of the Department of National Defence of Canada, but is to be catalogued in the Canadian Defence Information System (CANDIS), the national repository for Defence S&T documents. Her Majesty the Queen in Right of Canada (Department of National Defence) makes no representations or warranties, expressed or implied, of any kind whatsoever, and assumes no liability for the accuracy, reliability, completeness, currency or usefulness of any information, product, process or material included in this document. Nothing in this document should be interpreted as an endorsement for the specific use of any tool, technique or process examined in it. Any reliance on, or use of, any information, product, process or material included in this document is at the sole risk of the person so using it or relying on it.
  • A History of Cyber Incidents and Threats Involving Industrial Control Systems Kevin Hemsley, Ronald Fisher

    A History of Cyber Incidents and Threats Involving Industrial Control Systems Kevin Hemsley, Ronald Fisher

    A History of Cyber Incidents and Threats Involving Industrial Control Systems Kevin Hemsley, Ronald Fisher To cite this version: Kevin Hemsley, Ronald Fisher. A History of Cyber Incidents and Threats Involving Industrial Control Systems. 12th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2018, Arlington, VA, United States. pp.215-242, 10.1007/978-3-030-04537-1_12. hal-02076302 HAL Id: hal-02076302 https://hal.archives-ouvertes.fr/hal-02076302 Submitted on 22 Mar 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution| 4.0 International License Chapter 12 A HISTORY OF CYBER INCIDENTS AND THREATS INVOLVING INDUSTRIAL CONTROL SYSTEMS Kevin Hemsley and Ronald Fisher Abstract For many years, malicious cyber actors have been targeting the indus- trial control systems that manage critical infrastructure assets. Most of these events are not reported to the public and their details along with their associated threats are not as well-known as those involving enterprise (information technology) systems. This chapter presents an analysis of publicly-reported cyber incidents involving critical infras- tructure assets. The list of incidents is by no means comprehensive.