How Do We Keep the Lights on When Everyone Has Access to the Switch?


Slide 1: How do we keep the lights on when everyone has access to the switch?
16 July 2016, Saturday
ISSA-COS Mini-Seminar, Colorado Technical University, Colorado Springs, CO
Wally Magda, SOHK, WallyDotBiz LLC

Slide 2: Industrial Control Systems: How do we keep the lights on…..?
• No animals were harmed in the making of this presentation!
WallyDotBiz LLC © 2016

Slide 3: Industrial Control Systems: How do we keep the lights on…..? (no text on slide)

Slide 4: Cellphone, BB, PDA Advisory
• Please put alert-generating devices into silent or vibrate mode if possible
• Be kind to your colleagues; please take phone conversations out in the hall

Slide 5: DISCLAIMER
• The author is not a lawyer and cannot give legal advice
• The author does not endorse any specific product or entity
• This presentation is simply the author’s professional perspective on Industrial Control Systems (ICS) cyber and physical security
• References used can be found in the Helpful Links section

Slide 6: How do we keep the lights on when the switch is connected to the internet?

Slide 7: AGENDA
• SCADA overview
• Threat vectors into ICS devices
• Possible consequences once in control
• Horror stories and threat scenarios
• Actions to protect business and customers

Slide 8: SCADA overview (section divider)

Slide 9: SCADA overview
• SCADA: Supervisory Control and Data Acquisition
  o “Typically” deployed across a large geographic area, like the electric grid or natural gas pipelines
  o One type of many systems used to keep the lights on and energy flowing

Slide 10: SCADA overview: Typical SCADA Diagram (diagram only)

Slide 11: SCADA overview
Alphabet soup--lots of acronyms for similar systems/devices. We shall choose one for purposes of this presentation.

Slide 12: SCADA overview
• ICS: Industrial Control System
  o Broad set of control systems
  o General term that encompasses all

Slides 13-15: SCADA overview (no text on slides)

Slide 16: SCADA overview
• Typical ICS system found in many homes…

Slide 17: SCADA overview: Typical Home Heating System (diagram)
[Diagram labels: Temperature Display (LED/iPhone/Dial-up); Thermostat to set desired temp; Turn on/off Gas; Natural Gas Valve; House temperature; Igniter/Pilot; Blower; Heat Exchanger; Burner & Blower; Cold Air; Hot Air; Heat loss from home; Natural Gas BTU Heat Content; Teenager]

Slide 18: SCADA overview
• HVAC
• PACS
• Manufacturing
• Vehicles
• Airplanes
• Sprinkler/Irrigation
• Pharmaceutical--remote drug injection
• Pacemakers

Slide 19: Threat vectors into ICS devices (section divider)

Slide 20: Threat vectors into ICS devices
FUD / The Good / The Bad / The Ugly

Slide 21: Threat vectors into ICS devices
!!!! This ain’t FUD !!!!

Slide 22: Threat vectors into ICS devices (no text on slide)

Slide 23: Threat vectors into ICS devices
ISSSource.com on a report from Rockwell Automation about a ransomware attack delivered by a file made available on the internet (no source given) called ‘Allenbradleyupdate.zip’ (April 2016)

Slides 24-27: Threat vectors into ICS devices (no text on slides)

Slide 28: Threat vectors into ICS devices: Interdependencies

Slide 29: Threat vectors into ICS devices (no text on slide)

Slide 30: Threat vectors into ICS devices
• Generation--coal, natural gas, oil, hydro, geo-thermal, wind, solar, steam, nuclear
  o Mix of natural gas exceeds 50%
  o No gas, no fuel supply, no electricity
  o Rinse, lather and repeat
• Cyber attack can easily shut it down

Slide 31: (no text on slide)

Slide 32: Threat vectors into ICS devices
• FTP
• Telnet
• SNMPv1 (v3 available for 14 years)
• Firewall misconfiguration
• VLAN misconfiguration
• Wireless (MIJI)
• Spearphishing

Slide 33: Threat vectors into ICS devices: Sneaker Net

Slide 34: Threat vectors into ICS devices
• Social Engineering

Slide 35: Possible consequences once in control (section divider)

Slide 36: Possible consequences once in control
Smart Grid home monitoring; connected to internet

Slide 37: Possible consequences once in control (no text on slide)

Slide 38: Possible consequences once in control
• Project Aurora, 2.25 MW generator (2007)
• Remote cyberattack destroys generator

Slide 39: Possible consequences once in control
• Let the smoke out and it stops working!

Slide 40: Possible consequences once in control
• Not to be confused with Operation Aurora
• 2010 hack stealing Intellectual Property
• 2003 Northeast electric grid outage: situational awareness lost in Ohio when computer systems slowed down
• Not a hack, but there was a contributing cyber component

Slide 41: Possible consequences once in control
• Ping sweep causes robotic arm to swing wildly
• Ping caused IC fab plant to hang
  o $50,000 worth of wafers destroyed
• IT performing pen test on corporate network
  o Unintentionally stumbles into SCADA
  o Locks up gas pipeline SCADA
  o 4 hours gas service shutdown

Slide 42: Possible consequences once in control: Feb 2016

Slide 43: Horror stories and threat scenarios (section divider)

Slide 44: Horror stories and threat scenarios
Top 3 Public Enemies: Electric

Slide 45: Horror stories and threat scenarios (no text on slide)

Slide 46: Horror stories and threat scenarios
AIR GAP: International Space Station (ISS)

Slide 47: Horror stories and threat scenarios
• Houston! Windows Has Problems
  o 2008: Password-Stealing Virus Infects Space Station Laptops (W32.Gammima.AG)
  o Not the first time
  o Payload laptops do NOT provide virus protection/detection software

Slide 48: Horror stories and threat scenarios
• NASA assures astronauts flight control systems were not in danger
  o But to be safe….
  o Migrates all the computer systems related to the ISS over to Linux for
    - Security
    - Stability
    - Reliability reasons
  o Mistaken belief that Linux has no vulns

Slide 49: Horror stories and threat scenarios (no text on slide)

Slide 50: Horror stories and threat scenarios
• 787 vulnerable to hackers
  o Common Core System (CCS)
  o Saves weight--fewer line units
  o Wireless computer controls
  o FAA raised security concerns
  o Boeing claims they have addressed issues
  o Maintenance crews--wireless laptops

Slide 51: Horror stories and threat scenarios
• Airports and airlines considered CI
• Airlines do not have to report cyber attacks
• Senator queries air industry about aircraft cybersecurity defenses
• Oh my!!!!
  o Hack-able cars at risk in a cyber attack
  o Navigation, Wi-Fi, Bluetooth, cellular
  o Brakes & steering on Bluetooth!!!!

Slide 52: Horror stories and threat scenarios
• Stuxnet via sneakernet (June 2010)
  o Natanz Fuel Enrichment Plant
  o Digitally signed malware
  o HMI spoofed (operator intuition)
  o Slow attack, under the radar
  o Destroy centrifuges
• Variants out in the wild

Slide 53: Horror stories and threat scenarios
  o Stuxnet infected Chevron’s IT network (Nov 8, 2012)
  o TELVENT hit by sophisticated cyber attack; SCADA admin tool compromised (Sep 26, 2012)
    - Telvent supplies remote admin and monitoring tools
    - Intelligent transportation systems, train, metro, traffic lights
    - Warns customers of advanced persistent threat!!!!

Slide 54: Horror stories and threat scenarios
• Power generation facility
• Malware discovered on USB drive
• Two engineering workstations
• No backups

Slide 55: Horror stories and threat scenarios
• Turbine control system
• Scheduled outage for maintenance
• Third-party tech USB for uploads
• Mariposa botnet virus discovered on USB drive
• Delayed restart 3 weeks = $$$$$

Slide 56: Horror stories and threat scenarios
• Use case (optional): ICS-CERT Advisory (ICSA-10-090-01), revised 2014
  o USUTIL2 notifies USUTIL1 of malware (employee)
  o Instructor shared at industry conference
  o Mariposa botnet trojan
    - Usernames/passwords
    - Email
  o USUTIL1 malware tools did not detect
  o Windows system: still spreading but can’t phone home
  o Command & Control (C2) callbacks
    - hnox.org, socksa.com, ronpc.net
    - Initial contact 49 bytes, UDP 21039

Slide 57: Horror stories and threat scenarios
• Netherlands
  o Dike controls on internet--Shodan
  o Veere county admin using password “Veere”
  o Server running SunOS 5.8 not patched for 6 years

Slide 58: Horror stories and threat scenarios
• Netherlands
  o New low: Bavaria Beer brewer site hacked
  o Large electronics company hacked
  o Dutch government lost cyber security incident database
    - Backup tapes could not be read anymore

Slide 59: Horror stories and threat scenarios
Courtesy of SHODAN

Slide 60: Horror stories and threat scenarios
• FUD
• Hacktivists
• Specialized Search Engines (SHODAN, SHINE, ERIPP)
• Exploitation Tool Kits

Slide 61: Horror stories and threat scenarios
• 2012: Chinese hackers gain access to NASA’s Jet Propulsion Lab
• Saudi Aramco attack; 30,000+ computer systems data wiped (Shamoon, sneakernet)
• 400% increase in vuln reports since 2010
• Major spearphishing campaign against US oil & natural gas pipelines

Slides 62-63: Horror stories and threat scenarios (no text on slides)
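Slide 56 lists the Mariposa C2 indicators from ICS-CERT advisory ICSA-10-090-01: three callback domains and a 49-byte initial contact over UDP port 21039. The detector below is an added example, not code from the presentation or the advisory; it scans DNS and flow records for those indicators. The log line formats, the 10.20.0.0/16 control-network range and the sample records are constructed for illustration.

```python
"""Flag Mariposa C2 callback indicators (from ICS-CERT ICSA-10-090-01):
DNS lookups of the three listed C2 domains, and a first UDP packet of
exactly 49 bytes to destination port 21039.

Added example for this page, not code from the presentation or the
advisory. Log formats, addresses and sample records are constructed."""
import ipaddress
import re

# Indicators as given on the slide (ICSA-10-090-01).
C2_DOMAINS = {"hnox.org", "socksa.com", "ronpc.net"}
C2_UDP_PORT = 21039
C2_FIRST_PAYLOAD_LEN = 49

# Assumed (constructed): engineering workstations live in this range.
ICS_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed flow format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> len=<bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)
# Constructed DNS-log format: "<ts> DNS <client> query <qname>"
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS (?P<client>[\d.]+) query (?P<qname>\S+)$")


def domain_matches(qname: str) -> bool:
    """True if qname is one of the C2 domains or a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def scan(lines):
    """Return a list of (timestamp, source_ip, reason) alerts.

    Only the *first* UDP packet from a given src to a given dst:21039 is
    checked for the 49-byte length, matching "initial contact" on the slide.
    Later packets in the same conversation are ignored, so the size of the
    follow-up traffic does not matter.
    """
    alerts = []
    seen_first = set()  # (src, dst) pairs whose initial UDP/21039 packet was seen
    for raw in lines:
        line = raw.strip()
        m = DNS_RE.match(line)
        if m:
            if domain_matches(m["qname"]):
                alerts.append((m["ts"], m["client"],
                               f"DNS lookup of known C2 domain {m['qname']}"))
            continue
        m = FLOW_RE.match(line)
        if not m or m["proto"] != "UDP" or int(m["dport"]) != C2_UDP_PORT:
            continue
        key = (m["src"], m["dst"])
        if key in seen_first:
            continue  # not the initial contact
        seen_first.add(key)
        if int(m["len"]) == C2_FIRST_PAYLOAD_LEN:
            src = ipaddress.ip_address(m["src"])
            where = "ICS host" if src in ICS_NET else "host"
            alerts.append((m["ts"], m["src"],
                           f"{where} sent 49-byte initial UDP/{C2_UDP_PORT} to {m['dst']}"))
    return alerts


# Constructed sample records: one engineering workstation resolving a C2
# domain and beaconing, one benign UDP/21039 flow of another size, one
# unrelated DNS query, and a TCP flow that must not match.
SAMPLE_LOG = """\
2016-07-16T09:00:01 DNS 10.20.5.17 query hnox.org.
2016-07-16T09:00:02 UDP 10.20.5.17:51234 -> 203.0.113.9:21039 len=49
2016-07-16T09:00:03 UDP 10.20.5.17:51234 -> 203.0.113.9:21039 len=120
2016-07-16T09:00:04 UDP 192.168.1.50:40000 -> 198.51.100.7:21039 len=60
2016-07-16T09:00:05 DNS 10.20.5.18 query time.example.net
2016-07-16T09:00:06 TCP 10.20.5.18:44321 -> 198.51.100.7:21039 len=49
""".splitlines()

if __name__ == "__main__":
    for ts, host, reason in scan(SAMPLE_LOG):
        print(f"{ts} {host}: {reason}")
```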