APT28 group as a threat to the national security of the Slovak Republic


FACULTY OF SOCIAL STUDIES

APT28 group as a threat to the national security of the Slovak Republic

Diploma thesis

Bc. Dominik Plávka

Supervisor: Mgr. Jakub Drmola, Ph.D.
Department of Political Science
Field: Security and Strategic Studies
Brno 2021

Bibliographic record

Author: Bc. Dominik Plávka, Faculty of Social Studies, Masaryk University, Department of Political Science
Title of Thesis: APT28 group as a threat to the national security of the Slovak Republic
Degree Programme: Security and Strategic Studies
Field of Study: Security and Strategic Studies
Supervisor: Mgr. Jakub Drmola, Ph.D.
Year: 2021
Number of Pages: 130
Keywords: cyber security, national security, espionage, critical infrastructure, APT, APT28, Slovak Republic

Abstract

The topic of the submitted diploma thesis is the threat resulting from experience with the previous activities of the hacking group APT28. The actor, supported by the Russian Federation, with its capacities and capabilities represents a significant threat to states whose national interests are in conflict with those of Russia. The Slovak Republic, as a member of NATO and the EU, thus represents a potential target for this group's attacks. Based on the application of the theoretical framework of vulnerabilities and two main threats in cyberspace for states, the diploma thesis analyses the extent to which the APT28 group represents a real threat to Slovakia's national security and in which respect the country may feel most threatened.

Declaration

I declare that I have written the diploma thesis on the topic APT28 group as a threat to the national security of the Slovak Republic by myself. All sources of information that I used in writing this thesis have been cited in the text and are listed in the list of sources used.

In Brno, 5 January 2021 ....................................... Bc. Dominik Plávka

Acknowledgements

I would like to take this opportunity to thank the supervisor of my thesis, Dr. Drmola, for his advice and help in writing it. During all these (far too many) years at BSS, the humane and friendly approach of our teachers and of the secretary, and the friendly relationships with classmates, meant a lot to me; thank you for that. BSS hey hey hey!

For their irreplaceable position in my life and their absolute support during my studies, I am immensely grateful to my parents, Bebe and Simonka. THANK YOU!!!

Contents

List of figures 13
List of tables 14
List of abbreviations 15
Introduction 17
1 Methodological grounding of the thesis 19
1.1 Case selection 19
1.2 Aim of the thesis 21
1.3 Procedure of the thesis 21
1.4 Conceptualisation of the thesis 22
1.5 Literature review 25
1.6 Limits of the thesis 26
2 Theoretical grounding of the thesis 28
2.1 Definition of key concepts 28
2.2 Definition of APT 33
2.3 Classification of APT groups among actors in cyberspace 36
2.4 Attribution of APT groups 39
2.5 Forrest Hare's theoretical framework 42
3 Cyber security in Slovakia 48
3.1 Legislative and competence framework 48
3.2 Cyber attacks by APT actors against Slovakia 50
4 Russian national interests and Slovakia 52
4.1 Russian national interests 52
4.2 Russian interests and the security of Slovakia 55
5 The APT28 group 57
5.1 Origin of the group 57
5.2 Attribution of the group 58
5.3 Victims and objectives of the group 62
5.4 Attack vectors and tools 64
5.5 Course of an attack 67
5.6 Significant APT28 operations and campaigns 68
6 Defining Slovakia's position within F. Hare's vulnerabilities 78
6.1 Strength of the state 78
6.2 Socio-political cohesion 81
6.3 Slovakia's critical weakness and APT28 activities 83
7 Threats to Slovakia's security from two types of attack 92
7.1 Penetration of strategic information systems 92
7.2 Disruption of the functioning of critical infrastructure 97
8 APT28 and predictions for the immediate future 103
Conclusion 107
Appendix 1 110
Sources used 113

Number of characters: 184 993

List of figures

Figure 1: Pattern of functioning of cyber actors
Figure 2: Overlap of names for the same actor when examined by different organisations
Figure 3: Countries in Russia's intended sphere of influence
Figure 4: Map of countries hit so far by APT28 attacks (as of 2020)
Figure 5: Spearphishing email from APT28 used in the attack on the DNC in 2016

List of tables

Table 1 – Vulnerabilities and types of states according to Barry Buzan
Table 2 – Cyber vulnerabilities and types of states according to F. Hare

List of abbreviations

APT – Advanced Persistent Threat
APT28 – Advanced Persistent Threat 28
BIS – Bezpečnostní informační služba (Czech Security Information Service)
CIA – Confidentiality, Integrity, Availability
COVID-19 – CoronaVirus Disease 2019
DDOS – Distributed Denial of Service
DNC – Democratic National Committee
FBI – Federal Bureau of Investigation
GRU – Glavnoje razvedyvatelnoje upravlenije
IAAF – International Association of Athletics Federations
NATO – North Atlantic Treaty Organization
NBÚ – Národný bezpečnostný úrad (Slovak National Security Authority)
NSA – National Security Agency
NÚKIB – Národní úřad pro kybernetickou a informační bezpečnost (Czech National Cyber and Information Security Agency)
OSCE – Organization for Security and Co-operation in Europe
OPCW – Organisation for the Prohibition of Chemical Weapons
OSINT – Open-Source Intelligence
OSN – Organizácia spojených národov (United Nations)
SIS – Slovenská informačná služba (Slovak Information Service)
SK-CERT – Slovak Computer Emergency Response Team
V4 – Vyšehradská štvorka (Visegrád Four)

Introduction

"Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations. Russia does not conduct offensive operations in the cyber domain." Embassy of Russia in the USA (Facebook 2020).

The term "cyber security" has in recent years become something of a buzzword, one that politicians are now so fond of commenting on and that they attach to everything that can technically be plugged into an electrical socket. Beyond empty phrases about the need to create a secure cyberspace, however, in real life they themselves often do not behave "securely", which has contributed to several of the incidents mentioned in this thesis. It is precisely these types of events that form the core of the concern about cyber actors whose skills and capacities allow them to penetrate security perimeters into the systems or devices of individuals as well as organisations and purposefully exfiltrate from them