Cyber Intelligence Report – December 1, 2014

Executive Cyber Intelligence Bi-Weekly Report by INSS-CSFI - December 1, 2014




#OpSaveAlAqsa cyber-attack campaign against Israel still running

#OpSaveAlAqsa, the cyber protest coordinated by hacktivist group, AnonGhost, succeeded in publishing the personal details of around 270 thousand Israeli students. The group hacked into “Snunit,” an educational site for children that is a project of Hebrew University. The leaked data included names, passwords, home address, phone numbers, emails, I.D. numbers, etc. Madsec, the Israeli cybersecurity company who discovered the hack, explained the hacked details might be used for hacking accounts, such as Facebook or bank accounts. “Snunit” iterated that the stolen data was from fifteen-year-old servers and that most of the information was currently out of date. The education site filed an official complaint with the Israeli police.


Bots are great weapon for cyber terrorist

In early 2014, the New York Times published an article referring to the existence of bots in social media sites (millions of lines of code that emulate humans on social media sites). Social media bots are most infamous for emulating fake followers on Twitter and Instagram. As a follow up, a new article was published illustrating the bots’ improvement. While advanced programmers develop their own Bot Management tools, such as Zeus (a program offering a simple dashboard to control an army of bots), a new program is in development in order to make bots more commonly accessible to “recruit” thousands of fake followers. Creating fake accounts used to be more difficult and required skillful programming capabilities. As it is not illegal to own or create a bot, certain web sites, such as Swenzy or Fiverr, sell “likes,” “followers,” “downloads,” and “comments” on social media networks. Reports have shown celebrities, politicians, and companies repeatedly purchase fake followers in order to enhance their online persona. While social networks have claimed to be handling the issue of removing bots from people’s accounts, the more worrisome issue is removing viruses and malware that have been reported as being attached to these bots. Importantly, these tools are also accessible to terrorist groups and rogue states. In Syria, certain bot-groups have intimidated anyone tweeting in opposition. Simply put, these bots are a demonstration of the effectiveness of psychological warfare used against the masses, and the propaganda of groups such as ISIS or Al-Qaeda in their respective cyber uses in order to influence public opinion and appear more powerful than they are.


Russian telecom companies under cyber attack

Russian large telecom companies are under cyber attack through a cyber snooping operation reminiscent of the Stuxnet worm. It has been billed as the world’s most sophisticated computer malware. Cyber security company, Symantec, stated the malware, referred as “Regin,” is likely coordinated by a western intelligence agency and in some respects is more advanced in engineering than Stuxnet, which was developed by US and Israel government hackers in 2010 to target the Iranian nuclear program. The discovery of “Regin” came from the Kaspersky Labs, the Russian company that uncovered Stuxnet.


Syrian Electronic Army claims hack of different news site

The Syrian Electronic Army (SEA) claimed responsibility of various news websites’ cyber attacks including CBC News and the Telegraph. The reason behind the attack, SEA expressed, was because Western media published false information about the Syrian Air Force killing civilians in air bombs. (The SEA claims the bombs were aimed towards ISIS forces, and the strikes were successful.) The attack featured a pop-up message to all visitors stating: “You’ve been hacked by the Syrian Electronic Army (SEA).” Despite the pop-up message, no personal data was accessed, and no foreign malware or virus was transmitted onto visitors’ computers or devices while readers accessed the websites during the incident. This attack was possible because the specific websites used a Gigya platform, a company offering customer identity management to businesses. The SEA did a variation of this hacking before when they attacked the Reuters website through a third base program. By being able to hack into Gigya, SEA was able to hack into different news websites using their services. According to the SEA Twitter account, the attacks were meant to coincide with the US Thanksgiving holiday.

Egyptian Cyber Army is new hacker group in Middle East

ISIS faced cyber attacks 24 hours after ISIS’s leader, Al-Baghdadi, survived a US attack and was heard in a new ISIS audio recording that had him calling for revenge and to attack and hurt all parties against ISIS’s agenda, including the US and El-Sisi’s Egypt. The audio recordings were replaced with a song and a message with a logo from a group referring to themselves as the “Egyptian Cyber Army” (ECA). Influenced by the makings of the Syrian Electronic Army, all the group members are Egyptian sympathisers of the Abdel Fattah el-Sisi led Egyptian government. ECA’s apparent main goal is to attack ISIS propaganda online. Another goal of the group is to defend al-Sisi’s government against opponents such as the Muslim Brotherhood. Even though the group’s actions suggest they are a pro-government cyber organization, it is unclear who is really behind the group and whether they are sanctioned by the Egyptian government, but they are believed to have people inside “Al-Furqan,” the media arm of ISIS. According to Khaled Abubakr, a representative of ECA: “We are an idea, not only a team,” analyzed to mean they live on the ideas of ruining ISIS and the Muslim Brotherhood’s actions.


Executives in Asian luxury hotels fall prey to Darkhotel cyber-espionage

The wireless networks of luxury hotels in Asia have been comprised. A recent study by the Kaspersky Lab highlights the importance of having up-to-date security software for laptops and mobile devices that are used when traveling abroad, specifically in Asia. The attack, referred to as Darkhotel, has already infiltrated thousands of devices, dating as far back as 2009. Many manufacturing operations executives from industries such as automotive, cosmetics, chemical, and others have been hit. Other victims of the attack came from investment capital, private equity, law-enforcement, and NGOs. The cyber attack was initiated by a request to download an update to legitimate software like Adobe Flash, Google Toolbar, or Microsoft Messenger. The attack would only occur after the sign-in, making further communication vulnerable. Kurt Baumgartner, principal security researcher at Kaspersky Lab, explained the malware had several irregular features. The key logger module is designed to remove itself if it detects the default language, Korean. In another unusual feature, after the initial breach the malware is able to go dormant for up to six months before it tries to contact a remote control server that enables Darkhotel to evade any examination by IT upon the victim’s return from a trip to Asia. 90% of victims have been from Japan, Taiwan, China, Russia, and South Korea. Business travellers to Asia from Germany, Hong Kong, Ireland, and the United States have also been comprised.


Kenya ranked 4th globally in list of countries hit worst by fraud
Kenya is ranked the 4th globally (behind Nigeria, Egypt, and Namibia) among countries hit by fraud. According to the Third Global Fraud Survey by Ernest & Young (EY), most fraud incidents are perpetrated by middle-level managers. The report indicates that over 27% of Kenyan managers in the private sector admit their organizations have experienced significant fraud.

South Africa Cyber response group to develop policy
The South African government has established a Cyber Response Committee (CRC) to coordinate and monitor the development of policies and strategies aimed at combating cyber threats against state departments and institutions. The committee is chaired by the State Security Agency (SSA) and consists of representatives from various departments: justice and constitutional development, science and technology, telecommunications and postal services, defence, and the South African Police Service. Minister of police Nkosinathi Nhleko recently announced the details of the CRC during a briefing of developments within the Justice, Crime Prevention, and Security (JCPS) Cluster in Parliament.


UK companies would hire ex-hackers to counter cyber attacks

The company KPMG has recently released a report explaining that UK companies would consider hiring ex-hackers in order to counter cyber threats and enable them to keep a step ahead of cyber criminals and hacktivist. According to a survey conducted by KPMG on 300 Information Technology and Human Resources specialists, 74% admitted that cyber threats they are currently facing require well skilled and trained cyber specialists. Moreover, in response to the question of “whether or not they will hire a hacker as their security administrator with cybercrimes on the rise?” 53% answered yes. Moreover, 52% declared they would even think about hiring someone with a cyber-criminal background. The real problem for cyber security specialists is the fact that they do not think enough about the human aspect in cybercrimes, which can be just as essential in processing the malware. Therefore, a hacker would have an appropriate comprehension of how to counter cyber attacks than a cyber security specialist would because they are more aware of how cyber criminals and hackers work. Hackers deciding to perform ethical hacking for private companies are considered as “white hat” in opposition to the “black hat.” It is not the first time that the UK is thinking about hiring ex-hackers. Indeed, in 2013, the UK Secretary of State for Defense Philip Hammond announced that hundreds of cyber security experts including ex-hackers would be recruited by the Ministry of Defense as cyber reservists and would be trained by the British intelligence communication agency GCHQ. In 2013, the cost of cybercrimes to the UK economy was $11.4 billion.

UK guide to help cyber defense companies export products

The UK government published a guide written by Senior UK IT specialists in cooperation with the Institute of Human Rights and Businesses to help cyber security companies detect and evaluate the risks of cyber security products exportations. The guide’s intent aims at helping UK cyber defense companies to export their solutions and promote the UK technologies around the world. Moreover, the guide is aiming to provide guidelines on political, legal frameworks and evaluating business risks. The UK government has been concerned about certain companies perpetrating human rights abuses while exporting their products. The UK has been one of the leading and advanced countries in cyber defense strategy; however, in terms of exportations, they are not yet at the top, so this new guide may help them to catch up. Being one of the top cyber security countries does not always mean that the cyber security exportations will be high, taking into account certain things, such as the political context, the cyber strategy adopted by the targeted country, and its need in terms of cyber.

NATO and Cyber Defence Exercise in Estonia

NATO Cooperative Cyber Defense Centre of Excellence organized the first cyber defense training, “Cyber Coalition 2014,” which took place in Tartu, Estonia. The objective of the exercise was to examine the preparedness of NATO‘s critical infrastructure in the field of cyber threats with the simulation of real cyber attacks. The training and defense exercises were created for the purpose to fend off cyber attacks and improve NATO cyber defense capabilities. Moreover, this exercise will allow others to be prepared to deal with real attacks in advance and take additional measures. “This exercise will test our systems to make sure that NATO keeps pace with that evolving threat and that the skills and expertise of our cyber specialists are fully up to the task,” said Ambassador Sorin Ducaru. Cyber defence is one of the most critical part of national infrastructure; protection is one of the main task of NATO security policy. “NATO launched its first training in cyberspace among the priorities highlighted in the Enhanced NATO Policy on Cyber Defence, endorsed at the Wales Summit, to training and exercises,” said Ambassador Ducaru. These exerciese were conducted by experts from technical, academic, and government environment and representatives from academia and industry.

Prague hosts Technologian Platform on Energy Security International Conference

The Technologian Platform on Energy Security in the Czech Republic is the public-private partnership project related to the initiative of the Economic Committee and the Parlament of the Czech Republic and Ministry of Industry and Trade in the Czech Republic. This project supports scientific research and technological activities including cyberspace in various aspects of the energy industry. On November 6, this initiative organized the conference titled, “Energy & Cyber Security in the EU,” which focused on the main issues of national cyber security and energy towards the policy of the EU. Between the main topics, which were discussed in the three main blocks of the conference, were the new implementation projects in the EU and the analysis of the new threats in the field of the cyber security in energy industry and cyber threats regarding the Critical Infrastructure Protection and National Security.

inss150About the Cyber Intelligence Report:

This document was prepared by The Institute for National Security Studies (INSS) – Israel and The Cyber Security Forum Initiative (CSFI) – USA to create better cyber situational awareness (Cyber SA) of the nature and scope of threats and hazards to national security worldwide in the domains of cyberspace and open source intelligence. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities, and follow-on measures. This product may contain U.S. person information that has been deemed necessary for the intended recipient to understand, assess, or act on the information provided. It should be handled in accordance with the recipient’s intelligence oversight and/or information handling procedures. Some content may be copyrighted. These materials, including copyrighted materials, are intended for “fair use” as permitted under Title 17, Section 107 of the United States Code (“The Copyright Law”). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: [email protected]. CSFI and the INSS would like to thank the Cyber Intelligence Analysts who worked on collecting and summarizing this report.