Cyber[Crime|War] Charting dangerous waters (Iftach Ian Amit)
Abstract (source: Blackhat.com)
CyberWar has been a controversial topic in the past few years. Some say the the mere term is an error. CyberCrime on the other hand has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organizaed crime’s best sources of income. In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organization when carrying out attacks on the opposition. We will discuss the connections between standard warfare (kinetic) and how modern campaigns use cybersecurity to its advantage and as an integral part of it.
Talk Abstract –> Cyber[Crime|War] Charting dangerous waters
Speaker Bio –> Iftach Ian Amit
Continuing on from last years Blackhat presentation.
You can’t tell from a bullet-hole, if it’s part of warfare, or crime. We’ve spent too long focusing in on the bullet, and not enough time considering the big picture.
- Government / state
- Official Backing
- Official resources
- Semi-official Backing (organized crime)
- Official Resources
- Established expertise
- Market for exploits
For people researching cybercrime for any length of time, APT is nothing new.
If you think there’s no Cyberwar (Like Eric Schmidt) then you just don’t know how to connect to dots.
In cyberwarfare, size doesn’t matter. Some of the main actors are only a small dot on the map.
Main players :
Some of these are very well documented and known, other not so much.
Staffing for the main players varies. Where the USA actively search for recruits (see Facebook), others like Isreal usually stick with homegrown (existing armed forces).
Highly selective targeting of military (and critical) resources – In conjunction with a kinetic attack
Massive DDoS in order to “black-out” a region, disrupt services, and/or push political agenda (propaganda)
- Never just military
- Physical and logical protections = last survival act
- Availability and Integrity of services
- Channels: Web, mail, open services
- Targeted attacks on premium resources
- Commissioned for extortion purposes
- Carpet bombing for most attacks
- Segment geographical regions and market segments
- Secondary infections
- All about money
- Anti[virus | malware | spyware | rootkit | trojan]
- Firewalls / IDS / IPS
- What about port 80, 443, …
- Encrypted traffic
Claim: Cybercrime is being used to conduct Cyberwar
Estonia – Very little information is available. What is available however points more towards (state sponsored) hacktivism than any kind of Cyberwar event.
Isreal – 2nd Lebanon war
- Palestinian TV Hacked for propaganda
- Most online attacks are attributed to hacktivists
- Attacks on Israeli and Arabic targets
Examples of Cybercrime and Cyberwar overlapping. ARHack forum… selling credit-cards by day, Politically motivated attacks by night.
Georgia – Began by picking on the president (flood attacks on the http://www.president.gov.ge website). This was quickly followed by a kinetic movement (troops moving into Georgia). Alongside the political targets in Georgia, the same botnet also attacked commercial sites (porn sites, escort services, carder forums, gambling sites, Nazi/Racist sites, …)
The same botnet was being used both purposes.
Iran Elections – 2009 twitter DNS hack attributed to Iranian Activity. Political connections are obvious. Timing was too exact. Connections between the Ashiyane group and the “Iranian Cyber Army” through their forums.
Ashiyane run Cyber[Crime|War] training on their forums. They name a target and tell people to attack it, access/destroy data. One of their listed targets was a natural gas company in the US. Commercial interests.
At the same time as the Twitter attack was being covered in the news, Iran occupied an oil field in Iraq. This wasn’t widely covered in the news. The Twitter attack was perfect synchronized to this action.
China – The Great Firewall is doing an OK job. Proving grounds for many cyber-attackers. Previously been used for bullet-proof hosting. After the RBN shutdown in 2008, China offered a good alternative.
The recent attacks from China on Google, Adobe, … have the same MO, and also show that the target was “intellectual property”. However, even if the attacks originated from China, where was the next hop? All evidence however points to known criminal groups.
The US government request an explanation from the Chinese government. This makes no sense if it was a criminal group using systems in China to perform the attack.
Connecting the dots: China responded saying that the origination of the attack was in the US. The systems in China were just 1 hop in the chain. Although it looks politically motivated, it doesn’t always have to be.
- Formal Training on cybersecurity by nations
- Commercial development of malware still reigns
- Good meets bad: Money changes hands. Less tracks to cover politically. Criminal organizations already manufacturing arms
- Still a lack of legislation and cooperation
For more information please see the Blackhat Europe website