Cyber Report 25
December 2017

Executive Summary
Cyber Report no. 25 by the International Institute for Counter-Terrorism (ICT) reviewed the prominent uses made of cyberspace by terrorist organizations and their supporters in December 2017. This is not an exhaustive list but rather an identification of the main trends as they arose from the field, and their analysis is divided into five areas.

1. In the operational domain, jihadist organizations continued to use cyberspace for a variety of needs, the most prominent among them being propaganda and financing. The dissemination of propaganda on social networks continued as usual during this period, while the financial aspect showed a drastic trend of increased use of digital currency.

2. In the defensive domain of terrorists in cyberspace, there was no significant innovation. The trend of distributing content on issues of security and encryption, privacy and anonymity, warnings against phishing, and the safe use of mobile devices continued; most of the publications consisted of recycled content that was observed and documented over the past year, mainly through the Telegram channels of the "Electronic Afaq Horizons" institution.

3. In the offensive domain, the following stood out during the period under review: Caliphate Cyber Ghosts, which is associated with the Islamic State (IS), and hacker groups supported/directed by Iran. In addition, the third issue of the magazine Kybernetiq, which is distributed by global jihad supporters and dedicated entirely to cyber-terrorism, was published. Terrorist organizations continued their efforts to improve their offensive capabilities, but they have not yet been fully developed.

4. In the domain between cyber-crime and cyber-terrorism, there was a trend of hacker groups operating under state direction – the main players being Russia, Iran and North Korea. While the attacks by Russia and Iran were aimed at espionage and intelligence gathering, North Korea launched cyber-attacks for economic gain. At the same time, there was an apparent trend of high-level data security risk stemming from the employment of subcontractors in critical projects/areas.

5. Coping with cyber-attacks, both crime-based and terrorism-based, requires global cooperation and out-of-the-box thinking. The countermeasures used are law and order, including regulation and prosecution for oversights/crimes occurring in the area, primarily for economic crime; setting a policy of refusing to negotiate with cyber-criminals; financing R&D projects of technological solutions designed to make it harder for attackers; promoting cooperation between the private sector and the government sector.
Table of Contents

1. Operational Uses ..... 5
   Propaganda ..... 5
   Financing: Increasing Use of Digital Currency ..... 6
2. The Defensive Domain ..... 10
3. The Offensive Domain ..... 11
   Attack Groups ..... 12
   Digital Magazines ..... 13
4. Cyber-Crime and Cyber-Terrorism ..... 14
   Attacks Directed by States ..... 14
   Point of Vulnerability: Subcontractors ..... 16
5. Coping ..... 17
   Law, Statute and Regulation ..... 17
   Non-Surrender Policy ..... 18
   Inter-Sectoral Cooperation ..... 18
   R&D Technological Solutions ..... 19
1. Operational Uses

During the period under review, jihadist organizations continued to use cyberspace for a variety of operational needs, the most prominent among them being propaganda and financing. The content of the propaganda serves a double purpose: to sow fear (psychological warfare) and to serve as a catalyst for the execution of "lone wolf" attacks. The dissemination of propaganda on social networks continued as usual while the financial aspect, in contrast, gained tremendous momentum during this period.
Propaganda

The online propaganda mechanism of terrorist organizations continued to distribute content encouraging the execution of terrorist attacks. IS supporters customarily design banners that encourage attacks in accordance with current events, and during the period under review Christmas was presented as a set date to carry out attacks. The organization's official and unofficial media institutions produced psychological warfare videos alongside banners about the organization's media methodology. The following are examples of detected instances:

- During the month of December, IS supporters published a series of banners that contained threats to carry out attacks in crowded locations in the West, such as markets, malls, etc., against the backdrop of Christmas celebrations. Alongside this, threats to harm Jews were also published against the backdrop of Trump's declaration that Jerusalem is the capital of Israel (Telegram).

- The IS produced a video from the Al-Hayat media institution containing a series of threats to carry out terrorist attacks on US soil. The messages in the video dealt with the following content: the Muslim Nation lived in the era of the Armageddon; the soldiers of the Caliphate may "sustain blows" here and there but they still remain strong; the terrorist who carried out the attack in Las Vegas converted to Islam and swore allegiance to the IS; Arab rulers are cooperating with the enemies of Islam.[1]

[1] http://www.dailymail.co.uk/news/article-5132459/ISIS-threatens-attacks-new-propaganda-video.html
[Image: Threats to carry out terrorist attacks in the West against the backdrop of Christmas celebrations]

- The Fursan al-I'lam media group, which is involved in media for the IS, published a banner calling on anyone who wishes to assist in disseminating media for the organization to maintain the methodology that characterizes the organization and not to disseminate information that misrepresents the organization's path (Google Plus).

[Image: The banner of Fursan al-I'lam]
Financing: Increasing Use of Digital Currency

The use of digital currency for the purpose of financing terrorism increased drastically during the period under review. Below are a series of documented instances of financing campaigns using digital currency that were identified during this period:[2]

[2] For the full report on the use of digital currency by jihadists, see: http://www.ict.org.il/images/Jihadists%20Use%20of%20Virtual%20Currency.pdf
- The Telegram account "Technical Support for the Electronic Afaq Institution", a media group associated with the IS that focuses on the publication of materials concerning cyberspace, published a banner with a recommendation to make online purchases using the online currency Zcash.

[Image: A recommendation for Zcash]
- The Web site Akhbar al-Muslimin, which publishes news from the IS, launched an online fundraising campaign in November 2017. The site's administrators added a link to every media article that it published encouraging donations in the form of bitcoin virtual currency to help fund the site's operation, provided that the donation does not come from zakat funds. A study that was published by the Intelligence and Terrorism Information Center in the beginning of December revealed that clicking on the link leads to a page designated for donation on the bitcoin trading site, coingate.[3] An independent examination conducted by the ICT Cyber Desk found that the diversion to coingate is no longer active; instead, the link diverts to an internal page on the site that was created on December 7, 2017, and any click on the link produces a different bitcoin address.

[3] http://www.terrorism-info.org.il/app/uploads/2017/12/H_235_17.pdf

[Image: Examples of various bitcoin wallets produced with every click on the fundraising link]
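The Cyber Desk's finding above rests on one observable fact: each fetch of the donation link yields a different bitcoin address. The following Python is an added example, not code from the ICT report, showing how an analyst can verify such a finding from saved copies of the page: extract candidate addresses, discard anything that fails Base58Check validation (so decoy strings and typos are not counted as wallets), and report whether successive fetches ever repeat an address. The sample pages and the hash160 values behind their addresses are constructed for the example and belong to no real wallet; the one real address in the test is the well-known genesis-block address, used only as a known-valid checksum case.

```python
"""Verify a "fresh wallet per click" finding from saved page fetches.

Added example; not part of the ICT report. Sample pages are constructed.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 as used by bitcoin addresses; each leading 0x00 byte becomes '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def p2pkh_address(hash160: bytes) -> str:
    """Mainnet P2PKH address (version 0x00) for a 20-byte hash160.
    Used here only to build sample pages from made-up hashes."""
    assert len(hash160) == 20
    payload = b"\x00" + hash160
    return b58encode(payload + _checksum(payload))


def is_valid_address(addr: str) -> bool:
    """Base58Check validation of a legacy mainnet address (P2PKH 0x00 or P2SH 0x05)."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return _checksum(raw[:21]) == raw[21:]


# Legacy address shape: starts with 1 or 3, Base58 alphabet (no 0, O, I, l).
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_addresses(html: str) -> list:
    """All checksum-valid legacy addresses that appear in a fetched page."""
    return [a for a in ADDRESS_RE.findall(html) if is_valid_address(a)]


def detect_rotation(pages: list) -> dict:
    """Given successive fetches of the same donation link, report whether every
    fetch carried at least one address and no address repeated between fetches."""
    per_fetch = [set(extract_addresses(p)) for p in pages]
    union = set().union(*per_fetch) if per_fetch else set()
    rotating = (
        len(per_fetch) > 1
        and all(per_fetch)
        and sum(len(s) for s in per_fetch) == len(union)
    )
    return {
        "per_fetch": [sorted(s) for s in per_fetch],
        "distinct": sorted(union),
        "rotating": rotating,
    }


def _sample_address(i: int) -> str:
    # Constructed hash160: first 20 bytes of a SHA-256 of a label. Not a real wallet.
    return p2pkh_address(hashlib.sha256(f"ict-example-{i}".encode()).digest()[:20])


# Constructed sample: three fetches of the same page, each with a different address.
SAMPLE_PAGES = [
    f"<html><body><p>Support the site: <code>{_sample_address(i)}</code></p></body></html>"
    for i in range(1, 4)
]

if __name__ == "__main__":
    print(detect_rotation(SAMPLE_PAGES))
```

In practice the analyst feeds `detect_rotation` the HTML of several real fetches spaced over time; a `rotating` result of `True` supports the "new address per click" observation, while repeats across fetches point to a small fixed pool of wallets instead.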
- In December 2017, the Haqq site, which is affiliated with the IS, published an article about the sale of coins minted by the IS on a Web site.[4] In the summer of 2014, the IS declared the minting of local coins based on their intrinsic worth – gold, silver and copper. The launch of the new coin was published in DABIQ magazine and in a propaganda film titled "Return of the Gold Dinar" (Al-Hayat). It was explained in these publications that the initiative is intended to keep IS supporters from using the Western banking system, which is based on a coin that is not made of precious metals but rather is printed on paper notes and whose value is being manipulated by the central banks. The fall of the IS has made the coins redundant for conventional use as local currency in the territory of the Caliphate, and they are apparently sold and exchanged as collectors' coins. The ICT Cyber Desk discovered a Web site called "isis-coins.com" in which these coins are sold. The site is presented as an official site of the Islamic State's Finance Department containing the coins minted by the IS in accordance with the specifications described in the film titled "Return of the Gold Dinar". Sets of seven coins are available for sale on the site: two gold coins, three silver coins, and two copper coins, at a cost of $950 per set, paid for using the virtual bitcoin currency. The site was registered in the Whois Registry on October 19, 2017 through a Russian brokerage firm (Moscow) that prevents the identification of the site's owners. However, there is evidence of discussion about this site in coin collectors' forums starting in 2015,[5] and we assume that the site was up and down periodically during this period. The 2015 version of the site, as saved in Web Archive, is missing the page that offers coins for sale. The credibility of the site was examined from various angles: the official symbol of the IS, the symbol of the Islamic State's Ministry of Finance (Bayt al-Mal), and from the linguistic-philological angle in the Arabic language. Although the findings revealed that these are authentic characteristics, it should be emphasized that it is impossible to confirm or refute the assumption that the IS is the owner of the site (see the documentation below).

[4] http://www.terrorism-info.org.il/app/uploads/2018/01/H_003_18.pdf
[5] https://en.numista.com/forum/topic37660.html

[Image: From left to right: a screenshot from the Web Archive site (May 8, 2015); a screenshot from the isis-coins.com site (January 17, 2018)]
- Al-Sadaqah launched a fundraising campaign using digital currency. This is an independent organization that operates to assist the mujahideen in Syria, and supplies them with weapons, financial support and help with additional jihad-related projects.

[Image: Al-Sadaqah's campaign in Syria]
2. The Defensive Domain

During the period under review, there was no significant innovation in the defensive domain of terrorists in cyberspace. The trend of distributing content on issues of security and encryption, privacy and anonymity, warnings against phishing and safe use of mobile devices continued; most of the publications consisted of recycled content that was observed and documented over the past year, mainly through the Telegram channels of the "Electronic Afaq Horizons" institution, a media group affiliated with the IS that focuses on the publication of materials concerning cyberspace. The following are several examples of the recycled content (source: Telegram):

- A guidebook on the use of the Kaspersky anti-virus software. The guidebook was provided in the framework of a course titled "Computer Security Course: Electronic and Anti-Virus Protection". For example, it stated that the software allows the user to browse anonymously, prevents tracking, enables data encryption, and more.

[Image: A guidebook on how to use the Kaspersky anti-virus software]

- A guidebook explaining the safe and secure use of Android devices.

[Image: A guidebook on safe use of Android devices]

- An explanation about ransomware.

[Image: An explanation about ransomware]

- A guidebook on how to use the Pidgin software, an encrypted chat software on the Windows operating system.

[Image: The Pidgin software]
3. The Offensive Domain

Terrorist organizations continued their efforts to improve their offensive capabilities, but they have not yet been fully developed. However, it should be taken into account that these organizations may hire the services of hacker groups or acquire offensive capabilities with the assistance of terrorist-supporting countries. The following are hacker groups:
Hacker Groups

- An IS-supporting hacker group named Caliphate Cyber Ghosts published a video and several banners on its Telegram account threatening to launch an electronic attack on December 8 against all coalition countries participating in the war against the IS, especially against the US. The group claimed that its members had managed to penetrate classified Web sites of the US Army, Ministry of Interior, State Department and other offices, and to steal large amounts of classified material. The group added that it intended to publish some of the stolen information and to send the rest to lone terrorists in order to assassinate the individuals mentioned in the list and to intensify the scope of the attacks. In its concluding remarks, the group stressed that the IS would ultimately defeat its enemies. In another message, the same group announced that it had hacked into several US government and civilian Web sites during the second half of the month of December.

[Image: A screenshot from the Caliphate Cyber Ghosts' video]
- Iran is strengthening its cyber warfare program. Iran is one of the leading cyber rivals of the US. It developed its program only a few years after Russia and China, and so far has demonstrated less ability than the latter. Nevertheless, Iran has carried out several cyber-attacks that caused a great deal of damage, and has become a fundamental threat that will develop and grow. Like Russia and China but unlike other countries, Iran openly encourages its hackers to attack its enemies. Thus, the country not only recruits hackers to its ranks but even encourages independent attacks (December 12, 2017).[6]
Digital Magazines

Digital magazines serve as an effective tool for transmitting information in a modern communication channel (not through television/radio). Most of the magazines published by terrorist organizations carry propaganda messages, such as INSPIRE, DABIQ and Rumiyah; several (three) issues of the magazine Kybernetiq, which is dedicated entirely to cyber-terrorism, were published:

- The third issue of the cyber warfare magazine Kybernetiq was published. Kybernetiq is a German-language digital magazine that covers cyber warfare. The magazine is directly associated with global jihad supporters and, contrary to popular perception, it cannot be unequivocally determined that it is associated with the IS. Three issues of the magazine were published at intervals of about one year from each other. The third issue was designed at a high level and it is clear that it appeals to a Western audience, both in light of the choice of the writing language and the use of pop culture as a recurring graphic motif. Each issue opens with a preface that relates to Western media and ends with a Sci-Fi style story. The main chapters deal with analyses of organized cyber-attacks, a discussion of programming languages, attack tools, Pen-Tests, digital forensics, botnets, how to cope with the challenges of computerization by the German intelligence, and recommendations for technological solutions for privacy protection in cyberspace. The magazine can be downloaded from a dedicated site that is accessible via TOR (onion domain suffix).

[Image: Issue no. 3 of Kybernetiq]

[6] http://www.newsweek.com/irans-cyber-warfare-program-now-major-threat-united-states-745427
4. Cyber-Crime and Cyber-Terrorism

In recent years, cyber-attacks have been used for political purposes. These attacks, which are carried out by hacker groups, are actually directed by countries that benefit from the difficulty in (legally) attributing the attack to the group. Terrorist organizations develop and learn from these attacks and may even hire the services of the hackers. Therefore, it is important to examine and analyze the line that falls between crime and terrorism in cyberspace.
Attacks Directed by States

During the period under review, there was a prominent trend of hacker groups operating under state direction and attacking political targets. The main players were Russia, Iran and North Korea. While the attacks by Russia and Iran were aimed at espionage and intelligence gathering, North Korea launched cyber-attacks for economic gain. The following are state-directed cyber-attacks that were identified during the period under review:
- The Russian hacker group Fancy Bear carried out a cyber-attack against journalistic targets and media personnel that regularly published content hostile to the Kremlin. The goal of the attack was spying, and in that framework the group hacked into the Gmail accounts of at least 200 journalists and bloggers on the Internet, starting in mid-2014. Appearing on the list of the group's targets were American, Russian, Ukrainian and eastern European media personnel. The list of targets is evidence of the conclusion made by the American intelligence community that Fancy Bear acted (favorably) in the service of the Russian government when it intervened in the American presidential elections; the Kremlin denies the accusations (December 22, 2017).[7]

- The company FireEye identified an espionage attack against a government organization in the Middle East. The company estimates that the attack was carried out by the Iranian hacker group APT34, which is involved in a long-range cyber espionage operation that focuses primarily on intelligence gathering efforts in Iran's interests; it has operated since at least 2014. This group carried out extensive attacks against a variety of sectors, including governments and the energy, chemical and communications industries, and has focused its activities on the Middle East. It is estimated that APT34 operates under the direction of the Iranian government based on infrastructure details that include references to Iran, the use of Iranian infrastructure, and the choice of targets that are compatible with the interests of the nation-state. The APT34 group uses a mix of public and non-public tools, and often carries out phishing operations through hacked accounts, sometimes combined with social engineering tactics (December 7, 2017).[8]

[7] https://www.usatoday.com/story/news/world/2017/12/22/election-hackers-pursued-reporters-russia-united-states/975920001/
    http://abcnews.go.com/International/wireStory/russian-hackers-targeted-200-journalists-globally-51948081
    https://nypost.com/2017/12/22/russian-hackers-targeted-hundreds-of-journalists-around-the-world/
    https://www.apnews.com/c3b26c647e794073b7626befa146caad
- The cryptographic currency trading platform YouBit (formerly Yapizon) filed a request for bankruptcy after it again fell victim to hacking by cyber criminals. The breach wiped out approximately 17% of its assets. In April 2017, the South Korean platform suffered a breach in the framework of which approximately 4,000 bitcoin were stolen. As a result of the breach, an investigation was launched by the country's intelligence services for fear of North Korean involvement aimed at increasing the state coffers by means of cryptographic currency (December 20, 2017).[9]

- The White House formally accused North Korea of launching the "WannaCry" ransomware attack that took place in May 2017. The ransomware disrupted the activities of hospitals, banks and commercial companies around the world. The US is not the only country to have reached the conclusion that the attack was carried out by North Korea; Britain and Microsoft reached similar conclusions in independent analyses carried out after the attack. The North Korean Foreign Ministry denied the allegations (December 17, 2017).[10]

[8] https://www.infosecurity-magazine.com/news/iranian-blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
    https://www.infosecurity-magazine.com/news/iranian-statesponsored-apt-34/
    https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/
    https://www.reuters.com/article/us-far-eastern-fine/taiwans-far-eastern-international-fined-t8-million-over-swift-hacking-incident-idUSKBN1E60Y3
[9] https://bitcoinist.com/youbit-bankruptcy-hackers-assets/
    https://cryptovest.com/news/another-bitcoin-exchange-hacked-youbit-files-bankruptcy-after-losing-users-coins/
    https://themerkle.com/youbit-hacked-again-closes-its-doors/
[10] https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537
    https://www.reuters.com/article/us-northkorea-missiles-cyber/north-korea-rejects-u-s-accusation-says-it-is-not-linked-to-any-cyber-attacks-idUSKBN1EF0BD
    https://www.cbsnews.com/news/north-korea-wannacry-cyberattack-tom-bossert-oped/
    http://edition.cnn.com/2017/12/18/politics/white-house-tom-bossert-north-korea-wannacry/index.html
    https://www.reuters.com/article/us-usa-cyber-northkorea/u-s-blames-north-korea-for-wannacry-cyber-attack-idUSKBN1ED00Q
Point of Vulnerability: Subcontractors

The NSA has a history of information leaks (and attack tools) carried out by subcontractors, the most famous of which was the case of Edward Snowden. The following is a list of similar incidents that expose the risk posed to information security resulting from the use of subcontractors:

- Le Duc Hoang Hai, 31, a Vietnamese hacker, hacked into the computer system of Perth Airport and stole sensitive data about aviation infrastructure and security in Perth Airport. The incident took place in March 2016 when the hacker obtained entry permits to the systems of a third-party contractor that allowed him access to the aviation systems. Hai stole significant amounts of data concerning the airport, including sketches and details regarding physical security in the airport's buildings. However, there was no breach of radar or other aircraft takeoff and landing systems, so passengers were not at risk. An investigation of the breach led to Vietnam and the Australian Federal Police activated its colleagues in Vietnam to arrest Hai. He was sentenced to four years in prison. In addition to the breach of Perth Airport, it was discovered that Hai had attacked infrastructure and Web sites in Vietnam, including those of banks, telecommunication and an online military newspaper (December 11, 2017).[11]

- The head of the German intelligence agency, BfV, warned that Chinese cyber spies are using social networks to attack European entities. According to him, it is a large-scale attempt to infiltrate parliaments, government ministries and government agencies. The German intelligence agency reported that over 10,000 Germans were targets for Chinese intelligence agents who posed as consultants, headhunters (in the field of placement) or researchers, especially on the networking site LinkedIn. It also reported that Chinese hackers are investing in attacks against European companies through trusted suppliers and through "supply chain" attacks designed to circumvent corporate protections. Such attacks are directed against IT workers and other employees who serve as trusted service providers, and enable malicious software to be sent through them to networks of organizations that the attackers want to attack (December 10, 2017).[12]

[11] http://www.ibtimes.co.uk/perth-airport-hack-vietnamese-hacker-steals-significant-amount-security-data-building-plans-1650933
    http://www.computerweekly.com/news/450431587/Perth-airport-security-plans-stolen-by-Vietnamese-hacker
    http://www.dailymail.co.uk/news/article-5165727/Hacker-Vietnam-stole-security-data-Perth-Airport.html
    https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-stolen-in-perth-airport-hacking-ng-b88686393z
[12] http://www.bbc.com/news/world-europe-42304297
5. Coping

Coping with cyber-attacks, both crime-based and terrorism-based, requires global cooperation and out-of-the-box thinking. New tools (attack tools) require new laws. The following are descriptions of countermeasures used by global players to eradicate the phenomenon of cyber-attacks:

Law, Order and Regulation

The law crystallizes out of a need that arises in a particular society, to which it provides an answer. Therefore, the law often tends to be formulated late in relation to the date of the incident. The legal battle against cyber-attacks may be based on the introduction of "ordinary" laws on cyberspace and, alternatively, on specific legislation tailored to the details of an attack in cyberspace, which of course requires prior preparation. Below is a list of several cases demonstrating coping methods that were used during the period under review:
- Taiwan's financial regulator fined the Far Eastern International Bank $266,524 as a result of deficiencies related to the breach of its SWIFT system. In October 2017, Taiwan's local media reported that hackers had stolen approximately 60 million dollars from the bank and that all of the money, with the exception of $500,000, was returned by the bank. The bank's own investigation, as well as the investigation by the regulator, revealed that in this incident the information security system was not fully prepared, the account was not adequately managed, and the bank did not reinforce its SWIFT security system. For these reasons and others, the regulator noted that the bank did not secure its internal control system for information security and, as a result, violated a clause in Taiwan's banking law. The regulator also stated that it would work to improve its regulatory system in connection with information security, including inviting external experts to participate.[13]

- The Federal Court in Central Islip, New York, filed an indictment against Zoobia Shahnaz from Long Island for bank fraud and money laundering for the purpose of supporting terrorism (December 14, 2017). The defendant was suspected of defrauding several financial entities, stealing and laundering over $85,000 of illegal returns using Bitcoin digital currency and other digital currencies between March and July 2017. The funds were transferred out of the country to straw entities in Pakistan, China and Turkey, and were intended to support the IS. The defendant attempted to flee the US to Syria and was arrested by the authorities after questioning in JFK.[14]

[12] (cont.) https://www.ft.com/content/31c2884e-ddc8-11e7-a8a4-0a1e63a52f9c
    http://www.dailymail.co.uk/news/article-5164365/German-intelligence-warns-increased-Chinese-cyberspying.html
    https://mobile.nytimes.com/aponline/2017/12/10/world/europe/ap-eu-germany-china-spying.html?partner=IFTTT&referer=https://t.co/S4R4Q7ERId?amp=1
[13] http://focustaiwan.tw/news/aeco/201712120025.aspx
    http://ktwb.com/news/articles/2017/dec/12/taiwans-far-eastern-intl-fined-t8-million-over-swift-hacking-incident/?platform=hootsuite
    https://www.fireeye.com/
Non-Surrender Policy

One of the most prominent cyberspace threats in recent times is the ransomware attack. This attack is extremely attractive to terrorist elements because of the duality that it offers: both the execution of electronic jihad and a means of financing. Similar to physical ransom (or hostage) scenarios, an online scenario requires the delineation of a clear response policy similar to that used in North Carolina. Below are the details of the case:

- Mecklenburg County, North Carolina, United States, refused to pay hackers a ransom in the amount of $23,000 in exchange for the release of information held in the county's computer system, which had been hacked. The hackers, who appear to have operated from Iran or Ukraine, froze the site and the other electronic services of Mecklenburg County, and demanded a ransom to restore the situation to its former state. The county decided not to surrender to the hackers' demands. In view of the decision, the county will now use available backup data to rebuild its system, giving priority to the departments that influence the court, health and social services, and environmental services.[15]
Inter-Sectoral Cooperation

Counterterrorism and cyber threats share a common characteristic: both require broad cooperation. Cooperation can be between countries, between organizations and even cross-sectoral. The following are relevant collaborations that took place during the period under review:

- ESET's security researchers, in cooperation with Microsoft, law enforcement agencies, the FBI, Interpol, Europol and other information security agencies, took part in a major campaign to topple a botnet known as Andromeda, which has been infecting victims since 2011. Cooperation between the entities began on November 29, 2017, and as a result of the joint effort law enforcement agencies around the world were able to carry out an arrest and block the activities of a family of malware responsible for infecting 1.1 million systems a day and which distributed, among other things, the known ransomware Petya and Cerber. Microsoft and ESET investigators shared technical analyses, statistical information and the domain addresses and Command and Control servers in order to help disrupt the malicious activity of the group. Over the last year-and-a-half, ESET also shared information about Andromeda that was obtained from the constant monitoring of malware and botnet networks. In addition, law enforcement authorities in Belarus arrested a suspect in the creation of Andromeda's malicious code, which would not have been possible without the information provided to them. During the first 48 hours following the seizure of the command and control servers by the authorities, it was discovered that the network was currently spread out over 223 countries, with more than 2 million infected computers attempting to connect to it.[16]

[14] https://www.justice.gov/usao-edny/pr/long-island-woman-indicted-bank-fraud-and-money-laundering-support-terrorists
[15] http://www.hickoryrecord.com/news/state/north-carolina-county-won-t-pay-hacker-ransom/article_5efc9665-28cb-5c60-b564-9f10a8f039b9.html
    http://www.wbtv.com/story/37007041/county-computer-hackers-demanding-substantially-more-than-first-reported
    http://abcnews.go.com/US/wireStory/latest-carolina-sheriff-affected-county-hacking-51617202
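The practical value of the shared "domain addresses and Command and Control servers" mentioned above is that a network defender can run them against DNS logs and find the infected hosts that are still calling home. The Python below is an added example, not code from the ICT report or from any of the organizations named in it: it parses resolver-style query log lines, matches each queried name against an indicator list by whole DNS labels (so `beacon.update.c2.example` matches an indicator for `update.c2.example`, but `notc2.example` does not match `c2.example`), and groups the hits by internal client. The indicator domains and log lines are constructed placeholders; real takedown indicator lists come from the participating vendors and law enforcement.

```python
"""Match DNS query logs against shared C2 domain indicators and group hits by host.

Added example; not part of the ICT report. Indicators and log lines are constructed.
"""
from collections import defaultdict
import re

# Constructed placeholder indicators, stored normalized (lower-case, no trailing dot).
C2_DOMAINS = {
    "c2-placeholder-one.example",
    "update.c2-placeholder-two.example",
}

# Resolver-style query log line, e.g. BIND's "client A.B.C.D#port: query: name IN type".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: two hosts, one exact hit, one subdomain hit, one look-alike
# that must NOT match, one mixed-case hit with a trailing dot, one unparsable line.
SAMPLE_LOG = """\
2017-12-04T10:00:01Z client 10.0.5.17#51233: query: www.example.org IN A
2017-12-04T10:00:07Z client 10.0.5.17#51240: query: c2-placeholder-one.example IN A
2017-12-04T10:01:12Z client 10.0.9.3#40111: query: beacon.update.c2-placeholder-two.example IN A
2017-12-04T10:01:13Z client 10.0.9.3#40112: query: notc2-placeholder-one.example IN A
2017-12-04T10:02:30Z client 10.0.5.17#51301: query: C2-Placeholder-One.example. IN AAAA
garbage line that does not parse
"""


def normalize(qname: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot as well."""
    return qname.lower().rstrip(".")


def matches_indicator(qname: str, indicators: set):
    """Return the matching indicator if the name equals it or is a subdomain of
    it, comparing whole labels so look-alike names do not match."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def parse_line(line: str):
    """Parse one log line into a dict, or None if it is not a query record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str, indicators: set) -> dict:
    """Group C2 indicator hits by source host; count lines that did not parse."""
    hits = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        indicator = matches_indicator(rec["qname"], indicators)
        if indicator:
            hits[rec["src"]].append((rec["ts"], rec["qname"], indicator))
    return {"hosts": dict(hits), "skipped": skipped}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG, C2_DOMAINS)
    for host, events in sorted(result["hosts"].items()):
        print(host, len(events), "hit(s)")
        for ts, qname, indicator in events:
            print("   ", ts, qname, "->", indicator)
    print("unparsed lines:", result["skipped"])
```

Label-wise matching is the detail worth keeping: a plain substring or suffix check would either miss subdomains of a listed C2 domain or flag unrelated names that merely end in the same characters. Counting unparsed lines is there so a log format change shows up as a spike in `skipped` rather than as a silent drop in hits.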
- Eugene Kaspersky, the founder of the security company bearing his name (Kaspersky Lab), made it clear that he would leave Russia if its intelligence services ever asked his company to spy for them. According to Kaspersky, if the Russian government were to ask him or his employees to do something improper, he would take his business out of Russia, since his company has never helped spy agencies, Russian or of any other country. Kaspersky mentioned that the company's products were designed to stop attacks and identify malicious code, not to spy on the company's customers. The statements of the Russian information security giant came on the heels of the findings of an investigation that it presented in November 2017, which contradicts claims of the company's involvement in Russian espionage in the United States.[17]
R&D Technological Solutions

- DARPA (the Defense Advanced Research Projects Agency of the US Department of Defense) awarded a grant in the amount of $3.6M to a team from the University of Michigan to fund the technological development of an un-hackable computer. The name of the project is Morpheus, and the software is intended to present a new way to design hardware so that information passes quickly and randomly, and is then destroyed. The goal of the technology is to make it harder for attackers to get the critical information they need to build a successful attack, and to protect hardware and software.[18]

[16] https://www.reuters.com/article/us-cybercrime-botnet-belarus/belarus-arrests-suspected-ringleader-of-global-cyber-crime-network-idUSKBN1DZ1VY
    https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/
[17] https://www.theguardian.com/technology/2017/nov/30/eugene-kaspersky-russian-spies-us-government-
    http://www.zdnet.com/article/eugene-kaspersky-we-would-quit-moscow-if-russia-asked-us-to-spy/
[18] https://www.digitaltrends.com/computing/darpa-u-michigan-morpheus-unhackable-computer/
    https://www.extremetech.com/extreme/261052-darpa-university-michigan-team-build-unhackable-chip
    https://news.engin.umich.edu/2017/12/unhackable-computer-under-development-with-3-6m-darpa-grant/
ABOUT ICT CYBER-DESK

The Cyber Desk Review is a periodic report and analysis that addresses two main subjects: cyber-terrorism (offensive, defensive, and the media, and the main topics of jihadist discourse) and cyber-crime, whenever and wherever it is linked to jihad (funding, methods of attack). The Cyber Desk Review addresses the growing significance that cyberspace plays as a battlefield in current and future conflicts, as shown in the recent increase in cyber-attacks on political targets, crucial infrastructure, and the Web sites of commercial corporations.

ABOUT THE ICT

Founded in 1996, the International Institute for Counter-Terrorism (ICT) is one of the leading academic institutes for counter-terrorism in the world, facilitating international cooperation in the global struggle against terrorism. ICT is an independent think tank providing expertise in terrorism, counter-terrorism, homeland security, threat vulnerability and risk assessment, intelligence analysis and national security and defense policy. ICT is a non-profit organization located at the Interdisciplinary Center (IDC), Herzliya, Israel, which relies exclusively on private donations and revenue from events, projects and programs.
CYBER-DESK TEAM

Dr. Eitan Azani, Deputy Executive Director, ICT
Dr. Michael Barak, Team Research Manager, ICT
Adv. Uri Ben Yaakov, Senior Researcher, ICT
Nadine Liv, Researcher, ICT

CYBER-DESK CONTRIBUTORS

Adv. Deborah Housen-Couriel, Cybersecurity and international law expert
Dr. Tal Pavel, Expert on the Internet in the Middle East
Oren Elimelech, Cyber Security Expert, Researcher & Consultant
Mr. Shuki Peleg, Head of Information Security and Cyber at MATAF, Israel
Dr. Harel Menashri, Research Fellow, ICT, & Cyber, Information Security & Technological Intelligence Expert, Israel
Nir Tordjman, Research Fellow, ICT

The research was facilitated by a special technology for the collection and analysis of information gathered from the DarkNet, developed by Athena from Mer Group in cooperation with SixGill.