cybercrime|cyberwar - connecting the dots
DESCRIPTION
Cybercrime, cyberwar, and cyberespionage are dangerously overlapping; see how they connect.
TRANSCRIPT
Yoram Golandsky | November 2010
www.security-art.com
All rights reserved to Security Art ltd. 2002-2010
Cyber[Crime|War] - Connecting the Dots
Yoram Golandsky, CEO, Security Art
Agenda
•CyberWar [Attack | Defense]
•CyberCrime [Attack | Defense]
•History revisited
•Connecting the dots...
•Future
Picking up where we left off. At least as far as last year's research is concerned...
We took a trip down the rabbit hole
Only to find that we are facing a business as organized as a Fortune 500 one
With markets for each aspect of the business to cater for tools, services and even bringing in leads
BUT!
Something didn't make too much sense in the data
Boss, is this supposed to be on the internet?
I think this is from my powerpoint!
We probably need to call someone...
Finally de-classified... (public domain)
The initial “trace” or lo-jack used (see rabbithole talk from 09)
Hungry yet? That was just the appetizer...
Question 1: What is this?
Perceptions may be deceiving...
War Crime
CyberWar
“Cyberwarfare, (also known as cyberwar and Cyber Warfare), is the use of computers and the Internet in conducting warfare in cyberspace.”
Wikipedia
It did not happen yet. Estonia/Georgia being an exception?
“There is no Cyberwar”
This is not the only way! Neither is this...
But civilians are always at stake!
Many faces of how CyberWar is perceived...
From McAfee’s “Virtual Criminology Report 2009”. Image caption: “countries developing advanced offensive cyber capabilities”
We’ll focus on current players:
And no, here size does NOT matter...
USA
• Thoroughly documented activity around cyberwar preparedness as well as military/government agencies with readily available offensive capabilities
• Massive recruiting of professionals in attack/defense for different departments:
• USCC (United States Cyber Command - includes Air Force, Marines, Navy and Army service components)
• NSA
• Other TLAs...
Russia
• GRU (Main Intelligence Directorate of the Russian Armed Forces)
• SVR (Foreign Intelligence Service)
• FSB (Federal Security Service)
• Center for Research of Military Strength of Foreign Countries
• Several “National Youth Associations” (Nashi)
China
• PLA (People’s Liberation Army)
• Homework: read the Northrop Grumman report...
• General Staff Department 4th Department - Electronic Countermeasures == Offense
• GSD 3rd Department - Signals Intelligence == Defense
• Yes... Titan Rain...
Iran
• Telecommunications Infrastructure co.
• Government telecom monopoly
• Iranian Armed Forces
Israel
• This is going to be very boring... Google data only :-(
• IDF (Israel Defense Forces) adds cyber-attack capabilities.
• C4I (Command, Control, Communications, Computers and Intelligence) branches in Intelligence and Air-Force commands
• Staffing is mostly homegrown - trained in the army and other government agencies.
• Mossad? (check out the jobs section on mossad.gov.il...)
CyberWar - Attack
Highly selective targeting of military (and critical) resources in conjunction with a kinetic attack
OR
Massive DDoS in order to “black-out” a region, disrupt services, and/or push political agenda (propaganda)
CyberWar - Defense
• Never just Government/military
• Targets are likely to be civilian
• Physical and logical protections = last survival act
• Availability and Integrity of services – Survivability
• Can manifest in the cost of making services unavailable for most civilians
CyberCrime
You want money, you gotta play like the big boys do...
CyberCrime - Attack
• Channels: web, mail, open services
• Targeted attacks on premium resources (corporate)
• Commissioned, or for extortion purposes
• Carpet bombing for most attacks (consumer)
• Segmenting geographical regions and market segments
• Secondary infections through controlled outposts
• Bots, infected sites
CyberCrime - target locations
CyberCrime - Locations
Major Cybercrime group locations
CyberCrime - Ammunition
~APT
CyberCrime - Defense
•Anti [ Virus | Malware | Spyware | Rootkit | Trojan ]
•Seriously?
•Firewalls / IDS / IPS
•Seriously?
•Brought to you by the numbers 80, 443, 53... (the ports every perimeter lets out anyway)
•SSL... (and what goes out on 443 is encrypted, so inspection sees nothing)
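The point of this slide is that perimeter controls are tuned to ports, while crimeware talks to its controllers over exactly the ports every firewall permits outbound (80, 443, 53), increasingly inside SSL. What a defender can still see is timing: an implant calls home on a fixed period. The following is an added example, not code from the talk or from Security Art. It scans constructed proxy/firewall log lines (made-up addresses, ISO timestamps, destination port, action) and flags flows whose inter-arrival intervals have a low coefficient of variation, regardless of port. The log format, thresholds and addresses are assumptions.

```python
# Added example (not from the slides): timing-based detection of C&C traffic
# that rides over ports the perimeter always allows (80, 443, 53).
# The log lines below are constructed for illustration; addresses and hosts
# are made up. Format: "<ISO timestamp> <src> <dst> <dst_port> <action>".
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2010-11-01T09:00:00 10.0.0.5 203.0.113.10 443 ALLOW
2010-11-01T09:00:05 10.0.0.7 198.51.100.20 80 ALLOW
2010-11-01T09:00:00 10.0.0.9 192.0.2.53 53 ALLOW
2010-11-01T09:00:07 10.0.0.7 198.51.100.20 80 ALLOW
2010-11-01T09:00:30 10.0.0.9 192.0.2.53 53 ALLOW
2010-11-01T09:00:40 10.0.0.7 198.51.100.20 80 ALLOW
2010-11-01T09:01:00 10.0.0.9 192.0.2.53 53 ALLOW
2010-11-01T09:01:01 10.0.0.5 203.0.113.10 443 ALLOW
2010-11-01T09:01:30 10.0.0.9 192.0.2.53 53 ALLOW
2010-11-01T09:02:00 10.0.0.5 203.0.113.10 443 ALLOW
2010-11-01T09:02:00 10.0.0.9 192.0.2.53 53 ALLOW
2010-11-01T09:02:30 10.0.0.9 192.0.2.53 53 ALLOW
2010-11-01T09:02:59 10.0.0.5 203.0.113.10 443 ALLOW
2010-11-01T09:03:12 10.0.0.7 198.51.100.20 80 ALLOW
2010-11-01T09:03:15 10.0.0.7 198.51.100.20 80 ALLOW
2010-11-01T09:04:00 10.0.0.5 203.0.113.10 443 ALLOW
2010-11-01T09:05:01 10.0.0.5 203.0.113.10 443 ALLOW
2010-11-01T09:06:00 10.0.0.5 203.0.113.10 443 ALLOW
2010-11-01T09:10:02 10.0.0.7 198.51.100.20 80 ALLOW
"""


def parse_log(text):
    """Group timestamps by (src, dst, dst_port); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, _action = parts
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Mean inter-arrival interval and its coefficient of variation (stdev/mean).

    Returns None when fewer than three intervals exist. A beacon shows a low
    CV because the implant calls home on a fixed period (plus a little jitter);
    a human browsing produces bursts and gaps, so the CV is high.
    """
    ordered = sorted(times)
    intervals = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(intervals) < 3:
        return None
    mean = statistics.fmean(intervals)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(intervals) / mean


def find_beacons(text, min_events=5, max_cv=0.1):
    """Flag flows whose timing looks like a beacon; the port is not consulted."""
    hits = []
    for (src, dst, port), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        period, cv = score
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: (h["src"], h["port"]))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed log this flags the 60-second beacon on 443 and the 30-second one on 53 while the bursty port-80 browsing passes. Two caveats a practitioner should keep in mind: a low-and-slow implant with a long period produces too few events to clear min_events inside one log window, and legitimate periodic traffic (NTP, update checks, monitoring probes) scores just as low, so the output needs an allow-list before it becomes an alert.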
How do these connect?
Claim: CyberCrime is being used to conduct CyberWar
Is it?: Let’s start with some history...
History - Revisited...
Estonia
You read all about it.
Bottom line: civilian infrastructure was targeted. Attacks originated mostly from civilian networks.
History - Revisited...
Israel
Operation Orchard, September 6th, 2007
Source: http://en.wikipedia.org/wiki/Operation_Orchard
Source: Der Spiegel
History - Revisited...
Georgia
More interesting, especially in our case...
Highly synchronized kinetic and cyber attacks. Targets still mostly civilian. Launched from civilian networks.
Russian Crime/State Dilemma
McColo
ESTDomains
Atrivo
RBN
RealHost
Micronnet
Eexhost
Diagram: Russian Government and Crime, with ESTDomains, RBN, HostFresh, UkrTeleGroup, McColo and Atrivo linked by “hosted by”, “customer” and “network provider” relationships
Remember Georgia?
• Started by picking on the president...
• Then the C&C used to control the botnet was shut down as:
• Troops crossed the border towards Georgia
• A few days of silence...
Botnet commands:
flood http www.president.gov.ge
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge
Georgia - cont.
• Six (6) new C&C servers came up and drove attacks at additional Georgian sites
• BUT - the same C&C’s were also used for attacks on commercial sites in order to extort them (botnet-for-hire)
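The overlap on this slide, one set of C&C servers driving both the attacks on Georgian sites and extortion DDoS against commercial sites, is the kind of pivot an analyst makes from C&C command logs. The following is an added example, not code from the talk or from Security Art. It takes a constructed command log in the format shown on the previous slide (C&C host, timestamp, flood <method> <target>), groups targets per C&C, flags servers whose targets span both state and non-state hosts, and links C&Cs that hit the same victim domain. The C&C hostnames, timestamps, commercial victims and the rule used to recognise a state target are assumptions.

```python
# Added example (not from the slides): pivoting on shared botnet C&C
# infrastructure. The log is constructed for illustration; the C&C
# hostnames, timestamps and commercial victims are made up. Only the
# command format ("flood <method> <target>") follows the slide.
import re
from collections import defaultdict

SAMPLE_C2_LOG = """\
c2-a.example 2008-08-08T04:10Z flood http www.president.gov.ge
c2-a.example 2008-08-08T04:10Z flood tcp www.president.gov.ge
c2-a.example 2008-08-08T04:11Z flood icmp www.president.gov.ge
c2-b.example 2008-08-09T09:00Z flood http parliament.ge
c2-b.example 2008-08-09T09:02Z flood tcp shop.example-casino.test
c2-b.example 2008-08-10T13:40Z flood http mfa.gov.ge
c2-c.example 2008-08-11T01:05Z flood tcp www.example-bank.test
c2-c.example 2008-08-11T01:05Z flood udp www.example-bank.test
c2-c.example 2008-08-11T02:30Z flood http payments.example-casino.test
c2-a.example 2008-08-11T03:00Z ping
"""

CMD_RE = re.compile(
    r"^(?P<c2>\S+)\s+(?P<ts>\S+)\s+flood\s+"
    r"(?P<method>http|tcp|udp|icmp)\s+(?P<target>\S+)$"
)

# Hosts treated as Georgian state targets (an assumption made for the example).
STATE_SUFFIXES = (".gov.ge",)
STATE_HOSTS = frozenset({"parliament.ge"})


def parse_flood_commands(text):
    """Extract flood commands; lines that are not floods (e.g. ping) are ignored."""
    events = []
    for line in text.splitlines():
        m = CMD_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_state_target(host):
    return host in STATE_HOSTS or host.endswith(STATE_SUFFIXES)


def targets_by_c2(events):
    """Set of targets each C&C server issued flood commands against."""
    grouped = defaultdict(set)
    for e in events:
        grouped[e["c2"]].add(e["target"])
    return dict(grouped)


def dual_use_c2(events):
    """C&C servers that drove attacks on both state and non-state targets."""
    result = {}
    for c2, targets in targets_by_c2(events).items():
        state = {t for t in targets if is_state_target(t)}
        other = targets - state
        if state and other:
            result[c2] = {"state": sorted(state), "other": sorted(other)}
    return result


def registrable_domain(host):
    """Naive eTLD+1: keep three labels under .gov.ge, otherwise two."""
    labels = host.split(".")
    keep = 3 if host.endswith(".gov.ge") else 2
    return ".".join(labels[-keep:])


def link_c2_via_victims(events):
    """Victim domains hit from more than one C&C. This ties servers together
    even when one of them never touched a state target."""
    c2s = defaultdict(set)
    for e in events:
        c2s[registrable_domain(e["target"])].add(e["c2"])
    return {d: sorted(s) for d, s in c2s.items() if len(s) > 1}


if __name__ == "__main__":
    ev = parse_flood_commands(SAMPLE_C2_LOG)
    print("dual-use C&C:", dual_use_c2(ev))
    print("C&C linked via shared victims:", link_c2_via_victims(ev))
```

On the constructed log, c2-b.example is flagged as dual-use (state and casino targets), and the casino victim domain ties it to c2-c.example, a server that only ever attacked commercial sites. That second hop is the “botnet-for-hire” link: the criminal-only server and the one used against Georgian sites belong to the same operation.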
History - Revisited...
Iran
2009 Twitter DNS hack attributed to Iranian activity. Political connections are too obvious to ignore (elections).
Timing was right on:
• UN Council decisions
• Protests by leadership opposition in Tehran
Iran-Twitter connecting dots
• Twitter taken down December 18th 2009
• Attack attributed eventually to cyber-crime/vigilante group named “Iranian Cyber Army”
• Until December 2009 there was no group known as “Iranian Cyber Army”...
• BUT - “Ashiyane” (Shiite group) is from the same place as the “Iranian Cyber Army”
Iran-Twitter - Ashiyane
•Ashiyane had been using the same pro-Hezbollah messages that appeared in the Twitter attack in their own attacks for some time...
•AND the “Iranian Cyber Army” seems to be a pretty active group on the Ashiyane forums www.ashiyane.com/forum
Let’s take a quick look at how Ashiyane operates...
On [Crime|War] training
Ashiyane forums
WarGames
Wargames targets include:
Back to linking [Crime|War]
What else happened on the 18th?
More recently - Baidu taken down with the same MO (credentials)
Mapping Iran’s [Crime|War] (diagram)
Actors: Ashiyane, Iranian Cyber Army
Activities: DDoS, Botnet Herding, Site Defacement, Credit Card Theft, Strategic Attacks
Targets: Iran, Iraq, US, UK, CN ($$$)
Axes: Crime / War
Iran - the unspoken
•Stuxnet
•There, I’ve said it
The Future (Illustrated)
CLOUDS
Summary
Good, Bad, Ugly
Good meet Bad: money changes hands, fewer tracks to cover, criminal ops already creating the weapons...
Summary - The Future
Lack of legislation and cooperation on a multi-national level is creating a de-facto “safe haven” for cybercrime. <- Fix this!
Treaties and anti-crime activities may prove to be beneficial. <- nukes? (i.e. treaties...)
Thanks!
www.security-art.com
twitter.com/securityart
blog.security-art.com