energy sector cyber-threats

Energy Sector Cyber-threats: Hacktivists, Espionage, and Cyberwar
Michael McDonnell, GCIA, GCWN, MLIS, Director Enterprise Services, Vcura Canada Incorporated, http://linkedin.com/in/itpromichael

Upload: michael-mcdonnell

Post on 29-Nov-2014


DESCRIPTION

A survey of Information Security threats relevant to the Energy Sector, Oil & Gas, from 2008-2014. Night Dragon, Dragonfly, The Mask, Hacktivism, and Cyberwar are covered.

TRANSCRIPT

  • 1. Energy Sector Cyber-threats: Hacktivists, Espionage, and Cyberwar. Michael McDonnell, GCIA, GCWN, MLIS, Director Enterprise Services, Vcura Canada Incorporated, http://linkedin.com/in/itpromichael
  • 2. Poland 2014 ENERGY COMPANIES NOTIFIED OF BREACHES EXPLORING THE DARKNET 2
  • 3. Poland (2014) Spear-phishing Attacks
  • 4. Sandworm Targets: Government & Corporate
  • 5. Sandworm and SCADA
  • 6. Hacktivists, Espionage, & Cyberwar. Hacktivists: #OpPetrol, #OpFuelStrike, Operation Green Rights, Shamoon. Espionage: Night Dragon, Dragonfly, LightsOut, Energetic Bear, The Mask, Clandestine Fox. Cyberwar: Stuxnet, Duqu, Flame, Shamoon, Kharg Island.
  • 7. Hacktivists
  • 8. Operation Green Rights (2011)
  • 9. #OpFuelStrike (2012)
  • 10. #OpFuelStrike (2012)
  • 11. #OpFuelStrike (2012) OOOOPS!
  • 12. #OpPetrol (2013) "Why this Op? Because Petrol is sold with the dollar ($) and Saudi Arabia has betrayed Muslims with their cooperation. So why isn't Petrol sold with the currency of the country which exports it? Because the Zionists own us like this! Historically, the Currency of Muslims was not the paper money that you know today, it was Gold and Silver. The new world order installed their own rules so that they can control us like robots."
  • 13. AnonGhost & #OpPetrol
  • 14. #OpPetrol (2014)
  • 15. Shamoon (2012)
  • 16. Cutting Sword of Justice: too vague & convenient
  • 17. It's the Cold War All Over Again
  • 18. [Enter the] Night Dragon (McAfee, 2008). Target: confidential information, in particular oil resource data. Lost: data detailing the quantity, value, and location of oil discoveries around the world. Marathon Oil, ConocoPhillips, Royal Dutch Shell, BP, Exxon Mobil, BG Group, Chesapeake Energy, others.
  • 19. Night Dragon (2008) aka China: Social Engineering; Spear Phishing; Exploitation; Active Directory Compromise; Remote Admin Tools (RATs)
  • 20. Night Dragon (2008): Anatomy of a Hack
  • 21. Norway 2014 ENERGY COMPANIES NOTIFIED OF BREACHES
  • 22. Statoil Confiscated 40 Infected Computers
  • 23. Norway 2014. Victim: 300 oil companies warned of attacks by NorCERT; 50 were confirmed to be breached, including Statoil; stolen passwords, industrial drawings, and contracts. Attacker: Energetic Bear / Dragonfly (The Russians); started March 2014 & still ongoing!
  • 24. Targeted Attacks: "They (the hackers) have done research beforehand and gone after key functions and key personnel in the various companies. Emails that appear to be legitimate are sent to persons in important roles at the companies with attachments. If the targeted employees open the attachments, a destructive program will be unleashed that checks the target's system for various holes in its security system. If a hole is found, the program will open a communications channel with the hackers and then the 'really serious attack programs' can infect the targeted company's computer system." -- Hans Christian Pretorious, NMS Director of Operations
  • 25. Dragonfly aka Energetic Bear aka Russia
  • 26. Norway it was Dragonfly aka Russia
  • 27. LightsOut (2013, 2014)
  • 28. LightsOut, Dragonfly, Havex
  • 29. Clandestine Fox (2014)
  • 30. Clandestine Fox (2012)
  • 31. Careto: The Mask (2014)
  • 32. Shamoon/Disttrack/Wiper (2012)
  • 33. The Escalation of Espionage
  • 34. Cyber-espionage is growing month-to-month: "The number of cyber espionage operations is growing from one month to the next. Some of these operations stand out for various reasons: sophisticated malware, skills of the cybercriminals, or the resources that enable them to continue their espionage activities for a long period or buy expensive zero-days. Any of the above may indicate that an espionage operation is connected with the work of government-controlled structures but proving this connection is extremely difficult; it is the work of investigation agencies, rather than IT security companies." Alex Gostev, Chief Security Expert, Kaspersky Labs, October 2014
  • 35. Verizon DBIR 2014: Attacker Motivations
  • 36. Verizon DBIR 2014: 2013 vs Past
  • 37. DBIR 2014: by Industry
  • 38. Espionage and Records Management: "The purpose of records management is part of an organization's broader activities that are associated with the discipline or field known as Governance, Risk, and Compliance (or "GRC") and is primarily concerned with the evidence of an organization's activities as well as the reduction or mitigation of risk that may be associated with such evidence." Anthony Tarantino (2008-02-25). Governance, Risk, and Compliance Handbook. ISBN 978-0-470-09589-8.
  • 39. APT Life Cycle
  • 40. Norway 2014, Poland 2014, Calgary 2012: ENERGY COMPANIES NOTIFIED OF BREACHES
  • 41. Stuxnet (2010, 2012)
  • 42. Stuxnet (2010)
  • 43. Stuxnet Alive and Well
  • 44. Stuxnet
  • 45. Duqu, Flame, Gauss
  • 46. Wiper (2012)
  • 47. USB Virus (2012)
  • 48. Questions? Michael McDonnell, GCIA, GCWN, MLIS, Director Enterprise Services, Vcura Canada Incorporated, http://linkedin.com/in/itpromichael