�ݺ�ߣ

Yoram Golandsky | November 2010
www.security-art.com
All rights reserved to Security Art ltd. 2002-2010
Cyber[Crime|War]
Connecting the Dots
Yoram Golandsky
CEO, Security Art

2
Agenda
• CyberWar [Attack | Defense]
• CyberCrime [Attack | Defense]
• History revisited
• Connecting the dots...
• Future

All rights reserved to Security Art ltd. 2002-2010 3
Picking up where we left off
At least as far as last years research is concerned...

4
We took a trip down the rabbit
hole
Only to find that
we are facing a
business as
organized as a
Fortune 500 one

With markets for each
aspect of the business
to cater for tools,
services and even
bringing in leads

BUT!
Something didn't make too much sense in the
data

Hungry yet?
That was just the appetizer...

Question 1: What is this?

Perceptions may be
deceiving...
War Crime

War Crime
• Government / state
• Official backing
• Official resources
• Financing
• Expertise?
• Exploits/Vulns?
• Private
• Semi-official backing (org.
crime)
• Official resources
• Self financing?
• Established expertise (in-
house + outsourced)
• Market for exploits

13
CyberWar
“Cyberwarfare, (also known as
cyberwar and Cyber Warfare), is the
use of computers and the Internet in
conducting warfare in cyberspace.”
Wikipedia

It did not happen yet
EstoniaGeorgia being an exception?
“There is no Cyberwar”

This is not the only way! Neither is this...
But civilian are
always at stake!

Many faces of how CyberWar is perceived...
From McAfee’s “Virtual Criminology Report 2009”
Image caption:
“countries developing advanced offensive cyber capabilities”

We’ll focus on current players:
And no, here size does NOT matter...

18
USA
• Thoroughly documented activity around cyberwar
preparedness as well as military/government agencies with
readily available offensive capabilities
• Massive recruiting of professional in attack/defense for
different departments:
• USCC (United States Cyber Command - includes AirForce,
Marines, Navy and Army service components)
• NSA
• Other TLA’s...

19
Russia
• GRU (Main Intelligence Directorate of the Russian
Armed Forces)
• SVR (Foreign Intelligence Service)
• FSB (Federal Security Services)
• Center for Research of Military Strength of Foreign
Countries
• Several “National Youth Associations” (Nashi)

20
China
• PLA (People’s Liberation Army)
• Homework: read the Northrop Grumman report...
• General Staff Department 4th Department -
Electronic Countermeasures == Offense
• GSD 3rd Department - Signals Intelligence ==
Defense
• Yes... Titan Rain...

21
Iran
• Telecommunications Infrastructure co.
• Government telecom monopoly
• Iranian Armed Forces

22
Israel
• This is going to be very boring... Google data only :-(
• IDF (Israel Defense Forces) add cyber-attack
capabilities.
• C4I (Command, Control, Communications, Computers
and Intelligence) branches in Intelligence and Air-Force
commands
• Staffing is mostly homegrown - trained in the army and
other government agencies.
• Mossad? (check out the jobs section on
mossad.gov.il...)

CyberWar - Attack
Highly selective targeting of military
(and critical) resources
In conjunction with a kinetic
attack
OR
Massive DDOS in order to
“black-out” a region, disrupt
services, and/or push political
agenda (propaganda)

24
CyberWar - Defense
• Never just Governmentmilitary
• Targets are likely to be civilian
• Physical and logical protections = last survival act
• Availability and Integrity of services – Survivability
• Can manifest in the cost of making services
unavailable for most civilians

CyberCrime
25

You want
money, you
gotta play like
the big boys
do...

27
CyberCrime - Attack
• Channels: web, mail, open services
• Targeted attacks on premium resources (corporate)
• Commissioned, or for extortion purposes
• Carpet bombing for most attacks (consumer)
• Segmenting geographical regions and market segments
• Secondary infections through controlled outposts
• Bots, infected sites

CyberCrime - target locations

CyberCrime - Locations
Major Cybercrime group locations

CyberCrime - Ammunition
~APT

32
CyberCrime - Defense
• Anti [ Virus | Malware | Spyware | Rootkit |
Trojan ]
• Seriously?
• Firewalls / IDS / IPS
• Seriously?
• Brought to you by the numbers 80, 443,
53...
• SSL...

How do these connect?
Claim: CyberCrime is being used to
conduct CyberWar
Is it?: Let’s start with some history...

History - Revisited...
Estonia
You read all about it.
Bottom line: civilian infrastructure was targeted
Attacks originated mostly from civilian networks

Israel
September 6th, 2007
Source: http://en.wikipedia.org/wiki/Operation_Orchard
Source: Der Spiegel
Operation Orchard

Georgia
More interesting, specially in our case...
Highly synchronized Kinetic and Cyber attacks
Targets still mostly civilian
Launched from civilian networks

Russian Crime/State Dilemma
McColo
ESTDomains
Atrivo
RBN
RealHost
Micronnet
Eexhost

Russian
Government
Crime
ESTDom RBN
HostFresh
UkrTeleGroup
ESTDomains
McColo
Atrivo
Hosted by
Customer
Network provider

39
Remember Georgia?
• Started by picking on the president...
• Then the C&C used to control the botnet was shut down
as:
• Troops cross the border towards Georgia
• A few days of silence...
flood http www.president.gov.ge
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge

40
Georgia - cont.
• Six (6) new C&C servers came up and drove attacks at
additional Georgian sites
• BUT - the same C&C’s were also used for attacks on
commercial sites in order to extort them (botnet-for-
hire)
www.president.gov.ge
www.parliament.ge
apsny.ge
news.ge
tbilisiweb.info
newsgeorgia.ru
os-inform.com
www.kasparov.ru
hacking.ge mk.ru
newstula.info
skandaly.ru
Additional sites attacked:
•Porn sites
•Adult escort services
•Nazi/Racist sites
•Carder forums
•Gambling sites
•Webmoney/Webgold/etc…

Iran
2009 Twitter DNS hack attributed to Iranian activity.
Political connections are too obvious to ignore (elections)
UN Council
Decisions
Protests by
leadership
opposition in Tehran
Timing was right on:

43
Iran-Twitter connecting dots
• Twitter taken down December 18th 2009
• Attack attributed eventually to cyber-crime/vigilante
group named “Iranian Cyber Army”
• Until December 2009 there was no group known as
“Iranian Cyber Army”...
• BUT - “Ashiyane” (Shiite group) is from the same place
as the “Iranian Cyber Army”

45
Iran-Twitter - Ashiyane
• Ashiyane was using the same pro-Hezbolla
messages that were used on the Twitter
attack with their own attacks for some
time...
• AND the “Iranian Cyber Army” seems to be
a pretty active group on the Ashiyane
forums www.ashiyane.com/forum
Let’s take a quick look at how Ashiyane operates...

On [Crime|War] training
Ashiyane forums
WarGames
46

47
47
Wargames targets includes:

Back to linking [Crime|War]
What else happened on the 18th?
More recently - Baidu taken down
with the same MO (credentials)

Ashiyane
Iranian Cyber
Army
DDoS
Botnet
Herding
Site
Defacement
Credit Card
Theft
Strategic
Attacks
Mapping Iran’s [Crime|War]
Iran
Iraq
US
$$ UK
US CN
Crime
War

50
Iran - the unspoken
• Stuxnet
• There, I’ve said it

The Future (Ilustrated)
CLOUDS

52
Summary
Good Bad
Formal training on
cybersecurity by nations
Commercial
development of malware
still reigns
Ugly
Good meet Bad: money changes hands,
less tracks to cover, criminal ops already
creating the weapons...

53
Summary
The Future
Lack of legislation and cooperation on multi-national level
is creating de-facto “safe haven” for cybercrime. <- FIx
this!
Treaties and anti-crime activities may prove to be
beneficial. <- nukes? (i.e. treaties...)

54
Thanks!
www.security-art.com
yoram@security-art.com
twitter.com/securityart
blog.security-art.com

�ݺ�ߣ

Cybercrime|Cyberwar - connecting the dots

More Related Content

Cybercrime|Cyberwar - connecting the dots

Editor's Notes