Archive

Archive for the ‘Cyberattack’ Category

Schadenfreude and Shame in Security

December 23, 2014 Comments off

Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.

Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.

In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.

Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to solving systemic issues. We should be raising questions and bringing to light topics such as

  • Opportunism and fear mongering by politicians and our own industry.
  • Vandalism portrayed as terrorism.
  • The inadequacy of traditional investigative methods in cybercrime.
  • Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.
  • Pre-determined attribution in hacking and geopolitics.
  • A geopolitical reaction to issues stemming from poor corporate oversight.
  • The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).
  • The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.

There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.

UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that’s exactly the point. Why do we build technology of not to solve societal and human scale issues? If we are creating technology to its own end, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor naive enough to think won’t happen.

South Korean Media and Banks under Cyberattack

March 20, 2013 Comments off

Update March 22, 2013 18:00 (UTC+9): New information from the Korean Communications Commission (KCC) said that the earlier report connecting attacks to a Chinese IP address was wrong. Instead the IP address was used by an employee of Nonghyup bank. Reports claim that Shinhan and Jeju banks are fully operational, Nonghyup is partially recovered and the broadcasters are only about 10% recovered. Also it appears that 20% of Nonghyup ATMs are still offline after the attack. There’s an interesting first-hand account of the events from a MBC employee.

On March 20, 2013, several banking and media sites in South Korea came under attack. The attacks knocked critical systems offline at banks and media outlets. Initial suspicion pointed the finger at North Korean government, but it now appears that a hacking group may be behind the attacks. Reports are still coming in and some details may change as better understanding is gained. We will update the situation as it evolves.

At approximately 2:20PM in Seoul, computers at three media outlets – KBS, MBC, YTN – and two banks – Shinhan and Nonghyup – froze or rebooted. The banks’ ATM networks were affected, and companies using them for processing credit cards reverted to cash-only transactions. At the media outlets the computer problems did not prevent television broadcasts, but many employees were unable to use their computers. It’s estimated that an estimated 32,000 computers were infected with destructive malicious software.

Many of these computers – maybe all of them – will not come back online without lots of work. The malicious software is reported to make all the data inaccessible, either by deleting it directly or by destroying the Master Boot Record (MBR) – the table of contents, so to speak. South Korean officials and people within the affected companies are largely calling these events a “network paralysis” rather than a cyberattack or a Distributed Denial of Service (DDOS).

There has been a suggestion that the attack may be related to suspicious files discovered last week that appear to target KBS and MBC.  SBS, another Korean broadcaster, may have also been targeted but is not reported to have suffered damage yet. Some of the malware may have the ability to damage Unix systems as well as Windows.

The South Korean government has raised cyber alert status in the country. The South Korean Army has changed their INFOCON (Information Operations Condition) from 4 to 3, indicating higher threat of attack. The normal status is 5. The Korean Computer Emergency Response Team (KrCERT) changed their status from 2 to 3, reflecting a “substantial” risk of attack.

A subsidiary of the technology maker, LG, called U Plus provides Internet service to all of the affected organizations. It is not known whether this link is related to the attack or whether it is coincidental. Initial reports claimed that U Plus claimed their systems were hacked – some stories quoting an unnamed spokesperson for the company and some attributing the information to social media posts claiming to be from an employee. CNBC quotes a U Plus spokesperson named Lee Jung-hwan as saying that no attacks were detected on their network. It may be that an attack on U Plus happened but was unrelated to the attacks against the media and banking companies.

There were likely several ways that the malicious software spread. Security systems detected and blocked the malware as it came through email. Analysis of the malicious code itself reveals a mechanism for spreading the malware within the affected companies through a Software Management Server used to distribute updates to computers. It is likely that multiple methods of propogation were used.

Initially most reports suggested that North Korea may be behind the attack. Yesterday Pyongyang derided the joint military actions of the US and South Korea and recent rhetoric from the North has been very aggressive. Last week North Korea suffered Internet outages, the cause of which are still not publicly known. But they claimed to be victims of a US and South Korean cyberattack. The South Korean government earlier claimed that the malicious code had been traced back to a location in China. However they have retracted the claim, saying that the data they had was misleading and the system was related to Nonghyup bank.

However, evidence is starting to emerge pointing to a hacking group called Whois Team. A website was posted by the group claiming to have stolen all the information and deleted it from the computers. At the moment no official reports from the US or Korean governments have identified the group they think is responsible for the attack. However Seoul has said no Korean government computers have been affected.

These aren’t the first cyberattacks on South Korean institutions. In 2009 DDOS attacks hit several companies, including the banks affected today. And in 2011 DDOS attacks again hit Seoul. However, these are different in that they are not tying up the Internet resources, but are knocking out computer systems in a way that will keep them offline for a while. Analysis of the malicious software revealed the word HASTATI – the first line of attack in the Roman army. A new variant appears to have been found with the word PRINCIPES embedded, which is the second of three waves in a Roman army.

Analysis

The information above is all from press reports. But there is doubtless much more to the events than has been reported. Most of this is likely because of the confusion that surrounds the early stages of these kinds of events. We are going to try to do some analysis, but because of language and knowledge barriers in media reporting we may come up with some conclusions that aren’t quite right. We apologize in advance and will try to be conservative with our analysis. Here are our hypotheses.

This was not an APT. Several reports have suggested that this attack was perpetrated by an Advanced Persistent Threat (APT). We suspect that this attack is one that was targeted at the victims specifically, but that the techniques were not all that advanced. Truly advanced attackers typically do not destroy the assets they have taken control of within a week of breaking in. Instead, they try to remain undetected for months or years and take information or affect normal operations for some more strategic advantage.

This was probably not North Korea. Several reports have suggested that this attack was carried out by North Korea. We suspect that this is not the case. The value to North Korea is not in shutting the systems down, but in gaining intelligence from them. And if the attack were their doing, then the “skull” website would either be unrelated or a false flag. That doesn’t seem likely. Instead, we believe that this attack was carried out by a group of amateur hackers. The allusions to Roman army structure, however, may be a sign that this activity is a military action but it seems implausible that North Koreans would use a Roman term, given their level of nationalism. But it is entirely plausible that North Korea enticed the Whois Team to carry out the attack.

There may be a Middle-Eastern and North African connection. The type of malicious software used, called “wipers”, has been seen in other attacks. Two of these attacks highlighted by Kaspersky have a Middle-Eastern connection. The skulls image that the Whois Team used has also been used in other attacks against Middle Eastern targets by French-speaking Muslim groups Xrapt0r and Mauritania Hacking Team (links withheld). It’s too early to say if there is a link, but circumstantially it appears that there is. If there is a connection, it may be that the attackers were hired by others in order to cover their tracks. It is also possible that the link is a false flag, designed to throw investigators off.

The LG U Plus link is significant. We don’t believe it is a coincidence that the same service provider counted all of the victims as customers. There are hundreds of ways that an attacker could use this relationship to infect customers with malware. It may not be related to Internet services, but others such as desktop maintenance or server administration. It’s too early to say. But that link could be a red herring. It’s not clear to us whether LG U Plus provides services for other major Korean banks and media outlets or not. It may, in fact, be that LG U Plus is simply the largest Internet and Computer Services company in Korea and that everybody uses them.

This event will end up costing hundreds of millions of dollars. The way in which these computers were affected means there will likely have to be a lot of work that goes into fixing them. That means lost productivity – the largest cost – as well as time from the IT department and other cleanup costs. And there will doubtless be outside investigations to pay for, government oversight questions to answer and purchases made to prevent this kind of thing from happening again. The companies will undoubtedly lose revenue because of these attacks. And any data that isn’t backed up will be lost or will have to be recreated.

There may be more waves of attack. The second (PRINCIPES) variant found strengthens the case that the attacks will proceed in waves. As of yet it is not known if the second variant was a part of the first wave or whether it will cause an impact later. To complete the Roman military structure a third variant should be expected, using the word TRIARII.