1. Iftach Ian Amit | April 2011
Cyber[Crime|War]
Connecting the Dots
Iftach Ian Amit
VP Consulting, Security Art
Board Member - CSA Israel
IL-CERT Dreamer
DC9723
All rights reserved to Security Art ltd. 2002-2010 www.security-art.com
2. Iftach Ian Amit | April 2011
The Disclaimer
This is “hacker” me, and my own personal opinion only. This has got nothing to do with work
stuff. The “work” me is often suited and talks in acronyms and industry best practices stuff.
All rights reserved to Security Art ltd. 2002-2010 2
3. Iftach Ian Amit | April 2011
Agenda
• Who am I?
• CyberWar [Attack | Defense]
• CyberCrime [Attack | Defense]
• History revisited
• Connecting the dots...
• Future
All rights reserved to Security Art ltd. 2002-2010 3
4. Iftach Ian Amit | April 2011
Who Am I
All rights reserved to Security Art ltd. 2002-2010 4
5. Iftach Ian Amit | April 2011
This is NOT going to be
All rights reserved to Security Art ltd. 2002-2010 5
6. Iftach Ian Amit | April 2011
Picking up where we left off
At least as far as last year’s research is concerned...
All rights reserved to Security Art ltd. 2002-2010 6
7. Iftach Ian Amit | April 2011
Boss, is this
supposed to
be on the
internet?
We probably
need to call
someone...
I thi
is fr nk t
his
pow om
erpo my
All rights reserved to Security Art ltd. 2002-2010 7
int!
8. Iftach Ian Amit | April 2011
Final ly de-
classif ied...
(on p ublic
dom ain)
The initia
“trace” o l
r lo-
jack used
track dow to
n the
thief...
All rights reserved to Security Art ltd. 2002-2010 8
9. Iftach Ian Amit | April 2011
Hungry yet?
That was just the appetizer...
All rights reserved to Security Art ltd. 2002-2010 9
10. Iftach Ian Amit | April 2011
Question 1: What is this?
All rights reserved to Security Art ltd. 2002-2010 10
11. Iftach Ian Amit | April 2011
Question 1: What is this?
All rights reserved to Security Art ltd. 2002-2010 11
12. Iftach Ian Amit | April 2011
Perceptions may be deceiving...
War Crime
All rights reserved to Security Art ltd. 2002-2010 12
13. Iftach Ian Amit | April 2011
War Crime
• Government / state • Private
• Official backing • Semi-official backing (org.
crime)
• Official resources
• Financing
• Official resources
• Expertise?
• Self financing?
• Exploits/Vulns?
• Established expertise (in-
house + outsourced)
• Market for exploits
All rights reserved to Security Art ltd. 2002-2010 13
14. Iftach Ian Amit | April 2011
CyberWar
“Cyberwarfare, (also known as
cyberwar and Cyber Warfare), is the
use of computers and the Internet in
conducting warfare in cyberspace.”
Wikipedia
All rights reserved to Security Art ltd. 2002-2010 14
15. Iftach Ian Amit | April 2011
It did not happen yet
Estonia being an exception?
“There is no Cyberwar”
All rights reserved to Security Art ltd. 2002-2010 15
16. Iftach Ian Amit | April 2011
This is not the only way! Neither is this...
But civilian are
always at stake!
All rights reserved to Security Art ltd. 2002-2010 16
17. Iftach Ian Amit | April 2011
Many faces of how CyberWar is perceived...
From McAfee’s “Virtual Criminology Report”
Image caption:
“countries developing advanced offensive cyber capabilities”
All rights reserved to Security Art ltd. 2002-2010 17
18. Iftach Ian Amit | April 2011
We’ll focus on current players:
And no, here size does NOT matter...
All rights reserved to Security Art ltd. 2002-2010 18
19. Iftach Ian Amit | April 2011
USA
• Thoroughly documented activity around cyberwar
preparedness as well as military/government agencies
with readily available offensive capabilities
• Massive recruiting of professional in attack/defense for
different departments:
• USCC (United States Cyber Command - includes
AirForce, Marines, Navy and Army service
components)
• NSA
• Other TLA’s...
All rights reserved to Security Art ltd. 2002-2010 19
20. Iftach Ian Amit | April 2011
Russia
• GRU (Main Intelligence Directorate of the
Russian Armed Forces)
• SVR (Foreign Intelligence Service)
• FSB (Federal Security Services)
• Center for Research of Military Strength of
Foreign Countries
• Several “National Youth Associations” (Nashi)
All rights reserved to Security Art ltd. 2002-2010 20
21. Iftach Ian Amit | April 2011
China
• PLA (People’s Liberation Army)
• Homework: read the Northrop Grumman
report...
• General Staff Department 4th Department -
Electronic Countermeasures == Offense
• GSD 3rd Department - Signals Intelligence
== Defense
• Yes... Titan Rain...
All rights reserved to Security Art ltd. 2002-2010 21
22. Iftach Ian Amit | April 2011
Iran
• Telecommunications Infrastructure
co.
• Government telecom monopoly
• Iranian Armed Forces
All rights reserved to Security Art ltd. 2002-2010 22
23. Iftach Ian Amit | April 2011
Israel
• This is going to be very boring... Google data only :-(
• IDF (Israel Defense Forces) add cyber-attack
capabilities.
• C4I (Command, Control, Communications, Computers
and Intelligence) branches in Intelligence and Air-Force
commands
• Staffing is mostly homegrown - trained in the army and
other government agencies.
• Mossad? (check out the jobs section on mossad.gov.il...)
All rights reserved to Security Art ltd. 2002-2010 23
24. Iftach Ian Amit | April 2011
CyberWar - Attack
Highly selective targeting of
military (and critical)
resources
In conjunction with a
kinetic attack
OR
Massive DDOS in order to
“black-out” a region,
disrupt services, and/or
push political agenda
(propaganda)
All rights reserved to Security Art ltd. 2002-2010 24
25. Iftach Ian Amit | April 2011
CyberWar - Defense
• Never just military
• Targets will be civilian
• Physical and logical protections = last
survival act
• Availability and Integrity of
services
• Can manifest in the cost of making
services unavailable for most
civilians
All rights reserved to Security Art ltd. 2002-2010 25
26. Iftach Ian Amit | April 2011
CyberCrime
All rights reserved to Security Art ltd. 2002-2010 26
27. Iftach Ian Amit | April 2011 Criminal Boss
Under Boss Trojan
Provider and Manager
Trojan Command and
Control
Attackers Crimeware
You want
Toolkit Owners
Trojan distribution in
legitimate website
money, you Campaign Manager Campaign Manager Campaign Manager
gotta play like
the big boys
do...
Affiliation Affiliation Affiliation
Network Network Network
Stolen Data Reseller Stolen Data Reseller Stolen Data Reseller
All rights reserved to Security Art ltd. 2002-2010 27
Figure 2: Organizational chart of a Cybercrime organization
28. Iftach Ian Amit | April 2011
CyberCrime - Attack
• Channels: web, mail, open services
• Targeted attacks on premium resources
• Commissioned, or for extortion purposes
• Carpet bombing for most attacks
• Segmenting geographical regions and market
segments
• Secondary infections through controlled outposts
• Bots, infected sites
All rights reserved to Security Art ltd. 2002-2010 28
29. Iftach Ian Amit | April 2011
CyberCrime - target locations
All rights reserved to Security Art ltd. 2002-2010 29
30. Iftach Ian Amit | April 2011
CyberCrime - Locations
Major Cybercrime group locations
All rights reserved to Security Art ltd. 2002-2010 30
31. Iftach Ian Amit | April 2011
CyberCrime - Ammunition
=≈ APT
All rights reserved to Security Art ltd. 2002-2010 31
32. Iftach Ian Amit | April 2011
All rights reserved to Security Art ltd. 2002-2010 32
33. Iftach Ian Amit | April 2011
CyberCrime - Defense
• Anti [ Virus | Malware | Spyware | Rootkit | Trojan ]
• Seriously?
• Firewalls / IDS / IPS
• Seriously?
• Brought to you by the numbers 80, 443, 53...
• SSL...
All rights reserved to Security Art ltd. 2002-2010 33
34. Iftach Ian Amit | April 2011
How do these connect?
Claim: CyberCrime is being used to
conduct CyberWar
Proof: Let’s start with some history...
All rights reserved to Security Art ltd. 2002-2010 34
35. Iftach Ian Amit | April 2011
History - Revisited...
Estonia
You read all about it.
Bottom line: civilian infrastructure was targeted
Attacks originated mostly from civilian networks
All rights reserved to Security Art ltd. 2002-2010 35
36. Iftach Ian Amit | April 2011
History - Revisited...
Israel
Operation Orchard
September 6th, 2007 Source: Der Spiegel
Source: http://en.wikipedia.org/wiki/
Operation_Orchard
All rights reserved to Security Art ltd. 2002-2010 36
37. Iftach Ian Amit | April 2011
Mid-east crime-war links
ARHack
Hacker forum by day
Cybercrime operations by night
All rights reserved to Security Art ltd. 2002-2010 37
38. Iftach Ian Amit | April 2011
Political post
Buying/Selling cards for 1/2 their balance
Selling 1600
visa cards
All rights reserved to Security Art ltd. 2002-2010 38
39. Iftach Ian Amit | April 2011
History - Revisited...
Georgia
More interesting...
Highly synchronized Kinetic and Cyber attacks
Targets still mostly civilian
Launched from civilian networks
All rights reserved to Security Art ltd. 2002-2010 39
40. Iftach Ian Amit | April 2011
Russian Crime/State Dillema
Micronnet
McColo
Atrivo
Eexhost
ESTDomains
RBN
RealHost
All rights reserved to Security Art ltd. 2002-2010 40
41. Iftach Ian Amit | April 2011
Russian
Crime
Government
ESTDomains ESTDom RBN
Atrivo
McColo UkrTeleGroup
HostFresh
Hosted by
Customer
Network provider
All rights reserved to Security Art ltd. 2002-2010 41
42. Iftach Ian Amit | April 2011
Remember Georgia?
• Started by picking on the president...
flood http www.president.gov.ge
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge
• Then the C&C used to control the botnet
was shut down as:
• Troops cross the border towards Georgia
• A few days of silence...
All rights reserved to Security Art ltd. 2002-2010 42
43. Iftach Ian Amit | April 2011
Georgia - cont.
• Six (6) new C&C servers came up and drove attacks
at additional Georgian sites
www.president.gov.ge
os-inform.com
www.parliament.ge
www.kasparov.ru
apsny.ge
hacking.ge mk.ru
news.ge
newstula.info
tbilisiweb.info
skandaly.ru
newsgeorgia.ru
• BUT - the same C&C’s were also used for attacks on
commercial sites in order to extort them (botnet-
for-hire) Additional sites attacked:
•Porn sites •Carder forums
•Adult escort services •Gambling sites
•Nazi/Racist sites •Webmoney/Webgold/etc…
BTW - Guess who
were the owners of all the
Georgian IPSs?(Russia)
All rights reserved to Security Art ltd. 2002-2010 43
44. Iftach Ian Amit | April 2011
Georgia - cont.
• Final nail in the coffin:
• The city of Gori
• DDoS hits all municipal sites August
7th 2008 at 22:00
• Complete network disconnect of the
district August 8th 06:00
• First strike on city August 8th 07:30
All rights reserved to Security Art ltd. 2002-2010 44
45. Iftach Ian Amit | April 2011
History - Revisited...
Iran
2009 Twitter DNS hack attributed to Iranian
activity.
Political connections are too obvious to ignore
(elections)
Timing was right on:
Protests by
UN Council
leadership opposition
Decisions
in Tehran
All rights reserved to Security Art ltd. 2002-2010 45
46. Iftach Ian Amit | April 2011
All rights reserved to Security Art ltd. 2002-2010 46
47. Iftach Ian Amit | April 2011
Iran-Twitter connecting dots
• Twitter taken down December 18th 2009
• Attack attributed eventually to cyber-crime/
vigilante group named “Iranian Cyber Army”
• Until December 2009 there was no group
known as “Iranian Cyber Army”...
• BUT - “Ashiyane” (Shiite group) is from the
same place as the “Iranian Cyber Army”
All rights reserved to Security Art ltd. 2002-2010 47
48. Iftach Ian Amit | April 2011
All rights reserved to Security Art ltd. 2002-2010 48
49. Iftach Ian Amit | April 2011
Iran-Twitter - Ashiyane
• Ashiyane was using the same pro-Hezbolla
messages that were used on the Twitter
attack with their own attacks for some
time...
• AND the “Iranian Cyber Army” seems to
be a pretty active group on the Ashiyane
forums www.ashiyane.com/forum
Let’s take a look at how Ashiyane operates...
All rights reserved to Security Art ltd. 2002-2010 49
50. Iftach Ian Amit | April 2011
On [Crime|War] training
Ashiyane forums
WarGames
All rights reserved to Security Art ltd. 2002-2010 50
51. Iftach Ian Amit | April 2011
Wargames targets includes:
All rights reserved to Security Art ltd. 2002-2010 51
52. Iftach Ian Amit | April 2011
Back to [Crime|War] Links:
What else happened on the 18th?
Later on - Baidu takedown
with the same MO (credentials)
All rights reserved to Security Art ltd. 2002-2010 52
53. Iftach Ian Amit | April 2011
Mapping Iran’s [Crime|War]
Iran
US
Iraq Site
DDoS
Defacement
Ashiyane
Botnet Credit
Herding Card Theft
$$ UK
Crime
War
Iranian Strategic
Cyber Attacks
US CN
All rights reserved to Security Art ltd. 2002-2010 53
54. Iftach Ian Amit | April 2011
Iran - the unspoken
• Stuxnet
• There, I’ve said it
All rights reserved to Security Art ltd. 2002-2010 54
55. Iftach Ian Amit | April 2011
History - Revisited...
China
• Great Chinese Firewall doing an OK job in
keeping information out.
• Proving grounds for many cyber-attackers
• Bulletpfoof hosting (after RBN temporary
closure in 2008 China provided an alternative
that stayed...)
All rights reserved to Security Art ltd. 2002-2010 55
56. Iftach Ian Amit | April 2011
China ...connecting the dots
January 12th - Google announces it was hacked
by China
Not as in the “we lost a few minutes of DNS”
hacked...
“In mid-December we detected a highly
sophisticated and targeted attack on our
corporate infrastructure originating from China that
resulted in the theft of intellectual property from
Google” (David Drummond, SVP @Google)
All rights reserved to Security Art ltd. 2002-2010 56
57. Iftach Ian Amit | April 2011
China ...connecting the dots.
January 12th - Adobe gets hacked. By China.
“Adobe became aware on January 2, 2010 of a
computer secur ity incident involving a
sophisticated coordinated attack
against corporate network systems managed by
Adobe and other companies” (Adobe official
blog)
Same MO: 0-day in Internet Explorer to get
into Google, Adobe and more than 40
additional companies
All rights reserved to Security Art ltd. 2002-2010 57
58. Iftach Ian Amit | April 2011
China ...connecting the dots...
Problem: Attacks all carry the signs of
Cybercrime...
Criminal groups attack companies in order to get
to their data so they can sell it (whether it was
commercial or government data!)
US Response: “We look to the Chinese government
for an explanation. The ability to operate with
confidence in cyberspace is critical in a modern society
and economy.” (Hillary Clinton, Secretary of State)
All rights reserved to Security Art ltd. 2002-2010 58
59. Iftach Ian Amit | April 2011 Anecdote - a
professor in one of the
China ... universities linked to the attack
connecting the dots....
admitted that the school network
is often used to anonymously
The China move:
relay attacks
Use of criminal groups to carry out the
attacks provides the perfect deniability on
espionage connections (just like in the past,
and a perfect response to clinton).
Targets are major US companies with strategic
poise to enable state interest espionage
Information sharing at its best:
State Crime
All rights reserved to Security Art ltd. 2002-2010
Win59 - Win
60. Iftach Ian Amit | April 2011
How does APT fit here?
RSA
• Infection vector: Flash vulnerability exploited
through Excel file
• Persistence: Using Poison Ivy as the trojan
• Exfiltration: Pack data in password protected
RAR files and upload to FTP
All rights reserved to Security Art ltd. 2002-2010 60
61. Iftach Ian Amit | April 2011
APT ...connecting the dots
Compared to what we just reviewed, that was a
SIMPLE attack...
Trojan is not even a “commercial” product (free
download at http://www.poisonivy-rat.com/)
All rights reserved to Security Art ltd. 2002-2010 61
62. Iftach Ian Amit | April 2011
APT ...connecting the dots....?
Persistence,
Infiltration Exfiltration
C&C
Social/ Advanced C&C Advanced
APT (p2p, lateral move) exfil (dns,VoIP)
physical
Simple C&C Simple exfil
APT?! Phishing
(HTTP) (FTP)
Bottom line: Not a direct state attack - Criminals again...
All rights reserved to Security Art ltd. 2002-2010 62
63. Iftach Ian Amit | April 2011
The Future (Ilustrated)
CLOUDS
All rights reserved to Security Art ltd. 2002-2010 63
64. Iftach Ian Amit | April 2011
Summary
Good Bad
Formal training on Commercial
cybersecurity by development of
nations malware still reigns
Ugly
Good meet Bad: money changes hands, less
tracks to cover, criminal ops already creating
the weapons...
All rights reserved to Security Art ltd. 2002-2010 64
65. Iftach Ian Amit | April 2011
Summary
The Future
Lack of legislation and cooperation on multi-
national level is creating de-facto “safe
haven” for cybercrime. <- Fix this!
Treaties and anti-crime activities may prove to
be beneficial. <- Translate to politics/law!
All rights reserved to Security Art ltd. 2002-2010 65
66. Iftach Ian Amit | April 2011
Thanks!
Q&A
iamit@iamit.org
pro: iamit@security-art.com
twitter: twitter.com/iiamit
blog: iamit.org/blog
All rights reserved to Security Art ltd. 2002-2010 66