Executive Cyber Intelligence Report: September 1, 2014

This report was prepared by The Institute for National Security Studies (INSS) and The Cyber Security Forum Initiative (CSFI) to create better cyber situational awareness (Cyber SA) of the nature and scope of threats and hazards to national security worldwide in the domains of cyberspace and open source intelligence. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities, and follow-up measures.


Major cyber-attack against United States banks

A week ago, the US financial sector experienced a massive cyber-attack. Several banks, including JP Morgan Chase, were targeted by a series of cyber-attacks. According to an extensive investigation, the hackers infiltrated the banks’ networks and stole gigabytes of data, including customers’ details and employees’ information.

According to the FBI, which is conducting the investigation in cooperation with the United States Secret Service, the identities and motivation of the hackers have not yet been determined. However, although nothing is certain, the hackers appear to have originated from Russia or Eastern European countries.

This is not the first time US banks have experienced cyber-attacks. US banks have often been victims of hackers targeting credit card numbers and CVVs to sell on the Internet. Moreover, iSight Partners, a security company, warned banks about online threats and insisted banks should prepare to face cyber-attacks from Russia in retaliation for Western economic sanctions. When it comes to financial fraud and banks, Russian hackers are the most organized and powerful cyber-criminals. They are well skilled and highly motivated.


Behind Israeli cyber battle of Operation Protective Edge

According to an article written by Daniel Cohen and Danielle Levin, researchers from the Institute for National Security Studies, cyber-attacks targeting Israel during Operation Protective Edge demonstrated Israel’s implementation of government policy in the cyber sphere and its application of the systematization learned since 2012’s Operation Pillar of Defense.

There was a significant improvement in the coordination of Israel’s cyber defense organizations, including the functioning of Israel’s security systems and increased cooperation between the civilian and defense sectors. The objective of the main attack during the Operation was to cause Israeli networks to collapse by overloading the system. Cohen and Levin explain that these attacks focused on distributed denial of service (DDoS) and Domain Name Service (DNS) attacks on communication and Internet companies in an attempt to swamp the Israeli Internet networks.

The Shin Bet stated that international hacking groups conducted the attacks during the operation. The Israel Defense Forces (IDF) said Iran had a large role in the increase of cyber-attacks on civilian infrastructure. An Israeli security firm later confirmed that most of the attacks were of Middle Eastern origin, and the IDF later confirmed Iran took part in cyber-attacks targeting Israel. Both the IDF and the Shin Bet were able to foil any damaging attempts against Israeli government networks and critical infrastructure. The Shin Bet confirmed it had blocked all cyber-attacks targeting the Israeli government’s networks and systems.

The Shin Bet, through its cyber division, acted in coordination with private contractors, the Israeli Ministry of Communications, and the media in taking preemptive measures against these straightforward cyber-attacks. The IDF worked with an integrated communications network of Military Intelligence and cyber companies related to the Ministry of Defense, which assisted in recognizing and removing all cyber threats from the attackers behind these attacks. The head of the IDF cyber defense unit revealed that infiltration of IDF networks had also been attempted, but said that Israel’s technological capabilities had been raised to ensure no breaches occurred.


Most cyber-attacks targeting Western Europe come from Russia

According to a study conducted by Alert Logic, a Houston web security company, hackers operating directly from Russia conducted the vast majority of cyber-attacks targeted at Western Europe. In turn, China has become the leader in the number of hacking attacks against the United States.

Analysis showed that 40% of attacks targeting users in Northern European countries were carried out from Russia. Attacks on Western European countries were conducted from China (32%), the United States (21%), India (17%), and Russia (9%). Experts also reported that 63% of attacks on the countries of the Asia-Pacific region were carried out from the USA. The most frequent were infections caused by the Conficker-A malware.


Iranian cyber offense during Operation Protective Edge

An analysis of Iran’s cyber activity during Operation Protective Edge indicates growing maturity in the Islamic Republic’s operational capabilities, showing it is capable of conducting an extensive military cyber operation against a range of targets using a wide spectrum of methods, according to an article by Dr. Gabi Siboni and Sami Kronenfeld, researchers from the Institute for National Security Studies.

Moreover, Iran’s focus on cyberspace during Operation Protective Edge may indicate the start of a process in which cyberwar replaces classical terrorism as the main tool in Iran’s doctrine of asymmetrical warfare. Cyberwar, which offers the attacker distance and deniability, two features the Iranians consider extremely valuable, enables serious damage to the civilian front of an enemy enjoying military and geostrategic superiority. Thus far, Iran’s cyberspace capabilities remain inferior to Israel’s and to those of the leading technological powerhouses, but it is rapidly and efficiently closing the gap.

Hackers related to ISIS took down Sony PlayStation’s network

“Lizard Squad,” a pro-ISIS cyber group, claimed responsibility for hacking the Sony PlayStation Network. Using a distributed denial of service (DDoS) attack, the group managed to overload the PlayStation Network servers and cause the crash. Other services affected included Xbox LIVE, Battle.net log-ins for Blizzard titles, League of Legends, and Path of Exile. As posted on Twitter, the group claims to be connected with the Islamic State (IS), loyal to the Caliphate and acting as part of IS against the greed of corporations such as Sony. Nevertheless, many of the hackers from Lizard Squad were traced back to IPs in Europe.

Qatari technology helps Hamas build sophisticated cyber systems to attack Israel

Before and during Operation Protective Edge, Hamas was funded by Qatar. Qatar invested hundreds of millions in both defensive and offensive cyber-capabilities for the terrorist organization. According to Aviad Dadon of the Israeli cyber-security firm AdoreGroup: “We have sourced 70% of the cyber-attacks on Israeli government sites in recent weeks to IP addresses associated with Qatar.”

According to Dadon, not only is Qatar investing time and money in cyber-attacks, it is also training Hamas terrorists to use sophisticated equipment and systems to manage its extensive terror tunnel network and its automatic, timed systems for launching rockets at Israel. Qatar has hired hackers to hit Israeli government and infrastructure sites in an attempt to disrupt electricity, water and other critical systems during the 50-day operation.


Budget cuts increase Australian cyber-security risks

Australia’s cyber-security-focused Co-Operative Research Centre (CRC) has been denied funding for the second time. The CRC program dates back to 1990 and has provided funds and guidance to encourage research collaboration between universities and the private sector. Once the cuts hit the research institutes, a significant drop in R&D is imminent. However, a plan for the Australian Cyber-Security Research Institute is supposed to be announced later this year. Experts think this may be a little too late.

Hacker targets info on MH370 probe

The computers of high-­ranking officials in agencies involved in the MH370 investigation were hacked and classified information was stolen. The stolen information was allegedly being sent to a computer in China before Cybersecurity Malaysia (a Ministry of Science, Technology and Innovation agency in Malaysia) had the transmissions blocked and the infected machines shut down.

The national cyber-security specialist agency revealed that sophisticated malware, disguised as a news article reporting that the missing Boeing 777 had been found, was e-mailed to the officials on March 9, a day after the Malaysia Airlines plane vanished during its flight from Kuala Lumpur to Beijing.


Ecuador is latest country to face cyber-espionage campaign

Kaspersky Lab revealed that Ecuador is the latest country faced with a cyber-espionage campaign known as “Machete.” The campaign started in 2010 and has breached hundreds of gigabytes of classified information, beginning with infected PowerPoint files. Once inside, the attackers captured keystrokes, recorded audio from the computer microphone, took screenshots and stole files from remote servers.

Stolen information was also transferred using a special USB device. “The attackers were not interested in money, but in highly classified information of military… basically everything that involves national security of a government,” explained Dmitry Bestuzhev, Director of the Security Team for Latin America at Kaspersky Lab. The Latin American countries of Colombia and Venezuela were also affected, in addition to the embassies of Russia, France, China and others.


UK Ministry of Defense launching £2 million cyber defense project

The UK Ministry of Defense decided to launch a £2 million cyber defense project. The project is a competition aimed at finding solutions to automate cyber response, collect data and identify cyber-attacks in order to better protect UK MoD computer systems.

The competition has been organized by the MoD’s Centre for Defence Enterprise, which explained, “Once a system is compromised, a cyber-attack can quickly escalate, so automated responses are an essential part of cyber defense processes, while recognizing that the user may wish to revert to human decision making.”

The MoD declared it does not necessarily expect a single winner for this competition and that all good ideas will be reviewed. The budget has been split into two parts of £1 million each. The first part will be launched in September at an Innovation Network event in London. The second part will then be awarded on a per-project basis to the most successful bidders.

A UK MoD spokesperson explained that “the whole aim is to support people with ideas or small businesses that have ideas that don’t necessarily have the funds to develop them further. If they do prove successful, then there’s the potential to take them forward.” The UK, one of the most advanced countries in cyber defense, appears to be adopting a participatory strategy that brings British civilian companies into UK defense. This type of project is a plus for countries looking to develop their capacity to respond to multiple cyber-attacks.

Germany working on cyber security law to protect critical infrastructure

The German interior ministry is working on a cyber security law to protect the nation’s critical infrastructure. The Interior Minister, Thomas de Maizière, has submitted a draft law imposing stronger cyber security requirements on companies and national agencies in charge of critical infrastructure, in sectors such as information technology, telecommunications, energy, transportation, health, water, food supply, finance and insurance.

Part of this new cyber security law would oblige these companies to report any hacking incidents of which they were victims. According to the Minister, Germany’s critical infrastructure needs to be “the safest in the world.” Other German federal government departments have been asked to look at the proposals before the debate takes place. The Ministry also declared that the cyber security draft proposals are part of Germany’s 2014-2017 ‘digital agenda,’ which has been approved by the German federal government.

Despite a strong cyber security strategy, Germany still suffers several cyber-attacks against its critical infrastructure. This new proposal should help to strengthen its critical infrastructure and national security.


South Africa’s IT Governance launched four ISO 27001 package solutions to help South African organizations tackle cyber crime

IT Governance’s ISO 27001 package solutions offer world-class cyber security resources, training and consultancy online to help businesses protect their information assets. In a recent statement from the University of Johannesburg’s Centre for Cyber Security, Professor Basie von Solms said, “Business is also guilty of not doing enough to tackle cyber crime.” According to the 2013 Norton Report, South Africa has the third highest number of cyber crime victims after Russia and China.

Kenya urges concerted efforts to fight crime

Kenya called for concerted efforts in the fight against organized crime in Africa in order to help spur development in the continent.

Deputy President William Ruto told a regional conference for spy chiefs that working together will eliminate competition and create synergy in the fight against crime, which he said was threatening economic efforts. He also mentioned that there was a need for closer collaboration among the police, military officers, the national intelligence service and immigration officers in the fight against crime.

The spy chiefs will review security challenges in the continent and exchange intelligence to develop a shared understanding of common security problems.

These materials, including copyrighted materials, are intended for “fair use” as permitted under Title 17, Section 107 of the United States Code (“The Copyright Law”). Use of copyrighted material for unauthorized purposes requires permission from the copyright owner. Any feedback regarding this report or requests for changes to the distribution list should be directed to the Open Source Enterprise via unclassified e-mail at: inssdcoi@gmail.com.

CSFI and the INSS would like to thank the Cyber Intelligence Analysts who worked on collecting and summarizing this report.



CREDIT: Cyber Security Forum Initiative


The Madi Campaign – Part I


Kaspersky Lab Expert
Posted July 17, 13:00 GMT

For almost a year, an ongoing campaign to infiltrate computer systems throughout the Middle East has targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe.

Together with our partner, Seculert, we’ve thoroughly investigated this operation and named it the “Madi”, based on certain strings and handles used by the attackers. You can read the Seculert analysis post here.

The campaign relied on a couple of well known, simpler attack techniques to deliver the payloads, which reveals a bit about the victims’ online awareness. The large amount of data collected reveals the campaign’s focus on Middle Eastern critical infrastructure engineering firms, government agencies, financial houses, and academia. Individuals within this victim pool and their communications were selected for increased monitoring over extended periods of time.

This post is an examination of the techniques used to spread the Madi malware to victim systems, the spyware tools used, and quirks about both. In some cases, targeted organizations themselves don’t want to provide further breach information about the attack, so some perspective into the parts of the campaign can be limited.

The Arrival

Social engineering schemes to drop and run spyware

The Madi attackers rely mostly on social engineering techniques to distribute their spyware:

The first of the two social engineering schemes that define spreading activity for this surveillance campaign is the use of attractive images and confusing themes embodied in PowerPoint Slide Shows containing the embedded Madi trojan downloaders. An “Activated Content” PowerPoint effect enables executable content within these spearphish attachments to be run automatically. These embedded trojan downloaders in turn fetch and install the backdoor services and related “housekeeping” data files on the victim system. One example, “Magic_Machine1123.pps”, delivers the embedded executable within a confusing math puzzle PowerPoint Slide Show where the amount of math instructions may overwhelm a viewer. Note that while PowerPoint presents users with a dialog warning that the custom animation and activated content may execute a virus, not everyone pays attention to these warnings or takes them seriously; many just click through the dialog, running the malicious dropper.

Another PowerPoint Slide Show named “Moses_pic1.pps” walks the viewer through a series of calm, religious themed, serene wilderness, and tropical images, confusing the user into running the payload on their system as seen below:



Some of the downloaders also drop and open documents with Middle Eastern news content and religious themes as well, as seen here.

Social engineering – Right to left override (RTLO) techniques

Like many pieces of this puzzle, most of the components are simple in concept, but effective in practice. No extended 0-day research efforts, no security researcher commitments or big salaries were required. In other words, attacking this set of victims without 0-day in this region works well enough.

In addition to the attractive PowerPoint Slide Shows, frequently delivered within password protected zip archives, the attackers sent out executables with misleading file names using the publicly known “Right to Left Override” technique. These file names appear to the user as image files with harmless “.jpg” extensions, “.pdf” extensions, or whatever a determined attacker might craft, along with the matching file type icons, leading users to believe they can just click on what is not a data file, but an executable file. The issue exists with the way Windows handles Unicode character sets. The technique has been written up here and here. Madi’s related incident files included filenames that appeared on victim systems as “picturcs..jpg”, along with a common “.jpg” icon. But when that Unicode, or UTF-8 based, filename is copied to an ANSI file, the name is displayed as “pictu?gpj..scr”. So some Madi victims were tricked into clicking on what they thought was a harmless “.jpg”, and instead ran the executable “.scr” file. A screenshot presents an example filename here, with the flawed Windows Explorer display above, and the command line display below:
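The two displays described above can be reproduced and the trick detected from the stored filename alone. This is an added example, not code from the Securelist post: it models the single-override RTLO case Madi used, and the executable-extension shortlist and the constructed sample names are my own.

```python
"""Spot filenames that use Unicode bidirectional override characters.

Added example, not code from the Securelist post. It reproduces the Madi
"picturcs..jpg" trick and shows how a defender can flag such a name
before a user double-clicks it.
"""

# Unicode bidi control characters that can reorder how a name is drawn.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202E", "\u202C"

# Extensions Windows launches directly (a defender's shortlist, my choice).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware GUI such as Explorer draws the name.

    Text after an RLO is drawn reversed until a PDF or the end of the
    string; other bidi controls are simply invisible. This models the
    single-override case Madi used, not nested embeddings.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def ansi_display(name: str) -> str:
    """How a code page 1252 console shows the name: the bidi control becomes '?'."""
    return name.encode("cp1252", errors="replace").decode("cp1252")


def true_extension(name: str) -> str:
    """The extension the OS actually dispatches on, ignoring invisible controls."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def analyze_filename(name: str) -> dict:
    """Return what the user sees, what would run, and whether the mismatch is suspicious."""
    controls = [f"U+{ord(ch):04X} ({BIDI_CONTROLS[ch]})" for ch in name if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    shown_ext = shown[shown.rfind("."):].lower() if "." in shown else ""
    real_ext = true_extension(name)
    return {
        "stored": name,
        "displayed_as": shown,
        "displayed_ext": shown_ext,
        "true_ext": real_ext,
        "bidi_controls": controls,
        # A bidi control plus a visible/actual extension mismatch (or an
        # executable true extension) is the RTLO spearphish pattern.
        "suspicious": bool(controls) and (shown_ext != real_ext or real_ext in EXECUTABLE_EXTENSIONS),
    }


if __name__ == "__main__":
    # Constructed samples: the Madi-style name from the post and a benign one.
    for sample in ("pictu\u202Egpj..scr", "report.pdf"):
        r = analyze_filename(sample)
        print(f"{r['displayed_as']!r:18} console={ansi_display(sample)!r:18} "
              f"runs as {r['true_ext'] or '(none)'}  suspicious={r['suspicious']}")
```

The same check can be run over a mail gateway's attachment names or a file-share listing, since it needs only the stored name, not the file contents.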

When executed, these PE droppers will attempt to show misleading images or videos, once again, tricking the victim into believing nothing is wrong. Here’s a video about a missile test:

And a nuclear explosion photo:

Finding Presence

The backdoors that were delivered to approximately 800 victim systems were all coded in Delphi. This would be expected from more amateur programmers, or developers in a rushed project. Here is a screenshot of the interface for the admins:

The executables are packed with a recent version of the legitimate UPX packer such as UPX 3.07. Unfortunately, that technique and quickly shifting code will get the code past some gateway security products.

When run, most versions of the dropper create a large volume of files in “c:\documents and settings\\Printhood”. Along with UpdateOffice.exe or OfficeDesktop.exe (and other variations on the Office name), hundreds of mostly empty housekeeping files are created. Here’s a short list of the files keeping configuration data:

FIE.dll: filename extension
xdat.dll: last check-in date
BIE.dll: distraction filename extension
SHK.dll, nam.dll: victim directory path prefix (e.g. “abamo9”, the operator/handler name for this victim)
SIK.dll: domain check-in (e.g. http://www.maja<*>.in)

Also dropped and opened are any one of several “distraction images” and documents. One of the documents is the “Jesus image” posted above (dropped as encoded content within “Motahare.txt”), and one of the documents is a copy and paste job of an article at The Daily Beast on electronic warfare in the region, which was dropped as encoded content within “Mahdi.txt”.

Infostealers are downloaded and run as “iexplore.exe” from within the “templates” directory mentioned above.

Functionality list:

The functionality in the backdoor software mirrors the options present in the configuration tool. Notice the nine different options:

1. Keylogging

2. Screenshot capture at specified intervals. (see timers below)

3. Screenshot capture at specified intervals, initiated exclusively by a communications-related event. The event may be that the victim is interacting with webmail, an IM client or social networking site. These triggering sites include Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, google+, Facebook and more.

4. Update this backdoor

5. Record audio as .WAV file and save for upload

6. Retrieve any combination of 27 different types of data files

7. Retrieve disk structures

8. Delete and bind – these are not fully implemented yet

The various operations of the backdoor are controlled by Delphi Timers, as seen below:

Using a disinfected version of Resource Hacker

It’s common behavior for malware to maintain malicious code in their resource section, decompress it on the fly and drop it to disk. Or, for attackers to modify the icons of their RTLO spearphish.

The Madi attackers maintain two copies of ResHacker (see http://www.angusj.com/resourcehacker/ ) for distribution on their websites, embedded within the files “SSSS.htm” and “RRRR.htm”. They not only created more noise on the wire by instructing their malware to download ResHacker, a well known resource section editor, but it looks like they have had problems with virus infections on their own networks. These copies differed by one byte. That difference is the value of the SizeOfImage field in the PE optional header, 0xdc800 in one file and 0xde000 in the other. The difference presents itself because both were infected with “Virus.Win32.Parite.b” (https://www.securelist.com/en/descriptions/old20924) at some point, and then cleaned by anti-virus scanners. So it’s possible, and likely, that the attackers are bumbling through infections of their own.

Indicators of compromise

All known compromised systems communicate over HTTP with one of several web servers, such as 174.142.57.* (3 servers) and 67.205.106.* (one server).

In addition, ICMP PING packets are sent to these servers to check their status. The infostealers are downloaded and executed from the “c:\Documents and Settings\%USER%\Templates” folder. The downloader itself runs from “c:\documents and settings\%USER%\Printhood”, which may contain over 300 files with “.PRI”, “.dll”, and “.TMP” extensions. The infostealers are named “iexplore.exe”, while the downloaders maintained names like UpdateOffice.exe or OfficeDesktop.exe.
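The host and network indicators above can be turned into a small triage check. This is an added example, not code from the Securelist post: the paths, process names and address ranges are the ones the post lists, while reading the wildcarded ranges as /24 networks, the 300-file threshold, and the sample host data are my own assumptions.

```python
"""Host-side triage for the Madi indicators of compromise.

Added example, not from the Securelist post. Indicator values come from
the post; the /24 size for "174.142.57.*" and the 300-file threshold
for Printhood are my reading of the text, and the sample data is constructed.
"""
import ipaddress
import ntpath
from collections import Counter

# Wildcarded C2 ranges from the post, read as /24 networks (assumption).
C2_NETWORKS = [ipaddress.ip_network("174.142.57.0/24"),
               ipaddress.ip_network("67.205.106.0/24")]
DOWNLOADER_NAMES = {"updateoffice.exe", "officedesktop.exe"}
HOUSEKEEPING_EXTS = {".pri", ".dll", ".tmp"}
HOUSEKEEPING_THRESHOLD = 300  # "may contain over 300 files"


def _in_dir(path: str, folder: str) -> bool:
    """True if the Windows path sits directly under a folder with this name."""
    return ntpath.basename(ntpath.dirname(path)).lower() == folder.lower()


def check_processes(processes):
    """processes: iterable of (image_name, full_path). Yields finding strings."""
    for name, path in processes:
        lname = name.lower()
        # iexplore.exe belongs under Program Files, not a user's Templates folder.
        if lname == "iexplore.exe" and _in_dir(path, "Templates"):
            yield f"iexplore.exe running from a Templates folder: {path}"
        if lname in DOWNLOADER_NAMES and _in_dir(path, "Printhood"):
            yield f"downloader-style name running from Printhood: {path}"


def check_printhood(listing):
    """listing: filenames found in a user's Printhood folder."""
    counts = Counter(ntpath.splitext(f)[1].lower() for f in listing)
    total = sum(counts[ext] for ext in HOUSEKEEPING_EXTS)
    if total > HOUSEKEEPING_THRESHOLD:
        yield f"Printhood holds {total} .PRI/.dll/.TMP files (threshold {HOUSEKEEPING_THRESHOLD})"


def check_connections(connections):
    """connections: iterable of (dst_ip, dst_port, proto)."""
    for ip, port, proto in connections:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in C2_NETWORKS):
            yield f"{proto} to a known Madi C2 range: {ip}:{port}"


def triage(processes, printhood_listing, connections):
    """Run all three checks and return the combined list of findings."""
    return (list(check_processes(processes))
            + list(check_printhood(printhood_listing))
            + list(check_connections(connections)))


# Constructed sample host data (not from any real incident).
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("iexplore.exe", r"C:\Documents and Settings\alice\Templates\iexplore.exe"),
    ("UpdateOffice.exe", r"C:\Documents and Settings\alice\Printhood\UpdateOffice.exe"),
]
SAMPLE_PRINTHOOD = ([f"data{i}.PRI" for i in range(200)]
                    + [f"t{i}.TMP" for i in range(120)]
                    + ["FIE.dll", "xdat.dll", "SIK.dll"])
SAMPLE_CONNECTIONS = [
    ("8.8.8.8", 53, "UDP"),
    ("174.142.57.10", 80, "HTTP"),  # constructed address inside the wildcarded range
    ("93.184.216.34", 443, "HTTPS"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_PRINTHOOD, SAMPLE_CONNECTIONS):
        print(finding)
```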

At the time of writing, the campaign continues to be in operation and we are working with various organizations to clean up and prevent further infections. Kaspersky products detect the malware as “Trojan.Win32.Madi.*”; some of the older variants are detected as “Trojan.Win32.Upof.*”.

Related MD5s, not a complete list:


Part II of this blogpost will examine the broader picture – infrastructure, communications, data collection, and victims.

Flame spy virus going to suicide

The creators of the world’s most complicated espionage virus Flame have sent a ‘suicide’ command that removes it from some infected computers. U.S. computer security researchers said on Sunday that the Flame computer virus, which struck at least 600 specific computer systems in Iran, Syria, Lebanon, Egypt, Sudan, Saudi Arabia and the Palestinian Authority, has gotten orders to vanish, leaving no trace.

The 20-megabyte piece of malware already had a self-destruct module known as SUICIDE that removed all files and folders associated with Flame, but the purging command observed by Symantec researchers instead relied on a file called browse23.ocx that did much the same thing. According to Symantec, the ‘suicide’ command was “designed to completely remove Flame from the compromised computer,” the BBC reports.

Computers infected with Flame, including honeypots, have been routinely contacting its C&C servers to check for new commands. When the C&C servers still owned by Flame’s authors recently sent out a self-destruct code, Symantec detected the command immediately.

Flame was designed to suck information from computer networks and relay what it learned back to those controlling the virus. It can record keystrokes, capture screen images, and eavesdrop using microphones built into computers.

Bots have long contained such self-destruct mechanisms, so it’s not surprising that malware as complex and comprehensive as Flame would, too.