25 Report Cyber 2017 December - ICT 25 december 2017 english (n… · Cyber Report no. 25 by the...
Cyber Report 25
December 2017
Executive Summary
Cyber Report no. 25 by the International Institute for Counter-Terrorism (ICT) reviewed the prominent uses made of cyberspace by terrorist organizations and their supporters in December 2017. This is not an exhaustive list but rather an identification of the main trends as they arose from the field, and their analysis is divided into five areas.
1. In the operational domain, jihadist organizations continued to use cyberspace for a variety of needs, the most prominent among them being propaganda and financing. The dissemination of propaganda on social networks continued as usual during this period, while the financial aspect showed a drastic trend of the increased use of digital currency.
2. In the defensive domain of terrorists in cyberspace, there was no significant innovation. The trend of distributing content on issues of security and encryption, privacy and anonymity, warnings against phishing, and the safe use of mobile devices continued; most of the publications consisted of recycled content that was observed and documented over the past year, mainly through the Telegram channels of the “Electronic Afaq Horizons” institution.
3. In the offensive domain, the following stood out during the period under review: Caliphate Cyber Ghosts, which is associated with the Islamic State (IS), and hacker groups supported/directed by Iran. In addition, the third issue of the magazine, Kybernetiq, which is distributed by global jihad supporters and dedicated entirely to cyber-terrorism, was published. Terrorist organizations continued their efforts to improve their offensive capabilities, but they have not yet been fully developed.
4. In the domain between cyber-crime and cyber-terrorism, there was a trend of hacker groups operating under state direction – the main players being Russia, Iran and North Korea. While the attacks by Russia and Iran were aimed at espionage and intelligence gathering, North Korea launched cyber-attacks for economic gain. At the same time, there was an apparent trend of high-level data security risk stemming from the employment of subcontractors in critical projects/areas.
5. Coping with cyber-attacks, both crime-based and terrorism-based, requires global cooperation and out-of-the-box thinking. The countermeasures used are law and order, including regulation and prosecution for oversights/crimes occurring in the area, primarily for economic crime; setting a policy of refusing to negotiate with cyber-criminals; financing R&D projects of technological solutions designed to make it harder for attackers; promoting cooperation between the private sector and the government sector.
Table of Contents
1. Operational Uses
   Propaganda
   Financing: Increasing Use of Digital Currency
2. The Defensive Domain
3. The Offensive Domain
   Attack Groups
   Digital Magazines
4. Cyber-Crime and Cyber-Terrorism
   Attacks Directed by States
   Point of Vulnerability: Subcontractors
5. Coping
   Law, Statute and Regulation
   Non-Surrender Policy
   Inter-Sectoral Cooperation
   R&D Technological Solutions
1. Operational Uses
During the period under review, jihadist organizations continued to use cyberspace for a variety of operational needs, the most prominent among them being propaganda and financing. The content of the propaganda serves a double purpose: to sow fear (psychological warfare) and to serve as a catalyst for the execution of “lone wolf” attacks. The dissemination of propaganda on social networks continued as usual while the financial aspect, in contrast, gained tremendous momentum during this period.
Propaganda
The online propaganda mechanism of terrorist organizations continued to distribute content encouraging the execution of terrorist attacks. IS supporters customarily design banners that encourage attacks in accordance with current events, and during the period under review Christmas was presented as a set date to carry out attacks. The organization’s official and unofficial media institutions produced psychological warfare videos alongside banners about the organization’s media methodology. The following are examples of detected instances:
- During the month of December, IS supporters published a series of banners that contained threats to carry out attacks in crowded locations in the West, such as markets, malls, etc., against the backdrop of Christmas celebrations. Alongside this, threats to harm Jews were also published against the backdrop of Trump's declaration that Jerusalem is the capital of Israel (Telegram).
- The IS produced a video from Al-Hayat media institution containing a series of threats to carry out terrorist attacks on US soil. The messages in the video dealt with the following content: the Muslim Nation lived in the era of the Armageddon; the soldiers of the Caliphate may “sustain blows” here and there but they still remain strong; the terrorist who carried out the attack in Las Vegas converted to Islam and swore allegiance to the IS; Arab rulers are cooperating with the enemies of Islam.[1]
[1] http://www.dailymail.co.uk/news/article-5132459/ISIS-threatens-attacks-new-propaganda-video.html
Threats to carry out terrorist attacks in the West against the backdrop of Christmas celebrations
- The Fursan al-I'lam media group, which is involved in media for the IS, published a banner calling on anyone who wishes to assist in disseminating media for the organization to maintain the methodology that characterizes the organization and not to disseminate information that misrepresents the organization's path (Google Plus).
The banner of Fursan al-I'lam
Financing: Increasing Use of Digital Currency
The use of digital currency for the purpose of financing terrorism increased drastically during the period under review. Below is a series of documented instances of financing campaigns using digital currency that were identified during this period:[2]
[2] For the full report on the use of digital currency by jihadists, see: http://www.ict.org.il/images/Jihadists%20Use%20of%20Virtual%20Currency.pdf
- The Telegram account, “Technical Support for the Electronic Afaq Institution”, a media group associated with the IS that focuses on the publication of materials concerning cyberspace, published a banner with a recommendation to make online purchases using the online currency, Zcash.
A recommendation for Zcash
- The Web site, Akhbar al-Muslimin, which publishes news from the IS, launched an online fundraising campaign in November 2017. The site’s administrators added a link to every media article that it published encouraging donations in the form of bitcoin virtual currency to help fund the site’s operation, provided that the donation does not come from zakat funds. A study that was published by the Intelligence and Terrorism Information Center in the beginning of December revealed that clicking on the link leads to a page designated for donation on the bitcoin trading site, coingate.[3] An independent examination conducted by the ICT Cyber Desk found that the diversion to coingate is no longer active; instead, the link diverts to an internal page on the site that was created on December 7, 2017, and any click on the link produces a different bitcoin address.
[3] http://www.terrorism-info.org.il/app/uploads/2017/12/H_235_17.pdf
Examples of various bitcoin wallets produced with every click on the fundraising link
- In December 2017, the Haqq site, which is affiliated with the IS, published an article about the sale of coins minted by the IS on a Web site.[4] In the summer of 2014, the IS declared the minting of local coins based on their intrinsic worth – gold, silver and copper. The launch of the new coin was published in DABIQ magazine and in a propaganda film titled, “Return of the Gold Dinar” (Al-Hayat). It was explained in these publications that the initiative is intended to keep IS supporters from using the Western banking system, which is based on a coin that is not made of precious metals, but rather is printed on paper notes and whose value is being manipulated by the central banks. The fall of the IS has made the coins redundant for conventional use as local currency in the territory of the Caliphate and they are apparently sold and exchanged as collectors' coins. The ICT Cyber Desk discovered a Web site called, “isis-coins.com” in which these coins are sold. The site is presented as an official site of the Islamic State’s Finance Department containing the coins minted by the IS in accordance with the specifications described in the film titled, “Return of the Gold Dinar”. Sets of seven coins are available for sale on the site: two gold coins, three silver coins, and two copper coins, at a cost of $950 per set and paid for using the virtual bitcoin currency. The site was registered in the Whois Registry on October 19, 2017 through a Russian brokerage firm (Moscow) that prevents the identification of the site’s owners. However, there is evidence of discussion about this site in coin collectors’ forums starting in 2015,[5] and we assume that the site was up and down periodically during this period. The 2015 version of the site, as saved in Web Archive, is missing the page that offers coins for sale. The credibility of the site was examined from various angles: the official symbol of the IS, the symbol of the Islamic State’s Ministry of Finance (Bayt al-Mal), and from the linguistic-philological angle in the Arabic language. Although the findings revealed that these are authentic characteristics, it should be emphasized that it is impossible to confirm or refute the assumption that the IS is the owner of the site (documentation on the next page).
[4] http://www.terrorism-info.org.il/app/uploads/2018/01/H_003_18.pdf
[5] https://en.numista.com/forum/topic37660.html
From left to right: a screenshot from the Web Archive site (May 8, 2015); a screenshot from the isis-coins.com site (January 17, 2018)
- Al-Sadaqah launched a fundraising campaign using digital currency. This is an independent organization that operates to assist the mujahideen in Syria, and supplies them with weapons, financial support and help with additional jihad-related projects.
Al-Sadaqah’s campaign in Syria
2. The Defensive Domain
During the period under review, there was no significant innovation in the defensive domain of terrorists in cyberspace. The trend of distributing content on issues of security and encryption, privacy and anonymity, warnings against phishing and safe use of mobile devices continued; most of the publications consisted of recycled content that was observed and documented over the past year, mainly through the Telegram channels of the “Electronic Afaq Horizons” institution, a media group affiliated with the IS that focuses on the publication of materials concerning cyberspace. The following are several examples of the recycled content (source: Telegram):
- A guidebook on the use of the Kaspersky anti-virus software. The guidebook was provided in the framework of a course titled, “Computer Security Course: Electronic and Anti-Virus Protection”. For example, it stated that the software allows the user to browse anonymously, prevents tracking, enables data encryption, and more.
A guidebook on how to use the Kaspersky anti-virus software
- A guidebook explaining the safe and secure use of Android devices.
A guidebook on safe use on Android devices
- An explanation about ransomware.
An explanation about ransomware
- A guidebook on how to use the Pidgin software, an encrypted chat software on the Windows operating system.
The Pidgin software
3. The Offensive Domain
Terrorist organizations continued their efforts to improve their offensive capabilities, but they have not yet been fully developed. However, it should be taken into account that these organizations may hire the services of hacker groups or acquire offensive capabilities with the assistance of terrorist-supporting countries. The following are hacker groups:
Hacker Groups
- An IS-supporting hacker group named Caliphate Cyber Ghosts published a video and several banners on its Telegram account threatening to launch an electronic attack on December 8 against all coalition countries participating in the war against the IS, especially against the US. The group claimed that its members had managed to penetrate classified Web sites of the US Army, Ministry of Interior, State Department and other offices, and to steal large amounts of classified material. The group added that it intended to publish some of the stolen information and to send the rest to lone terrorists in order to assassinate the individuals mentioned in the list and to intensify the scope of the attacks. In its concluding remarks, the group stressed that the IS would ultimately defeat its enemies. In another message, the same group announced that it had hacked into several US government and civilian Web sites during the second half of the month of December.
A screenshot from the Caliphate Cyber Ghosts’ video
- Iran is strengthening its cyber warfare program. Iran is one of the leading cyber rivals of the US. It developed its program only a few years after Russia and China, and so far, has demonstrated less ability than the latter. Nevertheless, Iran has carried out several cyber-attacks that caused a great deal of damage, and has become a fundamental threat that will develop and grow. Like Russia and China but unlike other countries, Iran openly encourages its hackers to attack its enemies. Thus, the country not only recruits hackers to its ranks but even encourages independent attacks (December 12, 2017).[6]
Digital Magazines
Digital magazines serve as an effective tool for transmitting information in a modern communication channel (not through television/radio). Most of the magazines published by terrorist organizations carry propaganda messages, such as INSPIRE, DABIQ and Rumiyah; several (three) issues of the magazine, Kybernetiq, which is dedicated entirely to cyber-terrorism, were published:
- The third issue of the cyber warfare magazine, Kybernetiq, was published. Kybernetiq is a German-language digital magazine that covers cyber warfare. The magazine is directly associated with global jihad supporters and, contrary to popular perception, it cannot be unequivocally determined that it is associated with the IS. Three issues of the magazine were published at intervals of about one year from each other. The third issue was designed at a high level and it is clear that it appeals to a Western audience - both in light of the choice of the writing language and the use of pop culture as a recurring graphic motif. Each issue opens with a preface that relates to Western media and ends with a Sci-Fi style story. The main chapters deal with analyses of organized cyber-attacks, a discussion of programming languages, attack tools, Pen-Tests, digital forensics, botnets, how to cope with the challenges of computerization by the German intelligence, and recommendations for technological solutions for privacy protection in cyberspace. The magazine can be downloaded from a dedicated site that is accessible via TOR (onion domain suffix).
Issue no. 3 of Kybernetiq
[6] http://www.newsweek.com/irans-cyber-warfare-program-now-major-threat-united-states-745427
4. Cyber-Crime and Cyber-Terrorism
In recent years, cyber-attacks have been used for political purposes. These attacks, which are carried out by hacker groups, are actually directed by countries that benefit from the difficulty in (legally) attributing the attack to the group. Terrorist organizations develop and learn from these attacks and may even hire the services of the hackers. Therefore, it is important to examine and analyze the line that falls between crime and terrorism in cyberspace.
Attacks Directed by States
During the period under review, there was a prominent trend of hacker groups operating under state direction and attacking political targets. The main players were Russia, Iran and North Korea. While the attacks by Russia and Iran were aimed at espionage and intelligence gathering, North Korea launched cyber-attacks for economic gain. The following are state-directed cyber-attacks that were identified during the period under review:
- The Russian hacker group, Fancy Bear, carried out a cyber-attack against journalistic targets and media personnel that regularly published content hostile to the Kremlin. The goal of the attack was spying, and in that framework the group hacked into the Gmail accounts of at least 200 journalists and bloggers on the Internet, starting in mid-2014. Appearing on the list of the group’s targets were American, Russian, Ukrainian and eastern European media personnel. The list of targets is evidence of the conclusion made by the American intelligence community that Fancy Bear acted (favorably) in the service of the Russian government when it intervened in the American presidential elections; the Kremlin denies the accusations (December 22, 2017).[7]
- The company, FireEye, identified an espionage attack against a government organization in the Middle East. The company estimates that the attack was carried out by the Iranian hacker group, APT34, which is involved in a long-range cyber espionage operation that focuses primarily on intelligence gathering efforts in Iran's interests; it has operated since at least 2014. This group carried out extensive attacks against a variety of sectors, including governments and the energy, chemical and communications industries, and has focused its activities on the Middle East. It is estimated that APT34 operates under the direction of the Iranian government based on infrastructure details that include references to Iran, the use of Iranian infrastructure, and the choice of targets that are compatible with the interests of the nation-state. The APT34 group uses a mix of public and non-public tools, and often carries out phishing operations through hacked accounts, sometimes combined with social engineering tactics (December 7, 2017).[8]
[7] https://www.usatoday.com/story/news/world/2017/12/22/election-hackers-pursued-reporters-russia-united-states/975920001/
http://abcnews.go.com/International/wireStory/russian-hackers-targeted-200-journalists-globally-51948081
https://nypost.com/2017/12/22/russian-hackers-targeted-hundreds-of-journalists-around-the-world/
https://www.apnews.com/c3b26c647e794073b7626befa146caad
- The cryptographic currency trading platform, YouBit (formerly Yapizon), filed a request for bankruptcy after it again fell victim to hacking by cyber criminals. The breach wiped out approximately 17% of its assets. In April 2017, the South Korean platform suffered a breach in the framework of which approximately 4,000 bitcoin were stolen. As a result of the breach, an investigation was launched by the country’s intelligence services for fear of North Korean involvement aimed at increasing the state coffers by means of cryptographic currency (December 20, 2017).[9]
- The White House formally accused North Korea of launching the “WannaCry” ransomware attack that took place in May 2017. The ransomware disrupted the activities of hospitals, banks and commercial companies around the world. The US is not the only country to have reached the conclusion that the attack was carried out by North Korea; Britain and Microsoft reached similar conclusions in independent analyses carried out after the attack. The North Korean Foreign Ministry denied the allegations (December 17, 2017).[10]
[8] https://www.infosecurity-magazine.com/news/iranian-blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
https://www.infosecurity-magazine.com/news/iranian-statesponsored-apt-34/
https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/
https://www.reuters.com/article/us-far-eastern-fine/taiwans-far-eastern-international-fined-t8-million-over-swift-hacking-incident-idUSKBN1E60Y3
[9] https://bitcoinist.com/youbit-bankruptcy-hackers-assets/
https://cryptovest.com/news/another-bitcoin-exchange-hacked-youbit-files-bankruptcy-after-losing-users-coins/
https://themerkle.com/youbit-hacked-again-closes-its-doors/
[10] https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537
https://www.reuters.com/article/us-northkorea-missiles-cyber/north-korea-rejects-u-s-accusation-says-it-is-not-linked-to-any-cyber-attacks-idUSKBN1EF0BD
https://www.cbsnews.com/news/north-korea-wannacry-cyberattack-tom-bossert-oped/
http://edition.cnn.com/2017/12/18/politics/white-house-tom-bossert-north-korea-wannacry/index.html
https://www.reuters.com/article/us-usa-cyber-northkorea/u-s-blames-north-korea-for-wannacry-cyber-attack-idUSKBN1ED00Q
Point of Vulnerability: Subcontractors
The NSA has a history of information leaks (and attack tools) carried out by subcontractors, the most famous of which was the case of Edward Snowden. The following is a list of similar incidents that expose the risk posed to information security resulting from the use of subcontractors:
- Le Duc Hoang Hai, 31, a Vietnamese hacker, hacked into the computer system of Perth Airport and stole sensitive data about aviation infrastructure and security in Perth Airport. The incident took place in March 2016 when the hacker obtained entry permits to the systems of a third-party contractor that allowed him access to the aviation systems. Hai stole significant amounts of data concerning the airport, including sketches and details regarding physical security in the airport’s buildings. However, there was no breach of radar or other aircraft takeoff and landing systems, so passengers were not at risk. An investigation of the breach led to Vietnam and the Australian Federal Police activated its colleagues in Vietnam to arrest Hai. He was sentenced to four years in prison. In addition to the breach of Perth Airport, it was discovered that Hai had attacked infrastructure and Web sites in Vietnam, including those of banks, telecommunication and an online military newspaper (December 11, 2017).[11]
- The head of the German intelligence agency, BfV, warned that Chinese cyber spies are using social networks to attack European entities. According to him, it is a large-scale attempt to infiltrate parliaments, government ministries and government agencies. The German intelligence agency reported that over 10,000 Germans were targets for Chinese intelligence agents who posed as consultants, headhunters (in the field of placement) or researchers, especially on the networking site, LinkedIn. It also reported that Chinese hackers are investing in attacks against European companies through trusted suppliers and through "supply chain" attacks designed to circumvent corporate protections. Such attacks are directed against IT workers and other employees who serve as trusted service providers, and enable malicious software to be sent through them to networks of organizations that the attackers want to attack (December 10, 2017).[12]
[11] http://www.ibtimes.co.uk/perth-airport-hack-vietnamese-hacker-steals-significant-amount-security-data-building-plans-1650933
http://www.computerweekly.com/news/450431587/Perth-airport-security-plans-stolen-by-Vietnamese-hacker
http://www.dailymail.co.uk/news/article-5165727/Hacker-Vietnam-stole-security-data-Perth-Airport.html
https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-stolen-in-perth-airport-hacking-ng-b88686393z
[12] http://www.bbc.com/news/world-europe-42304297
5. Coping
Coping with cyber-attacks, both crime-based and terrorism-based, requires global cooperation and out-of-the-box thinking. New tools (attack tools) require new laws. The following are descriptions of countermeasures used by global players to eradicate the phenomenon of cyber-attacks:
Law, Order and Regulation
The law crystallizes out of a need that arises in a particular society to which it provides an answer. Therefore, the law often tends to be formulated late in relation to the date of the incident. The legal battle against cyber-attacks may be based on the introduction of "ordinary" laws on cyberspace and, alternatively, on specific legislation tailored to the details of an attack in cyberspace, which of course requires prior preparation. Below is a list of several cases demonstrating coping methods that were used during the period under review:
- Taiwan’s financial regulator fined the Far Eastern International Bank $266,524 as a result of deficiencies related to the breach of its SWIFT system. In October 2017, Taiwan’s local media reported that hackers had stolen approximately 60 million dollars from the bank and that all of the money, with the exception of $500,000, was returned by the bank. The bank’s own investigation, as well as the investigation by the regulator, revealed that in this incident the information security system was not fully prepared, the account was not adequately managed, and the bank did not reinforce its SWIFT security system. For these reasons and others, the regulator noted that the bank did not secure its internal control system for information security and, as a result, violated a clause in Taiwan’s banking law. The regulator also stated that it would work to improve its regulatory system in connection with information security, including inviting external experts to participate.[13]
- The Federal Court in Central Islip, New York, filed an indictment against Zoobia Shahnaz from Long Island for bank fraud and money laundering for the purpose of supporting terrorism (December 14, 2017). The defendant was suspected of defrauding several financial entities, stealing and laundering over $85,000 of illegal returns using Bitcoin digital currency and other digital currencies between March and July 2017. The funds were transferred out of the country to straw entities in Pakistan, China and Turkey, and were intended to support the IS. The defendant attempted to flee the US to Syria and was arrested by the authorities after questioning in JFK.[14]
[12, continued] https://www.ft.com/content/31c2884e-ddc8-11e7-a8a4-0a1e63a52f9c
http://www.dailymail.co.uk/news/article-5164365/German-intelligence-warns-increased-Chinese-cyberspying.html
https://mobile.nytimes.com/aponline/2017/12/10/world/europe/ap-eu-germany-china-spying.html?partner=IFTTT&referer=https://t.co/S4R4Q7ERId?amp=1
[13] http://focustaiwan.tw/news/aeco/201712120025.aspx
http://ktwb.com/news/articles/2017/dec/12/taiwans-far-eastern-intl-fined-t8-million-over-swift-hacking-incident/?platform=hootsuite
https://www.fireeye.com/
Non-Surrender Policy
One of the most prominent cyberspace threats in recent times is the ransomware attack. This attack is extremely attractive to terrorist elements because of the duality that it offers - both the execution of electronic jihad and a means of financing. Similar to physical ransom (or hostage) scenarios, an online scenario requires the delineation of a clear response policy similar to that used in North Carolina. Below are the details of the case:
- Mecklenburg County, North Carolina, United States, refused to pay hackers a ransom in the amount of $23,000 in exchange for the release of information held in the county’s computer system, which had been hacked. The hackers, who appear to have operated from Iran or Ukraine, froze the site and the other electronic services of Mecklenburg County, and demanded a ransom to restore the situation to its former state. The county decided not to surrender to the hackers’ demands. In view of the decision, the county will now use available backup data to rebuild its system, giving priority to the departments that influence the court, health and social services, and environmental services.[15]
Inter-Sectoral Cooperation
Counterterrorism and cyber threats share a common characteristic - both require broad cooperation. Cooperation can be between countries, between organizations and even cross-sectoral. The following are relevant collaborations that took place during the period under review:
- ESET's security researchers, in cooperation with Microsoft, law enforcement agencies, the FBI,
Interpol, Europol and other information security agencies, took part in a major campaign to
topple a botnet known as Andromeda, which has been infecting victims since 2011. Cooperation
between the entities began on November 29, 2017, and as a result of the joint effort law
14 https://www.justice.gov/usao-edny/pr/long-island-woman-indicted-bank-fraud-and-money-laundering-support-terrorists
15 http://www.hickoryrecord.com/news/state/north-carolina-county-won-t-pay-hacker-ransom/article_5efc9665-28cb-5c60-b564-9f10a8f039b9.html
http://www.wbtv.com/story/37007041/county-computer-hackers-demanding-substantially-more-than-first-reported
http://abcnews.go.com/US/wireStory/latest-carolina-sheriff-affected-county-hacking-51617202
enforcement agencies around the world were able to carry out an arrest and block the activities
of a family of malware responsible for infecting 1.1 million systems a day and which distributed,
among other things, the known ransomware, Petya and Cerber. Microsoft and ESET investigators
shared technical analyses, statistical information and the domain addresses and Command and
Control servers in order to help disrupt the malicious activity of the group. Over the last year-and-
a-half, ESET also shared information about Andromeda that was obtained from the constant
monitoring of malware and botnet networks. In addition, law enforcement authorities in Belarus
arrested a suspect in the creation of Andromeda's malicious code, which would not have been
possible without the information provided to them. During the first 48 hours following the seizure
of the command and control servers by the authorities, it was discovered that the network was
spread out over 223 countries, with more than 2 million infected computers attempting
to connect to it.16
- Eugene Kaspersky, the founder of the security company bearing his name (Kaspersky Lab), made
it clear that he would leave Russia if its intelligence services ever asked his company to spy
for it. According to Kaspersky, if the Russian government were to ask him or his
employees to do something improper, he would take his business out of Russia, since his company
has never helped spy agencies, Russian or of any other country. Kaspersky mentioned that the
company's products were designed to stop attacks and identify malicious code, not to spy on the
company's customers. The statements of the Russian information security giant came on the
heels of the findings of an investigation that it presented in November 2017, which contradicts
claims of the company's involvement in Russian espionage in the United States.17
R&D Technological Solutions
- DARPA (the Defense Advanced Research Projects Agency of the US Department of Defense)
awarded a grant in the amount of $3.6M to a team from the University of Michigan to fund the
technological development of an un-hackable computer. The name of the project is Morpheus
and the software is intended to present a new way to design hardware so that information passes
16 https://www.reuters.com/article/us-cybercrime-botnet-belarus/belarus-arrests-suspected-ringleader-of-global-cyber-crime-network-idUSKBN1DZ1VY
https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/
17 https://www.theguardian.com/technology/2017/nov/30/eugene-kaspersky-russian-spies-us-government-
http://www.zdnet.com/article/eugene-kaspersky-we-would-quit-moscow-if-russia-asked-us-to-spy/
quickly and randomly, and is then destroyed. The goal of the technology is to make it harder for
attackers to get the critical information they need to build a successful attack, and to protect
hardware and software.18
18 https://www.digitaltrends.com/computing/darpa-u-michigan-morpheus-unhackable-computer/
https://www.extremetech.com/extreme/261052-darpa-university-michigan-team-build-unhackable-chip
https://news.engin.umich.edu/2017/12/unhackable-computer-under-development-with-3-6m-darpa-grant/
ABOUT ICT CYBER-DESK
The Cyber Desk Review is a periodic report and analysis that addresses two main subjects:
cyber-terrorism (offensive, defensive, and the media, and the main topics of jihadist discourse)
and cyber-crime, whenever and wherever it is linked to jihad (funding, methods of attack). The
Cyber Desk Review addresses the growing significance that cyberspace plays as a battlefield in
current and future conflicts, as shown in the recent increase in cyber-attacks on political
targets, crucial infrastructure, and the Web sites of commercial corporations.
ABOUT THE ICT
Founded in 1996, the International Institute for Counter-Terrorism (ICT) is one of the
leading academic institutes for counter-terrorism in the world, facilitating international
cooperation in the global struggle against terrorism. ICT is an independent think tank
providing expertise in terrorism, counter-terrorism, homeland security, threat
vulnerability and risk assessment, intelligence analysis and national security and defense
policy. ICT is a non-profit organization located at the Interdisciplinary Center (IDC),
Herzliya, Israel which relies exclusively on private donations and revenue from events,
projects and programs.
CYBER-DESK TEAM
Dr. Eitan Azani, Deputy Executive Director, ICT
Dr. Michael Barak, Team Research Manager, ICT
Adv. Uri Ben Yaakov, Senior Researcher, ICT
Nadine Liv, Researcher, ICT
CYBER-DESK CONTRIBUTORS
Adv. Deborah Housen-Couriel, Cybersecurity and international law expert
Dr. Tal Pavel, Expert on the Internet in the Middle East
Oren Elimelech, Cyber Security Expert, Researcher & Consultant
Mr. Shuki Peleg, Head of Information Security and Cyber at MATAF, Israel
Dr. Harel Menashri, Research Fellow, ICT, & Cyber, Information Security & Technological
Intelligence Expert, Israel
Nir Tordjman, Research fellow, ICT
The research was facilitated by a special technology for the collection
and analysis of information gathered from the DarkNet, developed by
Athena from Mer Group in cooperation with SixGill.