Cybersecurity Exam 1
SQL Injection Attack
a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access.
Man-in-the-Middle (MITM) Attack
occurs when an attacker intercepts communications between two parties either to secretly eavesdrop or modify traffic traveling between the two. Attackers might use MITM attacks to steal login credentials or personal information, spy on the victim, or sabotage communications or corrupt data.
5. Cyber Mercenaries
➢ An example of a potential cyber mercenary group is Ice Fog, which allegedly has members in China, Japan, and South Korea. The group appears to have emerged in 2011 and has mainly attacked targets in South Korea and Japan, including military, mass media, and telecommunications.
2. Foreign Government-Linked Groups (state-supported hacking groups)
➢ The Chinese government is believed to support several Chinese hacking groups such as Emissary Panda (APT27), KeyBoy, and Tonto Team. ➢ The Iranian government is believed to support several Iranian hacking groups such as Cutting Sword of Justice and Newscaster (APT35). ➢ The Vietnamese government is believed to support a Vietnamese-based hacking group, OceanLotus (APT32). ➢ The Russian government is believed to support several Russian hacking groups such as Palmetto Fusion and Sandworm (Voodoo Bear).
Non-State Actors: Terrorist Groups
global terrorist groups may be motivated to engage in cyber-attacks in order to further their ideological or political goals, including recruiting members and spreading propaganda, or to influence public opinion in the target state.
State Actors: Intelligence Agencies
government intelligence agencies of countries with cyber capabilities are motivated to engage in cyber-attacks (cyber espionage and cyber sabotage) in order to gather sensitive or classified information from another country or to cause damage to facilities, equipment, or computer systems in another country.
State Actors: Military Forces
government military forces with cyber capabilities may be motivated to engage in cyber-attacks as part of a conventional military operation against the military forces of another country or in order to degrade or disrupt the ability of the opposing military forces to communicate with each other or effectively conduct their operations.
State Actors: Strategic Rivalries
major international powers may be motivated to engage in cyber- attacks against other major international powers (cyber espionage and cyber interference) in order to gain an economic, military, and/or political advantage. Cyber- attacks are a less risky alternative to traditional instruments of power.
Cyber Espionage
refers to cyber-attacks that are intended to illegally obtain private, confidential, sensitive or classified information from a target. there are two types: industrial or commercial and national security
Cyber (Political) Interference
refers to cyber-attacks that are intended to interfere with the political processes within a target, including campaign webpages, voter registration data bases, voting systems, and elections.
What are the main sources of cyber-attacks?
1. Foreign Military and Intelligence Agencies (state actors) 2. Foreign Government-Linked Groups (state-supported hacking groups) 3. Cyber Activists (hacktivists) 4. Cyber Criminals (organized criminal groups) 5. Cyber Mercenaries 6. Corporations (corporate competitors) 7. Amateur Hackers (opportunists) 8. Company, Organization, or Agency Insiders (internal actors)
What are the main targets of cyber-attacks?
1. Government agencies 2. Critical Industries 3. Corporations and Small Businesses 4. Transnational and Non-Governmental Organizations 5. Colleges and Universities 6. Individuals
Non-State Actors: Insider Actors
A disgruntled former employee may be motivated to engage in cyber- attacks in order to get revenge against a former employer or company.
Non-State Actors: Criminal Groups
Criminal groups are motivated to engage in cyber-attacks in order to enrich themselves (greed). Cybercriminals often steal financial and other personal information and sell the information on the dark web. Cybercriminal operated on anonymous (Tor) and peer-to-peer networks (OpenBazaar).
Categories of Cyber Security Threats
Cyber Warfare Cyber Terrorism Cyber Sabotage Cyber Espionage Cyber Crime Cyber Disruption Cyber Propoganda Cyber Activism Cyber Interference
Message Manipulation
Disruption of an organization's social media presence through the hijacking of a user's account passwords.
External Service Disruption
Disruption of external operations through a distributed denial- of-service (DDoS) attack.
Equipment Attack
Disruption of internal operations by physically destroying or disabling equipment control capabilities; and/or assess to electric power or other critical infrastructure.
Internal Communication Disruption
Disruption of internal operations through a denial of service.
Data Attack
Disruption of internal operations through internal multi-point deletion or encryption of user data;
Non-State Actors: Cyber Activists (Hacktivists)
Hacktivists are motivated by causes - political, economic, social, or ideological - and may engage in cyber attacks to promote their causes, including stealing and disseminating sensitive or classified information and conducting a DDoS attack against a target company or website.
Characteristics of Cyber (Political) Interference
Sources - the sources of the cyber-attacks are mainly state actors and state-supported actors. Targets - the targets of the cyber-attacks are mainly government agencies (state and local election offices), as well as political parties and campaigns. Motivation - the cyber-attacks are primarily motivated by ideological and political considerations. Severity/Intensity - the cyber-attacks may impact voter registration systems, voting systems, and election outcomes. Techniques - the cyber-attacks mainly involve spearphishing and hacking into the computer systems of government agencies (state and local election offices), as well as the computer systems of political parties and campaigns. f. Coordination - the cyber-attacks may be coordinated with other types of cyber-attacks launched by the same source, including cyber propaganda (cyber disinformation) and cyber disruption. g. Duration - the cyber-attacks may be conducted over several weeks or months before being detected. h. Legality - the cyber-attacks may be unlawful under national criminal laws and may violate certain international principles and norms such as sovereignty, non-intervention (non- interference), and self-determination. i. Attribution - the cyber-attacks may be difficult to attribute to a state or state-supported actor.
Characteristics of Cyber Crime
Sources - the sources of the cyber-attacks are non-state actors (cyber criminal groups) and, in some cases, state-supported actors. For example, some state- supported cyber criminal groups in North Korea have been linked to cyber-attacks against banks in Chile (2019), India (2018), and Bangladesh (2016). Targets - the main targets of the cyber-attacks are corporations, colleges & universities, organizations, and individuals. Motivation - the cyber-attacks are primarily motivated by money. Severity/Intensity - the cyber-attacks cause significant economic losses for the targets. Techniques - the cyber-attacks may involve hacking, phishing & spear phishing emails, identity theft, spyware, and ransomware. Examples of ransomware include SamSam, Petya, WannaCry, Ryuk, and CryptoLocker. f. Coordination - the cyber-attacks may be part of a coordinated effort on the part of the source actor. For example, the Texas Department of Information Resources reported that 23 towns in the state had been struck by a "coordinated" ransomware attack in August 2019. g. Duration - the cyber-attacks may be conducted over several weeks or months before being detected. h. Legality - the cyber-attacks are typically unlawful under existing national criminal laws. i. Attribution - the cyber-attacks may be difficult to attribute to a specific non-state actor or state-supported actor.
Characteristics of Cyber Espionage (Cyber Spying)
Sources - the sources of the cyber-attacks are state actors (government intelligence agencies) and state-supported actors, including several AdvancedPersistent Threats (APTs) such as China's APT10 "Stone Panda" and Russia's APT28 "Fancy Bear". Targets - the main targets of the cyber-attacks are the computer networks and information systems of government agencies and corporations. Motivation - the cyber-attacks are generally motivated by political and economic factors. Severity/Intensity - the cyber-attacks are intended to acquire personal information, sensitive or classified data, trade secrets, or intellectual property. Techniques - the cyber-attacks involve hacking, phishing & spear phishing emails, and malware (Trojan horses and spyware). f. Coordination - the cyber-attacks are generally coordinated by government intelligence agencies in the source state. g. Duration - the cyber-attacks may be conducted over long periods of time. h. Legality - the cyber-attacks are generally not violations of existing international laws or norms, but the attacks generally are violations of national criminal laws. However, cyber espionage carried out by an intelligence agent of a source state on the territory of the target state is a violation of the principle of state sovereignty. Cyber espionage may also be unlawful under international law if it violates an existing international agreement such as the Vienna Convention on Diplomatic Relations (1961/1964). i. Attribution - the cyber-attacks are difficult to attribute to a specific state actor or state-supported actor.
Characteristics of Cyber Warfare
Sources - the sources of the cyber-attacks are state actors or state-supported actors. Targets - the main targets of the cyber-attacks are the computer networks and information systems of state actors, including government agencies (military and intelligence) and critical national infrastructures (transportation, energy, telecommunications, financial, agriculture, etc.). Motivation - the cyber-attacks are politically-motivated. Severity/Intensity - the cyber-attacks are intended to cause significant damage or destruction to government (military and intelligence) targets and/or critical national infrastructures and may have the potential to cause the loss of life or injuries to individuals. Techniques - the cyber-attacks may involve a variety of sophisticated cyber weapons, including viruses, malware, and distributed denial of service (DDoS) attacks. f. Coordination - the cyber-attacks are coordinated by military or intelligence agentsof the source state; the cyber-attacks may be conducted prior to or at the same time as conventional uses of military force by a state actor against another state actor. g. Duration - the cyber-attacks are conducted over a period of several days or longer. h. Legality - the cyber-attacks are not regulated or restricted by a body of international cyber laws; however, some norms or principles of the existing international laws of war (e.g. principle of self-defense) may be applicable. i. Attribution - the cyber-attacks may be difficult to attribute to a specific state actor or state-supported actor, especially when the attacks are carried out by an Advanced Persistent Threat (APT). As a result of the attribution problem, deterrence is more difficult in cyber warfare compared to conventional warfare.
Characteristics of Cyber Disruption
Sources - the sources of the cyber-attacks may be state actors, state-supported actors, or non-state actors. Targets - the main targets of the cyber-attacks are the computer networks and information systems of critical national infrastructures, government agencies, and corporations. Motivation - the cyber-attacks may be motivated by a variety of concerns, including political, economic, ideological, and social. Severity/Intensity - the cyber-attacks are intended to temporarily disrupt or interfere with the use of public or private computer networks and services in a targeted state. There is the potential for financial losses or indirect harm to individuals from such cyber-attacks. Techniques - the cyber-attacks may involve hacking, malware, and distributed denial of service (DDoS) attacks. f. Coordination - the cyber-attacks may be coordinated with other cyber-attacks launched by the same source actor against the same target. g. Duration - the cyber-attacks may be isolated attacks or may occur over a period of several months. h. Legality - the cyber-attacks may be unlawful under national criminal laws. The principle of due diligence under international law requires state actors (governments) to ensure that their own territory and other entities (non-state actors) over which they have control are not used in a way that significantly harms other state actors. i. Attribution - the cyber-attacks may be difficult to attribute to a specific state actor, state- supported actor, or non-state actor.
1. Foreign Military and Intelligence Agencies (state actors)
The Chinese government, including the People's Liberation Army (PLA) and the Chinese Ministry of State Security, sponsors several Chinese hacking groups such as Comment Crew (Advanced Persistent Threat-APT 1), Elderwood Group, Stone Panda (APT10), Naikon (APT30), Shell_Crew (Deep Panda), and TempTick. ➢ The Russian government, including the Foreign Intelligence Service (SVR), Main Intelligence Directorate (GRU), and Federal Security Service (FSB), has sponsored several Russian hacking groups such as Cozy Bear (APT29), Energetic Bear, Fancy Bear (APT28), and Turla (Venomous Bear). ➢ The North Korean government sponsors several North Korean hacking groups such as the Lazarus Group and Reaper (APT37). ➢ The Iranian government, including the Iranian Revolutionary Guard and the Nasr Institute, sponsors several Iranian hacking groups such as Iranian Cyber Army (ICA), Elfin (APT33), Chafer (APT39), Rocket Kittens, and Tarh Andishan. ➢ The Syrian government sponsors the Syrian Electronic Army (SEA) which has targeted opposition groups, foreign leaders, technology companies, and news organizations.
Cyber Attack
a deliberate and direct aggressive action intended to harm critical infrastructure or to compromise the confidentiality, integrity or availability of data, resources, or processes through the use of electronic means.
Ransomware
a type of malicious software (malware), such as CryptoLocker and Reveton, that gets installed on a computer without the knowledge of the user and blocks access to the infected computer (sometimes through the encryption of files on the computer) until a ransom (often paid in the digital currency, bitcoins) is paid to the cyber criminal.
Categories of Cyber (Political) Interference
a. Destruction or disruption of voting equipment. b. Interfering with the counting of votes (vote manipulation). c. Stealing sensitive or personal information (documents and email messages). d. Information warfare (doxing, propaganda, and disinformation or "fake news").
Characteristics of Cyber Terrorism
a. Sources - the sources of the cyber-attacks are non-state actors, including transnational actors and sub-state actors. b. Targets - the direct and indirect targets of the cyber-attacks are the general public (civilians or non-combatants) and government officials. c. Motivation - the cyber-attacks are ideologically or politically motivated. d. Severity/Intensity - the cyber-attacks are sufficiently violent and destructive to cause widespread fear in the civilian population of the target state. e. Techniques - the cyber-attacks involve a wide range of cyber techniques, including hacking, viruses, and malware f. Coordination - the cyber-attacks are coordinated by cyber terrorists using the Internet ("dark web") for communicating, fundraising, planning, and recruiting. g. Duration - the cyber-attacks are limited in duration, although planning may take place over several months. h. Legality - the cyber-attacks are generally unlawful under existing national criminal laws. i. Attribution - the cyber-attacks are attributable to the non-state actor that claims responsibility for the attacks.
Characteristics of Cyber Activism
a. Sources - the sources of the cyber-attacks are non-state actors. b. Targets - the main targets of the cyber-attacks are corporations, non-governmental organizations (religious organizations), and government agencies. c. Motivation - the cyber-attacks are primarily motivated by social and political considerations. d. Severity/Intensity - the cyber-attacks are generally limited in their severity and intensity. e. Techniques - the cyber-attacks may involve website defacement and distributed denial-of-service (DDoS) attacks. f. Coordination - the cyber-attacks are generally not coordinated with any other cyber- attacks by the source actor. g. Duration - the cyber-attacks generally last less than 24 hours. h. Legality - the cyber-attacks may be illegal under national criminal laws. i. Attribution - the cyber-attacks are generally attributable to a particular cyber activist group, but it is difficult to attribute the cyber-attacks to specific individuals.
Characteristics of Cyber Propaganda
a. Sources - the sources of the cyber-attacks are state actors, state-supported actors, and non-state actors. b. Targets - the main targets of the cyber-attacks are individuals (public opinion). c. Motivation - the cyber-attacks are primarily motivated by ideological and political considerations. d. Severity/Intensity - the cyber-attacks may influence public opinion, election outcomes, and government policies. e. Techniques - the cyber-attacks may involve creating and disseminating disinformation f. Coordination - the cyber-attacks may be coordinated with other cyber-attacks (cyber interference or cyber disruption) and military operations by the source of the cyber-attacks. g. Duration - the cyber-attacks may be conducted over several weeks or months before being detected. h. Legality - the cyber-attacks may be illegal under national criminal laws. While there is no specific provision of international law prohibiting cyber propaganda, international custom generally prohibits the spread of "propaganda hostile to the governments of friendly foreign countries". i. Attribution - the cyber-attacks may be difficult to attribute to a specific state, state- supported, or non-state actor.
What are the potential consequences of cyber-attacks? 2. Corporations
a. Theft of intellectual property or sensitive business information. b. Theft of customers' financial or personal informationc. Loss of consumer trust (reputational damage).d. Expenditures of money for enhanced cybersecurity.
Cyber Threats
are individuals or groups that "attempt unauthorized access to a control system devices and/or networks using a data communications pathway. This access can be directed from within an organization by trusted users or from remote locations by unknown persons using the internet. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and malicious intruders.
Denial-of-Service (DoS) Attack
refers to a cyber-attack in which there is a concerted assault on a targeted computer system or a website that disrupts service and makes the computer system or website unusable. A Distributed Denial-of-Service (DDoS) attack involves many computers firing off thousands or even millions of requests for information from a website, which can crash from the suddenoverwhelming traffic. DDoS attacks are often carried out using Botnets ("zombies"), which are computers located in multiple geographic locations that are infected with malware to carry out a DDoS attack against a targeted system.
Website Defacement
refers to a cyber-attack on a website that changes the visual appearance of the website. These are typically the work of system crackers, who break into a web server and replace the hosted webpage with one of their own. The most common method of defacement is using SQL Injections to log onto administrator accounts. Defacements usually consist of an entire page. This page usually includes the defacer's pseudonym or "Hacking Codename." Sometimes, the website defacer makes fun of the system administrator for failing to maintain server security. Most times, the defacement is harmless, however, it can sometimes be used as a distraction to cover up more sinister actions such as uploading malware or deleting essential files from the server.
Malicious Code (Logic Bomb)
refers to a program timed to cause harm at a certain point in time but is inactive up until that point. A set trigger, such as a preprogrammed date and time, activates a logic bomb. Once activated, a logic bomb implements a malicious code that causes harm to a computer. A logic bomb's application programming points may also include other variables such that the bomb is launched after a specific number of database entries. A logic bomb may be implemented bysomeone trying to sabotage a database when they are certain they won't be present to experience the effects. Logic bombs can cause many types of damage, including data corruption, file deletion, and hard drive clearing.
Malicious Software (Malware)
refers to any software downloaded onto a computer that results in the disruption of computer operations, destruction of data, gathering of sensitive information, gaining access to computer systems, or displaying unwanted advertising. The most common types of malware include Trojans, viruses (macro and stealth), worms, Adware, Spyware, and Ransomware.
Cyber Crime
refers to cyber-attacks in which a computer is the object of the crime or is used as a tool to commit an offense such as child pornography, hate crimes, and identity theft. Cyber criminals may use computer technology to access personal information or business trade secrets (cyber theft) or may use the internet for malicious purposes (cyberbullying or cyber harassment). Criminals can also use computers for communication and document or data storage
Cyber Disruption
refers to cyber-attacks that are designed to disrupt the use of public and private computer networks, services, and data by a target.
Cyber Sabatoge
refers to cyber-attacks that are intended to damage or shut down key infrastructures, facilities, equipment, or computer networks in a target
Cyber Activism (Hacktivism)
refers to cyber-attacks that are intended to manipulate digital information to promote a political ideology and the process of using Internet-based socializing and communication techniques to create, operate, and manage activism of any type. A "hacktivist" is a type of cyber activist who, among other things, hacks into a webpage or computer system in order to communicate a politically or socially motivated message, or in order to draw attention to a political or social cause.
Cyber Propaganda (Cyber Disinformation)
refers to cyber-attacks that are intended to manipulate or influence public opinion in a target, including spreading false or misleading information on social media, placing deceptive advertisements on social media, and spreading "fake news" on social media
Cyber Terrorism
refers to pre-meditated cyber attacks that are politically or ideologically motivated and intended to directly or indirectly cause harm to civilians or destruction in a target. may also involve intimidation or coercion of individuals or the government of a targeted state for political or ideological purposes
Cybersecurity
refers to the process of protecting information and information systems by preventing, detecting, and responding to the unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality
Spamming
refers to the use of electronic messaging systems, including email and text messaging, to send unwanted or unsolicited messages to large numbers of individuals at the same time. Email spamming is the most common type of spamming.
Hacking
refers to unauthorized intrusion into a computer or a network. The person engaged in hacking activities is known as a hacker. A hacker may alter system or security features to accomplish a goal that differs from the original purpose of the system. Hacking also refers to activities that seek to compromise digital devices, such as computers, smartphones, tablets, and even entire networks.
Identity Theft
refers to various crimes in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. Identity theft can result in fraudulent applications for loans and credit cards, fraudulent withdrawals from bank accounts, fraudulent filings of federal and/or state income tax returns, and fraudulent use of telephone calling cards or online accounts.
Case Study: Advanced Persistent Threat-28 (APT28)
➢ Advanced Persistent Threat-28 (APT28), which was established around 2007, is a Russian hacking group known for their cyber espionage attacks against a variety of targets mainly in the U.S. and Europe, including the German Bundestag, German Council on Foreign Relations, French television network TV5Monde, Georgian Ministry of Internal Affairs, Georgian Ministry of Defense, White House, NATO, World Anti-Doping Agency (WADA), Democratic National Committee (DNC), International Association of Athletics Federation (IAAF), International Olympic Committee (IOC), Ukraine Election Commission, and the Netherlands' General Intelligence and Security Service. ➢ APT28 is also known by a variety of other names, including Fancy Bear, Pawn Storm, Sofacy Group, Tsar Team, and STRONTIUM. APT28 is believed to be sponsored by the Russian military intelligence agency (GRU). APT28 has used zero-day exploits, spear phishing emails, and malware to attack its targets. ➢ On October 4, 2018, the U.S. Department of Justice indicted seven GRU officers, who were part of the "Fancy Bear" hacking team, for computer hacking, wire fraud, aggravated identity theft, and money laundering.
7. Amateur Hackers (opportunists)
➢ An example of a major cyber-attack attributed to amateur hackers (also known as "script kiddies") were three distributed denial-of-service (DDoS) attacks launched against the computer networks of domain name system (DNS) provider, Dyn Inc., on October 21,2016. Dyn Inc. is a New Hampshire-based company that monitors and routes Internet traffic. The DDoS attacks, which used the Mirai botnet, temporarily impacted the websites of hundreds of corporations in Europe and North America, including PayPal, Twitter, Reddit, GitHub, Tumblr, Amazon, Pinterest, Netflix, Etsy, Spotify, Verizon, Netflix, Comcast, CNN, Fox News, New York Times, Wall Street Journal, PlayStation, and RuneScape. The Mirai botnet consists mostly of "Internet of Things" (IoTs) devices such as digital cameras, printers, and DVR players.
8. Company, Organization, or Agency Insiders (internal actors)
➢ An example of an "insider" cyber-attack was the 2019 Capital One data breach by a former employee of Amazon Web Services, a cloud hosting company used by CapitalOne. The "insider" hacker gained access to data on more than 100 million customer accounts and credit card applications. Paige A. Thompson, a former software engineer for Amazon Web Services, was indicted by a federal grand jury for two counts related to the Capital One data breach, which cost the company up to $150 million.
3. Cyber Activists (hacktivists)
➢ Anonymous is a transnational hacktivist group known for their politically-motivated attacks, including attacks against ISIS, Church of Scientology, New York Stock Exchange, U.S. Department of Defense, MasterCard, Visa, and PayPal. ➢ Hackers associated with Anonymous created the Ghost Squad Hackers in 2014. ➢ Honker Union is a Chinese "patriotic" hacking group known for defacing webpages in the U.S., Vietnam, Philippines, and other countries. ➢ Lizard Squad, which is a transnational hacking group with members in the U.S. and UK, is known for DDoS attacks against Facebook, Microsoft Xbox Live, and Sony's PlayStation Network. ➢ Lulz Security (LulzSec) is a hacktivist group that separated from Anonymous in 2011
Case Study: Anonymous hacktivists
➢ Anonymous, a decentralized group of international cyber activists, was established in 2004. The group supports internet freedom and freedom of speech. ➢ Anonymous cyber activists (hacktivists) use several techniques, including website defacement, distributed denial-of-service (DDoS) attacks, and hacking (including illegally accessing email accounts). ➢ Since 2008, Anonymous hacktivists' targets have included the Church of Scientology, Australian prime minister, Egyptian government, Visa, Mastercard, PayPal, Sony, Malaysian government, Orlando Chamber of Commerce, Westboro Baptist Church, Roman Catholic Diocese of Orlando, Syrian Defense Ministry, Boston Police Department, American Israeli Public Affairs Committee, Vatican City, Central Intelligence Agency, Monsanto, Chinese government, India Supreme Court, Myanmar government, Mexican military, Philippines Commission on Elections, Royal Canadian Mounted Police, United Nations, and Republic of Cyprus.
6. Corporations (corporate competitors)
➢ Corporations may engage in "industrial espionage" (including cyber espionage) to acquire information about a competitor. According to legalmatch.com, industrial espionage refers to "when a person or party gains access to a company's information in way that is illegal, unethical, or constitutes unlawful business practices." Industrial espionage includes the "unlawful observation of company activity, unlawful listening (such as a wiretap), and unlawful access to a company's information, which all constitutes spying on the company." ➢ Industrial espionage is often called economic espionage or corporate espionage, in order to distinguish it from more traditional forms of national security espionage. Crimes such as identity theft, piracy, and computer fraud often involve some form of industrial espionage, wherein one country spies on another country. The federal and state governments govern corporate espionage through various laws such as the Economic Espionage Act of 1996.
2007 Cyber-Attack against Estonia
➢ Estonia regained its independence in 1991 following 51 years of occupation by the Soviet Union and (briefly during the Second World War) Germany. In 2001, Russian President Vladimir Putin warned the North Atlantic Treaty Organization (NATO) not to expand into the former Soviet Union. In March 2004, Estonia, along with six other countries in eastern Europe, officially joined NATO. ➢ On April 26-27, 2007, the Estonian government relocated the Monument to the Liberators of Tallinn ("Bronze Soldier") from downtown Tallinn to a military cemetery outside of the city. The statue was erected in 1947 as a tribute to Soviet soldiers who died fighting Germany during the Second World War. Estonian police fired rubber bullets and a water cannon at hundreds of ethnic Russian protesters and rioters. ➢ On April 27, 2007, distributed denial-of-service (DDoS) cyber-attacks using botnets ("zombie" computers) were launched against Estonian government websites, including the websites of Prime Minister Andrus Ancip and President Toomis Hendrik Ilves. The cyber-attacks, which also targeted the website of other Estonian government agencies, political parties, banks, newspapers, and schools, continued for three weeks. On May 2, 2007, the Russia government halted deliveries of fuel oil, diesel, gasoline, and coal to Estonia to protest the Estonian government's actions. ➢ On May 17, 2007, Estonian Defense Minister Jaak Aaviksoo stated that the Internet Protocol (IP) addresses of the initial cyber-attacks against Estonia were from Russian government offices. The Russian government denied responsibility for the cyber-attacks. Cyber-attacks against Estonia ended on May 18, 2007. In March 2009, a Russian youth group Nashi claimed responsibility for launching cyber-attacks against Estonia in 2007.
Case Study: Russian Cyber Disinformation in Ukraine
➢ Following the collapse of the pro-Russian Ukrainian President Viktor Yanukovych on February 22, 2014, the Russian military intelligence agency (GRU) launched a cyber disinformation campaign against pro-western demonstrators and government officials. ➢ GRU agents created fake social media accounts (Facebook and Vkontakte) to impersonate Ukrainians opposed to the pro-western demonstrators and government officials. The fake "Ukrainians" referred to the pro-western forces as "Nazis" and "fascists". Along these same lines, pro-Russian media sources spread photos of Ukrainian military forces altered with Nazi symbols. ➢ Russians took control of the Crimea parliament building on February 27, 2014. GRU agents used social media to promote Crimean secession from Ukraine. Some 60 percent of the population of Crimea consisted of ethnic-Russians. ➢ On March 2, 2014, Russian troops entered the Crimea region of Ukraine. Pro-Russian online media communicated false narratives about the Russian actions in Crimea, including denying the presence of Russian troops in Crimea. ➢ On March 16, 2014, a majority of Crimeans voted in a referendum to declare their independence and to secede from Ukraine. The Russian parliament formally annexed Crimea on March 21, 2014.
Case Study: Cyber-attack against Ukraine's power grid
➢ Hackers shut down parts of the power grid in western Ukraine on December 23, 2015. The power outages affected 225,000 individuals for between one and six hours. ➢ The cyber-attack began in March 2015 with spear-phishing email messages sent to employees of three power distribution companies. The spear-phishing campaign exploited a zero-day vulnerability to deliver a variant of the BlackEnergy malware, which opened a backdoor to the computer networks of the power distribution companies to the hackers. During the next few months, the hackers collected data, detected vulnerabilities in the systems, and created accounts. ➢ The hackers eventually gained access to the Supervisory Control and Data Acquisition (SCADA) networks which controlled the power grid in the region. The hackers sent commands to disable the uninterruptible power supply (UPS) system and then proceeded to take several power substations offline. The hackers launched a telephone denial of service (TDoS) attack against the customer call centers to prevent customers from reporting the power outages. The hackers also disabled computers in the power companies' operator stations using the malware KillDisk. ➢ U.S. cybersecurity company iSight Partners determined that a Russian hacking group known as the Sandworm Team was responsible for the power outages.
Case Study: The Mittesh Das Case
➢ Mittesh Das, a contractor for the U.S. Army, was arrested in April 2016 for allegedly using his position as a military contractor to sabotage the U.S. Army Reserve's computer system. ➢ In 2014, Mittesh Das placed a "logic bomb" with the computer program responsible for the handling of pay and personnel actions for some 200,000 U.S. Army reservists. The logic bomb affected five servers located at Fort Bragg, North Carolina. The U.S. Army had to spend $2.6 million to remove the malicious code and inspect the entire computer system. ➢ Mittesh Das was sentenced to two years in prison in September 2018 for "transmitting malicious code with intent to cause damage to the U.S. Army computer used in the furtherance of national security."
Case Study: 2012 Aramco Cyber-Attacks
➢ On August 15, 2012, the internal computer network of the Saudi Arabian state-owned oil company Aramco was attacked by a malicious virus, resulting in the loss of documents, spreadsheets, email messages, and files from the hard drives on some 35,000 computers in Aramco offices in Saudi Arabia, Netherlands, and the U.S. The data on the computer network's hard drives was replaced with the image of a burning American flag. ➢ The company responded by shutting down its computer network for more than one week in order to prevent the computer virus, known as Shamoon, from spreading. Aramco, which had to replace the hard drives of its computers, did not experience any disruption in its oil production as a result of the cyber-attack. ➢ A hacking group known as "Cutting Sword of Justice" claimed responsibility for the cyber- attack. Some cybersecurity experts blamed the incident on a company insider who had access to the company's computer network. Another report indicated that a computer technician working for Aramco opening a scam email message a few weeks prior to the attack, allowing hackers to infect the computer network with the Shamoon virus. The Saudi government has never publicly blamed Iran, or any other country, for the cyber- attack.
Case Study: The 2008 Russian-Georgian War
➢ Russian troops launched an invasion of the country of Georgia on August 7, 2008 following an attack by Georgian military forces against separatists in South Ossetia. ➢ Simultaneously, Russian hackers launched cyber-attacks, including distributed denial-of- service (DDoS) attacks, SQL injections, and webpage defacement, against Georgian banks, companies, educational institutions, and other targets. ➢ Russia also waged a disinformation campaign and psychological warfare against Georgia through cyber-attacks against media. ➢ On August 13, 2008, Russia ended its military operations against Georgian military forces and agreed to a six-point diplomatic plan for peace. Russian forces completed their withdrawal from Georgian territory by August 22, 2008.
Case Study: Flame malicious software
➢ Some cybersecurity experts believe that the malicious software (malware), the so-called Flame worm, was developed and launched by the U.S. and Israeli governments around 2010. The purpose of the worm was to infect computer networks running the Microsoft Windows operating system and gather sensitive information about Iran's nuclear programs. ➢ The Flame worm had several functions and capabilities, including stealing passwords, taking screenshots, recording audio conversations, transferring stolen data to command- and-control servers, intercepting keyboard activity, and avoiding anti-malware and other security software. The worm was discovered on computers in the Iranian Oil Ministry and National Oil Company. ➢ The Flame worm was a "Trojan", meaning that it appeared to be harmless software that created "backdoors" to access computers on a network. ➢ By the time it was discovered by cybersecurity experts in May 2012, the Flame worm had infected computers throughout the Middle East, including 189 computers in Iran and 98 computers in Israel/Palestine.
Case Study: The 2009-2010 Cyber-Attacks against Iran
➢ Starting in June 2009, several companies in Iran with connections to the Natanz uranium enrichment facility were targeted by a malicious program known as the Stuxnet worm. One or more employees of the companies used USB flash drives infected with the worm, which was specifically designed to target Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLC). One of the targeted companies Behpajooh, which is an engineering firm located in Esfahan, was responsible for installing and programming industrial and automation systems, including the same types of Siemens systems used at the Natanz facility. ➢ Between November 2009 and January 2010, the Natanz uranium enrichment facility was impacted by the Stuxnet worm. The worm caused the centrifuges to speed up and slow down, resulting in damage to about 1,000 centrifuges. The Stuxnet worm also infected some 100,000 computers around the world, including computers in India and Indonesia. ➢ The source of the Stuxnet worm is believed to have been U.S. and Israeli intelligence agencies seeking to hinder Iran's nuclear weapons program. In June 2012, the New York Times reported that Stuxnet was likely part of a U.S.-Israeli cyber campaign against Iran known as "Operation Olympic Games" beginning in 2006.
Case Study: The Cyber Caliphate
➢ The Islamic State Hacking Division-ISHD was established by Junaid Hussain (Abu Hussain al Britani) and other members of the Islamic State in Iraq and Syria (ISIS) in 2015. The ISHD claimed responsibility for cyber-attacks on the Twitter and YouTube accounts of the U.S. Central Command on January 12, 2015. ➢ The ISHD released several "kill lists" beginning in 2015, including a list of approximately 100 members of the U.S. military in March 2015. ➢ Junaid Hussain was killed in a U.S. drone strike on August 25, 2015. ➢ In early 2016, the ISHD had divided into four groups, including the Cyber Caliphate Army- CCA and the Sons of the Caliphate Army-SCA. The four groups reunited as the United Cyber Caliphate-UCC in April 2016. ➢ On January 7, 2019, the Caliphate Cyber Shield-CCS was announced as an extension of the UCC
4. Cyber Criminals (organized criminal groups)
➢ The Russian Business Network (RBN) is a Russian cyber criminal organization located in St. Petersburg, Russian known for hosting illegal internet businesses (including child pornography and malware), phishing, DDoS attacks, and identity theft. There are some allegations that the Russian government has "hired" RBN to conduct cyber-attacks.
Case Study: Russian Interference in 2016 U.S. Presidential Electio
1. The Internet Research Agency (IRA), a Russian-government supported "troll farm" located in St. Petersburg, created thousands of social media accounts (Facebook and Twitter) that posted "fake news", disseminated propaganda through advertisements on Facebook, and planned political events (rallies) in support of candidate Donald Trump during the 2016 presidential election. 2. Russian government-controlled media, including Russia Today (RT) and Sputnik, also disseminated propaganda during the election. The propaganda was then further spread on Twitter and other social media. 3. Russian hacking groups associated with the Russian military intelligence service (GRU), known as "Fancy Bear" (APT28) and "Cozy Bear" (APT29), illegally accessed and stoled electronic documents and email messages from the computer systems of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign. The stolen documents and email messages were released through DCLeaks, Guccifer 2.0, and WikiLeaks during the presidential election campaign. 4. Russian intelligence operatives and others associated with the Russian government made contacts and met with individuals associated with Donald Trump and his presidential campaign. 5. Russians attempted to hack into or successfully hacked into the election systems and voter registration data bases of several U.S. states during the 2016 elections. According to a 2018 joint report by the U.S. Department of Homeland Security and the Federal Bureau of Investigation (FBI): "Russian cyber actors in the summer of 2016 conducted online research and reconnaissance to identify vulnerable databases, usernames, and passwords in webpages of a broader number of state and local websites than previously identified, bringing the number of states known to be researched by Russian actors to greater than 40. Despite gaps in our data where some states appear to be untouched by Russian activities, we have moderate confidence that Russian actors likely conducted at least reconnaissance against all U.S. states based on the methodical nature of their research. This newly available information corroborates our previous assessment and enhances our understanding of the scale and scope of Russian operations to understand and exploit state and local election networks." 6. On July 13, 2018, the U.S. Department of Justice indicted 12 Russian intelligence officers for their involvement in Russian cyber interference in the 2016 U.S. presidential election.
Characteristics of Cyber Sabotage
Sources - the sources of the cyber-attacks are state actors, state-supported actors, and non-state actors (including insider actors). Targets - the targets of the cyber-attacks are critical national infrastructures, corporations, and government agencies or services. Cyber security experts are particularly concerned about the vulnerabilities in supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS) used by critical national infrastructures (e.g. electric utilities). Motivation - the motivations of the cyber-attacks depend on the specific sources; state and state-supported actors are generally politically-motivated. Severity/Intensity - some of the cyber-attacks may cause some damage or disruption to a critical national infrastructure, a corporation's computers systems, or a government agency's website or online services. Techniques - the cyber-attacks involve a wide range of cyber techniques, including distributed denial-of-service (DDoS) attacks and malware (Triton, Havex, BlackEnergy, and Stuxnet). f. Coordination - the cyber-attacks are not part of a larger cyberwar, but may be coordinated with efforts by government intelligence agencies or other actors to collect sensitive or classified information (cyber espionage). g. Duration - the cyber-attacks are limited in duration, although planning may take place over several months. h. Legality - the cyber-attacks are generally unlawful under existing national criminal laws. i. Attribution - the cyber-attacks may be difficult to attribute to a specific state actor, state- supported actor, or non-state actor
Advanced Persistent Threat (APT)
a cyber-attack in which an unauthorized user gains access to a system or network and remains there for an extended period without being detected. APTs are particularly dangerous for enterprises, as hackers have ongoing access to sensitive company data. APTs generally do not cause damage to company networks or local machines. Instead, the goal of APTs is most often data theft. APTs typically have several phases, including hacking the network, avoiding detection, constructing a plan of attack and mapping company data to determine where the desired data is most accessible, gathering sensitive company data, and exfiltrating that data.
Email Bombing
a cyber-attack on an individual's email account inbox that involves sending massive amounts of email messages. Email bombing can also refer to flooding an email server with too many emails to overwhelm the email server and bring it down. An email bombing is often a distraction used to bury or hide an important email in someone's email account inbox. In 2016, over 100 email addresses in the U.S. government were targeted with an email bombing attack.
Examples of industrial espionage, including cyber espionage, include:
a. Breaking into company files or trespassing onto property without proper authorization. b. Posing as a worker in order to learn company trade secrets or other confidential information. c. Placing a wiretap on a competitor's phone. d. Hacking into computers. e. Sending viruses or malware to a competitor's website
What are the potential consequences of cyber-attacks continued? 3. Individuals
a. Loss of financial or personal information (identity theft). b. Theft of money (monetary loss).
What are the potential consequences of cyber-attacks? 1. Government Agencies
a. Loss of sensitive or classified information. b. Damage to critical infrastructures.c. Disruption of government services. d. Harm to the national economies - Cyber-attacks caused $50 to $100 billion in damage to the U.S. economy and $450 billion in damage to the global economy in 2016.
State-Supported Actors: Domestic Hacking Groups
nationalist (or patriotic) hacking groups may be motivated to engage in cyber-attacks against other countries on behalf of their government for political or ideological reasons. Members of some hacking groups may be motivated by the desire to avoid government prosecution of their illegal hacking activities and/or to collect financial resources from the government.
Phishing
refers to a high-tech scam that uses e-mail to deceive individuals into disclosing personal information to cyber criminals through requests to update or validate information or to click on a specific link. Spear phishing is a type of targeted phishing that is directed towards a specific individual or group of individuals. Spear phishing may involve email spoofing or website cloning.
Contaminated Hardware (Hardware Trojan)
refers to a malicious alteration or inclusion to an integrated circuit (IC) that will either alter its intended function or cause it to perform an additional malicious function. These malicious inclusions or alterations are generally programmed to activate only under a specific set of circumstances created by an attacker and are extremely hard to detect when in their dormant state.
Cyber Warfare
refers to cyber attacks that are intended to cause widespread physical destruction of critical infrastructures, information systems or computer networks in a target. It may be coordinated with conventional military operations
Case Study: SamSam Ransomwar
➢ The SamSam ransomware was first identified in late 2015, but it impacted several hospitals and government agencies through 2018, including the city of Atlanta, the Colorado Department of Transportation, and the Port of San Diego. ➢ Hackers used vulnerabilities in remote desktop protocol (RDP), Java-based web servers, and file transfer protocol (FTP) to gain access to the targeted computers, and then infected the computers with the SamSam ransomware without being detected. Ransom notes were left on the encrypted computers, requesting that the victims establish contact through a Tor website and pay the ransom in Bitcoin. The victims then received links to download cryptographic keys and tools to decrypt the computers. ➢ In November 2018, two Iranian hackers were accused of using the SamSam ransomware in cyber-attacks against more than 200 organizations and companies in the U.S. and Canada, including hospitals and government agencies. There were some $30 million in damages as a result of the SamSam ransomware attacks.