Cyber Operations


Intelligence

"Intelligence" in the context of computer network defense refers to the collection, analysis, and dissemination of information about potential cyber threats and attackers. The goal of intelligence in computer network defense is to gain insight into the motivations, capabilities, and tactics of potential attackers, and to use this information to develop and improve the organization's defense strategies and practices. Intelligence in computer network defense typically involves:

1. Threat intelligence: The collection and analysis of information about potential cyber threats, such as malware variants, exploit kits, and attack campaigns.
2. Attacker intelligence: The collection and analysis of information about the actors behind cyber attacks, such as their motivations, techniques, and methods.
3. Network intelligence: The collection and analysis of information about the organization's own network, including its assets, vulnerabilities, and traffic patterns.
4. Industry intelligence: The collection and analysis of information about trends and developments in the broader cyber security industry, including new technologies, best practices, and regulatory requirements.

Taken together, intelligence aims to provide organizations with a comprehensive understanding of the current cyber security landscape and to help them make informed decisions about their defense strategies and investments. Intelligence is a critical component of an effective defense strategy, and can help organizations proactively identify and mitigate cyber threats before they can cause significant harm.

Offense

"Offense" in the context of computer network defense refers to the proactive and defensive use of cyber capabilities to identify, prevent, and respond to cyber threats. The goal of offensive operations in computer network defense is to protect the organization's networks, systems, and data from unauthorized access and exploitation by attackers. Offensive operations in computer network defense typically involve:

1. Vulnerability assessment and penetration testing: The proactive identification of vulnerabilities in the organization's networks, systems, and applications, and the testing of these vulnerabilities to determine the risk they pose to the organization.
2. Red teaming: The simulation of a cyber-attack against the organization to assess the effectiveness of its defensive capabilities and identify areas for improvement.
3. Incident response: The identification, investigation, and response to security incidents, including the identification and containment of threats, and the restoration of normal operations.
4. Cyber operations: The use of cyber capabilities to disrupt, degrade, or destroy the capabilities of an adversary, including the use of malware, network exploitation, and other tactics.

The goal of offensive operations in computer network defense is to provide organizations with the ability to proactively identify and mitigate cyber threats, and to respond quickly and effectively to security incidents when they occur. Offensive operations are an important component of a comprehensive defense strategy, and can help organizations build resilience against cyber-attacks and maintain the confidentiality, integrity, and availability of their networks, systems, and data.

CNE - Computer Network Exploitation

(Undermining confidentiality) Computer network exploitation: enabling operations and intelligence collection capabilities conducted using computer networks to gather data from target or adversary information systems or networks (operational preparation of the environment [OPE]).

Cuckoo's Egg:

"A Cuckoo's Egg" is a term used to describe a computer security incident in which a hacker gains unauthorized access to a system and uses it to launch attacks on other computers. The term is inspired by the behavior of the cuckoo bird, which lays its eggs in the nests of other birds. Just as the cuckoo chick hatches and takes over the nest, the hacker in a Cuckoo's Egg scenario takes over the compromised system and uses it to carry out their activities, often without the knowledge of the system's owner. The term is often used to emphasize the sneaky and hidden nature of these types of attacks. In this case study, the main cyber-attack being referenced is a hacking incident that took place at the Lawrence Berkeley National Laboratory in 1986. The attacker was able to gain unauthorized access to the laboratory's computer system and use it as a launching point for further attacks on other computers. At the time, computer security was not a well-developed field, and many systems were vulnerable to attack. The hacker in Clifford Stoll's "The Cuckoo's Egg" was able to exploit these vulnerabilities to gain access to the system, and remained undetected for some time as he conducted his activities.

zero-day vulnerability

A software vulnerability that is unknown to the vendor and that can be exploited by attackers before a patch exists.

APT1:

APT1 is a moniker used to refer to a highly advanced and persistent cyber espionage group that was first identified by the cybersecurity firm Mandiant in 2013. The group was responsible for a large number of cyber attacks against a wide range of organizations, primarily in the United States, but also in other countries around the world. PLA Unit 61398 leverages the full capabilities of the CCP government. The group is strongly attributable to China through language mistakes, phone numbers, and server locations, and its targets were tied to China's priorities for that five-year plan. APT1 was notable for its high level of sophistication and its ability to remain undetected in compromised systems for long periods of time. The group was known to use a wide range of techniques, including custom malware, social engineering, and the exploitation of vulnerabilities in widely used software, to gain access to target systems and steal sensitive information. The group was believed to be operating out of China and to be state-sponsored. The vast majority of the targets of APT1's attacks were in the technology, defense, and financial sectors, suggesting that the group was primarily focused on gathering sensitive commercial and military information. The APT1 group was one of the most active and well-known advanced persistent threat (APT) groups at the time of its discovery, and its activities raised concerns about the scale and scope of state-sponsored cyber espionage. The identification and analysis of APT1 by Mandiant was seen as an important milestone in the fight against cybercrime and a wake-up call for organizations about the need to have robust cybersecurity measures in place to protect themselves against APT attacks.

Active Defense:

Active defense is a strategy in computer network defense that involves proactively identifying and engaging cyber threats in order to prevent or mitigate their effects. Active defense strategies are designed to disrupt the operations of an attacker, to gather information about their activities, and to provide early warning of a potential attack. Some common examples of active defense strategies include:

1. Honeypots and decoys: Creating fake systems or data that can be used to lure attackers away from real systems and to gather information about their tactics and tools.
2. Intrusion detection and prevention systems: Monitoring network traffic for signs of attack and blocking malicious traffic in real time.
3. Penetration testing: Regularly testing the security of systems and networks by simulating an attack to identify vulnerabilities and assess the effectiveness of existing security measures.
4. Incident response planning: Developing and practicing a plan for responding to successful cyber-attacks to minimize the impact of the attack and to restore normal operations as quickly as possible.
5. Offensive cyber operations: Taking proactive measures to disrupt the operations of an attacker, such as disrupting their command and control infrastructure or exfiltrating data from their systems.

Active defense strategies can be more resource-intensive and more complex to implement than passive defense strategies. However, they can be more effective in preventing or mitigating the effects of cyber-attacks, especially against advanced persistent threats (APTs) and other sophisticated attackers. Organizations must weigh the risks and benefits of each type of defense strategy and determine the right mix of passive and active defense strategies to implement, based on their specific needs and circumstances.

Basic States of Data

At rest, in transition, in use

CIA Triad

Confidentiality - gaining access to data that was supposed to be private
Integrity - manipulating data or systems
Availability - denying access to data

Dilemma of Interpretation

If a state discovers another state's capability-building intrusions, it faces a dilemma of interpretation. The intruding state may be planning an imminent attack, but it might also simply be building out contingency options, as almost all sophisticated states do in some form, and not harboring malicious intent. The state suffering the intrusion will have to decide which of these possibilities is correct, despite having only imperfect information, and respond.

DCS

Distributed Computer System

Flame

Flame is a highly sophisticated computer malware that was discovered in 2012. It is considered one of the most complex and advanced pieces of malware ever discovered, and is believed to have been developed for state-sponsored cyber espionage purposes. Flame was discovered in Iran, and was found to be targeting computers in that country as well as in other Middle Eastern nations. The malware was designed to collect sensitive information from infected systems, including files, audio and video recordings, keystrokes, and screenshots. It was also capable of propagating itself to other systems on the same network, making it a highly effective tool for cyber espionage. The origin of Flame remains unclear, although some experts believe that it was developed by a nation-state with close ties to Israel, and was part of a larger cyber-espionage operation aimed at monitoring Iran's nuclear program. Flame was notable for its sophisticated design and advanced capabilities, and it drew widespread attention to the growing threat posed by state-sponsored cyber-attacks. The incident was one of the first high-profile examples of the use of advanced malware for cyber espionage purposes, and it highlighted the need for better cyber-security measures to protect against similar attacks in the future.

HMI

Human Machine Interface

Types of IT

IT (Information Technology) - IT security is based on the CIA Triad. IT devices manage data. Confidentiality, Integrity, Availability.

Architecture

In the context of computer network defense, "architecture" refers to the design and structure of a network and its associated systems, including hardware, software, and communication protocols. A network architecture specifies the components of a network, their interconnections, and the relationships between them. In terms of security, the architecture of a network plays a crucial role in determining its overall security posture. A well-designed network architecture should take into account the potential security threats and risks and implement appropriate measures to prevent, detect, and respond to these threats. This may include implementing firewalls, intrusion detection systems, access controls, encryption, and other security technologies. The architecture of a network also determines its scalability, reliability, and performance. As such, network architects must strike a balance between security and functionality to ensure that the network meets the business needs of the organization while also providing adequate protection against cyber-attacks.

ICS

Industrial Control Systems

Wiper

Insanely hard to research because the evidence is destroyed. Analysts discovered Flame as they were investigating Wiper, which led researchers to conclude Wiper was designed to cover up Flame. Wiper is a piece of malware that was discovered in 2012 and is believed to have been used in a series of destructive cyber attacks. The malware was initially identified in Iran, where it was used to wipe out data from computers at several key organizations, including the country's oil ministry and the Iranian National Oil Company. Wiper was designed to overwrite and permanently destroy data on the infected systems, making it difficult or impossible to recover the lost information. The malware was highly sophisticated and used advanced techniques to evade detection and spread to other systems within the affected networks. It is widely believed that Wiper was created and used by a state-sponsored group, although the identity of the attackers and their motivations remain unknown. The malware was highly effective in its mission, causing significant data loss and disruption to the affected organizations. Wiper serves as a reminder of the potential for malware to cause significant physical damage, beyond the more traditional consequences of data theft and unauthorized access. It has raised concerns about the vulnerability of critical infrastructure to cyber-attacks and the potential for similar attacks to cause widespread disruption and damage.

Moonlight Maze:

Moonlight Maze was a series of cyber-attacks that took place in the late 1990s and targeted several US government agencies, research institutions, and corporations. The attacks were notable for their sophistication and the extent of the information that was stolen, and they were among the first high-profile incidents of state-sponsored cyber-espionage. The FBI launched the investigation when the DoD identified hackers in the network in 1998 (DoD, DoE, NASA). Persistent presence: the FBI traced Russian presence all the way back to 1996. The attacks were carried out by a group of hackers who were believed to be operating from Russia, and they were able to steal vast amounts of sensitive information, including research data, military secrets, and government plans. The attackers used a combination of hacking techniques, including exploiting vulnerabilities in computer systems and using social engineering tactics to gain access to sensitive information. The Moonlight Maze attacks had a significant impact on the US government and its agencies, leading to increased concern about the threat posed by state-sponsored hacking groups. The incident was one of the first to draw attention to the increasing sophistication and threat posed by cyber-attacks, and it led to increased focus on the need for better cyber-security measures to protect against similar attacks in the future. The exact identity of the attackers and their motivations remain unclear, and it is not known whether they were state-sponsored or working for a criminal organization. Nevertheless, the Moonlight Maze attacks remain one of the most high-profile cyber-espionage incidents in recent history and are widely studied by experts in the field.

NSO Group

NSO Group is a controversial cybersecurity company that was founded in 2010 and is based in Israel. The company is best known for developing and selling sophisticated surveillance software, which is marketed to government agencies and law enforcement organizations around the world. NSO Group's software, known as Pegasus, is capable of accessing a wide range of data on a target's smartphone, including texts, calls, emails, and location data, as well as accessing the device's microphone and camera. The software is designed to be used for lawful government surveillance, but there are concerns that it has been misused by some governments to spy on political opponents, journalists, and human rights activists. NSO Group has faced criticism and controversy over its business practices and the potential human rights abuses associated with its technology. There have been several high-profile cases in which Pegasus has been used to target journalists and human rights activists, leading to concerns about the potential for abuse of the technology. The company has also been the subject of several legal battles, including a lawsuit filed by WhatsApp in 2019, which alleged that NSO Group was involved in the hacking of several WhatsApp users' phones. The lawsuit was eventually settled out of court. NSO Group has defended its practices and the legality of its technology, and it has argued that its software is used for lawful government surveillance and is subject to strict internal controls and oversight. Despite this, the company's business practices and technology continue to be the subject of ongoing debate and controversy.

NotPetya:

NotPetya is a computer malware that was first discovered in June 2017. It is considered one of the most damaging and widespread cyber-attacks in recent history. NotPetya is a type of ransomware, which is a type of malicious software that encrypts a victim's files and demands payment in exchange for the decryption key. Unlike typical ransomware attacks, however, NotPetya was designed to cause widespread damage, rather than just to extort money from victims. The NotPetya attack initially spread through a software supply chain attack, compromising a popular Ukrainian tax software. From there, it spread rapidly throughout Ukrainian government agencies, financial institutions, and businesses. The attack also had a significant impact on organizations in other countries, including Europe, the United States, and Asia. NotPetya caused widespread disruption, with many organizations experiencing downtime and data loss. The attack was particularly damaging to businesses in Ukraine, where it was estimated that the cost of the attack reached hundreds of millions of dollars. The origin of the NotPetya attack is not definitively known, although it is believed to have been carried out by a state-sponsored group with ties to Russia. The incident highlights the dangers posed by supply chain attacks and the need for organizations to implement robust cyber-security measures to protect against similar threats in the future.

Operation Ababil:

Operation Ababil was a series of coordinated cyber-attacks that targeted several US financial institutions in 2012 and 2013. The attacks were carried out by a group of hackers who were believed to be connected to Iran, and they were in response to the US and European sanctions that were imposed on Iran due to its nuclear program. The attacks targeted several major US banks, including Bank of America and JPMorgan Chase, and they were characterized by large-scale Distributed Denial of Service (DDoS) attacks that aimed to overwhelm the banks' websites and disrupt their online services. The attacks were highly sophisticated and well-coordinated, and they were able to cause widespread disruptions and slow down access to the targeted banks' online services. The attacks had a significant impact on the targeted banks and their customers, causing widespread disruptions and leading to increased concern about the threat posed by state-sponsored hacking groups. The attacks also led to increased attention being paid to the need for better cyber-security measures to protect against similar attacks in the future. It is widely believed that Operation Ababil was carried out by Iranian state-sponsored hackers, though the Iranian government has denied any involvement. The incident remains one of the most significant cyber-security incidents in recent history and has been widely studied by experts in the field.

OT/IT

Operational Technology / Information Technology

Passive Defense:

Passive defense is a strategy in computer network defense that focuses on preventing or mitigating the effects of cyber-attacks without actively engaging the attacker. Passive defense strategies are designed to reduce the vulnerability of computer networks and systems to attack and to minimize the damage that can result from a successful attack. Some common examples of passive defense strategies include:

1. Network segmentation: Dividing a large network into smaller, more manageable parts that can be more easily secured.
2. Hardening systems and applications: Configuring systems and applications to be more secure by applying patches, disabling unnecessary services, and following secure configurations.
3. Data backup and recovery: Regularly backing up data to ensure that it can be recovered in the event of a successful attack.
4. Access control: Implementing strict access controls to limit the number of users who can access sensitive systems and data.
5. Encryption: Encrypting sensitive data to protect it from unauthorized access.

Passive defense strategies are generally considered to be more cost-effective and less resource-intensive than active defense strategies. However, passive defense strategies are not a guarantee against successful attacks, and organizations must also implement active defense strategies, such as incident response planning, to ensure that they are prepared to respond to successful attacks.

SIS

SIS (Safety Instrumented Systems) - TRITON is a good example of this being targeted. Systems that prevent people from dying; systems put in place to protect human life. Examples of options available to an attacker who has successfully compromised an SIS (from our readings):

Attack option 1: use the SIS to shut down the process.
Attack option 2: reprogram the SIS to allow an unsafe state.
Attack option 3: reprogram the SIS to allow an unsafe state, while using the DCS to create an unsafe state or hazard.

Shamoon

Shamoon is a destructive computer virus that was discovered in 2012 and was used in a series of targeted attacks against organizations in the Middle East, particularly in Saudi Arabia. The malware was designed to infect Windows-based systems and was able to spread rapidly within affected networks, overwriting and permanently destroying data on the infected computers. The most notable attack involving Shamoon occurred in August 2012, when it was used to compromise tens of thousands of computers at Saudi Arabian state-owned oil company, Saudi Aramco. The attack resulted in the loss of a significant amount of data and caused widespread disruption to the company's operations. Shamoon was highly sophisticated and used advanced techniques to evade detection and analysis, making it difficult to attribute the attacks to a specific group or individual. It is widely believed that the malware was used by a state-sponsored group, although the identity of the attackers and their motivations remain unknown. Shamoon is one of the most destructive pieces of malware to have been discovered and serves as a reminder of the potential for cyber-attacks to cause significant physical damage, beyond the more traditional consequences of data theft and unauthorized access. The attacks involving Shamoon have raised concerns about the vulnerability of critical infrastructure to cyber-attacks and the potential for similar attacks to cause widespread disruption and damage.

SolarWinds

SolarWinds is a Texas-based software company that provides network and IT management solutions to businesses and government organizations. In December 2020, it was revealed that the company had been the victim of a highly sophisticated cyber-attack. The attackers were able to compromise SolarWinds' software update process, allowing them to distribute a malicious version of the company's Orion network management software to its customers. Once installed, the malware provided the attackers with a backdoor into the affected systems, giving them the ability to steal sensitive information, move laterally within the network, and plant additional malware. The SolarWinds attack is considered to be one of the most significant and far-reaching cyber attacks in recent history. It is estimated that up to 18,000 organizations, including government agencies and Fortune 500 companies, were impacted by the attack. The attackers were able to remain undetected for several months, and it is believed that the full extent of the damage caused by the attack may never be known. The SolarWinds attack serves as a reminder of the potential for supply chain attacks, where attackers compromise a third-party provider to gain access to its customers' systems. It has raised concerns about the security of software updates and the need for organizations to carefully manage and monitor their supply chain to minimize the risk of cyber-attacks.

Stuxnet

Stuxnet is a sophisticated computer worm that was discovered in 2010 and is widely regarded as the first piece of malware specifically designed to target and manipulate industrial control systems (ICS). These systems are used to control and monitor critical infrastructure such as power plants, water treatment facilities, and other industrial processes. Stuxnet was designed to infect Windows-based systems and specifically target the programmable logic controllers (PLCs) that are used to control the operations of ICS. Once the worm infected a system, it was able to manipulate the PLCs and cause the machinery to behave in unexpected and potentially dangerous ways. It is widely believed that Stuxnet was created by a state-sponsored group for the purpose of sabotaging Iran's nuclear program. The worm was specifically targeted at the uranium enrichment facility at Natanz, Iran, and is believed to have caused significant damage to the centrifuges used in the enrichment process. Stuxnet is widely regarded as a landmark in the history of cyber warfare, as it marked the first known instance of a piece of malware being used to physically manipulate and damage critical infrastructure. It has also raised concerns about the vulnerability of industrial control systems to cyber-attacks and the potential for similar attacks to cause widespread disruption and damage.

SCADA

Supervisory Control and Data Acquisition

Colonial Pipeline Hack

The Colonial Pipeline hack was a cyberattack that took place in May 2021 and targeted the Colonial Pipeline, one of the largest fuel pipelines in the United States. The pipeline carries gasoline, diesel, and jet fuel from refineries along the Gulf Coast to markets along the East Coast, and it supplies about 45% of the fuel consumed on the East Coast. The attack was carried out by a group of hackers using ransomware, a type of malware that encrypts a victim's data and demands payment in exchange for the decryption key. The hackers were able to shut down the pipeline's operations, causing widespread panic and leading to fuel shortages and price hikes in several states. In response to the attack, Colonial Pipeline was forced to temporarily shut down its operations and launch an investigation into the breach. The company ultimately paid the ransom demand to the hackers to regain control of its systems, although it is not clear how much was paid. The Colonial Pipeline hack was significant because it highlighted the vulnerability of critical infrastructure to cyber-attacks and the potential for such attacks to have real-world consequences. The attack also raised concerns about the security of the nation's critical infrastructure and the ability of organizations to respond to cyber threats. The response to the Colonial Pipeline hack has been widely criticized, and it has led to increased calls for organizations to improve their cybersecurity measures and for governments to take a more proactive approach to protecting critical infrastructure from cyber threats. The incident serves as a wake-up call for organizations and governments to prioritize the security of critical infrastructure and to take the necessary steps to prevent and respond to cyberattacks that target these systems.

Equation Group:

"The Crown Creator of Cyber-Espionage", as attributed by Kaspersky Lab. Kaspersky states that it has found the ancestor of Stuxnet and Flame. A powerful threat actor with an absolute advantage in cyber-tools. This group employs a wiper during its operations. This group targets civilian, commercial, and government targets. The sophistication of the tools (across campaigns) hints that this is a FVEY country.

Microsoft Exchange Hack:

The Microsoft Exchange hack refers to a widespread cyber-attack that affected Microsoft Exchange Server systems in early 2021. It was discovered that multiple nation-state hackers had exploited vulnerabilities in Microsoft Exchange Server to gain access to the email systems of thousands of organizations globally. Timeline: SolarWinds (2020/2021). On January 6th, 2021, a cybersecurity company identifies mysterious activity. On February 2 they notify Microsoft about the identified vulnerabilities. Another cybersecurity company identifies other issues (discovered on January 18th and reported to Microsoft on the 22nd). Microsoft has to patch four issues. Right before Microsoft can ship the patch, the attacker conducts a "smash and grab." Microsoft's patch only fixes the original backdoors but fails to fix the new backdoors. There is a flux of criminal activity following this patch. The attackers used four zero-day vulnerabilities to gain initial access to the targeted systems and then deployed additional tools to steal data and maintain persistence within the compromised networks. The attack primarily targeted on-premises Exchange servers in the United States, but organizations globally were also impacted. The attack was particularly concerning because it gave the attackers access to sensitive corporate data, including email communications, contacts, and calendar entries. The attackers also deployed additional tools that gave them the ability to move laterally within the network and exfiltrate data. The Microsoft Exchange hack underscores the importance of staying up to date with software updates and patches, especially for critical systems like email servers. It also highlights the need for organizations to implement multi-layered security measures, including threat detection and response capabilities, to detect and respond to cyber-attacks in a timely manner.

Slingshot

A cyber operation in Africa and the Middle East (discovered by Moscow-based Kaspersky Labs). Employed in 2012, but not discovered until 2018. There is no attribution tied to this group, but it is based in a resource-rich country. We only have an incomplete picture of how the attacks commence. This malware compromises routers and forces devices to send data and download malware.

Sands Casino:

The Sands Casino hack was a high-profile cyber-attack that took place in 2014 and targeted the Sands Casino in Las Vegas, Nevada. The attack was notable for the large amount of sensitive information that was stolen and the disruptive nature of the attack, which saw the attacker destroy sensitive data and demand a large ransom from the casino. The attack was carried out by a group of hackers who infiltrated the casino's network and stole sensitive information, including credit card information, social security numbers, and other personal information belonging to the casino's employees and customers. The attackers also destroyed large amounts of data, making it impossible for the casino to recover the information. The attack cost the casino several million dollars in revenue (not exactly sure how much). As @Sarah pointed out, this answer had an error: there was no ransom demanded in this attack. This attack was politically and ideologically based: the Iranian government or its proxies targeting an American-owned casino in retaliation for Sheldon Adelson's comments about how to deal with Iran. Adelson advocated for "old-school signaling" through a show of force; this hack was a response to his personal comments (see Buchanan, pg. 160 for more info). The attack had a significant impact on the casino and its customers, leading to widespread concern about the security of sensitive information and the increasing threat posed by cyber-attacks. The incident also led to increased attention being paid to the need for better cyber-security measures to protect against similar attacks in the future.

The Sony Hack:

The Sony Pictures hack, also known as the "Guardians of Peace" or GOP hack, was a cyber-attack that became public in November 2014 against Sony Pictures Entertainment, a subsidiary of the Japanese multinational conglomerate Sony Corporation. The FBI attributed the attack to the North Korean government; it was carried out in response to the planned release of "The Interview," a satirical comedy about assassinating Kim Jong-un, which the regime regarded as an insult. The hackers stole a large amount of confidential information from Sony Pictures, including internal emails, personal information of employees, and unreleased films and scripts. The stolen data was leaked online, causing significant embarrassment and financial damage to Sony Pictures. In addition to the data theft, the attackers deployed wiper malware that destroyed the contents of the company's computers, causing widespread disruption to its operations. The attack was seen as one of the most significant and destructive cyber-attacks against a US company, and it raised concerns about the vulnerability of companies and their sensitive information to state-sponsored attacks. The Sony Pictures hack serves as a reminder that cyber-attacks can have significant real-world consequences beyond the theft of sensitive data, and it raised awareness of the need for companies to have robust cybersecurity measures in place to protect themselves and to limit the damage caused by a successful attack.

2007 Estonia Hack:

The cyber-attack in Estonia in 2007 was a series of coordinated cyber-attacks that took place in April and May of that year. The attacks targeted Estonian government institutions, banks, media outlets, and other critical infrastructure, causing widespread disruption and constituting one of the first instances of a nation-state being targeted in a large-scale cyber-attack. The attacks were a response to the Estonian government's decision to move a Soviet-era war memorial from the center of Tallinn, the country's capital, to a military cemetery. The decision was highly controversial and led to widespread protests, including among ethnic Russians living in Estonia. The cyber-attacks began shortly after the memorial was moved and consisted mainly of large-scale Distributed Denial of Service (DDoS) attacks, driven by botnets and by instructions circulated on Russian-language forums, together with website defacements. The techniques themselves were not technically sophisticated, but the attacks were well coordinated and sustained over roughly three weeks, and they were able to take down many of the country's critical online services for days at a time. The attacks had a significant impact on the country, causing widespread disruption and leading to millions of dollars in losses for affected organizations and businesses. They also raised concerns about the potential for similar attacks against other countries, led to increased attention to the threat posed by state-sponsored hacking groups, and prompted NATO to establish its Cooperative Cyber Defence Centre of Excellence in Tallinn the following year. It is widely believed that the attacks were carried out by Russian state-sponsored or state-encouraged hackers, though the Russian government has denied any involvement. The incident remains one of the most significant cyber-security incidents in recent history and has been widely studied by experts in the field.

2015 Ukraine Hack:

The cyber-attack in Ukraine in 2015 refers to a significant cyber-security incident on 23 December 2015, in which attackers caused power outages at three regional electricity distribution companies in western Ukraine. The attack is widely regarded as the first confirmed instance of a cyber-attack taking down part of a nation's power grid: roughly 230,000 customers lost electricity for several hours. The attackers gained initial access months earlier using the BlackEnergy trojan, delivered by spear-phishing emails carrying malicious Office macros, then harvested credentials and moved from the corporate networks into the supervisory control (SCADA) networks. On the day of the attack, operators remotely hijacked the control workstations and opened breakers at dozens of substations by hand; they then used KillDisk wiper malware to destroy workstations and the firmware of serial-to-Ethernet converters, and flooded the utilities' call centers so customers could not report the outage. The attack was notable for its planning and for its deliberate targeting of industrial control systems (ICS), which run critical infrastructure such as power grids, water treatment plants, and transportation systems. It was not the first destructive use of ICS-focused tooling (Stuxnet preceded it), but it was the first publicly confirmed attack to cause a grid outage, and it raised concerns about similar attacks on critical infrastructure in other countries. It is widely believed that the attack was carried out by a state-sponsored group, with most analysts attributing it to the Russian group known as Sandworm. The Ukrainian government has blamed Russia for the attack, which the Russian government denies. The 2015 attack remains one of the most significant cyber-security incidents in recent history, and it has had a lasting impact on the way that organizations and governments around the world view the threat that state-sponsored hacking groups pose to critical infrastructure.

2016 Ukraine Hack:

The cyber-attack in Ukraine in 2016 was a second attack on the country's power grid, on 17 December 2016, which cut power to part of Kyiv for about an hour. Unlike the 2015 attack, in which operators opened breakers by hand, this one used malware (known as Industroyer or CrashOverride) built to speak grid control protocols and trip breakers at a transmission substation automatically. The malware described below is a different event that is often confused with it: the June 2017 NotPetya outbreak, so named because it reused code from the Petya ransomware. NotPetya began in Ukraine, where it hit government institutions, banks, and infrastructure companies, and it quickly spread to organizations in other countries, including Russia, the United Kingdom, the United States, and much of Europe. It did not spread by email: the initial infection came through a poisoned software update for M.E.Doc, a Ukrainian tax-accounting package, and the malware then moved laterally across networks on its own, using the EternalBlue SMB exploit and stolen Windows credentials, so no user needed to open an attachment or click a link. Although it presented a ransom note, NotPetya was effectively a wiper: it overwrote the Master Boot Record and encrypted the file system in a way that could not be reversed even if the ransom was paid. The attack was seen as a significant escalation in the scale and collateral damage of state cyber-attacks, with total losses estimated at around $10 billion, including hundreds of millions of dollars each at multinationals such as Maersk and Merck. In February 2018 the United States and United Kingdom publicly attributed NotPetya to the Russian military, and the US later indicted GRU officers for it; Russia denies involvement.

Master Boot Record (MBR)

The first sector on a hard drive, which contains the partition table and a program the BIOS uses to boot an OS from the drive.
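The definition above is easier to work with when you can see the sector's layout. The following parser is an added example, not code from the original study set: it unpacks the 440-byte bootstrap code, the 4-byte disk signature, the four 16-byte partition entries, and the 0x55AA signature, and it adds the check an incident responder actually wants, comparing the bootstrap bytes against a known-good hash to detect an overwritten boot sector (the technique used by MBR-wiping malware such as Petya). The sample sector, its bootstrap bytes, the disk signature, and the "known-good" hash are all constructed here for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440        # bytes 0..439: the code the BIOS jumps to at 0x7C00
DISK_SIG_OFFSET = 440      # 4-byte Windows disk signature (followed by 2 reserved bytes)
TABLE_OFFSET = 446         # four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG_OFFSET = 510      # must hold 0x55 0xAA


def decode_chs(raw: bytes) -> tuple:
    """Unpack the packed 3-byte cylinder/head/sector field (cylinder is 10 bits)."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and return bootstrap hash, disk signature, and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(sector)}")
    if sector[BOOT_SIG_OFFSET:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        status, chs_s, ptype, chs_e, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:                       # empty slot
            continue
        if status not in (0x00, 0x80):       # only "inactive" and "bootable" are legal
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "chs_start": decode_chs(chs_s), "chs_end": decode_chs(chs_e),
            "lba_start": lba, "sectors": count,
        })
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def bootstrap_modified(sector: bytes, known_good_sha256: str) -> bool:
    """True if the boot code differs from the baseline hash taken from a clean image."""
    return parse_mbr(sector)["bootstrap_sha256"] != known_good_sha256


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition at LBA 2048, 100 MiB long."""
    entry = struct.pack(ENTRY_FMT, 0x80, bytes([0x20, 0x21, 0x00]), 0x07,
                        bytes([0xFE, 0xFF, 0xFF]), 2048, 204800)
    table = entry + b"\x00" * 48             # three empty entries
    return (bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + struct.pack("<I", 0xDEADBEEF)
            + b"\x00\x00" + table + b"\x55\xAA")


# Constructed "clean" boot code (a few typical opening bytes, padded) and its baseline hash.
CLEAN_BOOTSTRAP = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTSTRAP)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOTSTRAP.ljust(BOOTSTRAP_LEN, b"\x00")).hexdigest()

# Constructed "tampered" sector: boot code replaced, partition table left intact,
# which is what a bootkit or an MBR-wiper typically does.
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 20)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(name, "modified:", bootstrap_modified(mbr, KNOWN_GOOD_SHA256))
        for p in info["partitions"]:
            print("  partition", p["index"], "type 0x%02x" % p["type"],
                  "LBA", p["lba_start"], "sectors", p["sectors"], "bootable", p["bootable"])
```

On a real system you would read the first 512 bytes of the raw disk device (for example /dev/sda on Linux) and keep the baseline hash from a known-clean image; the partition table can survive untouched while the boot code has been replaced, so checking only that the disk still "has partitions" misses exactly the tampering this example detects.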

Titan Rain/Byzantine Hades:

Titan Rain was the US government's designation for a series of coordinated intrusions into US government agencies, defense contractors, and corporations beginning around 2003 and continuing for roughly three years; "Byzantine Hades" was a later US codename for the broader set of Chinese intrusions of which Titan Rain was a part. The attacks were notable for their scale and persistence and for the volume of information that was taken, and they were among the first high-profile incidents of suspected state-sponsored cyber-espionage. The intruders were traced to systems in China and were able to exfiltrate large amounts of sensitive information, including research data, military and aerospace documents, and government planning material. They combined exploitation of vulnerable, unpatched systems with social engineering to gain and keep access. The attacks had a significant impact on the US government and its agencies, sharpening concern about the threat posed by state-sponsored hacking groups, and they were among the first incidents to draw attention to the growing sophistication of cyber-espionage and to the need for better cyber-security measures against it. Chinese state sponsorship was widely suspected and is the prevailing assessment, but it has never been officially confirmed, and the Chinese government denied involvement. Titan Rain remains one of the most high-profile cyber-espionage incidents in recent history and is widely studied by experts in the field.

Triton

Triton (also called Trisis) is the name given to a sophisticated malware framework that was discovered in 2017. It was built to target industrial control systems (ICS) in critical infrastructure, such as power plants, water treatment facilities, and manufacturing plants, and specifically the Schneider Electric Triconex safety instrumented system (SIS), the controllers whose only job is to shut a plant down safely when a process goes out of bounds. Triton is notable for its ability to reprogram these safety controllers. Disabling or altering a safety system can allow a physical accident to occur, which makes Triton one of the few known examples of malware able to cause direct harm in the real world. The malware was discovered after a failed attack on a petrochemical plant in Saudi Arabia: a flaw in the attackers' code tripped the safety controllers, shut the plant down, and prompted the investigation that found it. The attack was unusual because it appeared to be motivated by a desire to cause physical damage rather than to steal data. Triton is believed to be the work of a nation-state actor; FireEye later linked its development to a Russian government research institute, which the US Treasury sanctioned in 2020, although the identity of the operators has not been officially confirmed. The discovery of Triton raised concern about the security of industrial control systems and the potential for cyber-attacks to cause physical damage to critical infrastructure. It serves as a reminder of the growing threat to critical infrastructure from cyber-attacks and of the need for organizations to have robust security measures in place for these systems, and it has highlighted the need for governments and international organizations to work together to prevent and respond to attacks that target them.

Turla

Turla is a highly sophisticated cyber espionage group that has been active since at least 2007. The group is believed to be based in Russia and is known for carrying out advanced persistent threat (APT) campaigns. Through digital forensic work on a surviving 1990s relay server, Dr. Thomas Rid (with Kaspersky researchers) linked Turla's tooling to Moonlight Maze, the late-1990s intrusion campaign against US government networks. Turla is best known for targeting government organizations, diplomatic entities, and educational institutions in the United States, Europe, and the Middle East. The group is believed to be responsible for some of the most complex and long-running cyber espionage campaigns in recent history, and it is known for using sophisticated techniques to evade detection and maintain access to its targets. Turla has used a variety of tools and techniques, including custom malware, rootkits, and backdoors, to compromise its targets and steal sensitive information. The group is also known for hijacking third-party tools and infrastructure (including satellite internet links and other groups' command-and-control servers) to carry out its attacks, which makes its activities difficult for security researchers to track. Turla is considered one of the most advanced and persistent APT actors in the world, and its activities remain a major concern for organizations and governments. Its focus on government and diplomatic targets, together with its advanced tradecraft, makes it a particularly dangerous threat and highlights the importance of robust defenses against APT attacks.

WannaCry

WannaCry is ransomware that was first seen in May 2017 and is considered one of the largest and most widespread ransomware attacks in history. Ransomware is malicious software that encrypts a victim's files and demands payment in exchange for the decryption key. WannaCry was particularly damaging because it was also a worm: it spread on its own, infecting hundreds of thousands of computers in over 150 countries within days. It did so by exploiting a vulnerability in Windows' SMBv1 file-sharing service using the EternalBlue exploit, which had been leaked from the NSA's toolkit weeks earlier; Microsoft had issued a patch (MS17-010) two months before the outbreak, so the victims were machines that had not been updated or were running unsupported versions of Windows. Once inside a network, the malware scanned for and infected other vulnerable hosts without any user interaction. The outbreak was cut short when a researcher registered a "kill switch" domain the malware checked before encrypting, but it still caused widespread disruption, with many organizations, including the UK's National Health Service, experiencing downtime and data loss, and total losses estimated in the hundreds of millions of dollars. The United States, the United Kingdom, and other governments have attributed WannaCry to North Korea, and in 2018 the US charged a North Korean programmer in connection with it. The incident highlights the dangers posed by self-propagating ransomware and the need for organizations to patch promptly and to disable legacy protocols such as SMBv1.

Shaping

Changing the game: molding the geopolitical environment to be more to your liking. Based on espionage, sabotage, and destabilization (ex. Stuxnet).

Signaling

Hinting credibly in an attempt to influence how the other side will act; challenging in cyberspace because of the difficulty of attribution, since a signal the target cannot attribute does not communicate (ex. Sony).

