Raoul Chiesa CYBER

The document discusses cybercrime, cyber espionage, information warfare, and cyber war. It profiles hackers and provides a case study of cyber espionage. It aims to connect these topics and show their relationships and transitions between each other.


Cybercrime, Cyber-Espionage, Information Warfare and “Cyber War”: the fil-rouge which connects the dots

Raoul “Nobody” Chiesa


Disclaimer

● The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known laws.
● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.
● Quoted trademarks belong to their registered owners.
● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor those of ENISA and its PSG (Permanent Stakeholders Group), nor those of Security Brokers.
● Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged.

October 26-27, Istanbul, Turkey Istanbul 2015 FIRST Technical Colloquium & TRANSITS Training 2
Agenda
• Introductions
• The scenarios and the Actors
• Profiling «Hackers»
• Information Warfare
• Cyber Espionage case study
• Conclusions
• References, Q&A

Introductions

The Speaker
• President, Founder, Security Brokers
• Principal, CyberDefcon Ltd.
• Independent Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)
• Former PSG Member (2010-2012 / 2013-2015) @ ENISA (Permanent Stakeholders Group @ European Union Network & Information Security Agency)
• Founder, Board of Directors and Technical Committee Member @ CLUSIT (Italian Information Security Association)
• Steering Committee, AIP/OPSI, Privacy & Security Observatory
• Former Member, Co-coordinator of the WG «Cyber World» @ Italian MoD
• Cultural Attaché, APWG European Chapter (APWG.EU)
• Board of Directors, ISECOM
• Board of Directors, OWASP Italian Chapter
• Supporter at various security communities

The Security Brokers
• We deal with extremely interesting, niche topics, bringing the strong know-how gained from 20+ years of field experience and from our 30+ experts, who are very well known all over the world in the Information Security and Cyber Intelligence markets.
• Our key areas of service can be summarized as:
  • Proactive Security
    • With a deep specialization in TLC & Mobile, SCADA & IA, ICN & Transportation, Space & Air, Social Networks, e-health, […]
  • Post-Incident
    • Attacker profiling, Digital Forensics (Host, Network, Mobile, GPS, etc.), Trainings
  • Cyber Security Strategic Consulting (Technical, Legal, Compliance, PR, Strategy)
  • On-demand «Ninja Teams»
  • Security Incident PR Handling & Management
  • Psychological, Social and Behavioural aspects (applied to cyber environments)
  • Cybercrime Intelligence
    • Botnet takeovers, takedowns, cybercriminal bounty hunting, Cyber Intelligence Reports, Technical & Operational support towards CERTs and LEAs/LEOs, […]
  • Information Warfare & Cyber War (only for MoDs & Intelligence Agencies)
    • Specialized Trainings, Attack & Defense Labs, more…
    • 0-day and Exploits – Digital Weapons
    • OSINT
Terminologies!

• In the Information Security (InfoSec) world, we have a tremendous problem: the terminology.
• Each term has a different meaning, depending on the context and the actor.
• This is not all, though: in the last few years a new trend came out, which is adding the prefix “cyber” to most of the terms.
• Nevertheless, a lot of (huge) doubts still persist, even in your own national language!


No common spelling…
„Cybersecurity, Cyber-security, Cyber Security?”
No common definitions…
Cybercrime is…?
No clear actors…
Cyber – Crime/war/terrorism?
No common components?…
• In non-English-speaking countries, further problems with correctly understanding words and terms arise.

The scenario(s) and the Actors

Crime -> Today

If you have the information, you have the power…
(at least in politics, in the business world, in our personal relationships…)

• Simply put, this happens because “information” can be transformed at once into “something else”:
1. Competitive advantage
2. Sensitive/critical information (blackmailing)
3. Money
• … that’s why all of us want to “be secure”.
• It’s not by chance that it’s named “IS”: Information Security 

Cybercrime
• Cybercrime: “The use of IT tools and telecommunication networks in order to commit crimes in different manners”.
• The axiom of the whole model: “acquiring different types of data (information), which can be transformed into money.”
• Key points:
  • Virtual (pyramidal approach, anonymity, C&C, flexible and scalable, moving quickly and rebuilding fast, use of “cross” products and services in different scenarios and different business models)
  • Transnational
  • Multi-market (buyers)
  • Differentiated products and services
  • Low “entry fee”
  • ROI / Return on Investment (on each single operation, which means that, exponentially, it can be industrialized)
  • Tax & (cyber) law haven

Why?
“2013 Cybercrime financial turnover apparently scored up more than Drugs dealing, Human Trafficking and Weapons Trafficking turnovers”
Various sources (UN, USDOJ, INTERPOL, 2013)
Financial Turnover, estimation: 12-18 BLN USD/year

«Cybercrime ranks as one of the top four economic crimes»
PriceWaterhouseCoopers LLC, Global Economic Crime Survey 2011

From Cybercrime to…
• We are speaking about an ecosystem which is very often underestimated: most of the time, Cybercrime is the starting or transit point towards different ecosystems:
  • Information Warfare
  • Black Ops
  • Cyber Espionage
  • Hacktivism
  • (private) Cyber Armies
  • Underground Economy and Black/Grey Markets
  • Organized Crime
  • Carders
  • Botnet owners
  • 0-days
  • Malware factories (APTs, code-writing outsourcing)
  • Lone wolves
  • “Cyber”-Mercenaries

Profiling Actors

New Actors joined in
• Cybercrime and Information Warfare have a very wide spectrum of action and use intrusion techniques which are nowadays, somehow, available to a growing number of Actors, who use them in order to accomplish different goals, with approaches and intensity which may vary deeply.
• All of the above is launched against any kind of target: Critical Infrastructures, Governmental Systems, Military Systems, Private Companies of any kind, Banks, Media, Interest Groups, Private Citizens…
– National States
– IC / LEAs
– Organized Cybercrime
– Hacktivists
– Industrial Spies
– Terrorists
– Corporations
– Cyber Mercenaries
Everyone against everybody.

The World is changing… (?)
→ Geopolitical shift: 2013 - Map of the ITU Dubai General Assembly, December (red = not signed; black = signed)
Source: Flavia Zappa, Security Brokers, 2013
Welcome to HPP!

HPP V1.0
• Back in 2004 we launched the Hacker’s Profiling Project - HPP: http://www.unicri.it/special_topics/cyber_threats/
• Since that year:
  – 1,200+ questionnaires collected & analyzed
  – 9 hacker profiles emerged
  – Two books (one in English)
    • Profilo Hacker, Apogeo, 2007
    • Profiling Hackers: the Science of Criminal Profiling as Applied to the World of Hacking, Taylor & Francis Group, CRC Press (2009)

Evaluation & Correlation standards
• Modus Operandi (MO)
• Lone hacker or as a member of a group
• Motivations
• Selected targets
• Relationship between motivations and targets
• Hacking career
• Principles of the hacker's ethics
• Crashed or damaged systems
• Perception of the illegality of their own activity
• Effect of laws, convictions and technical difficulties as a deterrent

The scenario
• Everything «evolved», somehow…
• Here’s what the United Nations says (Hacker’s Profiling Project):

OFFENDER ID | AGE | LONE / GROUP HACKER | TARGET | MOTIVATIONS / PURPOSES
Wanna Be Lamer (“I would like to be a hacker, but I can’t”) | 9-16 years | GROUP | End-User | For fashion, it’s “cool” => to boast and brag
Script Kiddie (the script boy) | 10-18 years | GROUP, but they act alone | SME / specific security flaws | To give vent to their anger / attract mass-media attention
Cracker (the destructor, burned ground) | 17-30 years | LONE | Business company | To demonstrate their power / attract mass-media attention
Ethical Hacker (the “ethical” hacker’s world) | 15-50 years | LONE / GROUP (only for fun) | Vendor / Technology | For curiosity (to learn) and altruistic purposes
Quiet, Paranoid, Skilled Hacker (the very specialized and paranoid attacker) | 16-40 years | LONE | On necessity | For curiosity (to learn) => egoistic purposes
Cyber-Warrior (the soldier, hacking for money) | 18-50 years | LONE | “Symbol” business company / End-User | For profit
Industrial Spy (industrial espionage) | 22-45 years | LONE | Business company / Corporation | For profit
Government Agent (CIA, Mossad, FBI, etc.) | 25-45 years | LONE / GROUP | Government / Suspected Terrorist / Strategic company / Individual | Espionage / Counter-espionage / Vulnerability test / Activity-monitoring
Military Hacker | 25-45 years | LONE / GROUP | Government / Strategic company | Monitoring / controlling / crashing systems

HPP V2.0: what happened?
• VERY simple:
• Lack of funding: for phases 3 & 4 we need support!
  – HW, SW, Analysts, Translators
• We started back in 2004 with the «romantic hackers», though we already foresaw those «new» actors: .GOV, .MIL, Intelligence.
• We missed out:
  – Hacktivism (!);
  – Cybercriminals beyond the «hobbyist» approach;
  – OC;
  – The financial aspects (Follow the Money!!);
  – Cyberterrorists (do they really exist?)

Information Warfare (Cyberwar?) and the evolution of the 0-days market

WTF…

The DUMA knew it, a long time ago….

"In the very near future many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers, that is hackers. This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."

Former Duma speaker Nikolai Kuryanovich, 2007

Hackers as a National Resource?

• A couple of years ago I dug into a piece of research from a Hungarian security researcher from HP
• His idea was weird!
• Should we consider hackers as “the enemy” / “troubles”…
• …Or, may they represent an opportunity for Governments??
• Patriot hackers
• Think about bloggers and North Africa (Egypt, Tunisia, Morocco) / GCC Area (Gulf Countries)
• Think about IRAN and Twitter
• See the potential?

Making “Cyber War”…
• „dummy list“ of „ID-10T“ for phishing
• equipment to mimic target network
• dummy run on similar network
• sandbox zerodays
• banking arrangements
• purchase attack-kits
• rent botnets
• find (trade!) good C&C server
• purchase 0-days / certificates
• purchase skill-set
• bespoke payload / search terms
• background info on organisation (orgchart etc.)
• primer for sector-specific social-engineering
• proxy servers
• purchase L2/L3 system data
Source: Alexander Klimburg, 2012

Mistyping may lead to (very) different scenarios…

Non-state proxies and “inadvertent Cyberwar”:

„During a time of international crisis, a [presumed non-state CNE] proxy network of country A is used to wage a „serious (malicious destruction) cyber-attack“ against country B.“

How does country B know if:
a) The attack is conducted with the consent of Country A (Cyberwar)
b) The attack is conducted by the proxy network itself without the consent of Country A (Cyberterrorism)
c) The attack is conducted by a Country C which has hijacked the proxy network? (False Flag Cyberwar)

© Alexander Klimburg 2012

Back in 2005
• Vodafone Greece 2004 (“The Athens affair”)
• Rootkit on MSC Ericsson AXE
• Inbound and Outbound Voice calls, SMS in/out, forwarded to 14 “pay-as-you-go” SIM cards (anonymous ones)
• Olympic Games
• 14 DEC 2007: Vodafone GR fined 76M€
• http://spectrum.ieee.org/telecom/security/the-athens-affair
• http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005

The illegally wiretapped cellphones in the Athens affair included those of the prime minister, his defense and foreign affairs ministers, top military and law enforcement officials, the Greek EU commissioner, activists, and journalists.

Ahhhhh…. now I get it!
• PRISM and other secret project scandals (“the Snowden case”)
• NSA’s budgets for black operations revealed
  • http://rt.com/usa/snowden-leak-black-budget-176/
  • http://rt.com/usa/us-hacking-exploits-millions-104/
  • http://www.lemonde.fr/technologies/visuel/2013/08/27/plongee-dans-la-pieuvre-de-la-cybersurveillance-de-la-nsa_3467057_651865.html

Will this ever end? 

Photo captions:
Costas Tsalikidis, Network Planning Manager, Vodafone-Panafon
Vodafone Greece CEO George Koronias holds documents in April 2006 before the start of a parliamentary committee hearing investigating the phone-tapping scandal. Photo: Louisa Gouliamaki / AFP / Getty Images

Budgets, Black Ops
NSA «black-ops budget» exposed
• NSA’s “black budget”: 652M$ (2011)
• 231 black operations known as of today (2011)
• 16 US agencies from the US Intelligence community involved (107,035 employees)
• High-priority targets for the US intelligence agencies:
  • Iran
  • Russia
  • China
  • Afghanistan
  • North Korea
  • Syria
  • ……
• Cyber Attacks Unit “GENIE”
  • Hacking into foreign systems in order to spy on contents and control functions
  • http://articles.washingtonpost.com/2013-08-29/world/41709796_1_intelligence-community-intelligence-spending-national-intelligence-program
Maybe……. 

The «last» one

What happened in September 2013?

“Belgian Telco says it was hacked, while reports point to NSA or GCHQ as culprit”
http://gigaom.com/2013/09/16/belgian-telco-says-it-was-hacked-while-reports-point-to-nsa-or-gchq-as-culprit/

The on-going one…

And the Police, too!

Finfisher

Global, dirty business
• “Mass interception of entire populations is not only a reality, it is a secret new industry spanning 25 countries.”
• “It's estimated that the global computer surveillance technology market is worth $5 billion a year.”
  – ITALY: >300M/year

Who do you wanna sell (your 0days) to?

The pricing debate
• What about this? (CHEAP but LAME, India’s ones)

The pricing debate

http://www.theregister.co.uk/2014/11/11/german_spooks_want_millions_to_buy_0day_vulns/
Black Market?
Grey Market?
White Market?
Prices ranging from thousands to millions?

WTH?!?!?!

→ 0-day Markets

[Diagram: Black Market (underground), Grey Market (Cybercrime), White (?) Market; Software Rel x.y.z → «Bug» → 0-day → Patch; actors: Software Vendors, CERT (ICS-CERT), National Institutions]
A different (more serious?) approach

Public Knowledge of the vulnerability | Buyer’s typology | 0-day Exploit code + PoC, Cost: Min/Max
Y | IS | 10K – 50K USD
Y | INT | 30K – 150K USD
Y | MIL | 50K – 200K USD
Y | OC | 5K – 80K USD
N | ALL | X2 – X10

Buyer’s typology: IS = IT Security companies; INT = Intelligence Agencies, for Governmental use (National Security protection); MIL = MoD/related actors, for warfare use; OC = Cybercrime.

A different (more serious?) approach

Public Knowledge of the vulnerability | Vulnerability relies on | Buyer’s typology | 0-day Exploit code + PoC, Cost: Min/Max
Y | OS | OC | 40K – 100K
Y | MGA | INT | 100K – 300K
Y | SCADA | MIL | 100K – 300K
N | OS | MIL | 300K – 600K
N | SCADA | MIL | 400K – 1M

Vulnerability relies on: OS = Operating System; MGA = Major General Applications; SCADA = SCADA-Industrial Automation.
Buyer’s typology: IS = IT Security companies; INT = Intelligence Agencies, for Governmental use (National Security protection); MIL = MoD/related actors, for warfare use; OC = Cybercrime.

Cyber Espionage:
a case study from India

Cyber Espionage
• The complexity and the infrastructural and operating costs of espionage (in the wide sense of the term) have dropped dramatically over the years, because of the IT revolution and the so-called “Digital Society”.
• In most cases, the information sits (also, or “just”) on digital storage and travels over the Net.
• As a first effect, the concept of “stealing” doesn’t exist anymore (it’s virtual) and we must speak about copying the information (espionage approach):
  • What is “still there” is “safe”;
  • More time is needed to realize the “theft”;
  • Less time is needed to transfer or resell the information -> cashing out.
• (Public) incidents happen both in the private and public (even Military and Governmental) sectors:
  • insiders (drivers: political, ethics, religious, fame and mass media, corruption, blackmail, ignorance);
  • contractors (external suppliers, consultants, VPN and RAS access, etc.);
  • “competitors” (civilian and military), both State-Sponsored and Independent.

Massive Cybercrime + Industrial Espionage
• The case study
  • Our counter-cybercrime internal team works closely with different security communities (APWG, HostExploit, Global Security Map, Team Cymru, etc.) which run concrete actions such as information sharing, botnet takedowns, international digital investigations, supporting and coordinating with the different Law Enforcement Agencies in the involved countries (since the crime is global).
  • More than one year ago, some members of these communities alerted us about suspicious activities, not publicly known.

• Weird aspects
  • The world-famous «Chinese espionage» wasn’t involved
  • Technical level and quality of the tools used: medium-low.
  • Serial industrialization of the whole operational chain of the APT (Advanced Persistent Threat) attacks.
  • Full outsourcing of the attack.
  • MO (Modus Operandi) organized by steps: Social Engineering based (phone calls, emails), then target exploitation (spear phishing).
  • A very important and scary sign of the synergies between the Cybercrime and Cyber Espionage worlds.
  • Something like a «prêt-à-porter» of digital espionage.

Operation Hangover
• Repeated, targeted malicious activities, of the “targeted attack infrastructure” type.
• New and different MO:
  • low quality (.doc + .exe!!)
  • Very noisy;
  • persistent;
  • Not executed by a single person.
• Attacks and actions (apparently) originated from India.
• Infrastructure operating since at least 3 years (mostly 4).

• We are speaking about a specific cybercrime service sold by an IT Security company based in India (Appin Security Group… ever heard about it?).

• Publicly known targets:
  • Telenor (Norway)
  • Bumi PLC (Indonesia)
• Targets found later:
  • ENRC (UK) – Energy National Research Center
  • Porsche (Austria)
  • Private companies from different markets in the USA, Germany, etc.
How did this start?
• Snorre, team leader, told us the following:

“The op started with Telenor intrusion, we received md5s and cc info from TN via NorCert.

We then started looking into the case on our own initiative.

We were quickly able to connect the case with others, just googling the http request string
returned lots of hits, and we used our own databases to get a lot more.

Dns reqs in combination w malware behavior info was one of the main mapping methods,
but we also used other tricks, for example tracking bad guys through shodan.
They often tanked their vps images identically, meaning we could see identical esmtp
banners on different ip ranges.

Generally, the Hangover op was large-scale, over many arenas, but minimal complexity.

And I suspect it is not the only one ongoing in that region.

Snorre”

(Source: email exchange with Snorre Fagerland, Norman Shark, May-June 2013)
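The banner pivot Snorre describes above (identical ESMTP banners on VPS images cloned across different IP ranges) is an infrastructure-mapping step a CERT analyst can automate. This is an added example, not Norman Shark's code: it runs over constructed scan records (documentation-range IPs, placeholder hostnames) and assumes a /24 as the "IP range".

```python
"""Pivot on identical service banners to map cloned attack infrastructure.

Added example: not Norman Shark's code. Given seed IPs already tied to an
incident, find other hosts whose service banner is identical (after stripping
volatile parts such as timestamps) but which sit in other IP ranges, the clue
described above for identically deployed VPS images.
Assumptions: a /24 stands in for "IP range"; the scan records below are
constructed samples in the shape a banner-scan engine would return.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample scan results (documentation-range IPs, placeholder hostnames).
SCAN_RECORDS = [
    {"ip": "198.51.100.10", "port": 25,
     "banner": "220 mx01.example-cloud.test ESMTP Exim 4.72 Tue, 21 May 2013 10:02:11 +0000"},
    {"ip": "198.51.100.11", "port": 25,
     "banner": "220 mx01.example-cloud.test ESMTP Exim 4.72 Tue, 21 May 2013 10:02:15 +0000"},
    {"ip": "203.0.113.7", "port": 25,
     "banner": "220 mx01.example-cloud.test ESMTP Exim 4.72 Wed, 22 May 2013 09:15:40 +0000"},
    {"ip": "192.0.2.44", "port": 25,
     "banner": "220 mx01.example-cloud.test ESMTP Exim 4.72 Wed, 22 May 2013 11:00:01 +0000"},
    {"ip": "203.0.113.80", "port": 25, "banner": "220 mail.other-host.test ESMTP Postfix"},
    {"ip": "192.0.2.200", "port": 25, "banner": "220 mail.other-host.test ESMTP Postfix"},
    {"ip": "198.51.100.99", "port": 25, "banner": "220 smtp.unrelated.test ESMTP Sendmail 8.14.4"},
]

# RFC 5322-style date that Exim and others append to the 220 greeting.
DATE_TAIL = re.compile(
    r"\s+(Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Za-z]{3}\s+\d{4}"
    r"\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4}\s*$"
)


def banner_fingerprint(banner: str) -> str:
    """Drop the volatile timestamp and collapse whitespace so that two
    servers deployed from the same image produce the same fingerprint."""
    stripped = DATE_TAIL.sub("", banner.strip())
    return " ".join(stripped.split())


def ip_range(ip: str) -> str:
    """Coarse 'range' of a host: its /24 (assumption, see lead-in)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_index(records):
    """Map (port, fingerprint) -> set of IPs presenting that banner."""
    index = defaultdict(set)
    for rec in records:
        index[(rec["port"], banner_fingerprint(rec["banner"]))].add(rec["ip"])
    return index


def pivot_from_seeds(records, seed_ips, min_ranges=2, max_hosts=50):
    """Expand a set of known-bad IPs to hosts sharing their exact banner.

    A cluster is reported only if it spans at least `min_ranges` distinct
    /24s (one range could simply be one provider's default image) and is
    not so common (> `max_hosts`) that the banner is a stock default."""
    index = build_index(records)
    seeds = set(seed_ips)
    findings = {}
    for (port, fp), ips in index.items():
        seed_hits = ips & seeds
        if not seed_hits or len(ips) > max_hosts:
            continue
        ranges = {ip_range(ip) for ip in ips}
        if len(ranges) < min_ranges:
            continue
        findings[(port, fp)] = {
            "seed_ips": sorted(seed_hits),
            "new_ips": sorted(ips - seeds),   # candidates for further vetting
            "ranges": sorted(ranges),
        }
    return findings


if __name__ == "__main__":
    # One seed IP taken from the (constructed) incident data.
    for (port, fp), hit in pivot_from_seeds(SCAN_RECORDS, ["198.51.100.10"]).items():
        print(f"port {port} banner {fp!r}")
        print("  seeds :", hit["seed_ips"])
        print("  new   :", hit["new_ips"])
        print("  ranges:", hit["ranges"])
```

The "new_ips" are leads, not verdicts: the analyst still has to confirm each one with DNS requests and malware behaviour, as the email describes.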

GUI pret-à-portèr

The «Big Picture»

Domain map of the attack infrastructure. Yellow and orange nodes constitute domains, blue are IP addresses, and purple are autonomous systems (AS). Green nodes are domains that are not part of any attack pattern, but are interesting in this context.
Conclusions

• Everything has changed.
• You just cannot fight this war on your own anymore. You may win a single battle, but it won’t be enough.
• If you are insecure, I will be insecure too….
• Information Sharing, Security Awareness, Attacker Profiling, a balanced InfoSec approach & processes: this is what you need.
• Ask for technical solutions from the Security Industry, be compliant with security standards and regulations, but don’t forget both taking from and giving back to the security communities.
A gift for you all here! 

● Get your own, FREE copy of “F3” (Freedom from Fear, the United Nations magazine) issue #7, totally focused on Cybercrimes!

DOWNLOAD:
● www.FreedomFromFearMagazine.org
● Or, email me and I will send you the full PDF (10MB)

Reading Room /1
● Spam Nation, Brian Krebs, 2014
● Kingpin, Kevin Poulsen, 2012
● Profiling Hackers: the Science of Criminal Profiling as applied to the world of hacking, Raoul Chiesa, Stefania Ducci, Silvio Ciappi, CRC Press/Taylor & Francis Group, 2009
● H.P.P. Questionnaires 2005-2012
● Fatal System Error: the Hunt for the new Crime Lords who are bringing down the Internet, Joseph Menn, Public Affairs, 2010
● Stealing the Network: How to 0wn a Continent, (an Identity), (a Shadow) (V.A.), Syngress Publishing, 2004, 2006, 2007
● Stealing the Network: How to 0wn the Box, (V.A.), Syngress Publishing, 2003
● Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier, Suelette Dreyfus, Random House Australia, 1997
● The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Clifford Stoll, Doubleday (1989), Pocket (2000)
● Masters of Deception: the Gang that Ruled Cyberspace, Michelle Slatalla & Joshua Quittner, HarperCollins, 1995
● Kevin Poulsen, Serial Hacker, Jonathan Littman, Little & Brown, 1997
● Takedown, John Markoff and Tsutomu Shimomura, Sperling & Kupfer (Hyperion Books), 1996
● The Fugitive Game: online with Kevin Mitnick, Jonathan Littman, Little & Brown, 1997
● The Art of Deception, Kevin D. Mitnick & William L. Simon, Wiley, 2002
● The Art of Intrusion, Kevin D. Mitnick & William L. Simon, Wiley, 2004
● @ Large: the Strange Case of the World’s Biggest Internet Invasion, Charles Mann & David Freedman, Touchstone, 1998
Reading Room /2
● The Estonia attack: Battling Botnets and online Mobs, Gadi Evron, 2008 (white paper)
● Who is “n3td3v”?, by Hacker Factor Solutions, 2006 (white paper)
● Mafiaboy: How I cracked the Internet and Why it’s still broken, Michael Calce with Craig Silverman, 2008
● The Hacker Diaries: Confessions of Teenage Hackers, Dan Verton, McGraw-Hill Osborne Media, 2002
● Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner, Simon & Schuster, 1995
● Cyber Adversary Characterization: auditing the hacker mind, Tom Parker, Syngress, 2004
● Inside the SPAM Cartel: trade secrets from the Dark Side, by Spammer X, Syngress, 2004
● Hacker Cracker, Ejovi Nuwere with David Chanoff, Harper Collins, 2002
● Compendio di criminologia, Ponti G., Raffaello Cortina, 1991
● Criminalità da computer, Tiedemann K., in Trattato di criminologia, medicina criminologica e psichiatria forense, vol. X, Il cambiamento delle forme di criminalità e devianza, Ferracuti F. (a cura di), Giuffrè, 1988
● United Nations Manual on the Prevention and Control of Computer-related Crime, in International Review of Criminal Policy – Nos. 43 and 44
● Criminal Profiling: dall’analisi della scena del delitto al profilo psicologico del criminale, Massimo Picozzi, Angelo Zappalà, McGraw Hill, 2001
● Deductive Criminal Profiling: Comparing Applied Methodologies Between Inductive and Deductive Criminal Profiling Techniques, Turvey B., Knowledge Solutions Library, January 1998
● Malicious Hackers: a framework for Analysis and Case Study, Laura J. Kleen, Captain, USAF, US Air Force Institute of Technology
● Criminal Profiling Research Site. Scientific Offender Profiling Resource in Switzerland. Criminology, Law, Psychology, Täterpro
International press on the case study

• http://www.csoonline.com/article/733709/attack-on-telenor-was-part-of-large-cyberespionage-operation-with-indian-origins-report-says?source=CSONLE_nlt_salted_hash_2013-05-21
• http://www.cio.com/article/733712/Peculiar_Malware_Trail_Raises_Questions_About_Security_Firm_in_India?taxonomyId=3089
• http://www.eweek.com/security/cyber-spying-campaign-traced-back-to-india-researchers/
• http://www.pcworld.com/article/2039257/attack-on-telenor-was-part-of-large-cyberespionage-operation-with-indian-origins-report-says.html
• http://www.scmagazine.com/espionage-hacking-campaign-operation-hangover-originates-in-india/article/294135/
• http://www.zdnet.com/aggressive-espionage-for-hire-operation-behind-new-mac-spyware-7000015613/
• http://www.techweekeurope.co.uk/news/india-pakistan-cyber-attack-norman-116749
• http://www.all-about-security.de/wirtschaftsnachrichten/artikel/15218-der-erste-grosse-cyberspionageangriff-aus-indien/
• http://www.com-magazin.de/news/sicherheit/cyberspionageangriff-indien-121848.html
• http://www.globalsecuritymag.fr/Le-rapport-des-cyber-recherches-de,20130521,37378.html
• http://www.pcadvisor.co.uk/news/security/3448255/attack-on-telenor-was-part-of-large-cyberespionage-operation-with-indian-origins-report-says/
• http://www.thedatachain.com/news/2013/5/norman_shark_cyber_research_report_uncovers_first_large_cyber_espionage_activity_emanating_from_india
• http://www.indianexpress.com/news/sophisticated-indian-cyberattacks-targeted-pak-military-sites-report/1118547/1
• http://www.net-security.org/secworld.php?id=14927
• http://persberichten.com/persbericht/73650/Cyber-Research-rapport-van-Norman-Shark-onthult-eerste-grote-cyberspionage-operatie-vanuit-India
• http://www.toolinux.com/Un-cyber-espionnage-de-taille-venu
• http://itrpress.com/communique/34785/rapport-cyber-recherches-norman-shark-revele-grand-jour-plus-grande-activite-cyber-espionnage-jamais-connue-originaire-inde

Contacts, Q&A
• Need anything, got doubts, wanna ask me something?
  – rc [at] security-brokers [dot] com
  – Pub key: http://www.security-brokers.com/keys/rc_pub.asc

Thanks for your attention!

QUESTIONS?

EXTRA Material

HPPV1.0 - Zoom: correlation standards
 Gender and age group
 Background and place of residence
 How hackers view themselves
 Family background
 Socio-economic background
 Social relationships
 Leisure activities
 Education
 Professional environment
 Psychological traits
 To be or to appear: the level of self-esteem
 Presence of multiple personalities
 Psychophysical conditions
 Alcohol & drug abuse and dependencies
 Definition or self-definition: what is a real hacker?
 Relationship data
 Handle and nickname
 Starting age
 Learning and training modalities
 The mentor's role
 Technical capacities (know-how)
 Hacking, phreaking or carding: the reasons behind the choice
 Networks, technologies and operating systems
 Techniques used to penetrate a system

 Individual and group attacks
 The art of war: examples of attack techniques
 Operating inside a target system
 The hacker's signature
 Relationships with the System Administrators
 Motivations
 The power trip
 Lone hackers
 Hacker groups
 Favourite targets and reasons
 Specializations
 Principles of the Hacker Ethics
 Acceptance or refusal of the Hacker Ethics
 Crashed systems
 Hacking/phreaking addiction
 Perception of the illegality of their actions
 Offences perpetrated with the aid of IT devices
 Offences perpetrated without the use of IT devices
 Fear of discovery, arrest and conviction
 The law as deterrent
 Effect of convictions
 Leaving the hacker scene
 Beyond hacking

| DETERRENCE EFFECT OF: | LAWS | CONVICTIONS SUFFERED BY THEM | CONVICTIONS SUFFERED BY OTHER HACKERS | TECHNICAL DIFFICULTIES |
|---|---|---|---|---|
| Wanna Be Lamer | NULL | NULL | ALMOST NULL | HIGH |
| Script Kiddie | NULL | NULL | HIGH: they stop after the 1st conviction | HIGH |
| Cracker | NULL | NULL | NULL | MEDIUM |
| Ethical Hacker | NULL | NULL | HIGH: they stop after the 1st conviction | NULL |
| Quiet, Paranoid, Skilled Hacker | NULL | NULL | NULL | NULL |
| Cyber-Warrior | NULL | NULL | NULL: they do it as a job | NULL |
| Industrial Spy | NULL | NULL | NULL: they do it as a job | NULL |

EXTRA MATERIAL
→ Lesson learned?
I. Information Sharing and PPP (Public-Private Partnerships) are a "must-have" in the InfoSec (and "Cybersecurity") world:
 Gov CERTs
 Independent Security Communities
 Investigation speed:
   Knowing the procedures
   Direct field experience
   Network of contacts
 Concrete, operational collaboration among victims, ISPs and ICT security experts
II. If this happened to a TLC operator in Northern Europe, did it possibly happen in other countries as well?
 Did we know it? Did we realize we had been attacked, breached, exfiltrated?
III. The Cyber Espionage world is moving towards the outsourcing of "APT-based" attacks…
 … which was already there! The difference is that now it is incredibly cheap and is coming from India, a country with average-good hacking know-how and huge experience with IT outsourcing, well known for prices much lower than in other markets;
 Sold by a private company: did we investigate a special, single, isolated case study? Or are these the first steps of something bigger?

→ Solutions
 Whether or not they qualify as APTs, over the last 3-4 years attacks have evolved, focusing on the human factor when dealing with targeted espionage and taking advantage of:
 Ignorance of the victims (lack of education, basic training, security awareness, simulations);
 Exposure and visibility of companies and their employees on the Social Networks;
 Contractors and external suppliers;
 BYOD (Bring Your Own Device: smartphones, tablets);
 "Remote working";
 Lack of dialogue and information exchange with other market players (even competitors!);
 Lack of procedures (approved, ready-to-go, tested) for Incident Handling, Digital Forensics and, above all, "PR Security Management".

 The "solution"? There is no panacea which "fixes everything". But: good sense, personnel education and being ready to manage such incidents.
 Speaking with the management, getting the authorizations approved
 Security Awareness at all of the company's levels
 Specific trainings (IT department, software developers, Security department, Blue Team) and practical simulations at least yearly (2-3 per year is better)
 The most important thing: work along with colleagues from different departments, such as Legal, Human Resources, Marketing, Sales!!

