Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tallinn ManualGeo-location in Cyberwar Apps Computrace Cyber Operations Stuxnet & family (US + Israel ???) Orchard (Israel) + Neptune’s Spear (US) ATP1.

Similar presentations

Presentation on theme: "Tallinn ManualGeo-location in Cyberwar Apps Computrace Cyber Operations Stuxnet & family (US + Israel ???) Orchard (Israel) + Neptune’s Spear (US) ATP1."— Presentation transcript:



3 Tallinn ManualGeo-location in Cyberwar Apps Computrace Cyber Operations Stuxnet & family (US + Israel ???) Orchard (Israel) + Neptune’s Spear (US) ATP1 (China) Hangover (India) Nettraveler (China) Prism (US)


5 Rule 11-Definition of Use of Force. A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force. Rule 30-Definition of Cyber Attack. A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.

6 Rule 2-Jurisdiction : Without prejudice to applicable international obligations a State may exercise its jurisdiction: (a) over persons engaged in cyber activities on its territory; (b) over cyber infrastructure located on its territory; and (c) Extraterritorially, in accordance with international law.

7 Rule 21-Geographical Limitations. Cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict.













20 Parts of Computrace Application Agent Persistent Module

21 Persistent Module installed in BIOS / Firmware Reinstalled MISSING Reinstalled MISSING Reinstalled MISSING (from OS) Agent communicate with Absolute Monitoring Centre at regular interval (Non-removable part of BIOS) Self-healing capability repair the Persistent Module in case BIOS flashed!! -or- -or-

22 This is How actual Recovery process works: Once Computer Agent installed& Computer Stolen Owner contact Absolute Software Absolute Software coordinate with Law Enforcement Agency to recover Stolen Laptop Location of Stolen Laptop identified by (IP Address, Region) Absolute Theft Recovery Team remotely communicate with stolen Laptop once online

23 Computrace partners Computrace partnered with mentioned firm to embed Computrace-agent-module in firmware of their machines

24 Some facts about computrace It is stealthy >200Kb of disk space > 200 kbps of bandwidth (for video) Agent contacts the Monitoring Centre at least once a day Real Time Services allows any time to contact and execute commands such as data delete, device freeze, Camera/screen capture geolocation

25 Hardware backdoors are lethal, because: They can be injected at manufacturing time – (without your knowledge) They are small & stealth – (requires less than 200kb of disc space & bandwidth) They can’t be removed by any known means – (formatting/OS reinstallation/AV/HDD replacement) They can circumvent other types of security – (because of a trusted, small, stealthy & persistent module) Hardware backdoor is no more an imagination, its practical

26 Hardware backdoor is no more an imagination, it’s practical Schneier: possible backdoor in IPMI, iDRAC, IMM2, iLO these chips are on motherboardsIt is a perfect spying platformYou can't control it, You can't patch it It can completely control your computer's hardware and software its purpose is remote monitoring Click image to read paper

27 Hardware backdoor is no more an imagination, it’s practical Captured Intel Drone – An American Intelligence Disaster? “In the case of the stolen CIA drone, the hardware with the backdoor was most likely embedded within the telemetry system, which is the multi- function brain of the drone, in fact every system within the drone is routed through the telemetry system, every sensor, every control, everything” “Once that hardware is triggered it is programmed to change the all the other frequencies used to control the secret drone and allow the Iranians to take total and complete control.” Click image to read main article

28 What if Computrace like technology misused? Can become a perfect backdoor Persistent Stealthy Portable (hardcoded in motherboard) Remote Access & Remote update No platform dependency Non-detectable by AV consider the impact of a compromised device in a military environment, or in a massive distribution of technological systems of large diffusion.

29 Realistic Attack Scenario what if someone hardcoded this type of backdoor in a motherboard and put it up for sell

30 Realistic Attack Scenario or what if a nation state / government make use of this technology to access your private information

31 Cyber-conflicts through ages YearOperation Name SuspectVictimType of Operation 1998Moonlight Maze RussiaUSSurveillance 2003Titan RainChinaUSSurveillance 2006WikileaksJulian Assnage Nation StatesHacktivism & Espionage 2007Tullinn Cemetery RussiaEstoniaWebsite defacement & Denial of Service Attack 2007OrchardIsraelSyriaPhysical Destruction of Nuclear Fuel Refining plant 2008South Ossetia War RussiaGeorgiaWebsite defacement & Denial of Service Attack 2009AuroraChinaUS IndustryEspionage 2009GhostnetChinaTibetan government-in- exile, India Espionage

32 Cyber-conflicts through ages YearOperation NameSuspectVictimType of Operation 2010Night DragonChinaOil & Natural Gas companies Industrial Espionage 2010 Stuxnet & DuquUS/ IsraelIranCyber weapon 2011Occupy Movement AnonymousNation StatesHacktivism 2012FlameUS/ IsraelIranCyber weapon 2012Iran retaliatesIranUS BanksSurveillance & Denial of Service 2013Shanghai Group (ATP1) ChinaUSCyber Intelligence 2013Unnamed ( by NTRO) ChinaIndiaCyber Intelligence 2013HangoverIndiaPakistanCyber Intelligence 2013NettravelerChinaIndiaCyber Intelligence 2013PrismUSWorldCyber Intelligence


34 Source : Rayn Mayer

35 State Sponsored Multi- disciplinary groups of work force Knowledge of deep internals of PLC Specific Target Knowledge of personnel behavior of target Use of score of zero-day vulnerability at one go Use of Authentic (stolen) Digital Signatures

36 Stuxnet Geographical Distribution Source : Symantec Security Response

37 Source : on 10 April 2013 Stuxnet & family


39 Operation Orchard 6 th September 2007 Israel's 2007 bombing of an alleged atomic reactor in Syria was preceded by a cyber attack which neutralized ground radars and anti-aircraft batteries.





44 255 Kms 145 Kms


46 Key Findings APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department ( 总参三部二局 ), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398 部队 ). APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 focuses on compromising organizations across a broad range of industries in English-speaking Countries.

47 Key Findings In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language. The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.


49 Source

50 OPERATION HANGOVER The name, “Operation Hangover”, was derived from the name of one of the most frequently used malwares. The project debug path is often visible inside executable files belonging to this family.

51 Purpose & Objective To be a platform for surveillance against targets of national security interest been used for industrial espionage against the Norwegian telecom corporation Telenor and other civilian corporations

52 Highly-Targeted Social Engineering Tactics Decoy Files/websites were used – specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. The initial spear phishing mail contained two files as attachments – a document named “220113.doc”, and – an executable file “few important operational documents.doc.exe”

53 Infrastructure Development

54 Case expansion was through domain usage and registrations Domains registered by the attackers are “privacy protected”. – registrant has paid the domain registrar to withhold identity information related to the registration

55 Target data Hanove Uploaders recursively scan folders looking for files such as: Hanove keyloggers set up keyboard hooks or polls to capture keypresses and log these to a text file. Capture other data as well, such as clipboard content, screenshots, titles of open windows and content of browser edit fields. The stolen data are uploaded to remote servers by FTP or HTTP.

56 Target Selection

57 Attribution “continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin”

58 KimT on iOS






64 Top 10 Infected Countries













77 Recommendations Include Cyberwar in National Cyber Security Policy Evolve Cyber warfare doctrine and develop capacity to implement such doctrine Modify necessary orders (War-Book) defining change in structures where required to synergies national war efforts Define Rule-of- engagement for Cyberwar to prevent unintended escalation of war War objectives, scenarios and targets should be defined to develop appropriate cyber- weapons Develop penetration tools indigenously Establish close coordination amongst agencies and defence forces

78 Recommendations Maintain database of capable persons who can be enlisted or used as militia for Cyberwar Develop capabilities to synthesis of cyber- intelligent inputs Establish Cyber- operation Centres Allocate area of responsibility in cyberspace to avoid fratricide and waste of efforts Maintain presence in social-media for psy- ops and intelligence gathering Build human resource capacity build capacity for artefact analysis for cyber-battle-damage- assessment

79 Proposed Structure for Cyberwar Management



Download ppt "Tallinn ManualGeo-location in Cyberwar Apps Computrace Cyber Operations Stuxnet & family (US + Israel ???) Orchard (Israel) + Neptune’s Spear (US) ATP1."

Similar presentations

Ads by Google