Tallinn ManualGeo-location in Cyberwar Apps Computrace Cyber Operations Stuxnet & family (US + Israel ???) Orchard (Israel) + Neptune’s Spear (US) ATP1 (China) Hangover (India) Nettraveler (China) Prism (US)
TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBERWARFARE
Rule 11-Definition of Use of Force. A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force. Rule 30-Definition of Cyber Attack. A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.
Rule 2-Jurisdiction : Without prejudice to applicable international obligations a State may exercise its jurisdiction: (a) over persons engaged in cyber activities on its territory; (b) over cyber infrastructure located on its territory; and (c) Extraterritorially, in accordance with international law.
Rule 21-Geographical Limitations. Cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict.
Parts of Computrace Application Agent Persistent Module
Persistent Module installed in BIOS / Firmware Reinstalled MISSING Reinstalled MISSING Reinstalled MISSING (from OS) Agent communicate with Absolute Monitoring Centre at regular interval (Non-removable part of BIOS) Self-healing capability repair the Persistent Module in case BIOS flashed!! -or- -or-
This is How actual Recovery process works: Once Computer Agent installed& Computer Stolen Owner contact Absolute Software Absolute Software coordinate with Law Enforcement Agency to recover Stolen Laptop Location of Stolen Laptop identified by (IP Address, Region) Absolute Theft Recovery Team remotely communicate with stolen Laptop once online
Computrace partners Computrace partnered with mentioned firm to embed Computrace-agent-module in firmware of their machines
Some facts about computrace It is stealthy >200Kb of disk space > 200 kbps of bandwidth (for video) Agent contacts the Monitoring Centre at least once a day Real Time Services allows any time to contact and execute commands such as data delete, device freeze, Camera/screen capture geolocation
Hardware backdoors are lethal, because: They can be injected at manufacturing time – (without your knowledge) They are small & stealth – (requires less than 200kb of disc space & bandwidth) They can’t be removed by any known means – (formatting/OS reinstallation/AV/HDD replacement) They can circumvent other types of security – (because of a trusted, small, stealthy & persistent module) Hardware backdoor is no more an imagination, its practical
Hardware backdoor is no more an imagination, it’s practical Schneier: possible backdoor in IPMI, iDRAC, IMM2, iLO these chips are on motherboardsIt is a perfect spying platformYou can't control it, You can't patch it It can completely control your computer's hardware and software its purpose is remote monitoring Click image to read paper
Hardware backdoor is no more an imagination, it’s practical Captured Intel Drone – An American Intelligence Disaster? “In the case of the stolen CIA drone, the hardware with the backdoor was most likely embedded within the telemetry system, which is the multi- function brain of the drone, in fact every system within the drone is routed through the telemetry system, every sensor, every control, everything” “Once that hardware is triggered it is programmed to change the all the other frequencies used to control the secret drone and allow the Iranians to take total and complete control.” Click image to read main article
What if Computrace like technology misused? Can become a perfect backdoor Persistent Stealthy Portable (hardcoded in motherboard) Remote Access & Remote update No platform dependency Non-detectable by AV consider the impact of a compromised device in a military environment, or in a massive distribution of technological systems of large diffusion.
Realistic Attack Scenario what if someone hardcoded this type of backdoor in a motherboard and put it up for sell
Realistic Attack Scenario or what if a nation state / government make use of this technology to access your private information
Cyber-conflicts through ages YearOperation Name SuspectVictimType of Operation 1998Moonlight Maze RussiaUSSurveillance 2003Titan RainChinaUSSurveillance 2006WikileaksJulian Assnage Nation StatesHacktivism & Espionage 2007Tullinn Cemetery RussiaEstoniaWebsite defacement & Denial of Service Attack 2007OrchardIsraelSyriaPhysical Destruction of Nuclear Fuel Refining plant 2008South Ossetia War RussiaGeorgiaWebsite defacement & Denial of Service Attack 2009AuroraChinaUS IndustryEspionage 2009GhostnetChinaTibetan government-in- exile, India Espionage
Cyber-conflicts through ages YearOperation NameSuspectVictimType of Operation 2010Night DragonChinaOil & Natural Gas companies Industrial Espionage 2010 Stuxnet & DuquUS/ IsraelIranCyber weapon 2011Occupy Movement AnonymousNation StatesHacktivism 2012FlameUS/ IsraelIranCyber weapon 2012Iran retaliatesIranUS BanksSurveillance & Denial of Service 2013Shanghai Group (ATP1) ChinaUSCyber Intelligence 2013Unnamed ( by NTRO) ChinaIndiaCyber Intelligence 2013HangoverIndiaPakistanCyber Intelligence 2013NettravelerChinaIndiaCyber Intelligence 2013PrismUSWorldCyber Intelligence
State Sponsored Multi- disciplinary groups of work force Knowledge of deep internals of PLC Specific Target Knowledge of personnel behavior of target Use of score of zero-day vulnerability at one go Use of Authentic (stolen) Digital Signatures
Stuxnet Geographical Distribution Source : Symantec Security Response
Source : http://www.securelist.com/en/analysis/204792257/Kaspersky_Security_Bulletin_2012_Cyber_Weapons on 10 April 2013http://www.securelist.com/en/analysis/204792257/Kaspersky_Security_Bulletin_2012_Cyber_Weapons Stuxnet & family
Key Findings APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department ( 总参三部二局 ), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398 部队 ). APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously. APT1 focuses on compromising organizations across a broad range of industries in English-speaking Countries.
Key Findings In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language. The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.
OPERATION HANGOVER The name, “Operation Hangover”, was derived from the name of one of the most frequently used malwares. The project debug path is often visible inside executable files belonging to this family.
Purpose & Objective To be a platform for surveillance against targets of national security interest been used for industrial espionage against the Norwegian telecom corporation Telenor and other civilian corporations
Highly-Targeted Social Engineering Tactics Decoy Files/websites were used – specifically geared to the particular sensibilities of regional targets including cultural and religious subject matter. The initial spear phishing mail contained two files as attachments – a document named “220113.doc”, and – an executable file “few important operational documents.doc.exe”
Case expansion was through domain usage and registrations Domains registered by the attackers are “privacy protected”. – registrant has paid the domain registrar to withhold identity information related to the registration
Target data Hanove Uploaders recursively scan folders looking for files such as: Hanove keyloggers set up keyboard hooks or polls to capture keypresses and log these to a text file. Capture other data as well, such as clipboard content, screenshots, titles of open windows and content of browser edit fields. The stolen data are uploaded to remote servers by FTP or HTTP.
Recommendations Include Cyberwar in National Cyber Security Policy Evolve Cyber warfare doctrine and develop capacity to implement such doctrine Modify necessary orders (War-Book) defining change in structures where required to synergies national war efforts Define Rule-of- engagement for Cyberwar to prevent unintended escalation of war War objectives, scenarios and targets should be defined to develop appropriate cyber- weapons Develop penetration tools indigenously Establish close coordination amongst agencies and defence forces
Recommendations Maintain database of capable persons who can be enlisted or used as militia for Cyberwar Develop capabilities to synthesis of cyber- intelligent inputs Establish Cyber- operation Centres Allocate area of responsibility in cyberspace to avoid fratricide and waste of efforts Maintain presence in social-media for psy- ops and intelligence gathering Build human resource capacity build capacity for artefact analysis for cyber-battle-damage- assessment