Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for September 2012

Cyberwar, Cyberdouchery, and Where The Rubber Meets The CyberRoad

leave a comment »

BEGIN//

Uso Xqx gukk: Xyc cpu sw zol kz sw tkrbp zpditaeeag rp xyh Gncai.

Zr kq b qrwhyt vj cghc bru gsuvo, e imcb fmkksl vv wrdgrz si wc lwpr. Ycpaf mk lg u ubfacer pj zqeokyc nfkai grq ch pv etaqsox sh byisitrgb.

\\END

CYBER CYBER CYBER CYBER WAR! (A new song by Culture Club soon!)

I have been more quiet lately due to being a little burned out on the whole INFOSEC scene. The usual groups of factions are bellowing their usual bloviations and rutting like wild animals online, locking horns with others for dominance. It all frankly makes me just want to step back into my blind and clean my weapon, but, it also gives me pause to think and reflect on it all. It has been in this mode that I have sat and watched the “cyberwars” continue to amp up with the Kaspersky’s of the world finding more and more malware to write neat little papers on how they work and how “nation-statey” they are (oddly though never Russian in origin.. Gee I wonder why?) 

Others out there are writing treatises on how “Cyberwar” will work all the while there has been no real definition put down and agreed upon by the masses as to what “cyberwar/Cyber-War/Cyber-Warfare” really is. It has not been codified really, even with the recent UN Tallinn document:

“A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”
Tallinn Manual on The International Law Applicable to Cyber Warfare – Michael N. Shmitt

Without a common definition we are all left with a great amount of confusion and gray area to move forward and commit actions that may or may not be “war” because there is no set ground rules, law, or definitions. So, here we are, we have all these people making a great hue and cry, plans and deeds, all without really understanding perhaps the potentials for their actions, all eager to get in on the ground floor of the “new war” and yes, you gentle INFOSEC reader are also part and parcel, willing participants to it all as well. The “cyberdouchery” it seems cannot be washed from your hands as well, and this includes me I think.

Mea culpa.. Mea culpa…

While reflecting in my recently infected state (pre-con flu) I sat down with the laptop and watched “Cyberwar: Not what we were expecting” a BruCon presentation that I had a hand in with Josh and Brian. The presentation went well, and as I had seen and thought about the material before, having had discussions with both in the process of creation, I began to have a bit of a paradigm change in thought on this after the final presentation. I looked back at my own mind set and writings on the douchery and realized my own shortsightedness, I too had fallen prey to the “cyberwars” and the only conclusion I could have now is that they are upon us, no matter the definition and I had better think on that.

Let’s face facts here… No matter how many times we call douchery, it’s here…

For all of the high handed railing that I have done in the past, I perhaps had missed the salient fact that people are people, and that we as a society will always latch on to the new “thing” that is super cool, but may in fact be the worst thing for us (think of the iPhone madness) We as a species, tend to go, like many other creatures, say parrots or cockatiels, for the “shiny things” It’s just our nature. So how much more shiny than anything else is the notion of a clean “cyberwar” where we take out the enemy with a click of the button, no, not with kinetic explosions but instead with the lights just going out or a centrifuge breaking.

Yeah, sound familiar?

This neat idea though could in fact cause some dystopian scenarios to happen and yes, in the idea of “war” as we commonly know it, kinetic actions (i.e. tanks and planes and bombs) would likely be employed as well, but, this in fact may not be the end goal of “cyberwar” in the minds eye of those dreaming and plotting it. After all, I would say that we are in the era of the “cyberwars” now in fact, and the only use of kinetic force seems to be only taking place in the non declared wars in Afghanistan and now the Horn of Africa right?

The “cyberwars” though, have been playing out mostly quietly, bits and bytes doing their non kinetic (mostly) damage, stealing data for financial gain or other espionage goals. Both nation state as well as personal, group, non nation state, whatever you decide to name the actors as, they are doing it, right now.. You can almost hear the clicks of the hard drives now right?

It’s really just a war of packet attrition… But then again I hear you thinking,

“But, you said war.. and well, that’s not war.. That’s espionage and maybe sabotage”

Well, yes, but, then there’s this notion of “Cold War” to deal with.

“Christ, I miss the Cold War.” (Cold War vs. Hot War)

The above quote was one of my favorites from “Casino Royale”, the recent re-boot of the James Bond story line. I find it apropos to this discussion as even with Josh and Brian, the idea of the nomenclature of war has been somewhat nebulous really. The idea of a “cold war” seemed elusive to them and perhaps even to me in some way, though I lived through the cold war and was actually in East Germany briefly just before the wall fell. Seeing the “cold war” first hand kind of gives you a new perspective I guess, so I was a little more pliable to the idea that a cold war was in fact a war, just not one where we have outright battles being fought in the “open” and that’s the key here.

Cold War Noun:
A state of political hostility existing between countries, characterized by threats, violent propaganda, subversive activities, and…
The state of political hostility that existed between the Soviet bloc countries and the US-led Western powers from 1945 to 1990.

Cyberwar, is the new “black” of Cold War.

See what I am getting at here? Sure, there can be an all out war that employs a “digital aspect” to it, (i.e. disrupting comms and supply chains) but also, the mainstay thus far of digital warfare is “information war” and this is much closer to “cold warfare” as it has ever been as you can see from the standard definition. Case in point, we are trying to contain Iran from having its own nuclear weapons. What have we been doing? Well, sanctions, propaganda, espionage, and now, post Stuxnet, digital sabotage of their programs as well as great swaths of digital thievery of their data to see just how far along they are.

Now, look up at that definition again and think about it… See what I’m saying here? Of course this is one element though and there are others like the kinetic typical warfare also described. Actions in tandem (digital and physical/kinetic) like that of Estonia but you get the point. It’s mostly, at this point, about cold war tactics to manipulate an enemy without committing to all out warfare and that’s the rub. Of course there are many war planners out there looking at plans to do more than just manipulate an enemy politically, that’s more the bailiwick of the likes of the CIA and other three letter agencies.

Diplomacy it seems, has a new tool in it’s little black bag…. As does the military sector.. Truly “Dual use” technology here.

State vs. Non State, War vs. Non War (What’s in a name?)

In the rubric though of “cyberwar” lately, we have seen arguments made (some unqualified, some quite qualified) about just what it constitutes and one of those factors has been whether or not the actors are “state or non state” actors. I would put it to you right up front, who’s to say who is or is not state actors to start with? Have none of you ever heard about proxy wars? I mean come on people, we lived through the 80’s and the wars being fought by proxy and still you guys don’t get it?

Iran Contra

Afghanistan and the Mujahideen

The War on Drugs

The Current War on Drugs with boots on the ground in Mexico (CIA/MIL)

So, you are going to quibble over nation state and non nation state actors in cyber warfare? What’s more, you are going to do so when attribution is so damned hard? Wow, the hubris of it is just stunning on some people’s parts within this community. Talk about douchery, just take a look around people. Sure, there is a lot of douchery going around, but I just have to say look in the mirror here and take a good long look. I think we all could be blamed just as equally here.

Actions taken by entities, in this arena (cyber-warfare) no matter the attribution, which may be wholly wrong mind you, can always have a sliver of doubt attached to them as to whether they are a proxy of a nation. It’s as simple as that. So, in the case of say the Georgia DDoS that happened, who can be sure, unless they have a really solid HUMINT report in hand, that this attack was not in some way or shape condoned or sponsored by the Russian government or factions thereof?

*silence.. baleful stare*

All I’m really saying is that the world is grey and to make great pronouncements of “I know shit” isn’t going to cut it in reality, and that even goes for me. Like they say on the internets, photo’s or it never happened. What can be said though, is that it would seem, from all evidence within the media machine and the rhetoric of the governments of the world, that the Dr. Cyberlove’s of the world are beating the drums for “cyberwar” pretty damn hard… And that the governments are scurrying to get a piece of the action.

“A fool with a tool.. Is still a fool” (Or: Simians flinging digital poo)

Which brings me to my next diatribe. As the title above says, a fool with a tool.. Is still a fool. Folks, we have all kinds of work going on developing 0day’s and plans of action by various warfighting units new and old. It seems that whenever we, as a race, come up with a new way to get over on the other guy, we mass produce and refine it without really thinking about the ramifications of our actions. It’s just human nature it seems, but in cases like this we just rush headlong into it, like we did for so long with biological warfare.

“Surely digital warfare and code is nothing as bad as biological warfare” is what some of you are thinking out there now as you read these lines, and yes, you are right I think on the whole, but, there is always wiggle room for disaster right? The potentials for malware and unforeseen consequences are there and unlike Jericho’s take on the dangers of “cyberwar” now, I can give it a little more room for possible bad outcomes from what’s being created now. What will happen as we all reach the singularity that some are postulating as we network everything? Currently the grid is a big topic as we make the “smart grid”, a model that is already being attacked by hackers as well as perhaps nation states trying to gather intelligence on how it works/will work and how to manipulate it. This type of attack alone could be dual use, like the Stuxnet attack, it could be a way to manipulate a country and its policies, or the prelude to a further physical attack. Who’s to know until it happens right?

All in all, I just have to look on in wonder at the hubris of the whole affair. We truly are monkeys with digital guns. Unfortunately today we have political systems that are short sighted and, in the case of our own here in the US, groups of diametrically opposed morons in a political election cycle that looks much more like a high school election campaign for prom queen. These are the people in the political office that direct the policies and war plans for us, which now include the idealistic ideas of “clean cyber warfare, targeted and with little blowback or collateral damage”

Monkeys with digital guns…

Cyberwar and YOU

Well, so here we are, we are in the age of the “Cyberwars” as much as the term might stick in the craw of many in the community. I would put it to you that as a person with anything online, you are a target. Whether it be the cyberwarfare of the state, or the cyber machinations of the criminal gang seeking to steal your money or your data, we all are under the same threats. Infrastructure as well as your personal PC are targets within a larger game of digital Stratego. Face the fact, live with it a while, and then think about what you can do to insulate yourselves a bit better.

It seems that even if you do not have a computer (some don’t.. no, really!) you still have a digital presence online because the companies that you do business with have one. The governments have their records online and those records are your records! There is no escaping it really, you are a part of the picture and you should get used to the idea. The power that you suck up every day with your digital toys is somewhat vulnerable and a target, and even if the adversary cannot take out the whole country, let me tell you from experience, just take out one state and see the shit fly because people don’t have power. Where I live we had that big storm a year ago and when people could not get their gas to power their generators it started getting hairy, and that was with the power only being out a week or so. Imagine if it were in fact long term? It’s the people’s reactions (base and territorial) that worries me more than the power being off.

So, whether it’s your data, your power, or your money, you too are a cog in the vast cyberwar machine that is all the rage. Will bad things happen? Maybe. Will epic and tragically bad things happen? Maybe. I am not short sighted enough to say it won’t ever happen, nor can I say that these attacks will not be employed by some foreign power or Bondian villain. I’m just saying it is possible, not overly likely, but look at all the work going on at DARPA and other places looking into how to make it a reality.

The cyberwar is upon us and we had best start taking it seriously because people in power are making plans, and like biological warfare, it seems perhaps there could be unforeseen cirucmstances that could trigger bigger and worse things.

Plan accordingly and think a bit more cogently.

K.

Written by Krypt3ia

2012/09/29 at 13:16

Peter the Great Versus Sun Tzu: DEATH MATCH!

with one comment

gioaumyoljglrxqi

“Douchery, it seems, like life, always finds a way”

Even in the shallowest of pools, the most vile of biological sludge can dwell.. And so it seems that the friendly folks at Trend Micro have decided to put out a little pdf on how the different kinds of APT act, rating them against greater entities from history. In other words, they put out a pile of crap and think that they have done the world a great service in laying said pile of crap where you can trod in it.

The paper, “Peter the Great Versus Sun Tzu” alleges that a comparison can be made between the varying actors in malware creation and use today. They have broken this down into a battle royal between the “Asians” (i.e. China) and the “Eastern Europeans” (i.,e. The Russians) which, is just patently stupid, but, lets choke down the bile for a bit to really look at their “research” shall we? Let’s look first at the players in this game, well the ones other than an AV firm looking to get their horse into the APT game that is…

First off, the paper is co-mingling and APT vs Crimeware activities while trying to compare the two which is somewhat dubious in my opinion. Why? Because as there are different goals here and widely different time tables as well as assets available. Crimeware may have come a long way, but, it is not at all at the level of the espionage game being played not only by China, but also Russia as well as a host of other countries in the game today. So, just to focus on these two is rather short sighted to start, but wait, it gets worse! They go on to look at the structure of the orgs as well comparing each to a thought leader in their country, thus we have Sun Tzu and Peter The Great.. Which, uhh, well, Peter The Great? Really? I’da gone with Rasputin or something like that but ok…

Secondly, the paper then goes on to talk about infrastructures and timetables of each group’s modus operandi claiming that there was extensive research into it. Of course the only research that they link to was a paper on the Chinese syndicates on their blog. They do link to a couple other studies on past malware packages but really, where’s the love for the Russians here? What’s more, the author then goes on to talk about how the players are like mercenaries (Russia) and Foot Soldiers (China) which in a stretch can be almost made, but, there is much more complexity to this issue of operations than an eight page document allows for. Sorry, but you are glossing over so many salient facts that must be talked about here that it all just makes the point of the exercise laughable.

What’s more here, uhh how is this going to help anyone looking for help with APT with your product Trend? Do you have some magical “Sun Tzu Difference Engine” that we don’t know about yet? Look, it’s all good that you want to investigate the players and you think that you can look to be better equipped as an AV company to deal with these threats, but nothing in this document has anything to do with real world countermeasures or, for that matter, solid information or understanding of the mindset’s of the players here.

Not to mention, like I alluded to above, they are not the only players here. So… What was your point again? I mean, even your “tactical comparisons” were weak and only part of a larger and more complex picture that you just don’t seem to have a handle on. Otherwise I think you would have thought better than to release this on the internet.

“Sun Tzu is Angry…”

Ahh, well, here we have another aspect of this paper that I have a bone to pick with. I have had this discussion with Jericho on more than one occasion and to whit, anyone trying to kulge Sun Tzu into any cyberwar or cyber cyber cyber argument had better be well versed in two things.

1) Being able to think like a tactician

2) READ and have UNDERSTOOD all of Sun Tzu and The Art of War

All too often people wing out a single maxim and BANG! They are experts on this subject! No, no, you’re not there cowboy, now sit down and shut up mmmkay? In this instance, Sun Tzu’s name is used but not really related to at all within the document as a whole. No explanations on how the author conceived how Sun Tzu’s teachings about warfare at all affected or shaped the Chinese APT/Hackers/Malware Writers at all. Not. One. Word. So, exactly how does Sun Tzu fit in here other than a catchy title one wonders… I am going to hazard a guess that the author has not read and understood Sun Tzu… And I am further going to make a statement that that is just really douchey.

While the paper does have some inkling of the idea that there are different classes of hackers within China, they really have yet to emote any other understanding than that. It’s akin to saying there are many cats in the world.. “So many that there are all kinds!” Yeah, thank you, please sit down and learn with the class there Clyde… Look, there are many reasons for hackers and malware writers to be active. Many psychological reasons that are innumerable, but, there are some broader stroke ideas that can be made, and yes, some of them are political. See, we are all a product of our upbringing and in China, they are rather nationalist as a country, so sure, there would be a great swath of players out there doing it for their country or their pride. But, that’s not the whole picture nor are any others really written about in this paper.

Additionally, I nearly choked when the paper cited the “Thousand Grains of Sand” without any real preface or explanation thereof afterwards. All I’m saying here is that you need a better understanding of China, the MSS, and the players as a whole (Green Army to today’s patriotic outfits) as well as the Nation State players before you just release such drivel upon the world Trend.

Go read… Maybe talk to some hackers… Eight pages to explain the Chinese! HA! Do you know that they have 26k characters in their language right? Eight pages…

Sun Tzu is pissed and he will send the clay army after you soon.

“Peter The Great is pissed too!”

This brings me to the illusory statement about the Russian hackers being “Mercenaries” and on equal footing like the days of Peter when he removed the egalitarian nature of the army to allow for officers of any class to be made…

“Twattle”

It’s twattle and you should be beaten around the head and neck with a rubber fish for that one. How the hell do you get from there to the criminal gangs today? Hell, how do you even try to equate that to FSB/KGB/GRU activities being perpetrated by these groups? I mean, ok, sure, highest bidder for services and small groups of thugs sure, maybe the moniker of mercenary is apro pos but they are more like thugs and gangs than anything else.

Sure, they want to keep their trade secrets to sell to the highest bidder as well. So they take more time and patients with their infrastructure and coding. It only makes sense, but once again, what has this to do with your AV product? Do you have some sort of “Semiotics Engine” you are selling here? It’s all just backfill and not really fully fleshed out with, oh, facts and such. You know, citations maybe?

Yes the Russians have quite the syndicate of malware writer gangs and yes, they make lots of money… But if I wanted to know more about that, I’d talk to Brian Krebbs because, oh, he has experience and cites facts in his articles…

Just sayin…

“HEY YOU! YES YOU! OUT OF THE SHALLOW END OF THE INFOSEC POOL!”

In the end, I read this paper with increasing amounts of bile rising out of my duodenum with each word. It’s great that you want to take up this “research” and all, but, really, what’s it got to do with Sun Tzu, tactics, Peter the Great, or for that matter, your AV product? Will all this unsolicited and unsupported conjecture really give me an edge with your product line? Will the “Semiotics Engine” stop the next wave of crimeware phishing emails coming at me that try to connect to Turkish servers? Will that in fact tell me that it is really the Russians or the Baltic players? Or maybe this is all some sort of “Attribution Engine” you are developing for us all to understand the adversary better as you shrug your shoulders, palms up, and say “Sorry, our product didn’t stop that malware”

Do us all a favor and go make an engine that really works. Come up with a means to really protect our end users from phishing emails and their own stupidity (CLICK CLICK CLICK! HEY WHY WON’T THIS SCREENSAVER WORK?) because this paper, as you call it, is useless to me and everyone else out here in the real world looking for some kind of solution.

… And don’t come out of your lab til you have a real workable solution…

Why? Cuz Sun Tzu said so THAT’s WHY!

K.

Written by Krypt3ia

2012/09/21 at 19:38

The Four Horsemen of The INFOSEC Apocalyse and The Freak Power Ticket

leave a comment »

Wzvaafmokehpmvqnyvmja

Well, the time came and the time went for us all to get 1% of the CISSP’s of the world to sign our petitions to be in the race for the BoD of ISC(2). It seems that two of the four horsemen made it in (Dave and Chris) so congrats to them and well wishes on the next leg of this epic journey… That of getting “elected” Which also may be another fun exercise in the secret language and rules of ISC(2) as well. I swear at times it’s like trying to discern the real motives and mores of Skull and Bones more than some governance group for INFOSEC peeps I tell ya.

Anywho, I managed to get about 300+ sigs in the end and to all of you who sent me emails of support, I thank you. It was fun trying this, albeit I didn’t really lobby much here or “press the flesh” as they say *heh* Maybe next time around I will let Javvad run my campaign for me, cuz, well, he’s a master of deception.. Uhh.. I mean, a good political mover and shaker.. Yeah, that… Though, all of this will be tempered by what happens next for Dave and Chris. Will they be able to penetrate the old boy network? Will they be able to, once ensconced in the ISC(2) inner sanctum, make any kinds of change that would make the CISSP more meaningful?

Time will tell my friends…

Though, from experience thus far I am not holding out too much hope on this.. After all, Skull and Bones has been around for a long time and no one has leaked their inmost secrets.. CISSP and ISC(2) may remain the same. I just wonder where all the money goes…

Don’t you?

Let’s see how the election goes… Maybe there’ll be a bloody coup!

K.

Written by Krypt3ia

2012/09/18 at 14:50

Posted in ISC2

Three Days of The Condor… With Malware…

leave a comment »

Rvy taes eha qgcq tlmbvq tqsix. Px iiuz ytwtqn cvzl dek. Yxi dtf fq wjzbbuk. Yahpv moi riagk lbrzy mop hm xte bdibuk. Mnm o tty aulu gchd fqsrrv rvy, mnm o uhvv iiuz filr, mnm gfflsze hcl dusi, mjmsx lzqn cflla, aulu uvm vyf oo hyx jed. Awr yx dmxl bazel, e nelcdbuk emrzv. Ubx te fwce simvn cgxu xte mcfk vj fhn qrk hrp ootvk as sies phb e xioh.


Turner: Do we have plans to invade the Middle East?
Higgins: Are you crazy?
Turner: Am I?
Higgins: Look, Turner…
Turner: Do we have plans?
Higgins: No. Absolutely not. We have games. That’s all. We play games. What if? How many men? What would it take? Is there a cheaper way to destabilize a regime? That’s what we’re paid to do.
Turner: So Atwood just took the games too seriously. He was really going to do it, wasn’t he?
Higgins: A renegade operation. Atwood knew 54/12 would never authorize it, not with the heat on the company.
Turner: What if there hadn’t been any heat? Suppose I hadn’t stumbled on their plan?
Higgins: Different ballgame. Fact is, there was nothing wrong with the plan. Oh, the plan was all right, the plan would’ve worked.
Turner: Boy, what is it with you people? You think not getting caught in a lie is the same thing as telling the truth?
Higgins: No. It’s simple economics. Today it’s oil, right? In ten or fifteen years, food. Plutonium. And maybe even sooner. Now, what do you think the people are gonna want us to do then?
Turner: Ask them.
Higgins: Not now — then! Ask ’em when they’re running out. Ask ’em when there’s no heat in their homes and they’re cold. Ask ’em when their engines stop. Ask ’em when people who have never known hunger start going hungry. You wanna know something? They won’t want us to ask ’em. They’ll just want us to get it for ’em!
Turner: Boy, have you found a home. There were seven people killed, Higgins.
Higgins: The company didn’t order it.
Turner: Atwood did. Atwood did. And who the hell is Atwood? He’s you. He’s all you guys. Seven people killed, and you play fucking games!
Higgins: Right. And the other side does, too. That’s why we can’t let you stay outside.

The Geopolitics of Fossil Fuels

Since the discovery of fossil fuels (oil and the derivative of gas from it) we have had a real love affair with it. Though it was tough to get out of the ground and then refine into a usable product we decided that it was the best alternative to keeping our lights on and our cars running. Since then, the resources have become the aegis of foreign and domestic policies globally, and likely will continue this way until the last drop of fuel is burned by some car somewhere. It’s these policies that I believe are driving the recent attacks on oil and gas firms within the Middle East recently. There may be some tit for tat as well, and maybe a warning to certain players, but, overall, it seems to me that a game is being played. Of course, all the games have been being played in the region of the Middle East because of the need for fossil fuels, anyone who says otherwise I think, well, is delusional.

Whether or not you are a “tipping point” believer, in general, we have seen over the years many instances where the Med has affected and still affects today, the price of gas and thus, the cascade effect prices on just about everything because we are dependent on the gas to move things, to grow things, to.. Well you get the point right? No gas means no economy really today. So, this is an imperative and those countries seeking to gain access to said fuel resources would not be above trying to get a competitive edge over others, never mind the possibilities of gaming the owners of the resource from the start right? Add to this the pressures today of the instability in the region (and really, when has it ever been really steady?) and you have quite the motive to use espionage to get that advantage and deny others the access they too desire.

It’s with this in mind that I have been sitting back and watching the events with Saudi Aramco and RasGas with some interest. I have been reading the news reports as well as the malware assessments and cannot help but see a parallel with the movie “Three Days of the Condor” from 1975. The story line moves along the lines of an analyst finding an unsanctioned plot to overthrow a government in the Middle East over oil. This film stuck with me since seeing it as a kid in the 80’s and I have quoted it before in posts on other things. This time around though, I think we are seeing some more direct actions by persons unknown, to manipulate the playing field where oil or fuel resources are concerned..

Albeit with a modern twist for today.

Spygames  with Malware

Virus origin in Gulf computer attacks in question

New Virus Hits Oil Giant, LNG Producer

At least two types of malware are alleged to have penetrated Saudi Aramco and RASGAS in the last month or two. Not much is known about them, though Shamoon aka W32.Disttrack seems to have been pulled apart a bit by Symantec. Not much has been really made in the press over these attacks and those attacked have been quiet as well. Both RasGas and Saudi Aramco though, made statements that none of their production or distribution systems were affected by the malware, a claim that they have not really backed up with facts I might add. However, as far as we can see thus far, those statements are overall true because there are no reports of system breakdowns in getting the product to and from the companies collectively.

As it would seem from the analysis thus far of Shamoon, the malware seems to be the run of the mill data thievery type that is almost COTS in a way. The more interesting bits seem to be around the “wiping” feature that was written into it. Why the malware was made to wipe the MBR is a bit of a mystery to me and seems rather amateurish in a way that leads me to believe either someone is playing it very smart, or, they are just malicious.

I can’t be sure which…

While the method of wiping is not as exotic as the so called “wiper”  Shamoon corrupts the MBR of the system and game over. I have not seen in any of the data so far (via googling) a means of triggering the wipe sequence on Shamoon though. One wonders if it’s just timed out or is there some trigger if it is detected or tampered with? Also, it is interesting to note that the name “Shamoon or Simon” is from a folder listed in the malware as well as the fact that this was targeted to the “Arabian Gulf” as the wiper module alludes to as well. So, this seems to have been a targeted attack from these bits of data and the fact that it’s penetration out in the wild is low from what I have seen online. It is likely that this was initiated by a directed phishing attack at the companies afflicted and worked it’s way through their networks. Networks by the way, that may not in fact have been separate from the ICS/SCADA networks, which it seems may not have been directly “affected” because the payload did not include any attacks on said systems. The only fallout would likely come from a PC getting wiped which could easily be re-imaged or replaced with a working copy.

Still.. What was the goal here? What data was taken? In the case of both Saudi Aramco and RasGas, a look with Google (Google Fu) shows that both companies had quite a bit of data hanging out there to exploit and use in an attack. Today though, most of their data has been redacted, but, you still can get some cached copies of interesting tidbits. Given that they were loose before, one might imagine that they were a rich target environment for the malware to ex-filtrate all kinds of documents to the C&C server. It would take a lengthy investigation as to their market placement and any potential deals ongoing to give some more context I think, but doing so would be an interesting diversion to understand these attacks a bit better as to motive though.

The Possible Players in Shamoon/Wiper/UNSUB Malware Attacks

With all that said, then who would be the likely players here? Is this nation state? Is it corporate espionage and acts of attrition in an ongoing oil war? It’s hard to say really. One source indicated to me that perhaps it was a move by Russia to give the hint to Iran on some internecine plot over power plays in the region. I personally think that the whole “cutting sword of justice” claim that they took down Saudi Aramco is bunk but hey, maybe a cabal of hackers did this to… Well do what? Perhaps there is more yet to be dumped online in a pastebin to give us the proper scope here. Overall though, it’s been really low key and not much has come out like I said on what was taken, what was done, and the damages to the systems/companies involved.

So where does that leave us regarding who did this? Well, pretty much where we stared, with supposition and guess work. Was this nation state? This is an interesting question. If it was nation state, could it have been a fledgling group, like say, the IRGC and it’s cyber hacking group recently formed? Would Iran benefit from such attacks? All good questions and something we should all ponder. However, the most interesting point there might in fact be that since the Stuxnet genie was let out of the bottle, it was only a matter of time before actors like Iran would make their own variants and loose them upon others. In the case of Iran though, they too seem to have been hit with the same if not similar malware in recent days as well, but, this does not presuppose that they didn’t have a hand in it.

All in all, there just isn’t enough information to nail down a culprit or culprits.. But, it does show us a precedent that we should all worry about just as much as we should over certain instances of attacks against pockets of ICS/SCADA implementations. What I am talking about is blowback from attacks.

Blowback

Blowback usually refers to consequences coming back on those who took the action in the first place. Here though, I am not only referring to those who carried out the malware attacks, but also on the rest of the world in certain scenarios like this. By attacking systems such as these, one could in fact cause market fluctuations depending on the markets and their jittery-ness. In the case of the oil business, we have seen great changes in prices due to not only the control over the oil and it’s price by the cartels (Saudi) but also how the countries are feeling about their markets and the state of affairs in the world. If you start tinkering with companies of this kind and by the product of destroying infrastructure (or the perception of such) you will be affecting the prices at least for those companies directly. What if though, you were to hit more of them at the same time and cause not only damage but the “perception” of insecurity within the system of oil/gas production and distribution?

This time nothing much seems to have happened, but one can only say this because there isn’t much information out there as to what really took place on those systems and networks. What if this played out another way, with much more press and obvious damages? This would be worse and might occur the next time whether or not it was intended by the programming of the malware. This all of course depends on the scope of the attacks and with that you have to wonder about nation state vs. non state actors here. The difference being, that a nation state may attack a wider variety of systems and companies as a precursor to war while the non state actors may just be looking for information or to hobble a competitor. Both however, could have unforeseen blowback from their actions.

What all of this says though, is that Pandora’s box has been opened. All the players are now taking the field, and many of them may not be ready to play a proper game… Shamoon did it’s thing, but it seems to be more a brute force tool than an elegant piece of code and a slick plan. The blowback though is yet to be determined.

K.