Cyber-collection

Last updated

Cyber-collection refers to the use of cyber-warfare techniques in order to conduct espionage. Cyber-collection activities typically rely on the insertion of malware into a targeted network or computer in order to scan for, collect and exfiltrate sensitive information.

Contents

Cyber-collection started as far back as 1996, when widespread deployment of Internet connectivity to government and corporate systems gained momentum. Since that time, there have been numerous cases of such activities. [1] [2] [3]

In addition to the state sponsored examples, cyber-collection has also been used by organized crime for identity and e-banking theft and by corporate spies. Operation High Roller used cyber-collection agents in order to collect PC and smart-phone information that was used to electronically raid bank accounts. [4] The Rocra, aka Red October, collection system is an "espionage for hire" operation by organized criminals who sell the collected information to the highest bidder. [5]

Platforms and functionality

Cyber-collection tools have been developed by governments and private interests for nearly every computer and smart-phone operating system. Tools are known to exist for Microsoft, Apple, and Linux computers and iPhone, Android, Blackberry, and Windows phones. [6] Major manufacturers of Commercial off-the-shelf (COTS) cyber collection technology include Gamma Group from the UK [7] and Hacking Team from Italy. [8] Bespoke cyber-collection tool companies, many offering COTS packages of zero-day exploits, include Endgame, Inc. and Netragard of the United States and Vupen from France. [9] State intelligence agencies often have their own teams to develop cyber-collection tools, such as Stuxnet, but require a constant source of zero-day exploits in order to insert their tools into newly targeted systems. Specific technical details of these attack methods often sells for six figure sums. [10]

Common functionality of cyber-collection systems include:

Infiltration

There are several common ways to infect or access the target:

Cyber-collection agents are usually installed by payload delivery software constructed using zero-day attacks and delivered via infected USB drives, e-mail attachments or malicious web sites. [17] [18] State sponsored cyber-collections efforts have used official operating system certificates in place of relying on security vulnerabilities. In the Flame operation, Microsoft states that the Microsoft certificate used to impersonate a Windows Update was forged; [19] however, some experts believe that it may have been acquired through HUMINT efforts. [20]

Examples of operations

See also

Related Research Articles

Computer security Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, or information technology security is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.

Malware Portmanteau for malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy. By contrast, software that causes harm due to some deficiency is typically described as a software bug. Malware poses serious problems to individuals and businesses. According to Symantec’s 2018 Internet Security Threat Report (ISTR), malware variants number has got up to 669,947,865 in 2017, which is twice as many malware variants in 2016.

Timeline of computer viruses and worms computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Rootkit Software designed to enable access to unauthorized locations in a computer

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Internet security Branch of computer security specifically related to Internet, often involving browser security and the World Wide Web

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Ransomware Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies that are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interface controllers connected to other networks, with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality.

Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, the worm is widely understood to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games.

Mobile security Security risk and prevention for mobile devices

Mobile security, or more specifically mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. Of particular concern is the security of personal and business information now stored on smartphones.

Flame, also known as Flamer, sKyWIper, and Skywiper, is a modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is being used for targeted cyber espionage in Middle Eastern countries.

Agent.BTZ, also named Autorun, is a computer worm that infects USB flash drives with spyware. A variant of the SillyFDC worm, it was used in a massive 2008 cyberattack on the US military.

TURBINE is the codename of an automated system which in essence enables the automated management and control of a large network of implants.

Blackshades is a malicious trojan horse used by hackers to control infected computers remotely. The malware targets computers using operating systems based on Microsoft Windows. According to US officials, over 500,000 computer systems have been infected worldwide with the software.

Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced ... we have seen", operating alongside but always from a position of superiority with the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

WireLurker is a family of malware targeting both macOS and iOS systems. The malware was designed to target users in China that use Apple mobile and desktop devices. The malware was suspected of infecting thousands of Chinese mobile devices. The security firm Palo Alto Networks is credited with uncovering the malware.

Zombie Zero is an attack vector where a cyber attacker utilized malware that was clandestinely embedded in new barcode readers which were manufactured overseas.

A medical device hijack is a type of cyber attack. The weakness they target are the medical devices of a hospital. This was covered extensively in the press in 2015 and in 2016.

Internet security awareness Knowledge of end users about the cyber security threats and the risks their actions may introduce

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

References

  1. 1 2 Pete Warren, State-sponsored cyber espionage projects now prevalent, say experts , The Guardian, August 30, 2012
  2. Nicole Perlroth, Elusive FinSpy Spyware Pops Up in 10 Countries , New York Times, August 13, 2012
  3. Kevin G. Coleman, Has Stuxnet, Duqu and Flame Ignited a Cyber Arms Race? Archived 2012-07-08 at the Wayback Machine , AOL Government, July 2, 2012
  4. Rachael King, Operation High Roller Targets Corporate Bank Accounts , June 26, 2012
  5. Frederic Lardinois, Eugene Kaspersky And Mikko Hypponen Talk Red October And The Future Of Cyber Warfare At DLD , TechCrunch, January 21, 2013
  6. Vernon Silver, Spyware Matching FinFisher Can Take Over IPhones ,, Bloomberg, August 29, 2012
  7. "FinFisher IT Intrusion". Archived from the original on 2012-07-31. Retrieved 2012-07-31.
  8. "Hacking Team, Remote Control System". Archived from the original on 2016-12-15. Retrieved 2013-01-21.
  9. Mathew J. Schwartz, Weaponized Bugs: Time For Digital Arms Control , Information Week, 9 October 2012
  10. Ryan Gallagher, Cyberwar’s Gray Market , Slate, 16 Jan 2013
  11. Daniele Milan, The Data Encryption Problem, Hacking Team
  12. Robert Lemos, Flame stashes secrets in USB drives Archived 2014-03-15 at the Wayback Machine , InfoWorld, June 13, 2012
  13. how to spy on a cell phone without having access
  14. Pascal Gloor, (Un)lawful Interception Archived 2016-02-05 at the Wayback Machine , SwiNOG #25, 07 November 2012
  15. Mathew J. Schwartz, Operation Red October Attackers Wielded Spear Phishing , Information Week, January 16, 2013
  16. FBI Records: The Vault, Surreptitious Entries , Federal Bureau of Investigation
  17. Kim Zetter, "Flame" spyware infiltrating Iranian computers , CNN - Wired, May 30, 2012
  18. Anne Belle de Bruijn, Cybercriminelen doen poging tot spionage bij DSM , Elsevier, July 9, 2012
  19. Mike Lennon, Microsoft Certificate Was Used to Sign "Flame" Malware Archived 2013-03-07 at the Wayback Machine , June 4, 2012
  20. Paul Wagenseil, Flame Malware Uses Stolen Microsoft Digital Signature , NBC News, June 4, 2012
  21. "Red October" Diplomatic Cyber Attacks Investigation , Securelist, January 14, 2013
  22. Kaspersky Lab Identifies Operation Red October Archived 2016-03-04 at the Wayback Machine , Kaspersky Lab Press Release, January 14, 2013
  23. Dave Marcus & Ryan Cherstobitoff, Dissecting Operation High Roller Archived 2013-03-08 at the Wayback Machine , McAfee Labs
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.