Tallinn Manual; Geo-location in Cyberwar Apps; Computrace; Cyber Operations: Stuxnet & family (US + Israel ???), Orchard (Israel) + Neptune’s Spear (US), APT1.

Jan 15, 2016

Dennis Cummings

TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE


Rule 11 - Definition of Use of Force. A cyber operation constitutes a use of force when its scale and effects are comparable to non-cyber operations rising to the level of a use of force.

Rule 30 - Definition of Cyber Attack. A cyber attack is a cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.


Rule 2 - Jurisdiction. Without prejudice to applicable international obligations, a State may exercise its jurisdiction: (a) over persons engaged in cyber activities on its territory; (b) over cyber infrastructure located on its territory; and (c) extraterritorially, in accordance with international law.


Rule 21 - Geographical Limitations. Cyber operations are subject to geographical limitations imposed by the relevant provisions of international law applicable during an armed conflict.


Parts of Computrace


Persistent Module installed in BIOS / Firmware (non-removable part of BIOS)

Diagram: the Agent is reinstalled from the OS whenever it is found missing; the Agent communicates with the Absolute Monitoring Centre at regular intervals; a self-healing capability repairs the Persistent Module in case the BIOS is flashed.


This is how the actual recovery process works:

• Once the Computrace Agent is installed and the computer is stolen, the owner contacts Absolute Software.

• Absolute Software coordinates with a Law Enforcement Agency to recover the stolen laptop.

• The location of the stolen laptop is identified (IP address, region).

• The Absolute Theft Recovery Team remotely communicates with the stolen laptop once it is online.


Computrace partners

Computrace partnered with the firms shown on the slide to embed the Computrace agent module in the firmware of their machines.


Some facts about Computrace


Hardware backdoors are lethal, because:

• They can be injected at manufacturing time (without your knowledge)

• They are small & stealthy (require less than 200kb of disk space & bandwidth)

• They can’t be removed by any known means (formatting / OS reinstallation / AV / HDD replacement)

• They can circumvent other types of security (because of a trusted, small, stealthy & persistent module)

Hardware backdoors are no longer imaginary; they are practical.


Hardware backdoors are no longer imaginary; they are practical.

Schneier: possible backdoor in IPMI, iDRAC, IMM2, iLO


Hardware backdoors are no longer imaginary; they are practical.

Captured Intel Drone – An American Intelligence Disaster?

“In the case of the stolen CIA drone, the hardware with the backdoor was most likely embedded within the telemetry system, which is the multi-function brain of the drone, in fact every system within the drone is routed through the telemetry system, every sensor, every control, everything”

“Once that hardware is triggered it is programmed to change all the other frequencies used to control the secret drone and allow the Iranians to take total and complete control.”


What if Computrace-like technology is misused?

• Can become a perfect backdoor: persistent, stealthy, portable (hardcoded in the motherboard)

• Remote access & remote update, no platform dependency, non-detectable by AV

Consider the impact of a compromised device in a military environment, or in a massive distribution of technological systems of large diffusion.


Realistic Attack Scenario

What if someone hardcoded this type of backdoor in a motherboard and put it up for sale?


Realistic Attack Scenario

Or what if a nation state / government makes use of this technology to access your private information?


Cyber-conflicts through ages

| Year | Operation Name | Suspect | Victim | Type of Operation |
|------|----------------|---------|--------|-------------------|
| 1998 | Moonlight Maze | Russia | US | Surveillance |
| 2003 | Titan Rain | China | US | Surveillance |
| 2006 | Wikileaks | Julian Assange | Nation States | Hacktivism & Espionage |
| 2007 | Tallinn Cemetery | Russia | Estonia | Website defacement & Denial of Service Attack |
| 2007 | Orchard | Israel | Syria | Physical Destruction of Nuclear Fuel Refining plant |
| 2008 | South Ossetia War | Russia | Georgia | Website defacement & Denial of Service Attack |
| 2009 | Aurora | China | US Industry | Espionage |
| 2009 | Ghostnet | China | Tibetan government-in-exile, India | Espionage |


Cyber-conflicts through ages (continued)

| Year | Operation Name | Suspect | Victim | Type of Operation |
|------|----------------|---------|--------|-------------------|
| 2010 | Night Dragon | China | Oil & Natural Gas companies | Industrial Espionage |
| 2010 | Stuxnet & Duqu | US / Israel | Iran | Cyber weapon |
| 2011 | Occupy Movement | Anonymous | Nation States | Hacktivism |
| 2012 | Flame | US / Israel | Iran | Cyber weapon |
| 2012 | Iran retaliates | Iran | US Banks | Surveillance & Denial of Service |
| 2013 | Shanghai Group (APT1) | China | US | Cyber Intelligence |
| 2013 | Unnamed (by NTRO) | China | India | Cyber Intelligence |
| 2013 | Hangover | India | Pakistan | Cyber Intelligence |
| 2013 | Nettraveler | China | India | Cyber Intelligence |
| 2013 | Prism | US | World | Cyber Intelligence |


Source: Rayn Mayer, http://www.youtube.com/watch?v=scNkLWV7jSw


• State sponsored

• Multi-disciplinary groups of work force

• Knowledge of deep internals of PLCs

• Specific target

• Knowledge of personnel behaviour of the target

• Use of a score of zero-day vulnerabilities at one go

• Use of authentic (stolen) digital signatures


Stuxnet Geographical Distribution

Source: Symantec Security Response


Stuxnet & family

Source: http://www.securelist.com/en/analysis/204792257/Kaspersky_Security_Bulletin_2012_Cyber_Weapons (accessed 10 April 2013)


Operation Orchard, 6th September 2007

Israel's 2007 bombing of an alleged atomic reactor in Syria was preceded by a cyber attack which neutralized ground radars and anti-aircraft batteries.


Map: distances of 255 km and 145 km shown on the slide.


Key Findings

• APT1 is believed to be the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (总参三部二局), which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398 (61398部队).

• APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.

• APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.


Key Findings

• In over 97% of the 1,905 times Mandiant observed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.

• The size of APT1’s infrastructure implies a large organization with at least dozens, but potentially hundreds of human operators.


OPERATION HANGOVER

The name “Operation Hangover” was derived from the name of one of the most frequently used malware families; the project debug path is often visible inside executable files belonging to this family.


Purpose & Objective


Highly-Targeted Social Engineering Tactics

• Decoy files/websites were used, specifically geared to the particular sensibilities of regional targets, including cultural and religious subject matter.

• The initial spear-phishing mail contained two files as attachments: a document named “220113.doc”, and an executable file named “few important operational documents.doc.exe”.
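A defender's check for the attachment naming described on this slide (an executable hidden behind a document extension such as `.doc.exe`), as an added example that is not from the presentation or from the Norman report: a gateway-side triage of attachment filenames. The two quoted filenames are the ones from the slide; the other sample names, the extension lists and the extra check for the Unicode right-to-left override character (a related masquerade trick the slides do not mention) are constructed assumptions for the example.

```python
"""Triage inbound mail attachment names for executable-masquerade tricks.

Added example (not from the presentation or the Norman report): a gateway-side
check that catches the ".doc.exe" double extension quoted on the slide.
"""
from dataclasses import dataclass, field
from typing import List

# Extensions that execute code when double-clicked on Windows (constructed,
# not exhaustive; extend to match the gateway's policy).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "lnk", "msi", "ps1"}
# Extensions a recipient expects to open safely; used as decoys by the attacker.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx",
                 "rtf", "txt", "jpg", "png"}
# Unicode RIGHT-TO-LEFT OVERRIDE: makes "photo\u202egnp.scr" render as "photorcs.png".
RLO = "\u202e"

# Constructed sample: the two filenames quoted on the slide plus three made-up ones.
SAMPLE_ATTACHMENTS = [
    "220113.doc",
    "few important operational documents.doc.exe",
    "agenda.pdf",
    "photo" + RLO + "gnp.scr",
    "README",
]


@dataclass
class Verdict:
    filename: str
    block: bool
    reasons: List[str] = field(default_factory=list)


def classify_attachment(name: str) -> Verdict:
    """Decide whether an attachment name is an executable disguised as a document."""
    reasons: List[str] = []
    if RLO in name:
        reasons.append("right-to-left override character hides the true extension")
    # Strip the override so the *real* trailing extension is what gets inspected.
    cleaned = name.replace(RLO, "").strip().lower()
    exts = [t.strip() for t in cleaned.split(".")[1:]]  # everything after the first dot
    real_ext = exts[-1] if exts else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension is executable (.{real_ext})")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("document extension used as a decoy in front of the executable one")
    # Long runs of spaces push the real extension out of a mail client's display width.
    if "   " in name:
        reasons.append("padding spaces in filename")
    block = real_ext in EXECUTABLE_EXTS or RLO in name
    return Verdict(name, block, reasons)


def triage(names: List[str]) -> List[str]:
    """Return the attachment names that should be held at the gateway."""
    return [v.filename for v in map(classify_attachment, names) if v.block]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = classify_attachment(n)
        print(f"{'BLOCK' if v.block else 'pass '}  {n!r}  {'; '.join(v.reasons)}")
```

The decision keys on the last extension after the override character is removed, because that is what the operating system will act on regardless of what the mail client displays; the decoy and padding findings are recorded as reasons so an analyst can see why a message was held.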


Infrastructure Development

• Case expansion was through domain usage and registrations.

• Domains registered by the attackers are “privacy protected”: the registrant has paid the domain registrar to withhold identity information related to the registration.


Target data

• Hanove Uploaders recursively scan folders looking for files such as:

• Hanove keyloggers set up keyboard hooks or polls to capture keypresses and log these to a text file.

• They capture other data as well, such as clipboard content, screenshots, titles of open windows and the content of browser edit fields.

• The stolen data are uploaded to remote servers by FTP or HTTP.


Target Selection


Attribution

“continued targeting of Pakistani interests and origins suggested that the attacker was of Indian origin”


KimT on iOS


Top 10 Infected Countries


Recommendations

Proposed Structure for Cyberwar Management
