Cyber Research

Cyber News

Cyber Info


April 2016

In this issue



* U.S. Cyberattacks Target ISIS in a New Line of Combat

* German nuclear plant suffers cyberattack designed to give hackers remote access

* Finnish Defense Ministry Hit by DDoS Cyber Attack

* Qatar National Bank hit by cyber attack

* Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


U.S. Cyberattacks Target ISIS in a New Line of Combat


April 24, 2016

The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons.

The effort reflects President Obama’s desire to bring many of the secret American cyberweapons that have been aimed elsewhere, notably at Iran, into the fight against the Islamic State — which has proved effective in using modern communications and encryption to recruit and carry out operations.

The National Security Agency, which specializes in electronic surveillance, has for years listened intensely to the militants of the Islamic State, and those reports are often part of the president’s daily intelligence briefing. But the N.S.A.’s military counterpart, Cyber Command, was focused largely on Russia, China, Iran and North Korea — where cyberattacks on the United States most frequently originate — and had run virtually no operations against what has become the most dangerous terrorist organization in the world.

A review of what should be done to confront the Islamic State is on Mr. Obama’s agenda on Monday, when he is scheduled to attend a conference in Hanover, Germany, with the leaders of Britain, France, Italy and Germany. Of these efforts, the cybercampaign is the newest. It is also the one discussed in least detail by officials of many countries, and its successes or failures are the most difficult to assess from the outside.

The goal of the new campaign is to disrupt the ability of the Islamic State to spread its message, attract new adherents, circulate orders from commanders and carry out day-to-day functions, like paying its fighters. A benefit of the administration’s exceedingly rare public discussion of the campaign, officials said, is to rattle the Islamic State’s commanders, who have begun to realize that sophisticated hacking efforts are manipulating their data. Potential recruits may also be deterred if they come to worry about the security of their communications with the militant group.

Defense Secretary Ashton B. Carter is among those who have publicly discussed the new mission, but only in broad terms, and this month the deputy secretary of defense, Robert O. Work, was more colorful in describing the effort.

“We are dropping cyberbombs,” Mr. Work said. “We have never done that before.”

The campaign has been conducted by a small number of “national mission teams,” newly created cyberunits loosely modeled on Special Operations forces.

While officials declined to discuss the details of their operations, interviews with more than a half-dozen senior and midlevel officials indicate that the effort has begun with a series of “implants” in the militants’ networks to learn the online habits of commanders. Now, the plan is to imitate them or to alter their messages, with the aim of redirecting militants to areas more vulnerable to attack by American drones or local ground forces.

In other cases, officials said, the United States may complement operations to bomb warehouses full of cash by using cyberattacks to interrupt electronic transfers and misdirect payments.

The fact that the administration is beginning to talk of its use of the new weapons is a dramatic change. As recently as four years ago, it would not publicly admit to developing offensive cyberweapons or confirm its role in any attacks on computer networks.

That is partly because cyberattacks inside another nation raise major questions over invasion of sovereignty. But in the case of the Islamic State, officials say a decision was made that a bit of boasting might degrade the enemy’s trust in its communications, jumbling and even deterring some actions.

“Our cyberoperations are disrupting their command-and-control and communications,” Mr. Obama said this month, emerging from a meeting at the C.I.A. headquarters in Langley, Va., on countering the Islamic State.

Gen. Joseph F. Dunford Jr., the chairman of the Joint Chiefs of Staff, offered broad outlines of the new campaign against the Islamic State, which is also known as ISIS or ISIL, during a news conference in February.

[Photo caption: The National Security Agency headquarters in Fort Meade, Md. The agency has for years listened to Islamic State militants, but its military counterpart, Cyber Command, will now direct operations against the militant group. Credit: Patrick Semansky/Associated Press]

“We’re trying to both physically and virtually isolate ISIL, limit their ability to conduct command and control, limit their ability to communicate with each other, limit their ability to conduct operations locally and tactically,” he said.

“But I’ll be one of the first ones arguing that that’s about all we should talk about,” General Dunford said. “We want them to be surprised when we conduct cyberoperations. And, frankly, they’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age.”

In an interview this month in Colorado Springs, where she talked to Air Force Academy cadets, Mr. Obama’s national security adviser, Susan E. Rice, said that the fight against the Islamic State had to be thought of as a multifront war — and that computers were just another weapon in the arsenal.

“It should not be taken out of proportion — it is not the only tool,” she said when asked about Mr. Work’s “cyberbombs” comment. In fact, some of Mr. Work’s colleagues acknowledged that they had winced when he used the term, because government lawyers have gone to extraordinary lengths to narrowly limit cyberattacks to highly precise operations with as little collateral damage as possible.

But Ms. Rice said the Islamic State had “uniquely utilized cyberspace” to recruit, to communicate over encrypted apps and to coordinate its operations from Syria to Europe.

Ms. Rice would not comment on reports from officials in the Pentagon that Mr. Obama had asked — quite pointedly — in the fall why the arsenal of cyberweapons that had been developed at a cost of hundreds of millions, if not billions, of dollars was not being used in the fight against the terrorist group.

Several officials said that Mr. Carter had complained that Cyber Command was too focused on traditional adversaries, and that he had set deadlines for a new array of operational cyberplans aimed at the Islamic State. Those were ultimately delivered by Adm. Michael S. Rogers, the commander of Cyber Command and the director of the National Security Agency.

But inside Fort Meade in Maryland, home to the N.S.A. and Cyber Command, initial demands from the White House generated some resistance, according to officials involved in the debate.

The N.S.A. has spent years penetrating foreign networks — the Chinese military, Russian submarine communications, Internet traffic and other targets — placing thousands of implants in those networks to allow it to listen in.

But those implants can be used to manipulate data or to shut down a network. That frequently leads to a battle between the N.S.A. civilians — who know that to make use of an implant is to blow its cover — and the military operators who want to strike back. N.S.A. officials complained that once the implants were used to attack, the Islamic State militants would stop the use of a communications channel and perhaps start one that was harder to find, penetrate or de-encrypt.

“It’s a delicate balance,” Ms. Rice said. “We still have to keep our eye on the Russia-China state-sponsored activity, but this was a new mission, one where we have to balance the collection equities against the disruption equities.”

In Britain, the Government Communications Headquarters, the country’s equivalent to the N.S.A., has been going through a similar debate. It is a familiar one for the British: According to an oft-repeated legend from World War II, Winston Churchill decided to let the Nazis bomb Coventry, at a cost of hundreds of lives, rather than reveal that Britain had used its Enigma machine to crack German codes. (There is a historical dispute about whether Churchill knew the city was to be targeted.)

Lisa O. Monaco, a deputy national security adviser and Mr. Obama’s top adviser for counterterrorism, has led efforts examining how to disrupt the use of social media for recruiting. She has met technology executives in Silicon Valley; Austin, Tex.; Boston; and Washington to come up with a more integrated plan for both taking down social media posts and encouraging the development of a counternarrative.

One effort has included amplifying the testimony of Islamic State recruits who have escaped and now describe the group’s brutality and question its adherence to the true tenets of Islam. Facebook, YouTube and Twitter are also growing more efficient at finding and removing Islamic State posts — which they can take down without court orders because the posts are a violation of the companies’ terms of service, executives say.

But Ms. Monaco suggested that the effort was just beginning. “We are not going to kill our way out of this conflict,” she said. “And we are not going to delete our way out of it, either.”

More info http://www.nytimes.com/2016/04/25/us/politics/us-directs-cyberweapons-at-isis-for-first-time.html?_r=0

German nuclear plant suffers cyberattack designed to give hackers remote access

April 25, 2016

A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said on Tuesday.

The Gundremmingen plant, located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE.

The viruses, which include "W32.Ramnit" and "Conficker", were discovered at Gundremmingen's B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods, RWE said.

Malware was also found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant's operating systems. RWE said it had increased cyber-security measures as a result.

W32.Ramnit is designed to steal files from infected computers and targets Microsoft Windows software, according to the security firm Symantec.

First discovered in 2010, it is distributed through data sticks, among other methods, and is intended to give an attacker remote control over a system when it is connected to the Internet.

Conficker has infected millions of Windows computers worldwide since it first came to light in 2008. It is able to spread through networks and by copying itself onto removable data drives, Symantec said.

RWE has informed Germany's Federal Office for Information Security (BSI), which is working with IT specialists at the group to look into the incident.

The BSI was not immediately available for comment.

Read more at http://www.telegraph.co.uk/news/2016/04/27/cyber-attackers-hack-german-nuclear-plant/

Finnish Defense Ministry Hit by DDoS Cyber Attack

April 4, 2016

Finland’s Ministry of Defence (MoD) is reviewing its IT security infrastructure in the wake of a distributed denial of service (DDoS) attack on its main website.

The attack was launched hours before Finnish President Sauli Niinistö met with Russian President Vladimir Putin in Moscow on March 22 to discuss regional security issues and the implementation of deeper cooperation on border defense.

Initial investigations by the National Cyber Defense Center (NCDC) are examining the possibility that the cyber attack may have been launched from Russia to coincide with high-level, inter-government talks.

Similar DDoS attacks launched against public and private organizations in Sweden in March had been traced to servers in Russia.

Niinistö met with US President Barack Obama in Washington on April 1. The meeting took place during the international Nuclear Security Summit hosted by the US president.

Finland’s MoD confirmed that the sustained DDoS attack, which lasted more than three hours, was the second such cyber attack against its online IT infrastructure in 2016. The MoD responded by diverting traffic from its main site defmin.fi to a temporary site.

The previous DDoS attack took place Feb. 27 and lasted nearly five hours. Other key government department websites, including finance, social affairs and health, agriculture and forestry, and the Council of State office, were targeted in simultaneous attacks.

The timing of the latest DDoS attack is significant, coming as Finnish and US governments finalize plans connected to joint military exercises in Finland.

More Info http://www.homelandsecuritynewswire.com/dr20160307-new-vulnerability-discovered-in-open-ssl-a-common-encryption-protection-package



Qatar National Bank hit by cyber attack

April 27, 2016

Qatar National Bank, the gas-rich Gulf state’s leading lender, has been rocked by a data leak that has exposed the personal details of many of its clients in a file posted on social media that singles out some Al Jazeera staff and purports to identify security officials.

The leak contains references to thousands of alleged transactions records of QNB customers, including remittance data to global banks with thousands of alleged beneficiary names and account numbers.

The 1.4GB leaked file includes the names and passwords of thousands of QNB customers. Subfolders within the leaked data sort individuals’ details into folders, including staff at Al Jazeera, members of Qatar’s ruling al-Thani family, and intelligence and defence officials.

One former QNB customer mentioned in the file, who has since left the country and declined to be identified, confirmed to the Financial Times that his details posted online were accurate.

Another folder titled “Al-Qaradawi” contains the details of Yousuf Abdullah al-Qaradawi, the same name as the controversial spiritual leader of the pan-Arab Muslim Brotherhood, whose longstanding presence in Qatar has been a source of consternation to some of Doha’s neighbours, especially Egypt and the United Arab Emirates.

One folder, marked “Spy, Intelligence” refers to individuals and internal Qatari security agencies. One file identifies a British customer as “MI6,” an apparent reference to the UK’s overseas intelligence service.

Some of those identified as “spies” are French, British and US nationals based in Qatar. The hacker has compiled more comprehensive data on some targets, including social media profiles.

Simon Edwards, a cyber security expert with security software company Trend Micro, suggested this points to a campaign to target these so-called “spies” with phishing and other cyber attacks.

The hacker breached QNB’s online defences as far back as July 2015, according to Mr Edwards.

“This is the work of a hacker — we can see the log file of the secret insertion tool he used,” said Mr Edwards. “They have been in there since July, pulling data out of the data base and then worked within the environment and profiling a lot of the customers.”

The focus of the infiltration appears to have been logging transactional data, rather than stealing money, he added. The hacker was profiling the data on the bank’s computers, rather than using a different machine.

“He was not after financial data per se or just stealing, the aim was to look for something specific, trying to put together foreign transactions, or trying to find movement of money to foreign agencies,” he said. “This has the hallmarks of someone in Qatar trying to find dodgy transactions or someone trying to expose something in Qatar.”

Security experts said the bank’s online defences were using vulnerable software that appears to have been breached by fairly common infiltration methods.

State-controlled QNB has said it is investigating the matter, which it referred to as “social media speculation in regard to an alleged data breach”. QNB said it did not comment on reports circulated via social media but assured “all concerned that there is no financial impact on our clients or the bank”.

“QNB Group places the highest priority on data security and deploying the strongest measures possible to ensure the integrity of our customers’ information,” it added.

Rising tensions in the Middle East, pitting Shia Iran against Sunni Saudi Arabia in proxy battles from Syria to Yemen, have spilled over into cyber space.

While the Gulf states have become more aware of cyber threats since an Iranian cyber attack on Saudi national oil group Saudi Aramco in 2012, security consultants say defence measures need to be improved.

A KPMG cyber security survey in the UAE last year found that companies under attack take up to a month to recover, while only half of the respondents had contingency arrangements in place for a cyber attack.

Read more: https://next.ft.com/content/7faf84c4-0c98-11e6-b41f-0beb7e589515



Latest Cyber Security News

Cyber Privacy

700 Million People Just Got Encryption That Congress Can’t Touch: Last month, WhatsApp, the hugely popular messaging service that Facebook owns, made end-to-end encryption the default for its 1 billion users. On Tuesday, Viber said it will do the same for the 700 million people who use it. Wired, April 20, 2016

Hackers only need your phone number to eavesdrop on calls, read texts, track you: 60 Minutes showed how hackers only needed a congressman’s phone number to record his calls and track his location. The congressman said people at intelligence agencies, who are aware of the SS7 flaw and abuse it, should be fired. Computerworld, April 18, 2016

How hackers eavesdropped on a US Congressman using only his phone number: A US Congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used. ars technica, April 18, 2016

Cyber Danger

US-CERT to Windows Users: Dump Apple Quicktime: Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched. KrebsOnSecurity, April 18, 2016

Cyber Defense

Report Says PlayStation Network to Get Two-Factor Authentication: Sony plans to add two-factor authentication to its PlayStation Network. PC Magazine, April 21, 2016

Information Security Management in the Organization

Cyber Security Management – C Suite

Information Security Culture: It’s Time to Upgrade to 2.0: Information security requires an approach that involves people, process and technology. But, while we have made great strides in technological advancements in information security, security culture for many organizations remains in a state of stasis. InfoSecurity, April 22, 2016

Collaboration & Inclusiveness Keys to Success, Part 1 – IBM Inst for Business Value: A 2016 report from the IBM Institute for Business Value, “Securing the C-Suite: Cybersecurity Perspectives from the Boardroom and C-Suite” provides valuable insights about the dynamics within the C-suite — insight that anyone in the role of chief information officer (CIO) or chief information security officer (CISO) cannot afford to miss. IBM surveyed more than 700 executives from 28 countries across 18 different industries that occupied nine different roles in the C-suite. SecurityIntelligence, April 5, 2016

Collaboration & Inclusiveness Keys to Success, Part 2 – IBM Inst for Business Value: A 2013 IBM report titled “Exploring the Inner Circle: Insights From the Global C-Suite Study” found that the top-performing organizations all had one quality that set them apart from their peers: collaboration. Top leadership’s view is that “the ability to collaborate is the most important factor” and that “how the members of the C-suite collaborate is as significant as the extent to which they collaborate.” SecurityIntelligence, April 12, 2016

Collaboration & Inclusiveness Keys to Success, Part 3 – IBM Inst for Business Value: Chief executive officers (CEOs) are under intense pressure from all sides. From an economic perspective, areas that were once the domain of a few favored organizations are now ripe for disruption by newcomers. Indeed, according to IBM’s “Redefining Competition: Insights From the Global C-suite Study – The CEO Perspective,” CEOs believe technology is the chief external influence on their enterprises. More specifically, cybersecurity issues have crashed into the C-suite and the boardroom, and top leadership is under the spotlight when it comes to achieving an acceptable cyber posture. SecurityIntelligence, April 19, 2016

Cyber Awareness

Staff Awareness Vital as Law Enforcement, Government Agencies See Phishing as Main Cyber Risk: In a meeting held in New York, representatives of law enforcement and governments from the US and the UK met to agree on a joint plan to tackle cyber threats, and their top priority for the foreseeable future will be phishing attacks. Softpedia, April 21, 2016

Staff Weak Link as Malware Attacks More Frequent, Harder To Fight: The newest Ponemon State of the Endpoint Report found enterprises struggling to enforce endpoint security and to manage their biggest threat: Employees. InformationWeek, April 21, 2016

Staff spoofed to wire money as whaling emerges as major cybersecurity threat: Fraudsters are using legitimate executive names and email addresses to dupe unsuspecting employees to wire money or sensitive documents to their accounts. The CTO of the Boston Celtics, for one, is fighting back. CIO, April 21, 2016

Cyber Defense

The Problem With Patching: 7 Top Complaints: Is your security team suffering from patching fatigue? Check out these tips and eliminate critical vulnerabilities in your IT environment. DarkReading, April 22, 2016

Bypass the Windows AppLocker bouncer with a tweet-size command: If you’re relying on Microsoft’s AppLocker to lock down your office or school Windows PCs, then you should check this out. A security researcher says he’s found a way to potentially bypass the operating system’s software whitelist and launch arbitrary scripts. TheRegister, April 22, 2016

DDoS Attacks: Know Your Enemy: Distributed-denial-of-service (DDoS) attacks are more frequent today than they’ve ever been, according to the latest report by Verisign. In the final quarter of 2015, DDoS attacks globally rose by 85% compared with the previous year – and 15% on the previous quarter alone. Not only that – they’re also getting more dangerous, deploying higher volumes of packets than ever before. InformationSecurity, April 20, 2016

Cyber Security in Society - National Cyber Security

U.S. Ratchets Up Cyber Attacks on ISIS: Military hackers are disrupting ISIS’s encrypted chats, implanting viruses in terrorists’ computers, and mining the machines to launch real-world strikes. TheDailyBeast, April 17, 2016

Cyber Law Enforcement

FBI paid at least $1.3M for zero-day to get into San Bernardino iPhone: FBI Director James Comey suggested to a conference in London that his agency paid more than $1.3 million to gray-hat hackers who were able to unlock the iPhone 5C that was used by Syed Farook Rizwan, the dead terrorist who masterminded the attack in San Bernardino, California, in December 2015. ars technica, April 21, 2016

Cyber Lawsuit

Attorney sued after BEC fraud costs couple $1.9m: A Manhattan couple wired a $1.9 million deposit for their new co-op but learned that the messages from an AOL e-mail account hid a crucial detail: They got conned. The Real Deal, April 19, 2016

Financial Cyber Security

ATM skimming increased five-fold from 2014 to 2015 while ‘Black Box’ ATM Attacks Loom as Growing Threat: Although skimming attacks remain the No. 1 ATM fraud concern in the United States, so-called “black box” attacks loom as a growing threat. BankInfoSecurity, April 20, 2016

Giant Food Requires Cash for Gift Cards, Reloadables & Prepaid Debit Cards: Citing a recent and large increase in credit card fraud, Washington, DC-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards. KrebsOnSecurity, April 20, 2016

Cyber Security in Healthcare

NY Presbyterian Hospital Slapped With Second HIPAA Fine: For the second time in two years, federal regulators have slapped New York Presbyterian Hospital with a multi-million dollar penalty as part of a HIPAA settlement. HealthInfoSecurity, April 21, 2016

Lack of Business Associate Agreement Costs Clinic $750,000: A North Carolina orthopedic clinic will pay a $750,000 penalty as part of a breach-related settlement involving the release of 17,300 X-ray films containing protected health information to a vendor without having a business associate agreement in place, as required under HIPAA. HealthInfoSecurity, April 20, 2016

Critical Infrastructure

Upgrade Coming to Grid Cybersecurity in U.S.: The hackers who unplugged 225,000 people from the Ukrainian electricity grid in December—the first confirmed cyber-takedown of a power system—have lent credence to calls by cybersecurity experts for greater vigilance by utilities. “It’s really brought the whole thing to a head and made people aware that this isn’t just chatter about the sky falling,” says Eric Byres, a security consultant who commercialized one of the first firewalls for industrial control systems. IEEE Spectrum, April 20, 2016

Cyber Underworld

Cybercrime Gang Tied to 20 Million Stolen Cards: A previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards, collectively worth an estimated $400 million via underground cybercrime forum sales, according to the cybersecurity firm FireEye. BankInfoSecurity, April 21, 2016

Criminals in the cloud: How malware-as-a-service is becoming the tool of choice for crooks: Rather than selling their malware as a one-off, virus writers are offering access to the latest exploit kits via on-demand services. ZDNet, April 21, 2016

How One Cybercrime Gang Is Ratcheting Up PoS Attacks: With magnetic-stripe payment card transactions gradually starting to disappear in the US, cybercriminals have been on a tear with PoS attacks against retail and hospitality targets that haven’t yet adopted EMV card payment, FireEye researchers say. DarkReading, April 20, 2016

Cyber Sunshine

SpyEye Makers Get 24 Years in Prison: Two hackers convicted of making and selling the infamous SpyEye botnet creation kit were sentenced in Georgia today to a combined 24 years in prison for helping to infect hundreds of thousands of computers with malware and stealing millions from unsuspecting victims. KrebsOnSecurity, April 20, 2016




The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research and information-sharing center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast-changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net