Russian spear phishing attack against .mil and .gov employees
Last Updated on Monday, 8 February 2010 08:52 Written by Jeffreycarr Monday, 8 February 2010 08:52
A “relatively large” number of U.S. government and military employees are being taken in by a spear phishing attack which delivers a variant of the Zeus trojan. The sender address is spoofed to appear to be from the NSA or InteLink, and the lure concerns a report by the National Intelligence Council named the “2020 Project“. Its purpose is to collect passwords and obtain remote access to the infected hosts. Considering the target (.gov and .mil employees) and the purpose, I can’t imagine a better use for a National Security Letter than to have one hand-delivered to the company that has been leasing servers to these bad actors for years.
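The attack described above relies on a spoofed visible sender address. The check below is an added example, not code from the original post or from the reporting it links to: it parses a message and flags the three things a mail gateway or analyst would look at first in a case like this, namely a From: domain that does not match the Return-Path, a failed SPF result in Authentication-Results, and an executable attachment. Both messages are constructed for illustration and use placeholder domains; nothing in them is taken from the real campaign.

```python
"""Flag a spear-phish whose visible From: domain is not backed by the
envelope-level evidence. Added example; sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message imitating the pattern in the post: a lure with a
# spoofed agency-looking From: address, a mismatched Return-Path, a failed
# SPF check and an executable attachment. Domains are placeholders.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.example.mil
Authentication-Results: mx.example.mil; spf=fail smtp.mailfrom=mail-relay.example.net
From: "Agency Reports" <reports@reports.example.gov>
To: analyst@example.mil
Subject: NIC 2020 Project report
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

See attached.
--B
Content-Type: application/octet-stream; name="2020_project.exe"
Content-Disposition: attachment; filename="2020_project.exe"

MZ...
--B--
"""

# Constructed benign message: aligned domains, SPF pass, no attachment.
CLEAN_EML = """\
Return-Path: <reports@example.gov>
Authentication-Results: mx.example.mil; spf=pass smtp.mailfrom=example.gov
From: Reports <reports@example.gov>
To: analyst@example.mil
Subject: Weekly summary

Nothing attached.
"""

# Extensions that should never arrive as a plain attachment from an agency.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return a list of findings for one raw RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []

    # 1. Visible sender vs. envelope sender: spoofers rarely control both.
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from/return-path mismatch: {from_dom} vs {rp_dom}")

    # 2. SPF verdict recorded by the receiving MTA.
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if m and m.group(1).lower() in ("fail", "softfail", "none"):
        findings.append(f"spf={m.group(1).lower()}")

    # 3. Executable payloads delivered directly as attachments.
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in EXECUTABLE_EXT):
            findings.append(f"executable attachment: {name}")

    return findings


if __name__ == "__main__":
    for label, eml in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, analyze(eml) or "no findings")
```

The Return-Path and Authentication-Results headers are written by the receiving mail server, so the sender cannot forge them in the same way as the From: line; that asymmetry is the whole basis of the first two checks. A real deployment would also compare the From: domain against the DKIM signing domain and quarantine rather than merely report.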
Brian Krebs broke the story.
Jim McQuaid adds additional info.
And this week’s IntelFusion FLASH Traffic explores the problem in greater depth (subscription service).
Bottom line, the U.S. needs to emulate China and start forcing bad ISPs to either clean up their act or shut them down. This is getting friggin’ embarrassing.
OSINT Hacks on Mining the Russian Internet
Last Updated on Friday, 5 February 2010 10:21 Written by Jeffreycarr Friday, 5 February 2010 10:21
I’m very excited about launching OSINT Hacks on Mining the Russian Internet, which will teach attendees the sources and methods that GreyLogic/Project Grey Goose investigators use to conduct OSINT via the Russian Internet. This two day course will be offered through the IO Institute and will immediately follow InfoWarCon on May 17th and 18th.
Description: Open source intelligence collection on the Russian Internet (Runet) can be challenging at best. U.S. IP addresses are sporadically blocked from accessing certain Russian forums and websites. Google has very limited data indexed on Runet. Machine translation from Russian to English is frequently poor or barely adequate. Personal identifying information is prioritized differently in the Russian Federation than in the United States. There is an entirely new universe of social networking and gaming sites to mine that are exclusive to Runet and which are loaded with valuable information on Russian Ministry of Defense key assets (locations of nuclear bases, submarine schedules, Spetsnaz deployments, etc.).
The OSINT Hacks course will teach you how to maximize your intelligence gathering resources and mine a rich variety of high value data from the closely monitored and tightly controlled Russian Internet through a combination of actual Project Grey Goose case studies and new resources developed by GreyLogic for this course.
Also, if your agency or company would like me to teach this course at your facility, the IO Institute has agreed to extend that option to you as long as you can provide a minimum of six registrants. You can also pick the dates that are most convenient for your group.
I’ve recently posted about the need for a new Cyber Intelligence model here and here. This course will provide you with the essential knowledge you need to implement those changes at your organization or agency. Each attendee will also receive a free copy of Inside Cyber Warfare for preliminary reading before the course begins.
A look at Sandia National Labs’ Threat Analysis Model and why it won’t work
Last Updated on Wednesday, 3 February 2010 09:50 Written by Jeffreycarr Wednesday, 3 February 2010 09:49
In my earlier post on the need for a new Cyber Intelligence model, I discussed problems with the approach Deloitte recommended in its report “Cyber Crime: a Clear and Present Danger“. Today I’ll be taking an in-depth look at an integral part of the National SCADA Test Bed (NSTB) - Sandia’s Threat Analysis model – and its reliance on a flawed OSINT methodology.
Sandia National Labs, in an ongoing effort to protect U.S. critical infrastructure from physical and network attacks, has developed a Threat Analysis Framework composed of five elements:
- the identification of an adversary
- the development of generic threat profiles
- the identification of generic attack paths
- the discovery of adversary intent
- the identification of mitigation strategies
Sandia researcher David Duggan and his colleagues, who are responsible for developing this framework, recognized the limitations of classified threat data (chiefly that it is a very slow process to get it to the people who need it) and chose to develop an unclassified threat analysis framework instead. Duggan’s report “Threat Analysis Framework” is approved for public release and should be read if you want a full understanding of this model.
For the purpose of this post, however, I’m focusing on only one question, and it is a genuinely hard one for everyone in the threat assessment business: is an attack being formulated by a threat seeking to exploit a vulnerability?
Duggan’s approach to answering this question involves breaking it into two separate questions:
- Are any threats discussing aspects of exploiting a specific vulnerability?
- Could the threat find enough information about a vulnerability to develop an attack?
He recommends accessing web forum data sets, such as the Dark Web project run by the University of Arizona Artificial Intelligence Lab, Intelligence Community reporting, and other open source data in order to answer both questions.
The following scenario describes Sandia’s approach. Screen captures come from the Threat Analysis workshop presentation (June 24, 2008).
Figure 1: Discover adversary intent from open and closed sources
Figure 2: Are SCADA vulnerabilities discoverable online?
Figure 3: Note that this approach relies on Search capabilities
Figure 4: The 6 steps by which discovery is made
Figure 5: The Results
The results show that the second question, “Could the threat find enough information about a vulnerability to develop an attack?”, can be answered with a “yes”. In fact, it’s distressingly easy to find detailed SCADA vulnerability information online. The first question, however, came back empty: Sandia’s Threat Analysis model failed to find any threat chatter in public online sources.
The Sandia Threat Analysis Model suffers from the same problem that Deloitte’s model does. It looks for threat data in the wrong places – open forums. Bad actors with the smarts to understand SCADA software vulnerabilities, devise a plan of attack to exploit that vulnerability, and execute on it are not stupid enough to plan it on a publicly accessible forum. It’ll be done in IRC channels or on private, more secure online venues, and reaching those requires different sources and methods than the ones in use even as late as last year.
In yesterday’s post, I outlined a new approach to developing cyber threat intelligence. With today’s post on Sandia’s Threat Analysis for the NSTB, I hope to point out how critical it is that organizations with the responsibility of protecting our most vital assets begin re-evaluating how emerging threats can be detected. My recommendation, obviously, is the adoption of a more aggressive, active intelligence gathering process.
Ask your security vendor what they’re doing about detecting emerging threats. If you’re not satisfied with the answer, ask them to contact GreyLogic. Sandia’s excellent research in this area aptly shows how complex the problem is. No one company has all of the resources needed to provide a complete threat picture. A joint effort is needed, and my company is happy to collaborate with any security vendor currently operating in this space.