Tag: Anonymous

Weekly Cyber Risk Roundup: Spain-Catalonia Conflict Goes Digital, Russian Hacking Revealed

The Spanish government was the week’s top trending cybercrime target due to a series of distributed denial-of-service (DDoS) and other attacks that were orchestrated by the hacktivist group Anonymous.

2017-11-04_ITT.png

The Anonymous’ campaign against the Spanish government comes on the heels of  Catalonia’s recent referendum on independence. As Miguel-Anxo Murado wrote in The New York Review last month, the multi-year independence movement finally came to a head in October as secessionists ignored both a ban placed on the vote by the Spanish Constitutional Court as well as the threat of police action and voted for independence.

That vote led to “mayhem,” Murado wrote, resulting in almost nine hundred people being injured throughout Catalonia as Spanish police confronted protesters and stormed polling stations in order to seize the ballot boxes. On Sunday, Reuters reported that Spain had issued arrest warrants for ex-Catalonia leader Carles Puigdemont and four associates due to rebellion and sedition charges related to the push for recession.

The independence movement has also been accompanied by what one Washington Post editorial described as “The great Catalonian cyberwar of 2017.” According to the Post, Spanish courts and authorities have in the past few months ordered telecom companies to shut down websites pertaining to the vote and forced Google Play to remove an app related to the referendum. 

Scattered cyber-attacks have occurred as the issue unfolded over the past couple months; however, attacks ramped up towards the end of October as Anonymous groups on Twitter and elsewhere urged others to join the #FreeCatalonia campaign, which resulted in numerous organizations being targeted with DDoS attacks, website defacements, and other low-level malicious activity.

2017-11-04_ITTGroups

Other trending cybercrime events from the week include:

  • Extortion attacks: TheDarkOverlord said it hacked the customer database of Hollywood production studio Line 204, and the group is threatening to leak the company’s internal client data, which includes contracts, files, invoices, and more. The group told media outlets that it will leak the data if it does not receive an unspecified ransom, a threat the group has made to numerous other hacked organizations. A malicious actor has released the personal information of 29 University of the Fraser Valley students and is threatening to release more data if the school does not pay a $30,000 ransom.
  • Data leaked: Information related to 46.2 million Malaysian mobile phone numbers that was taken from Malaysian telephone companies and mobile virtual network operators in 2014 has leaked, and the data appears to have been traded among multiple malicious actors. An unnamed third party contractor for government agencies, a bank, and a utility exposed the details of 48,270 Australian employees due to a publicly accessible Amazon S3 bucket.
  • Third-party-related breaches: Malicious actors used information apparently stolen in another breach to create Iowa Public Employees Retirement Systems accounts for individuals who had never created one, and they used those accounts to steal pension checks by redirecting them to different bank accounts. Kimberly-Clark is notifying a “small number” of customers that their personal information may have been compromised due to attacks that targeted registered accounts using a list of credentials leaked in other data breaches not related to the company. Midland County in Texas said a third-party payment system used to pay fines may have been compromised resulting in an undisclosed number of individuals having their payment card information stolen.
  • Other data breaches: North Korean hackers were likely behind an April 2016 hack of Daewoo Shipbuilding & Marine Engineering that led to the theft of sensitive documents. Catholic Charities for the Diocese of Albany said that the personal information of clients and some employees was compromised due to hackers gaining access to a server. The certified public accountants Chiorini, Hunt & Jacobs are notifying customers that their personal information may have been compromised due to three email accounts being accessed. The Union Labor Life Insurance Company is notifying customers that their information may have been compromised when an unauthorized third-party briefly gained access to an employee’s email account and used that account to send spam messages that contained PDF documents with links to malicious sites.
  • Other notable incidents: Numerous art galleries confirmed they were targeted by business email compromise scams that hijacked email communications and requested payment details be changed in order to steal amounts up to £1 million. T-Mobile said it has called all of the few hundred customers targeted by malicious actors with attempts to “swap” the victims’ SIM cards and impersonate them. An unspecified cyber attack at the Oklahoma Corporate Commission led to its network being shut down for a week. A former University of Iowa student used keyloggers to steal credentials, access 250 student and faculty accounts, and then change his grades and access his exams early.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-11-04_ITTNew

Cyber Risk Trends From the Past Week

2017-11-04_RiskScoresThe investigation into Russia’s alleged election-related hacking brought several new developments this past week.

For starters, the Wall Street Journal reported that the Justice department has identified at least six members of the Russian government connected to the Democratic National Committee (DNC) hack, and evidence is being assembled to potentially bring official charges against those individuals next year. The WSJ said that dozens of others may have played a role in the hack; however, it is possible prosecutors may wait to identify some or all of those involved until Special Counsel Robert Mueller’s ongoing investigation into alleged Russian hacking is complete.

The Mueller investigation has already resulted in several indictments as well as a guilty plea for lying to the FBI from George Papadopoulos, who served as a foreign policy advisor for the Trump campaign. The guilty plea has some overlap with the hacked emails, as court documents state that an overseas professor Papadopoulos met with multiple times “told him about the Russians possessing ‘dirt’ on then-candidate Hillary Clinton in the form of ‘thousands of emails.’”

A Sunday report from the Associated Press lays out the timeline of Russia’s hacking attempts, and that campaign appears to have begun with phishing emails sent to a list of email addresses tied to staffers of Hillary Clinton’s 2008 campaign. Most of those emails bounced back, but one of those staffers who had also joined the 2016 campaign ended up clicking on multiple phishing links — possibly providing the attackers with a fresh batch of email addresses to target. More than a dozen democrats were ultimately hacked, including John Podesta. One of Podesta’s hacked emails was the first document published by Guccifer 2.0, although it was altered. Guccifer 2.0 airbrushed the word “CONFIDENTIAL” onto the document and claimed the document came from the DNC rather than Podesta in order to entice reporters.

APT28, the group tied to the hacks, had wide-reaching targets far beyond the U.S. election, the AP reported. The group targeted the gmail accounts of 4,700 users spread across 116 countries, including Ukrainian officers, Russian opposition figures, U.S. defense contractors, and thousands of others of interest to the Kremlin. In the U.S. the targets included diplomatic and military officials; defense contractors such as Boeing, Raytheon, and Lockheed Martin, some republicans, and more than 130 democratic party workers.

Hacktivists Use Automated Tools, Growing Reach to Target Government Organizations

Despite recent media attention surrounding nation-state hackers infiltrating government organizations and attempting to influence elections, the bulk of government-related cybercrime tends to be driven by less sophisticated and more ideologically-motivated campaigns carried out by hacktivist actors, according to a new report from SurfWatch Labs.

govriskchart
Government sector risk scores compared to the average for all sectors over the past year.

Government is the third most active sector when it comes to cybercrime, behind only information technology and consumer goods, and more than a third of the government CyberFacts collected by SurfWatch Labs this year have been related to hacktivist activity — far more than any other sector.

“The global reach of the Internet and social media along with the relative anonymity of cyber-attacks has provided hacktivists with a larger platform than ever to share their message, recruit new actors, and ultimately impact organizations,” noted the report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

It continued: “As a result, the most common cybercrime story in the government sector has involved websites and data being targeted by hacktivist groups resulting in service downtime, website defacement, and various types of information being stolen and publicly leaked.”

government-atep-4
SurfWatch Labs’ data shows that hacktivists have been the top trending actor category across many different government subgroups so far this year – in some cases appearing in more than two-thirds of CyberFacts.

Hacktivist-driven data breaches are not a new problem for the government sector. In 2013, the FBI warned that anonymous hacktivists using Adobe exploits were able to infiltrate agencies such as the U.S. Army, the Department of Energy, and the Department of Health and Human Services in order to steal sensitive information.

“It is a widespread problem that should be addressed,” the 2013 alert stated.

Three years later,  hacktivists remain as a top source of government-sector data breaches.

2016-09-27-govbreachactors
Hacktivists are the top trending known actor group associated with government data breaches so far in 2016.

Government agencies across the world have been targeted by hacktivists using well-known attack vectors such as SQL injections, social engineering and stolen credentials.

For example:

  • Shortly after Anonymous Philippines defaced the COMLEC website in protest of “questions and controversies” surrounding the country’s electoral process, LulzSec Pilipinas posted the entire COMLEC database online. The incident has been described as the largest government-related data breach in history – affecting more than 55 million people.
  • A hacker supporting Palestine published the names and personal information of FBI and Department of Homeland Security employees. The hacker said he first compromised the email account of a Department of Justice employee. Then he socially engineered access to the portal by pretending to be a new employee. Finally, he was able to find databases of employee information on the DOJ intranet.
  • The Anonymous #OpAfrica campaign led to several breaches including a one terabyte dump of information from Kenya’s Ministry of Foreign Affairs and International Trade. Kenya’s Ministry of Information and Communications Technology cabinet secretary Joseph Mucheru said the information was stolen due to a phishing attack that duped employees into clicking a link to change their credentials, which provided the hacktivist access to email accounts.
  • A hacker known as Hanom1960 breached several government agencies – including the Costa Rica Ministry of Culture and Foreign Affairs, the Columbia Ministry of Information Technologies and Communications, and Columbia’s Ministry of National Education – and subsequently leaked information on various government employees. “I see many mistakes in [their IT] systems,” the hacker told news outlets. “It is something that does not concern governments.”

government_hacktivistmicroeffectHacktivists are often characterized as graffiti artists or vandals that simply deface websites and cause other nuisance-level problems for organizations.

Those types of attacks are common, with SurfWatch Labs’ data showing that website downtime and website defaced are the most popular effects of hacktivism; however, the threats from hacktivists go beyond those simple attacks.

According to the report:

“Government officials noted in 2015 that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services put traditional cybercrime tools such as malware, botnets and DDoS attacks at the fingertips of a vastly larger pool of actors. … This trend, along with the large number of federal, state and local government agencies across the world, the global reach of hacktivist actors, and a never-ending series of political causes means that hacktivists have the ability, reach and will to cause harm to government organizations on a level never before seen.”

Hacktivists don’t have the resources of state-sponsored actors, but they are much more open about their attacks — often using public channels to coordinate attacks, gain media attention and recruit other actors to the campaign.

“This chatter can lead to valuable threat intelligence around what types of organizations are being targeted, how those attacks are impacting organizations and, ultimately, what can be done to better protect your organization,” the report concludes. “Monitoring hacktivist chatter and utilizing external cyber threat intelligence, along with your own internal data, can help to paint a full picture of the cyber risks facing your organization, determine what assets are at greatest risk, and inform where cyber defense efforts should be focused in the future.”

For more information, download the full report, Cybercrime Gets Political: Automated Tools and Growing Reach Empowers Hacktivists.

Anonymous Ops Trending, Where are the Other Hacktivists?

Not long ago, several hacktivist groups like the Syrian Electronic Army and Lizard Squad were making headlines on a weekly basis with new hacktivism campaigns and random attacks. While Anonymous has always been the primary source of hacktivism throughout the world, it is interesting to see how these other prominent hacktivist groups’ activity has essentially fallen off the map. Where have all the hacktivists gone?

Taking a look at SurfWatch Labs’ data, Anonymous has been (and will remain) the top trending hacktivist group in 2016, with other factions of Anonymous such as New World Hacking and Ghost Squad Hackers providing additional support to the many Anonymous campaigns currently in existence.

2016-05-23_hacktivistactors
Anonymous is by far the top trending hacktivist group in 2016. Several other Anonymous-affiliated groups also made the list. 

The members of the Anonymous collective have been busy in 2016. New campaigns are underway, but several operations that were created in previous years have seen the most activity to date.

2016-05-23_hacktivistops
Throughout each month so far in 2016 an Anonymous campaign has made headlines. 

Government Sector Targeted, Financials Sector Trending

The government sector has been targeted the most by hacktivism in 2016 by a large margin. The data breach of the Philippines Commission on Elections is by far the top trending hacktivism target.

2016-05-23_hacktivism
The Government sector has been targeted the most by hacktivism in 2016. The Philippines Commission on Elections is the top trending industry target. 

Two Anonymous-affiliated groups were behind the data breach of the Commission on Elections: Anonymous Philippines and Lulzsec Pilipinas. The breach affected 55 million Filipino voters and is considered one of the biggest government data breaches on record.

The Financials sector has also seen a lot of activity over the last month. This is largely due to #OpIcarus, a campaign created by members of Anonymous that is specifically targeting banks.

As the chart illustrates above, several banks are trending, with new banks targeted by #OpIcarus making headlines seemingly on a weekly basis. Between May 13 and 19, a total of 18 banks suffered DDoS attacks at the hands of Anonymous.

Where are the Other Hacktivist Groups?

Anonymous continues to make headlines while other prominent hacktivist groups remain stagnant. Groups like Lizard Squad, the Armada Collective, and the Syrian Electronic Army (SEA) appear to have almost completely ceased all operations. The CyberFacts collected by SurfWatch Labs backs this up, with 2015 being the last time any significant conversation took place among the three groups.

2016-05-23_hacktivistgroups
The chart above shows negative CyberFacts for SEA, Lizard Squad, and the Armada Collective over the past 18 months. 

Syrian Electronic Army
Once one of the most recognized hacktivist groups, the SEA has seemingly disappeared since the summer of 2015. Most current news surrounding the SEA involves legal and law enforcement content as members of the group are being hunted down for past hacking activities. The SEA has been involved with many cyber-attacks, including the the hijacking of the Associated Press Twitter account and the takeover of Forbes. The group was founded in 2011, with most of their activity occurring during 2013 and 2014.

Lizard Squad
Perhaps one of the most notorious groups linked with DDoS attacks, Lizard Squad made a name for themselves after launching multiple DDoS attacks against the Sony Playstation Network and Xbox Live. The group has engaged in a war with Sony Online Entertainment president John Smedley, leading to bizarre events such as calling in a fake bomb threat to an airline which Smedley was a passenger of and effectively grounding the flight. Lizard Squad has recently made headlines without any effort, as a group of unknown hackers were posing as the hacktivist group in an effort to extort money from U.K. businesses through the threat of a DDoS attack. As for actual current activity from Lizard Squad, Blizzard reported a DDoS attack from the group back in April 2016.  

Armada Collective
The Armada collective is the newest hacktivist group out of the three, and it is well-known for its DDoS extortion attacks against online retailers, a method of attack that was first made popular by another hacker group, DD4BC. The group was very active towards the end of 2015, attempting to extort several companies. Much like ransom demands, experts have overwhelmingly warned companies not to give into these attacks. The group went silent in late 2015, although other groups continue to use the group’s name for fake DDoS threats, which unfortunately lead to the group earning over $100,000 for their efforts.

While many people find the threats of hacktivism to be just a nuisance, the damage created from a single attack can have lasting consequences. DDoS attacks — the primary hacktivist weapon of choice — can impact a company through financial losses and damaged brand reputation due to the amount of time the company’s servers are down. In other attacks, sensitive data can be obtained and leaked on the Internet for other criminals to exploit. Hacktivism hasn’t been as prominent in 2016 compared to years past, but the threat posed from these groups remains the same, and companies need to remain diligent in protecting from these threats.