The hacking group Pravyy Sector (‘pravyy’ is a bastardised transliteration of the Ukrainian word for ‘right’; Right Sector is the name of a Ukrainian ultranationalist party), responsible for leaking customer data of the Polish ISP Netia, claimed on Twitter that it had breached the network of the Polish Ministry of Defense. The group claimed to have gained full access to the MoD network and, perhaps more interestingly, to have got hold of ‘PRISM Poland logs’. Pravyy Sector then demanded $50 000, transferred to a specified bank account or bitcoin address, in exchange for not leaking the data.
To prove their access, the group posted screenshots from an apparent MoD computer, photos of an application to the ‘PRISM service’ and an XML file containing information about hosts in the alleged MoD network. It is worth noting that the materials posted initially were hardly proof of a compromised network: the attached screenshots suggest that all files were taken from a single computer. The MoD soon issued a statement claiming that the attackers had obtained only outdated documents and were trying to overstate their success. Pravyy Sector countered by posting screenshots of emails with information related to the organisation of the recent NATO summit. Ultimately, however, it seems that they bluffed. The alleged information from the PRISM programme is probably just data collected by a botnet, with only superficial modifications made to make it more believable. Soon after, the group deleted the tweets related to the hack.
Theft of intellectual property by Chinese entities, more or less connected to the authorities in Beijing, has long been a sore point for the United States: one third of the FBI’s list of most wanted cyber criminals consists of officers of the Chinese army. Recently the problem has become all the more serious in that it has directly affected two key areas of US strategic interest, agriculture and defence. The story of Chinese spies stealing seeds of specific crop varieties was revealed recently, while the Shenyang J-31 fighter has for a long time raised controversy because of its striking resemblance to the American fifth-generation F-35 fighter. Operations conducted in cyberspace, such as Operation Aurora, aimed among others at Google and Northrop Grumman, have also been an important part of Chinese policy. Industrial espionage allowed China to skip the R&D expenditures that often make up the lion’s share of total costs. Combined with the production capacity of China’s industrial base, such conduct has certainly contributed to strengthening China’s economic position in the world.
As the North Korean internet suffered a massive outage yesterday, it is difficult not to wonder whether this is the ‘proportional response’ President Obama warned about. While a massive DDoS of the DPRK’s network seems almost too blunt an instrument, considering the sophisticated targeted-operation capabilities available to the NSA, it would be appropriate as a “warning shot”, showing how easily (in less than a week) the whole Korean internet infrastructure can be disabled. It has to be noted, though, that the American administration officially ruled out the possibility of a demonstration strike. As to whether North Korea is really the source of the attacks, the jury is still out. According to the FBI, the evidence strongly backs this theory; however, some researchers, including Bruce Schneier, remain unconvinced. Those opinions, however, often do not fully take into account that the FBI press release may purposefully present only a very general overview of the evidence gathered, so as not to tip off the actual attacker.
Until more information is available, two issues may already be discussed: to some degree, who could be responsible for Korea’s internet outage, and whether it is proper to engage in cyberwar over an attack on a corporation.
Regarding the first question, a recent write-up about the state of the DPRK‘s internet access and the hosts identified reveals an interesting state of the DPRK’s network and perhaps a potentially attractive target for hackers. The legal status of such activities also remains a grey area: it is hard to judge whether authorities would decide to prosecute someone trying to break into the North Korean network, even if, strictly speaking, most provisions of criminal codes do not differentiate between targets of a breach. Also, given the possibility that the Sony attacks originated from Korea, countries might not want to have a trail leading back to them. The revealed IP addresses even include a login page for a Cisco router (http://184.108.40.206/), possibly a tempting target for anyone curious. However, the scale of the outage suggests an organised effort, and no hacker group has yet claimed responsibility. An interesting theory involves Chinese intervention: perhaps the escalation of affairs caused its involvement in order to prevent further embarrassment.
In the latest profile of Edward Snowden prepared by Wired, two new pieces of information related to US cyberwarfare activity were revealed. The first is that the NSA caused an internet blackout in Syria while trying to deploy an exploit on one of Syria’s main routers. Unfortunately, instead of accomplishing their goal, the operatives made the router completely unresponsive, effectively cutting the country off from foreign internet connections. Combining the secret nature of NSA activities with increased rebel activity during that period (November 2012), the narrative presented by the media was naturally much different. Pretty much every major news network claimed (often backed up by sources from intelligence or cyber security companies) that Syria’s government was responsible for the blackout and, furthermore, that it was a deliberate effort to prevent global coverage of atrocities that were about to happen.

There are two sides to this. It might be argued that, given the unstable situation and the callousness of Al-Assad’s regime, a government-sponsored blackout was the most probable course of action. On the other hand, this case brutally reveals how much, and to what extent, information about cyberwarfare in all its aspects (be it hacker attacks, cyber espionage, DDoS attacks or anything else executed from behind a keyboard) is based on speculation and probability scales. Make no mistake: it is not strictly the fault of the news networks, or rather it is, but there is little they can do about it. For the rising superpower of news media, internet outlets of various forms, what matters most is the page visit counter. While this phenomenon is certainly not limited to cyberwarfare reporting, the combination of a lack of sources, the clandestine nature of operations and the limited technical knowledge of news staff makes reports even sketchier and more sensationalistic than usual. After all, nothing makes a better headline than a cyberattack straight out of a Tom Clancy novel.