On June 13th I attended the Swiss Cyber storm 4 Conference in the most visited city in Switzerland, Lucerne. Lucerne is famous for the Lake of Four Cantons and its historical wooden bridge.
A hacking contest was held in parallel with the conference. The goal of the contest was not only find “good hackers” but also engineers that are able to present well their attack results.
Mark Saxer, a known lobbyist in Bern and a General Manager of the SPIK (Police ICT) association, was the moderator of Swiss Cyber Storm 4. SPIK association plays the role of a bridge between the police and law enforcement agencies and the IT world. Swiss confederation with MELANI, SPIK, Symantec, PWC, Swisscom were the main sponsors of the event. The main goal of the event, as introduced by the moderator, was to provide an open exchange between technical experts and management.
I want to share with the community the details of the presentation from my point of view, that of a Business Development Manager with an engineering background. Hope you will also get some valuable insights as I did.
The first presentation was given by Costin Raiu, Director of Kaspersky Lab’s Global Research and Analysis team. Surprisingly, he is not Russian; his is actually from Romania.
His presentation gave a nice recap of the most known malware attacks: “Advanced malware from Flame and Red October to MiniDuke”. The presentation started with the story on the “Aurora operation” uncovered by Google in 2009. The attack was targeting Google, Adobe, Yahoo, Morgan Stanley, Dow Chemical, etc… It seems that the goal of the attack was counter intelligence gathering with access to legal databases at the above mentioned companies. Some of the databases were storing critical lists of spies/informants. Since, this was a sophisticated operation, it took years to be understood.
Stuxnet is another well-known operation, and I will not go into its details. On the other hand, it was interesting to find out how STUXNET was discovered. Sergey Oulasen, working for the antivirus company, was called in for emergency while he was attending a wedding. The clients of the company saw only blue screens on their PCs. The antivirus application was having a conflict with STUXNET! Having examined the details, the company realized something BIG was discovered.
DUQU was discovered in Budapest in 2011. Its main targets were certificates’ authorities, in order to penetrate Iran’s infrastructures. This operation was probably preceding STUXNET and executed by the same authors.
In 2012 Kaspersky uncovered FLAME. It will probably take another 10 years to be fully understood. Its mechanism is basically allowing to play the man-in-the-middle in a Windows upgrade. The software of 20 MB includes a lot of modules. Using some secure SSH based tunneling it allows to communicate with Command & Control servers. No one knows how a target can get infected and how exactly FLAME works.
RED OCTOBER was the next operation dissected during the presentation. This worldwide attack was discovered in October 2012 when a Kaspersky lab customer reported a strange occurrence. The target countries were all over the map, but strangely not China. From here you can draw some conclusions, but read the rest of this paragraph before you fully make up your mind on where the attack originated from. The malware was able to contact three different Command & Control servers (C2) name for example nt-windows-online.com. Interestingly, the domain was registered in Russia and some email exchanged with domain providers were exchanged in Russian by native speakers. So, it looked like the attackers wanted to implicate China as the root of these attacks, however, this is far from being proven.
In order to understand the Red October operation, Kaspersky lab registered some of the expired domains and configured sinkholes to collect and analyze data. This allowed the company to localize some of the victims of the attacks. It was discovered that hackers used more than three levels of proxies to try to mask the origin of the attacks.
“MiniDuke” was an attack that used hacked twitter accounts that were broadcasting encrypted URL. This operation was active in May 2012 mostly in NATO countries. The malware was written in assembler with some interesting signatures like the code “666” or “29A” in Hex or reference to Dante Divine Comedy’s words, which shows sophistication of the hackers.
Costin Raiu presented what he views to be the main three dangers of a Cyber War:
• Ideas and technics can easily be copied and repurposed (it’s cheap)
• Companies can become collateral victims of state-sponsored attacks
• Cyber criminals start to exploit attack tools developed by governments
Weaknesses found in Internet Explorer, Adobe Flash and Java often are the main entry points of malware attacks. The secret services agencies are reporting data that the world can incur the risk of:
“… Internet will be DDOSed by Superpowers stealing data from each other…”
The second presentation was by Michael Anti, a Chinese Internet freedom fighter from the ”People’s Republic of Firewall”. Michael Anti changed the focus of his presentation at the last minute due to the news about the American PRISM campaign. The US did not help Chinese people trying to get more freedom. In fact, reported news now gives the central Chinese government more justification for its control of Internet. The Chinese government published a new paper just five days after the Western World learned about PRISM saying: “…See, the US is doing the same as we do…”.
The Chinese government is watching closely what’s taking place in the Middle East with the Arab Spring. They learned that it would be a bad idea to cut off Internet. Mubarak did that in Egypt, people overthrew him and his long-standing regime came to an end. The Tunisian regime did leave Internet available to their citizens; however, the government still got replaced. .
This is why China believes it keeps the right balance, by letting people access a controlled web. China copies every popular service available and oftentimes even improves it. For each popular service in the free world you have its Chinese equivalent. A good example is Baidu an equivalent of Google in China.
China counts 300 million micro bloggers on ONE server 100% controlled by the central government. Searches are censored; for example, no information from the New York Times can be found any longer after the newspaper’s report on the fortune of the prime minister. China has put together a detailed grid, where each quarter of a city is under the responsibility of a police officer, who is responsible for all activist and bloggers in the area. The activists are using images, replacing, for example tanks on the Tien An Men square by rubber ducks, because the time it takes the authorities to find the picture will be sufficient for some of the 300 million users to see it. Words, on the other hand, are censored immediately.
One of Michael Anti’s comments was symptomatic. He said that a Western IT company should forget doing business on the Chinese market. The outcome would always be the same. Chinese companies will reverse-engineer, copy and replace all foreign vendor products in a very short period of time. China has two separate entities responsible for operations in the cyber space: The Central Government, whose mission is to control what the Chinese people have access to and also support the government actions abroad. On the other hand the Chinese Army has a role which is to help companies to make money.
In conclusion Michael Anti asked the Western World not to give China more justification to continue what the country is e doing; otherwise, it could get much worse.
The content of the following presentation by Symantec was not revolutionary. My main take-away from it was that most attacks of today were reusing the same tools, e.g. Poison Ivy and others by changing only the signature for the anti-virus tools not to detect them. Also, some attacks on UNIX systems are so basic that they consist from a one-line script commanding the deletion of all data on a hard drive.
I will pause here to let you absorb the notes from the Swiss Cyber Storm and promise to continue in a few days with the notes on the second half of the conference.
Kudelski Security Research 