Airbus Defence and Space cyber security experts analysed the modus operandi of cyber criminals. They found that the attackers were attempting to extract strategic information, particularly VIPs’ emails, R&D data and information pertaining to ongoing sales negotiations.
The attackers appear to be well acquainted with the security tools in common use, aware of those tools' vulnerabilities, and able to exploit them.
Although technically advanced and complex, the attacks follow a relatively unchanging pattern: once the attackers define a target, they start gathering information about it and its employees from social networks and develop a malware program that gives them initial access to the target. The malware is introduced either by emails to the employees or via the target’s website.
In the Middle East, the most impressive attack observed was the Shamoon malware, which in 2012 targeted two major oil companies in the region. The Company has analysed the way the attackers proceeded. The companies’ names have been anonymised in the following findings:
• On 13 March 2012, five months before the attack, the Twitter account MIDDLEEASTCRASHED is created. On 1 August, the Hilf-al-Fosoul site is created along with several dozen accounts on Twitter, Google+, Facebook, etc., all of which announce the attack on a designated Middle East company.
• On 15 August 2012, employees of the two Middle East companies connect a USB key to one of their company’s PCs, thereby causing the Shamoon virus to get into the systems.
• Shamoon consists of three modules:
• Module 1 – the carrier: this is the component that spreads the virus. It copies modules 2 and 3 and then replicates itself on all the computers that are connected, subsequently embedding itself at the core of Windows so that it is launched at start-up. This part of the virus contains fairly basic programming errors that an expert would not have made, which is why the authors of Shamoon are thought to be proficient amateurs.
• Module 2 – the eraser: this is the module that causes destruction. It erases system files irretrievably and replaces them with an image. The PCs are rendered inoperative, even if the hard drive is replaced.
• Module 3 – the monitoring module: this module sends a report of the destruction to a site controlled by the attacker.
In terms of the damage publicly announced by one of the two companies, the attack destroyed 30,000 computers, including the loss of the data stored on them. This equates to 15 million dollars to replace the hardware ($500 per PC) and operational costs of more than 5 million dollars for ordering, transporting, delivering, deploying and reassembling these 30,000 computers, in addition to the damage to the company’s image.
Ultimately, the two Middle East companies didn’t announce the impact on their production, but admitted to having only been able to use faxes for 15 days as a means of communicating externally.
This kind of attack, today known as an Advanced Persistent Threat (APT), can often be detected by proactive monitoring of suspicious behaviour across all network elements. The cyber world is no longer in the era of firewalls; it is entering the era of cyber war and threat intelligence.