The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes
of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public
statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-
derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.
Product of the Research & Information Support Center (RISC)
The following report is based on open-source reporting.
November 18, 2014
Introduction
As the lives of individuals and the daily operations of organizations increasingly use and depend upon
online networks and resources, the line between security incidents in the cyber and physical worlds has
become blurred. Traditional security definitions and boundaries no longer apply uniformly. While many
security professionals may still consider cyber security a technical problem, today’s reality is an
intertwined cyber-physical world wherein cyber security issues often affect and cross over into the
physical realm (and vice versa) with direct, tangible impact. Billions of people worldwide are now online; it
has become another, if not the primary, domain that individuals and organizations depend upon to
communicate, increase efficiency, engage in commerce, store and publish information, and reduce costs.
Criminals, spies, terrorists, and hacktivists (hacker activists) also take advantage of these same benefits.
The proliferation of intersections between cyber and physical is increasing as a function of computing
device connectivity. People use numerous communications protocols to connect multiple devices to
various networks at work, at home, and on the go. An organization’s sensitive and proprietary systems,
once closed-off networks, are now accessible or controllable via remote or Internet access. Furthermore,
low-cost “smart” technology has been introduced into departments not traditionally overseen by technical
staff. According to Gartner, 26 billion devices will be part of the “Internet of Things” (IoT) by 2020. IoT is
the interconnection of atypical, non-computing devices – everything from smart thermostats and alarm
systems to medical monitoring devices and automobiles – to the Internet using a myriad of wireless
technologies. This wave of ubiquitous automation will likely create a surge of security implications in both
the cyber and physical realms, especially considering security has historically lagged behind technology.
Defenders must cover all points of attack, while attackers only have to identify the weakest point. An
increasing number of traditional security incidents have occurred because of weak links that existed in the
cyber realm; the converse is also true. Through the examination of security incidents, including the
highlighted examples in Table 1, this white paper will demonstrate the interwoven nature of the two
realms, reveal who has been affected, and provide best practices and countermeasures.
Table 1: Examples of examined security incidents with a cyber-traditional security nexus
• Chinese military hackers compromise facility access systems (Facility Security)
• Online information sharing facilitates kidnapping of billionaire's son (Personal Protection)
• Syrian spy cameras and microphones surveil activists and journalists (Information Security)
• Credit card breaches will continue after chip and PIN adoption (Financial Security)
• Terrorist-linked software developers hired for critical infrastructure work (Personnel Security)
• Hackers can cause traffic jams and misdirection (Public Safety)
• Cyber warfare becomes a component of international conflict (National Security)
Cyber Case Studies: The Traditional Security Nexus
Agreement on the categorization of traditional security disciplines is difficult because there is much
overlap among them; cyber security is no different. Several other security sub-categories could fall under
one or more security disciplines in Table 1, such as operations security (OPSEC). Facility security,
personal protection, and information security are all common sub-categories of physical security.
Physical Security Case Studies
Physical security (defined as the physical protection of sensitive or proprietary information, people,
facilities, installations, or other sensitive materials, resources, or processes) is broad and multi-faceted. Its
key areas involve the physical protection of facilities, people, and information.
Facility Security
U.S. Steel
In May, a federal grand jury indicted five military officers in China’s People’s Liberation Army (PLA) Unit
61398 for computer hacking, economic espionage, identity theft, and other related offenses directed at six
U.S. private-sector organizations in the nuclear power, metals, and solar energy industries. This was the
first time the U.S. Government successfully brought criminal charges against nation-state actors for this
type of computer hacking. Most of the alleged criminal conduct involved information that was stolen while
the companies were in negotiations, partnerships, or trade litigations with Chinese state-owned
enterprises (SOEs).
One of the affected organizations, United States Steel Corporation (U.S. Steel), was involved in trade
cases with Chinese steel companies between 2009 and 2012. Shortly before the anticipated decision in
one of the cases, an indicted military hacker allegedly sent spear-phishing emails to U.S. Steel
employees – including those associated with the litigation. Some of the emails, which appeared to come
from the CEO, successfully tricked employees into clicking on malicious links, resulting in the installation
of malware and backdoor access on corporate computers. The hackers used more spear-phishing
emails, with the subject line “US Steel Industry Outlook,” to steal a list of about 1,700 company
computers, including servers that controlled physical access to the company’s facilities and emergency
response.
Although the indictment stated that vulnerable servers on that list were identified and exploited, it does
not confirm which ones were hacked or detail the extent of exploitation. Compromised facility access
systems could have enabled a Chinese competitor to target U.S. Steel’s business operations from a
physical security angle. However, most of the alleged activity conducted by the PLA 61398 hackers
resulted in intellectual property (IP) and trade secret theft.
Countermeasures
• The U.S. Steel case study underscores the need for segmentation or compartmentalization of critical
systems from public-facing networks via physical and/or logical (software) means.
• The case study also stresses the importance of cyber security education, especially to protect against
spear-phishing tactics.
  o Spear-phishing is used in over 90 percent of advanced economic espionage attacks by nation-state or
  nation-state-sponsored actors.
  o Spear-phishing was the predominant method allegedly used by the PLA 61398 hackers.
• Segmentation and compartmentalization will likely become more important as the Internet of Things
expands, where thermostats, refrigerators, alarm systems, and security cameras could all exist on the
same network.
  o A vulnerability in just one device could disclose the credentials to the entire network.
  o Not only could an attacker turn off an alarm or security camera, but a threat actor could use the
  cameras or smart meter readings to determine when a building is vacant in order to break in.
  o Manipulation of a thermostat to prompt a building evacuation could be the first step in a plot to
  attack an organization’s physical security.
  o In addition, networks that communicate without encryption, or with IoT devices that lack physical
  protection, are exposed and vulnerable to attack.
Personal Protection
Social networking sites and social media sites have made collecting information on people and
organizations for social engineering, blackmail, and conducting traditional, economic, or industrial
espionage – in both the cyber and physical domains – much easier. However, information published on
these sites can also affect the physical security of people in an organization.
Mexican Drug Cartels and a Diverted Flight
Mexican drug cartels and organized crime groups (OCG) often glean personally identifiable information
(PII) from social networking and media sites to add legitimacy to extortion and kidnapping threats. They
regularly monitor social media to target individuals, such as journalists disseminating “unfavorable”
information about illicit OCG activities. OCGs may also search for secure communication channels to
avoid detection by government and security authorities, and they are likely trying to diversify revenue
streams through hacking, counterfeiting, and ATM skimming activities. As such, there have been media
reports of kidnappings, enslavements, bribes, and coercions of computer programmers, engineers, and
telecommunications experts since at least 2009.
A hacking group called the Lizard Squad attacked Sony Online Entertainment in August 2014, causing
denial-of-service disruptions to Sony’s PlayStation Network servers and tweeting a hoax to American
Airlines about “receiving reports that [Sony Online Entertainment CEO]’s plane #362 from DFW to SAN
has explosives on-board.” The hackers were a previously-unknown group who claimed links to terrorism
to add credence to the hoax; therefore, American Airlines diverted the flight and security authorities
checked for explosives. The Lizard Squad had obtained the CEO’s flight information from cross-
referencing flight schedules with travel information he had posted on Twitter (see Figure 2).
Figure 2: Hacking group Lizard Squad devised a hoax using information gleaned from
Sony Online Entertainment CEO’s tweets
Private Celebrity Photos
Information found on social networking and media sites can be used to defeat security questions used to
reset passwords on online sites and services. This, in addition to the use of weak passwords, use of
repeated passwords across multiple sites, a lack of two-factor authentication, and the allowance of
unlimited password guesses on a cloud back-up service, contributed to the highly-publicized leaks of
private celebrity photos in 2014. Using information on the Internet to humiliate, blackmail, bully, stalk,
surveil, and/or kidnap a person may be among the most frightening ways someone’s personal safety can
be compromised by cyber-related means.
Kaspersky Kidnapping
The highest-profile cyber surveillance, stalking, and abduction case involved Ivan Kaspersky, son of the
chairman and CEO of Russia-based Kaspersky Lab, one of the most prominent cyber security firms in the
world. Ivan Kaspersky was kidnapped for ransom in 2011 while walking to work from his Moscow
apartment. According to Russian media sources, amateurs – an older indebted couple – orchestrated the
plot and enlisted their son and two of his friends as “muscle” for the plot. The abductors stalked
Kaspersky and his girlfriend for several months prior to the kidnapping, determining his behavioral
patterns and discovering that he did not have a protective security detail. The kidnappers reportedly
obtained all the needed information from Kaspersky’s user profile on Vkontakte, a popular Russian social
networking site. His profile contained publicly-posted personal information, such as his real name, photo,
current school and area of study, girlfriend, work location, and the addresses of his last two apartments.
With this information, even amateurs could track and abduct the son of a prominent billionaire.
Kaspersky was forced to call his father to relay the ransom demands. Fortunately, the cellphone he used
was tracked within six days, although there is conflicting reporting as to whether its location was tracked
by Russian security authorities or someone working directly for Kaspersky. The Russian System for
Operative Investigative Activities (SORM) lawfully enables authorities to monitor, record, analyze, and
retain all data that traverses Russian telephone and Internet networks, including all emails, telephone
calls, Internet browsing sessions, text messages, and fax transmissions. The abductors may have used
the same cellphone to make food deliveries, or had geolocation services enabled.
Countermeasures
• The common thread in these personal safety attacks is the lack of operations security (OPSEC) used in
online interactions.
  o Limiting the amount of publicly-available personal information online and turning off geolocation
  services on social networking and media sites can go a long way in preventing targeted attacks.
  o Even in cases where permissions are set to limit the audience to online “friends,” it is easy for the
  Internet savvy to use fake social networking site accounts to socially engineer their way in.
  o Potential targets should be made aware of what information about them is publicly available online
  (or for a few dollars), to understand the ways they could be targeted.
  o Posting information from wearable IoT devices with geolocation capabilities (GPS), like fitness
  activity-monitoring devices, could also reveal regular routes or residential addresses.
• Only trusted third-party sites and services with stringent security measures should be used for any
off-site or cloud storage of sensitive files.
• Other best practices to help counter attacks include separating work and personal accounts and using
fabricated information in password reset security questions.
Information Security
In addition to facilities and people, physical security protects sensitive or proprietary information from
sabotage or theft. Using cyber methods to destroy or steal information stored electronically is obvious, but
using cyber methods to obtain information that is not located on computer networks or electronic media is
less so. Stringent physical security measures and systems used in facilities to prevent adversaries from
overhearing information, gaining access to printed information, or discovering what physical security
systems or methods are in place, can be defeated by one compromised cellphone or computer.
Computers and cellphones contain cameras, microphones, and often tracking devices – the same
components that make up high-tech eavesdropping devices.
Syria: Non-Governmental Organizations, Journalists, and Activists
Violence from Syria’s civil war continues both on the ground and in the cyber realm. Pro-government
forces are circulating spyware to infiltrate, track, and gather intelligence against the opposition, which
often winds up in the hands of the Assad regime and results in arrests, raids, and attacks. In some cases,
suspected rebels have been rounded up and interrogated about activities they conducted on their
computers, without the interrogators needing to have physical access to the machines.
Pro-Assad hackers deploy malware that is usually in the form of a remote access toolkit (RAT), which
grants nearly full access to victim computers. Not only do the attackers have access to computer files, but
they can record everything that is typed or displayed on the screen, such as online communications,
emails, video calls, and chats on social networking sites. The spyware is able to obtain information not
normally in the cyber domain – it can turn on cameras to collect intelligence on locations, record sensitive
information posted within view, attribute online activities to specific users’ faces, and turn on microphones
to eavesdrop on conversations in the room.
The attackers use well-informed social engineering that is tailored to the interests, needs, and fears of the
opposition. For example, they have hidden malware in fake security tools, fake versions of privacy or
encryption software [such as virtual private network (VPN) clients and Skype encryption tools], bait
documents, and malicious links. One email promised documents and maps showing the movements of
fighting groups. Further, they compromised legitimate Facebook accounts, such as one belonging to the
head of the Transnational Syrian Opposition, to recommend the installation of malicious software.
When diplomatic efforts appeared to replace the possibility of U.S. military action in Syria, NGOs and
journalists working on the conflict were included as targets in the attackers’ phishing, social media, and
spear-phishing campaigns. In one instance, an NGO administrator received an email purporting to
contain video evidence of Syrian military abuses. The file played a video of a graphic execution while it
installed RAT malware.
Pro-government hacking campaigns followed similar methods until late last year, when security
researchers began to see attacks that they believed were “false flags.” The new campaigns seemed to
implicate pro-Assad hackers deliberately, but did not fit their techniques and tactics. For example, new
malware of unknown origin claimed to be from the Syrian Electronic Army, but specifically attacked
Mac computers, which are uncommon in the region. Mac computers are more popular with activists
and journalists covering Syrian issues from outside the country. Kaspersky Lab has attributed the
locations of attackers in recent Syria-related cyber attack campaigns to operations coming from Syria,
Lebanon, and Russia. This may indicate that Syrian government allies with significant hacking
capabilities, such as Hizballah, are secretly assisting in the attacks. Figure 3 shows the geographical
distribution of those targeted by recent cyber attacks.
Activists, journalists, and NGOs working on the Syrian conflict have become more knowledgeable of
the risks posed by these kinds of attacks. However, the attackers’ malware campaigns have become
increasingly innovative and sophisticated in 2014, with higher levels of social engineering. Analysis of
the cyber attacks, especially correlating new or resurging attack campaigns with current events, is
difficult.
Figure 3: Recent Syria-related cyber attacks mostly affected victims in Syria and nearby countries
(Source: Kaspersky Lab)
Countermeasures
• In addition to education on spear-phishing techniques and social networking/media site compromise
methods, organizations can prevent malware installation by keeping all software up to date with
upgrades and patches, and only downloading or obtaining trusted software from authorized, authentic
websites and stores.
• Organizations should also be aware that there is a risk of surveillance or eavesdropping when using
computers and mobile electronic devices.
  o Microphones can be physically switched off (not using software) or disconnected from systems in
  sensitive areas.
  o Covers or removable tape can be used to cover camera lenses when not in use.
  o Cellphones can be left outside, or batteries can be temporarily removed, during sensitive
  conversations in secure areas.
  o Other best practices for safely using electronic devices abroad can be found in the OSAC report on
  economic espionage trends.
Reverse Case: Physical Security Affecting Cyber Security
An exploited vulnerability in cyber security does not always defeat physical security, but physical access
to computing devices nearly always defeats cyber security. Lack of access control, locks, temperature
control, and backup power for high-value networks or server rooms could easily result in data loss or
compromise.
Additionally, most attacks against cellphones and mobile electronic devices require one or more of the
following:
• An unencrypted connection to an unsecured network or Wi-Fi network;
• Falling prey to a malicious link or attachment in an email, social networking or media site, or text
message;
• Software that is unpatched or out of date; or
• Having physical access to the device.
Physical access is the easiest way to compromise laptops and mobile electronic devices. Abroad,
especially in locations with aggressive technical collectors, most security experts assume devices that are
out of direct physical control are compromised.
Financial Security Case Studies
Perhaps the greatest confluence of traditional and cyber security occurs in the finance industry, where
international commerce and financial services operate largely on a cashless framework. “Cyber” is losing
its place as a term in the finance industry vernacular. Excluding cash-only economies, monetary
exchanges and transactions are done electronically. Brazil was a pioneer in the adoption of electronic and
online financial systems 30 years ago and today has a large, robust banking community and e-commerce
sector. Even in several African countries, such as Kenya, mobile network penetration preceded that of
broadband Internet, and financial transactions by phone have become commonplace. With rapid
technological growth comes a general lag in implementing and enforcing cyber security legislation and
practices, usually creating lucrative environments for cyber criminals. As such, Brazil is a worldwide
hotspot for cyber crime, and in Africa, fraud conducted over mobile networks is prolific.
Major Credit Card Breaches of 2014
Especially in the United States, major data breaches seem to make the news headlines regularly,
contributing to the “Age of the Data Breach.” In 2014 alone, hackers have stolen over 500 million financial
records from the U.S. private sector. Of these, point-of-sale (POS) terminal malware exposed the financial
information of over 100 million credit cardholders, stealing the information while it was unencrypted in
memory or elsewhere in the transaction chain. EMV “chip and PIN” credit cards, wherein cards contain an
embedded microchip and are authenticated to bank servers using a personal identification number (PIN),
may be an answer. However, without end-to-end encryption of credit card data in a financial transaction
(including memory and storage), these breaches could still occur. Furthermore, stolen card information
still can be used fraudulently in online transactions, which cannot access the chip.
Credit card skimming, when criminals insert a rogue device into an ATM or POS terminal that copies
information stored on the magnetic strip, will likely decrease in countries that migrate fully to EMV chip
technology. However, chip and PIN cards are not immune to software flaws, incorrect implementation, or
more advanced skimming attacks that clone the chip or harvest the PIN.
As countries migrate to the EMV standard, payment networks have implemented liability shifts. In the
U.S., the card issuer is liable for fraudulent transactions, but in countries that have adopted EMV, liability
for fraudulent transactions has shifted to retailers and ATM owners who do not support it.
Countermeasures
Large credit card breaches will likely continue to occur because of the time required for a country to
completely adopt EMV technology, and as long as there are end-to-end encryption issues. However,
examination of the major credit card breaches in 2014 reveals other vulnerabilities that were involved in
the attacks.
• Computers on the same network as those in the POS transaction chain (without physical or logical
separation):
  o Were open to Internet access;
  o Had remote administration software installed;
  o Had user accounts with access to email and Internet browsing (susceptible to spear-phishing and
  drive-by downloads that install malware); and/or
  o Were connected to third-party vendors or services, such as payment processor companies or HVAC
  companies, that employ less stringent security measures.
• Even organizations that employed stringent security software and response teams missed alerts and
warnings. This can happen when multiple offices are responsible for an organization’s overall security,
but there is no standard operating procedure to delineate individual responsibilities, and when no
formal breach response plan exists.
• Compliance with new PCI-DSS 3.0 security standards will help address some of the vulnerabilities
affecting credit card transactions.
Personnel Security Case Studies
Personnel security assures the loyalty, reliability, suitability, and trustworthiness of employees and others
who work with or have access to sensitive information and material. It is often concerned with insider
threat. Economic (nation state) and industrial (corporate) espionage threat actors use social engineering
techniques, both cyber and traditional, to specifically target employees who have any access to sensitive
or IP-related information. Some insiders may be state-sponsored threat actors already embedded in U.S.
private-sector organizations, but many are coerced with promises of financial reward. Both economic and
industrial espionage actors lure employees with lucrative job opportunities at either state-owned
enterprises or competitors. Employees can also be coerced by nation-state governments to help their
home countries out of patriotism or loyalty.
Disgruntled employees are prime targets for economic and industrial espionage actors, and as many
as 75 percent of departing employees are disgruntled. According to client statistics compiled by cyber
security firm Websense, 65 percent of malicious insiders have already accepted a new job, and 25
percent of them hand over proprietary information to a foreign company or government (see Figure 4).
Figure 4: Threat profile of malicious insiders (Source: Websense)
Jerome Kerviel and Societe Generale
For Jerome Kerviel, no encouragement or lure was needed in what became the biggest rogue trading
scandal in history. Kerviel, a trader for French multinational banking and financial services company
Societe Generale, was convicted in 2008 for breach of trust, forgery, and unauthorized use of the bank’s
computers. As an insider, he subverted controls and used an accumulation of privilege to go on a
gambling spree that resulted in a $7 billion loss for his employer. After his release from prison in
September 2014, he was hired as an information systems and computer security consultant by Lemaire
Consultants and Associates.
Aum Shinrikyo
Aum Shinrikyo, a Japanese doomsday terrorist group, was responsible for many assassinations and the
1995 sarin gas nerve agent attacks on the Tokyo subway system that killed 12 people. Five years later,
security authorities realized that more than 80 Japanese companies and government organizations had
contracted computer companies affiliated with Aum Shinrikyo for software development. The Japanese
companies affected were major players in the electronics, food, banking, transportation, and metal
manufacturing fields, while some of the government agencies were responsible for construction,
education, postal services, and telecommunications.
Computer software development was a major source of revenue for Aum Shinrikyo. Many affected
organizations did not know they had ordered software from firms affiliated with the terrorist group because
their main suppliers had subcontracted the work. Additionally, most affiliates concealed their relationship
with Aum Shinrikyo. They developed about 100 different types of software, including customer
management, airline route management, and mainframe computer systems. The most prominent
customers were Nippon Telegraph and Telephone (NTT), Japan’s main telephone and Internet service
provider, and the Defense Ministry of Japan. The concern that the terrorist group had inside
access to sensitive government and corporate computer systems became a widespread fear, as many
worried about acts of cyber terrorism and sabotage of vital communications and networks. Many affected
government agencies and companies were forced to suspend the use of purchased systems until they
could assure they were secure.
Countermeasures
• The most effective countermeasure for insider threat is user education, especially as part of a
formalized insider threat program.
  o The average employee is not aware that foreign governments, in addition to competitors,
  attempt to recruit insiders.
  o Coworkers have the best chance at identifying insider threat behavior in an organization.
  o The CERT Insider Threat Center has published best practices for mitigating IP theft,
  information systems sabotage, and fraud. Additionally, the FBI Counterintelligence
  Division’s Insider Threat Program offers an extensive list of possible insider behavior and
  risk indicators.
• A great number of insiders are also unintentional.
  o Although usually not as costly, many losses occur from negligent or uninformed
  employees, who do not realize that they are not complying with cyber security best
  practices.
  o It often requires only one instance of human error, such as falling for a spear-phishing
  scheme, for a major data breach or loss to occur in an organization.
• The Aum Shinrikyo case stresses the importance of personnel security measures not only for
employees in the workplace, but also for all those who work with or have access to sensitive
information or systems in the entire supply chain.
Public Safety Case Studies
Public safety involves the prevention of and protection from events that could endanger or cause injury,
harm, or damage to the general public. The Aum Shinrikyo case highlights a cyber-related incident that
overlaps multiple security disciplines; it could have had long-reaching effects on the public safety in
Japan. Other examples of cyber incidents that could impact public safety involve event security and
terrorism.
Major Event Disruption
Hacktivists (hacker activists) have threatened mass disruptions at major events to publicize or bring
attention to their causes. Days before the opening ceremony at the London 2012 Summer Olympic
Games, British security services warned Olympics authorities about the threat of a cyber attack on the
stadium’s power supply. According to government investigations, the threat came from hacktivists that
were not credible. However, the threat led to checks on a back-up power system, including tests to
ensure functionality despite the strain from the stadium’s lighting and communications networks.
Traffic Light Hacks
Hacktivists have also threatened to hack into traffic control systems at major events, such as the 2014
FIFA World Cup, using vulnerabilities in traffic control systems that were recently published in two
separate studies. The studies revealed that traffic control systems could be disrupted or rendered
inoperable. One researcher used a remote-control drone and cheap programmable hardware to launch
an attack on a traffic system and sent fake data to sensors – small wireless vehicle detection devices
embedded in the ground that transmit information about automobile location and movement. Traffic could
be impacted if the sensors were wirelessly linked to traffic lights. The other research team showed that it
was possible to break into the wireless communications of another system’s traffic controllers because
there were no passwords in use and no encryption used in the transmissions.
Terrorists could exploit traffic control system vulnerabilities to direct traffic toward (or restrict it to) a
planned attack location. While the products detailed in the studies are deployed primarily in the U.S.,
about 200,000 of the sensors in one system are in use worldwide, in countries such as the UK, France, and
Australia. Experts believe that many traffic infrastructure devices created by various vendors have similar
security weaknesses due to a lack of security consciousness in the traffic control systems field.
Countermeasures
• There are several practical ways that transportation departments, traffic light operators, and
equipment manufacturers can increase the security of their infrastructure:
  o Enabling encryption on wireless networks,
  o Blocking non-essential traffic from being sent on the network, and
  o Updating device firmware regularly.
• The simplest solutions with the greatest impact are to enable passwords and not rely on
default login credentials.
• The vulnerabilities in the traffic sensor system have been patched, with planned upgrades for
older models. However, the identity of the other vendor has not been disclosed, and their
vulnerabilities are still exploitable.
National Security Case Studies
National security refers to the protection of a nation through the use of economic power, political power,
military might, and diplomacy to ensure its survival. Accordingly, national security is dependent upon
military as well as non-military facets such as economic security, energy security, and environmental
security.
One of the most concerning national security issues with or without a cyber security nexus is the scale of
trade secret theft conducted against U.S. economic interests, especially those with foreign operations. In
addition, host country national security can affect the operations and welfare of U.S. private sector
organizations abroad. There are many possible attack vectors that could impact a country’s critical
infrastructure and therefore the operations of OSAC constituents. Furthermore, international and
intranational conflicts more frequently include cyber components.
Economic Damage by Espionage
Intellectual property theft, especially in the cyber domain, has been one of the most serious economic and
national security challenges the U.S. has faced over the past several years. The Commission on the Theft
of American Intellectual Property, in their 2013 IP Commission Report, estimated that the U.S. economy
loses over $300 billion a year to international trade secret theft. The report
concluded that better protection for IP, especially overseas, would add millions of jobs to the U.S.
economy, significantly bolster economic growth, encourage investment in research and development, and
improve innovation.
Critical Infrastructure Attacks
Threats to a host nation’s critical infrastructure include those against the financial services industry,
energy sector, water supply, transportation systems, public health services, and telecommunications
networks. Nation states have infiltrated or attacked critical infrastructures, often controlled and monitored
by industrial control systems (ICS), since at least 2003. Patching and updating ICS equipment can be
difficult because it is often old, sensitive, proprietary, or no longer supports software upgrades. Many
systems require continuous operation and cannot be rebooted after an update, especially if it takes
several hours to do so or there is a risk that the system may not work properly afterward.
Critical infrastructures that are accessible via the Internet are most vulnerable to attack. However, those
that isolate, or “air gap” their systems from the Internet are not impenetrable. Advanced nation-state
attacks on air-gapped systems have succeeded, e.g., the Stuxnet and Agent.btz campaigns, where
employees may have inserted malicious USB flash drives – planted outside targeted facilities – into
computers that were connected (or later connected) to the sensitive, isolated networks. The Stuxnet virus
destroyed nuclear centrifuges in Iran, and Agent.btz infiltrated both classified and unclassified U.S.
military networks. Other research suggests that the Stuxnet virus may have entered via hacked suppliers
of nuclear facility components. Additionally, the Shamoon virus, introduced by a disgruntled insider with
full systems access, destroyed 75 percent of the corporate data at Saudi Arabia’s national oil and natural
gas company.
Actors based in China, Russia, and Iran have allegedly conducted cyber probes of U.S. grid systems;
cyber attacks have occurred against critical infrastructure in several other countries as well. In 2013, a
senior Israeli official revealed a foiled hacking attempt to break into the computers of the water system in
Haifa and stated that critical infrastructures in Israel undergo hundreds of cyber attacks every minute. In
2013 and 2014, private security researchers set up fake industrial control systems (“honeypots”) on the
Internet that emulated water pumping stations. Analysis of one decoy system revealed intrusion and
system modification attempts originating from several countries, as shown in Figure 5. Further, targeted
attacks to obtain statistics, diagnostics, and protocol information included a spear-phishing attack from
China, a commonly-known malware attack from Vietnam, and an unknown malware attack from Russia.
Figure 5: Water pumping station “honeypot” attacks by originating country with
highlighted exploitation methods (Source: Trend Micro)
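The per-country tally behind Figure 5 is the kind of summary a defender produces from honeypot logs. The following is an added example, not code from the report or from Trend Micro: it assumes a simple "timestamp country source-IP method action" line format in which the country has already been resolved from the source address, and the log lines, country codes, documentation-range IP addresses, method labels, and action names are all constructed for illustration.

```python
"""Summarise ICS honeypot events by originating country and method.

Added example. The log format and every entry below are constructed
assumptions, not data from the report or from the honeypot study it cites.
"""
from collections import Counter, defaultdict
import re

# Constructed sample log: "timestamp country source_ip method action".
# IP addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-03-01T02:14:09Z CN 198.51.100.7 spear-phishing read_stats
2013-03-01T03:40:22Z CN 198.51.100.7 modbus_write set_pump_speed
2013-03-02T11:05:51Z VN 203.0.113.44 known_malware read_diagnostics
2013-03-02T19:27:03Z RU 192.0.2.88 unknown_malware read_protocol_info
2013-03-03T08:00:15Z US 192.0.2.10 web_login read_stats
2013-03-03T08:01:40Z US 192.0.2.10 modbus_write change_setpoint
2013-03-04T14:13:27Z CN 198.51.100.9 modbus_write set_pump_speed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<cc>[A-Z]{2}) (?P<ip>\S+) (?P<method>\S+) (?P<action>\S+)$"
)

# Actions that would change controller state count as "system modification
# attempts"; anything else is treated as reconnaissance (statistics,
# diagnostics, protocol information).
MODIFYING_ACTIONS = {"set_pump_speed", "change_setpoint"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def summarise(events):
    """Return {country: {attempts, modifications, methods}} for the events."""
    attempts = Counter(e["cc"] for e in events)
    modifications = Counter(e["cc"] for e in events if e["action"] in MODIFYING_ACTIONS)
    methods = defaultdict(set)
    for e in events:
        methods[e["cc"]].add(e["method"])
    return {
        cc: {
            "attempts": attempts[cc],
            "modifications": modifications.get(cc, 0),
            "methods": sorted(methods[cc]),
        }
        for cc in attempts
    }


if __name__ == "__main__":
    for cc, row in sorted(summarise(parse_log(SAMPLE_LOG)).items()):
        print(f"{cc}: {row['attempts']} attempts, {row['modifications']} modification "
              f"attempts, methods={', '.join(row['methods'])}")
```

Separating modification attempts from read-only probes is the useful distinction here: a decoy that only ever receives reads is being catalogued, whereas write attempts to setpoints show an actor willing to alter a process.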
Despite the vulnerabilities and reported intrusions of industrial control systems, it is rare for threat actors
to carry out significantly damaging or full-scale attacks. Many critical infrastructure operators in
technologically-advanced countries air-gap their most important systems from the Internet. Some
experts argue that a mass takeover of critical infrastructure is not likely because it is sufficiently
segmented, where only one component, area, or section could be affected at one time. Regardless, the
pervasiveness of cyber attacks on critical infrastructures and “cold war” tactics indicate that the definition
of national security has expanded to include a nation’s offensive and defensive cyber capabilities.
Cyber Component in International Conflicts
National governments use cyber tactics to help fight rebellions, oppositions, and terrorists internally (see
previous section on the Syrian civil war). However, they have also used cyber tactics as a component in
international conflicts. Cyber researchers have noted major spikes in malware traffic on corporate and
government networks preceding the Russia-Ukraine and Israel-Gaza conflicts, suggesting that conflict
occurring in the cyber realm could be used as a threat indicator or even a tripwire for kinetic attacks. Over
an 18-month period, as tensions rose between each pair of countries, so did the frequency of cyber
attacks between them. Attribution of the attacks becomes crucial, however, as a false flag or the
misidentification of a state-led cyber attack could lead to physical, armed conflict.
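The "tripwire" idea above, a rise in malware traffic well above its recent baseline, can be expressed as a simple anomaly check. The following is an added illustration, not the method of the researchers the report refers to: it compares each day's count of malware events with the mean and standard deviation of the preceding days only, so a spike cannot inflate its own baseline, and the daily counts are constructed sample data.

```python
"""Flag days on which malware-event counts spike above a rolling baseline.

Added example with constructed data; not the researchers' own method.
"""
from statistics import mean, pstdev

# Constructed daily counts of malware events on a monitored network.
# The first two weeks are quiet; the last three days rise sharply.
DAILY_COUNTS = [12, 14, 11, 13, 15, 12, 14, 13, 12, 15, 14, 13, 15, 14, 31, 44, 64]


def spike_days(counts, window=7, threshold=3.0, min_sigma=1.0):
    """Return indices whose count exceeds the preceding `window` days' mean
    by more than `threshold` standard deviations.

    The baseline uses only earlier days, so a flagged day does not raise the
    bar for the day after it. `min_sigma` stops a perfectly flat baseline
    (standard deviation 0) from flagging trivial one-event changes.
    """
    flagged = []
    for i in range(window, len(counts)):
        baseline = counts[i - window:i]
        mu = mean(baseline)
        sigma = max(pstdev(baseline), min_sigma)
        if counts[i] > mu + threshold * sigma:
            flagged.append(i)
    return flagged


def describe(counts, window=7, threshold=3.0):
    """Human-readable lines for each flagged day, for a daily report."""
    lines = []
    for i in spike_days(counts, window, threshold):
        base_mean = mean(counts[i - window:i])
        lines.append(f"day {i}: {counts[i]} events vs baseline mean {base_mean:.1f}")
    return lines


if __name__ == "__main__":
    for line in describe(DAILY_COUNTS):
        print(line)
```

A real deployment would aggregate per source network and per malware family rather than one global count, but the baseline-versus-today comparison is the same; the point, as the text notes, is that such a signal is an indicator to investigate and attribute, not a verdict on who is behind it.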
Russian Conflicts
Open-source reporting and private industry security research have accused Russia of conducting attacks
on telecommunications networks in its engagements with Estonia in 2007, Georgia in 2008, and Ukraine
in 2014. In a dispute that erupted over the Estonian removal of a Soviet war memorial in Tallinn, Russia
allegedly conducted a three-week cyber attack that took down Estonian systems that relied on Internet
technology – disabling voting, security, telephony, and 95 percent of banking operations. US-CERT
attributed the takedowns to distributed denial-of-service (DDoS) attacks. In 2008, the Russian invasion of
Georgia included disruption attacks that blocked Georgia’s banking, media, and government websites.
Internet connectivity within Georgia and to the outside world was impacted, and there were widespread
propaganda and website defacement campaigns against Georgian websites. In 2014, armed men raided
Ukrainian telecommunications facilities in Crimea, severing Internet and telephone services between the
region and the rest of Ukraine. However, this was accomplished by physically cutting telecommunications
lines, a military tactic that predates the Internet by decades. Russia also allegedly installed equipment
that blocked the mobile phones of Ukrainian members of parliament. Some Ukrainian government
agencies, including the Prime Minister’s office and at least 10 Ukrainian embassies abroad, were infected
with a Russian-linked cyber espionage campaign called the Snake malware, also referred to as
“Uroboros.” At least nine other countries’ embassies in Eastern Europe were also infected with the
malware, resulting in leaks of sensitive diplomatic information. And in September, the broadband network
of a major telecommunications provider in New Zealand ground to a halt for 36 hours when user
connections were co-opted to conduct a DDoS attack against websites in Ukraine and several large
international banks enforcing sanctions against Russia.
Predictably, the Russian government has denied state involvement in these attacks. Nonetheless,
investigations by private cyber security firms have determined that these attacks originated inside
Russia's borders. State-sponsored or Russian nationalist hackers could have been responsible for at
least some of the cyber campaigns. Cyber Berkut, a nationalist hacking group that emerged after the
dissolution of the “Berkut” Ukrainian special police force, took credit for the hacking of Ukraine’s electronic
election system prior to the 2014 presidential election. They took down the system via DDoS,
manipulated and destroyed data, and defaced the website to display fake election results.
Israel-Gaza Conflict
While Israel likely included a cyber component in its conflict with Gaza, media reporting focused more
on attacks that pro-Gaza hackers conducted against Israel. Pro-Gaza hackers took control of an Israeli
satellite TV station to display propaganda, hacked into emergency messaging systems to send false and
threatening SMS text messages to millions of Israeli civilians, and hacked the Israeli Defense Forces’
Twitter account to report falsely that two rockets from Gaza had hit the Dimona nuclear reactor and
caused a leak. While media reporting attributed the cyber attacks to Hamas, Israeli security officials
revealed that Iran may have also been involved.
One of the false emergency SMS text messages was an alert that the airport in Tel Aviv had been hit by
a rocket. Later that evening, an OSAC constituent called the OSAC emergency duty phone to confirm the
attack after receiving a report from their security vendor on the ground. However, the vendor was likely
one of the many who had received the hoax on their smartphones.
Terrorist Groups
The Islamic State of Iraq and the Levant (ISIL or ISIS) and Al-Qa’ida have not exhibited the ability to
conduct sophisticated cyber attacks, thus far only using social media networks and other online resources
to communicate, post propaganda, and recruit. Just as governments, militant groups, and terrorists may
receive physical assistance and arms support from their allies, they may also receive offensive cyber
training. Based on open-source reporting and past attack attribution, Iran, Syria, Hamas, Hizballah, and to
a lesser extent, pro-Islamic hacktivists, are the only adversaries in the Middle East and North Africa
region that have exhibited offensive cyber capabilities.
Countermeasures
• Critical infrastructures should isolate their most important systems from public networks. Many ICS
devices are not only Internet-facing, but do not have security mechanisms to prevent unauthorized
access.
  o Web-based ICS equipment that cannot be isolated from the Internet should use encrypted
  communications.
  o System administrators should set appropriately secure and non-default log-in credentials,
  implement two-factor authentication, and disable insecure or unnecessary remote access
  communications protocols.
  o Organizations with aging, fragile, or sensitive industrial control systems can employ real-time
  network monitoring and incident response. Otherwise, administrators should keep ICS
  equipment up to date with software patches and fixes.
  o Physical and logical (software-based) access control can prevent unauthorized employees or
  contractors from accessing important equipment.
• Air-gapped systems may still be vulnerable to attack by advanced nation-state threat actors.
  o Education and training are the best way to protect against both insider threat and the
  connection of unauthorized devices or external electronic media.
  o Disabling or restricting computer ports that accept external electronic devices or media can
  prevent the introduction of malware.
  o Suppliers are usually much easier for hackers to exploit than the corporations or government
  agencies using them.
• Shodan is an online search engine that allows users to search for publicly-accessible devices and
computer systems that are connected to the Internet.
  o Shodan users can locate systems including security cameras; heating and security control
  systems for banks, universities, and large corporations; medical devices; and industrial
  control systems (see Figure 6) for water plants, power grids, and nuclear power facilities.
  o Users are primarily cyber security professionals, researchers, and law enforcement agencies,
  and it is a useful tool for conducting penetration tests on, or “red teaming,” network resources
  and systems.
  o While cyber criminals can use the website, they have other effective methods to accomplish
  the same task without detection. One recent honeypot study revealed intrusion attempts from
  China-based attackers within two hours of connecting the decoy ICS equipment to the
  Internet, before the system appeared on Shodan.
Figure 6: A map of industrial control systems that are directly connected to the Internet (Source: Shodan)
Outlook and Conclusion
Out of convenience, people and organizations have adopted technology into nearly every aspect of their
daily lives and operations. Physical devices are linking or connecting to the cyber realm at an exponential
rate. As atypical devices with “smart” functionalities and Internet capabilities become connected to the
Internet of Things, they also become hackable. Sharing or storing information on external networks also
relinquishes control of the data to third-party vendors and services. Even worse, technology adoption is
surpassing the ability to secure it. This is especially concerning as cyber security has become a
component of an organization’s overall security posture.
Supply chains today are large, complex, and often networked. It is increasingly difficult to map all the
systems, devices, and services that support an organization’s operations, especially how they link
together. Security breaches occur when attackers probe and map targeted networks before an
organization can, seeking to exploit the weakest spots and leveraging trusted third-party connections.
For example, hackers often compromise the email accounts of third parties to send spear-phishing
emails to higher-value targets with stronger security postures. Suppliers – or even suppliers of
suppliers – are usually much easier to break into than the corporations using them.
The convergence of traditional and cyber threats has created the need for integration of the security
disciplines. Adversaries have become more sophisticated in their exploits, often involving both traditional
and cyber attack vectors. Traditional security organizations and jobs are more frequently including cyber
security responsibilities as the line between cyber and real-world security incidents becomes indistinct.
Information security – traditionally the protection of sensitive or proprietary information – and financial
security have almost become synonymous with cyber security because most information and financial
data is now transmitted and stored on computer networks.
According to former DHS Secretary Michael Chertoff, “one of the biggest misconceptions is that cyber
security is a hardware or software problem; the reality is that it is a people problem.” Understanding
adversaries and addressing both technical and human vulnerabilities is critical. A strong security posture
depends upon a culture where security is everyone’s responsibility, especially when the actions of one
person, or one weak link, can compromise the entire enterprise.
Examination of the case studies presented in this white paper reveals countermeasures that OSAC
constituents could incorporate into their security strategies to prevent or lessen the impact of security
incidents with a cyber nexus:
• Segmenting, compartmentalizing, or isolating sensitive information and systems from public-
facing networks and unauthorized access;
• Separating work and personal accounts and/or information;
• Enforcing separation of duties and least privilege for employee, contractor, and vendor user
accounts;
• Educating and training employees and third parties, including social engineering techniques
used by threat actors, and holding third parties accountable with service-level agreements;
• Keeping software, including anti-virus and anti-malware software, up to date with security
patches and upgrades;
• Incorporating security into technology development, maintenance, and the overall system
development life cycle process;
• Only downloading or obtaining trusted software from authorized, authentic websites and
stores;
• Practicing good operations security (OPSEC) in online interactions;
• Encrypting sensitive information in transit and storage whenever possible;
• Employing two-factor authentication, especially for remote access to internal networks and
external storage of sensitive files;
• Employing and enforcing strong password strategies;
• Disabling microphones and cameras in sensitive areas to prevent surveillance or
eavesdropping;
• Remembering that physical access to unencrypted computing devices nearly always defeats
cyber security; and
• Integrating cyber security into crisis management, disaster recovery, and incident response
plans and exercises.
Contact Information
For further information or inquiries, please contact OSAC’s Coordinator for Information Security & Cyber
Threats.
OSAC constituents can confidentially report traditional or cyber security incidents abroad on the OSAC
website at https://www.osac.gov/Pages/IncidentSubmission.aspx or by directly contacting the OSAC
Research and Analysis Unit (RAU).
Referenced OSAC Reports:
• Trade Secret Theft: Trends in State-Sponsored Economic Espionage
• OSAC Assessment: Sochi 2014 Winter Olympics (Information Security and Cyber Threats
section)
• OSAC Assessment: 2014 FIFA World Cup (Information Security and Cyber Threats section)
Recommended