The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) was developed by a government with a significant budget and effort. The complexity of the malware suggests that it has been used for a huge cyber-espionage campaign and, easily predictable, Israel is listed as the main culprit, even if in good company if it is true, as argued by some bloggers, that the malware was created through close cooperation between the CIA and Mossad.
Israeli vice Premier Moshe Ya’alon has contributed to fuel the Flame: speaking in an interview with Army Radio, Ya’alon hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not look like a mere coincidence that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations that cannot be said to enjoy good neighbourly relations with Israel.
Consequently it is not that surprising that the same interview was promptly reported by the Iranian news agency Fars (which interpreted it as an admission of liability and hence blamed Israel for waging cyber war on Iran), nor is the tone of several comments on an article posted on the Haaretz newspaper’s website (“Nice One Israel, Proud of You!!!!”) that surprising.
Of course it is too soon to jump to conclusions. In any case, whether Israel (and the U.S.) is behind Flame or not, I could not help but wonder how it is possible that a piece of malware was able to go undetected for at least 5 years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?
If you want to have an idea of how fragile our data is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow the author of this article @paulsparrows on Twitter for the latest updates.
- “Flame” malware infiltrating Middle East computers: the most complex Cyber Weapon, ever! (theaviationist.com)
Largest U.S. exercise in Middle East furtively taking place in Jordan, involving 19 countries and 12,000 military personnel
May 19, 2012. Posted by David Cenciotti in: Military Aviation
Almost ignored by some media outlets, a major strategic theater cooperation exercise including 19 countries and more than 12,000 participants is currently taking place in Jordan.
U.S. Central Command (CENTCOM) says that Eager Lion 2012 is “the largest annual exercise in the Central Command area of operations”, whose aim is “to strengthen military-to-military relationships of participating partner nations through a joint, whole-of-government, multinational approach, integrating all instruments of national power to meet current and future complex national security challenges. The exercise scenarios are designed to portray realistic, modern-day security challenges. The scenarios are designed years in advance to fulfill collaborative training goals.”
Although “annual”, this year’s Eager Lion seems to be a bit different from the 2011 edition: what does not go unnoticed is that the drills are no longer bilateral (U.S. – Jordan) but involve the militaries of 17 different countries.
Participating countries are Australia, Bahrain, Brunei, Egypt, France, Italy, Iraq, Jordan, Kingdom of Saudi Arabia, Kuwait, Lebanon, Pakistan, Qatar, Spain, Romania, Ukraine, United Arab Emirates, United Kingdom and United States.
Image credit: U.S. Army via CENTCOM
Even if officials strongly denied that the drills are aimed at any realistic threat in the region, the fact that the U.S. is amassing forces in the Middle East seems to be a sign that Washington (along with several close and less close partners) is preparing to manage a large crisis response operation in that part of the globe.
In fact, there are fears that the Syrian uprising will force thousands of refugees into Jordan across Syria’s southern border. And there is also a specific concern that the Assad regime could lose control of some of its chemical and biological weapons stocks, which could be illicitly smuggled into Jordan, as reported by CNN.
Eager Lion, headquartered at Kasotc (King Abdullah II Special Operation Training Center), in Amman, focuses on irregular warfare, special operations, counterinsurgency and crisis response.
Little is known about the participating units. Just a few press releases and some images published on Flickr days after the exercise kicked off give an idea of what is currently operating in Jordan, while there is little or no information about the assets and troops brought in by the rest of the coalition partners.
Among the most interesting ones are the Marines of the 24th Marine Expeditionary Unit and the Iwo Jima Amphibious Ready Group (with the MV-22 Osprey tilt-rotor aircraft of VMM-261) and the U.S. Air Force F-15s of the 104th Fighter Wing, Massachusetts Air National Guard, deployed to Mwaffaq Al Salti Air Base within the 131 EFS (Expeditionary Fighter Squadron).
Image credit: U.S. Air Force via CENTCOM
Middle East Cyber War: Revenge Of The Drones
April 23, 2012. Posted by Paolo Passeri in: Information Security
In the same hours in which I was publishing my post on Cyber Weapons, news agencies all around the world began to release (few) details about a new alleged Cyber Attack targeting the Iranian Oil Ministry, the National Iranian Oil Company and several other state-owned businesses.
The attack has been confirmed by a spokesman of the Iranian Oil Ministry, who also stressed that critical data have not been damaged or lost in the attack. Anyway, as a consequence of the Cyber Attack, albeit as a precaution, Internet access to several oil refineries has been cut off.
Of course Iran is not new to Cyber Attacks targeting Critical Infrastructures (do you remember Stuxnet and the possible hoax of Duqu Stars?); in any case it is too soon to draw any connection with Stuxnet or any other kind of State-Sponsored Attack, also because, according to the scant information available, only a server providing public information has been harmed.
Probably this malware has nothing to do with cyber weapons but, just for fun, I cannot help but notice that this alleged Cyber Attack came on the same day on which, amid many doubts, Iran announced it had reverse-engineered the U.S. stealthy RQ-170 Sentinel drone captured by Iran in December 2011.
The revenge of the reverse-engineered drone?
Tweet: https://twitter.com/paulsparrows/status/194494174488313856
Obviously it’s ironic, but what if the drone was actually a Trojan horse?
The mysterious hatch possibly housing a recovery chute. Image courtesy: Dave Krakow
- What is a Cyber Weapon? (theaviationist.com)
- Iran claims it has decoded the U.S. stealthy RQ-170 Drone Intel but provides unsubstantiated evidence to prove it. (theaviationist.com)
After latest F-35 hack, Lockheed Martin, BAE Systems, Elbit under multiple cyber attacks… right now.
March 14, 2012. Posted by Paolo Passeri in: China, F-35, Information Security
I have just published a timeline covering the main Cyber Attacks targeting Military Industry and Aviation, but it looks like the latest events will force me to post an update, soon.
Although perpetrated with very different timelines, origins and motivations, the attacks of the last three days form a new wave against the military industry, which has unexpectedly become the point of intersection between cybercrime and cyberwar.
The first clamorous attack was disclosed a couple of days ago, when the Sunday Times revealed that alleged Chinese hackers were able to penetrate computers belonging to BAE Systems, Britain’s biggest defence company, and to steal details about the design, performance and electronic systems of the West’s latest fighter jet, the costly F-35 Joint Strike Fighter. The hacking attack has raised concerns that the fighter jet’s advanced radar capabilities could have been compromised, and comes a few weeks after papers about the future British-French drone were stolen in Paris.
Apparently, once again, an APT-based attack, or maybe one of its precursors, since it was first uncovered nearly three years ago. In any case, according to the sources and the little information available, it lasted continuously for 18 months, exploiting vulnerabilities in BAE’s computer defences to steal vast amounts of data. A fingerprint analogous to that of other cyber operations allegedly originating from China, such as Operation Aurora or the controversial Operation Shady RAT.
Details of the attack had been a secret within Britain’s intelligence community until they were disclosed by a senior BAE executive during a private dinner in London for cyber security experts late last year.
Curiously, the F-35 seems to be very attractive prey for hackers, as it was already the victim of a Cyber Attack in 2009; once again the latest attack is believed to have originated from China, which is showing restless cyber activity.
Although completely different in impact and motivations, a second attack has just been announced by the infamous hacking collective Anonymous, which, in the name of the #OpFreePalestine operation, has published the contact details of senior staff at BAE (hit once again), Lockheed, Gulfstream Aerospace (a division of General Dynamics) and the United States division of the Israeli-owned arms company Elbit Systems. An attempt to embarrass military industry considered to be involved in the events happening in Palestine.
Although the data dumps apparently contain little valuable information (according to V3.co.uk many of the telephone numbers listed are for company headquarters, while several of the names appear to be out of date), the latest attacks represent a quantum leap in the Middle East Cyber War, after the “reign of terror” threatened by Anonymous against Israel.
The F-35 JSF is not only the most advanced stealthy fighter plane of the near future. It is also the most expensive. That’s why some partners have been compelled to downsize their initial requirements because of cuts imposed by the increasing unit price (with the new contract the total unit cost for an LRIP 5 jet is 205.3 million USD!!).
Apparently these cuts are also affecting the IT security budgets of the manufacturers.
- Exclusive Infographic: all Cyber Attacks on Military Aviation and Aerospace Industry (theaviationist.com)
Unknown hatch on captured U.S. stealth drone raises questions
December 19, 2011. Posted by David Cenciotti in: Captured Stealth Drone, Drones, Iran, Military Aviation
The amount of contributions I receive each time I publish a blog post on the stealth drone now part of Iran’s assets is amazing. For instance, yesterday, a few minutes after publishing the Infographic that I used to explain how the drone was captured (a theory based on the known facts to date), I got an email from Dave Krakow with an interesting drawing showing how the mysterious hatch on the top of the RQ-170 Sentinel is not up to typical American aerospace standards. “The details are imprecise, nothing like Lockheed Martin products.”
Image courtesy: Dave Krakow
Dave believes the thing shown by the Iranians was possibly constructed previously, for radar signature research, with details added in a hurry for the cameras. “A lot of the commentary on the web regarding general accuracy assumes Iranian intelligence has only the same photos we have on the internet, and thus they could only know certain details if they had an original. I don’t think this is a reasonable assumption” he wrote to me.
For sure, as highlighted in the above image, the mysterious “top hatch” (that I supposed could be used to deploy a recovery chute) features some oddities. Some of them, in particular, raise questions. However, the angle of the camera, the effect of the zoom and many other contributing factors (lights, shadows, image compression etc.) may have affected the quality of the footage shown on Iran State TV, rendering, for example, fasteners seemingly randomly spaced.
Furthermore, there’s still a chance that the Iranians worked on the Sentinel after they recovered it: maybe they tried to get access to the internal hardware, removing panels to inspect the lenses and the memories, to look for interesting data or to disable any self-destruction mechanism or Emergency Locator-like system, in order to prevent the Americans from locating or destroying it.
Nevertheless, we can’t rule out the possibility that the one showcased in what looked like a school in Kashmar was actually obtained by combining pieces belonging to various wrecked Sentinels that Iran has downed in the past, even if this would imply that the U.S. has already lost two or more “Beast of Kandahar” robots in Iran! By the way, Iran has recently announced it will show the remains of three U.S. and four Israeli drones downed in recent years while spying on Iran’s nuclear program.
Someone argued that a deployed recovery chute could be confirmed only if the hatch doors were open, but I’ve already given a possible explanation for the fact that they were closed.
Someone suggested the drone is too clean for a crash landing; however, even if a recovery chute softened its crash landing, I would expect a damaged belly, as the hidden bottom of the drone seems to confirm.