There are times when cyber attacks are directed at a specific target. Examples are the attacks on Google by China, the DDoS attacks on Estonia, the Stuxnet attack against Iran, and the attack on the Sony PSN. Each of these attacks was done in a different way, with different exploits used, but all were focused attacks with a single goal of their own.
The Google attack was performed by someone using an IP address in China, the IP being owned by a university affiliated with the Chinese Red Army. What they did was target workers at Google with focused phishing attacks. The attack used unpatched exploits in Microsoft Internet Explorer and Adobe PDF readers, which allowed the attackers to get malware onto the employees' computers; from there they used the employees' access to Gmail and other Google cloud apps and were able to get data on many Chinese dissidents. The attacks prompted Google to stop all of its employees from using Microsoft Windows. It turned out that many companies were attacked at the same time, and the common denominator was targeted email phishing attacks directed at the Windows operating system, used against people holding data on people who disagree with China.
The DDoS attacks against Estonia were performed by the hacker community in Russia after the Estonian government announced it was moving a statue that honored the Russian soldiers killed in some crushing of dissidents in Estonia. So the Russian underground stopped everything else it was doing and deployed its botnets against the institutions and the backbone of the internet within Estonia. Banks, newspapers and ordinary Estonians were knocked off the net for a week, and only with a lot of help from the international community was the situation resolved. The basis of this attack was the botnets of compromised Windows computers used by the attackers to simply hammer the servers in Estonia with traffic. Only when we are able to make botnets no longer a viable proposition will this type of attack be stopped. Estonia is one of the world's most connected countries and so one of the most vulnerable, but once the attack was mitigated by the people who control the main routing and DNS servers, the attack petered out and the Russian botnets went back to their normal spam generation. They apparently did the attack just because they were good Russians and not because their government asked them to, although the income lost by tying up all of their botnets for two weeks may have had to be offset in some manner, as these groups are normally motivated by greed.
Stuxnet was an example of the kind of targeted attack that we in the community have been discussing and that has been happening quietly for years. This was the first to become known to the media in general and even to be reported much on the internet. Stuxnet was an example of an attack on the infrastructure of a nation by another nation or nations. Iran was hit by a highly targeted attack aimed at its nuclear program, which the other nations of the world think is for weapons and not electrical power.
The attack was against a facility that is not supposed to have internet access, precisely to keep it from being targeted by such an attack. Since it was not supposed to be internet connected, the attacking malware should never have gotten out to where we could see it. The attack was therefore initiated by getting the virus onto the network using a USB key and Windows exploits, most likely either by an insider who copied it onto the network manually or by the classic trick of leaving some USB keys around until someone opens one on the victim network. Using the Windows autorun feature and some zero-day Windows exploits, this malware searched the network for any machines that were hosting specifically configured SCADA controllers. It then reprogrammed those controllers and modified the SCADA software so that it would not show the changes. Those changes were designed to cause the process they were controlling to fail. Apparently it worked just fine, but somehow this isolated network was not so isolated: the malware got out into the wild, so to speak, and researchers were able to get copies of it and analyze it. It was one of the most sophisticated attacks known to date and the first true cyber warfare attack to be available for research.
These three attacks all used malware and exploits to attack the computers remotely, hands off. While the Google attack then led to people using passwords harvested from the attack to open people's accounts and read emails or documents, the largest part of the attacks was via malware. The next attack is completely different.
In the Sony PS Gaming Network attack and the follow-up attacks on other Sony networks, the attackers picked a good time to attack. At the time of the Sony attacks, Sony was already under another attack that seems to be unrelated. Anonymous, the loose-knit group of cyber 'hacktivists', had been doing DDoS attacks against Sony, but not on the PSN servers. They had been attacking Sony's business and advertising servers but not the gaming ones, as that would hurt gamers more than Sony. (I won't go into the politics of why they do these attacks here. Maybe later.)
The attacks on the PSN servers were done in the old-fashioned way: hack your way in, get root access, then copy off the files you want to your own servers. It starts with the attacker finding the server and assessing whether there is a way to break in. This includes checking the software on the server to see what version it is and what exploits are available. In Sony's case this meant an out-of-date web server, and that server being protected more by trying to hide it than by actually defending it. An attack starts with running a script of attacks and capturing the results from that scan. Attackers also use nmap to see what ports are open and what servers are running. Defense starts with proper security software and a good log monitoring tool. Apparently Sony was missing both of these. The attacker found a hole, opened it, logged in as root and then started copying files off. He then covered his tracks fairly well and left a fake calling card to throw the security people at Sony (if you can call them that now) off the trail. The files seem to have all been copied to China, and the reports of the stolen files being offered for sale all point to people on both sides of the China-Russia border. Sony didn't even notice that some of the attacks had happened for two weeks, calling all of their security into question.
This attack has been attributed to Anonymous, and the DDoS certainly was. But the group is not known for any kind of greed motivation, as they are very much hacktivists. So the credit card and information stealing is most likely a combination of the Russian and Chinese underground, as the servers involved in receiving the files and the attempts to sell the databases have come from a combination of these two groups, and they have worked together in the past. If only Sony had a clue about security and let people use the hardware they purchased as they would like, both attacks would never have happened.
So there you have it: four different targeted attacks with specific targets and goals, and some hints at the things done to mitigate the damage. What can we take away from these attacks? Well, Windows played a big part in at least three of the four. And if you want to be protected from these types of attacks, it is mandatory that the computer's OS, applications, security software and servers (if running) all be kept up to date, and if you're running servers you have to watch your logs for suspicious activity.
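As an added example (not part of the original post and not anything Sony ran), here is the kind of log check that the PSN paragraph and the closing advice call for: a small Python script that parses web-server access-log lines in the common "combined" format and flags a source address that is walking through many distinct paths in a short window and piling up error responses, which is what the "script of attacks" scan described above looks like from the defender's side. The log lines, addresses, thresholds and function names are all constructed for this example; the two addresses come from documentation ranges and belong to no one.

```python
import re
from datetime import datetime

# Combined log format as written by Apache and nginx:
#   client ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not a real capture): one ordinary visitor
# (198.51.100.23) and one address (203.0.113.7) trying a list of guessed
# paths in quick succession. One malformed line is included on purpose.
SAMPLE_LOG = """\
198.51.100.23 - - [10/May/2011:02:10:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2011:02:12:30 +0000] "GET /news/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:02:14:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:02 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:04 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:05 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:06 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:07 +0000] "GET /manager/html HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:08 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:08 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "python-requests/2.6"
203.0.113.7 - - [10/May/2011:02:14:09 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "python-requests/2.6"
this line is deliberately malformed and must be skipped
198.51.100.23 - - [10/May/2011:02:20:00 +0000] "GET /about/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(lines):
    """Aggregate per source address: request count, error count, distinct paths, time span."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than abort the whole run
        s = per_ip.setdefault(rec["ip"], {"requests": 0, "errors": 0, "paths": set(),
                                          "first": rec["ts"], "last": rec["ts"]})
        s["requests"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        s["paths"].add(rec["path"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return per_ip


def flag_suspicious(per_ip, max_errors=5, max_paths=8, window_seconds=60):
    """Return {ip: [reasons]} for addresses whose traffic looks like automated probing.

    The thresholds are constructed defaults; tune them against your own baseline traffic.
    """
    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        span = (s["last"] - s["first"]).total_seconds()
        if s["errors"] >= max_errors:
            reasons.append(f"{s['errors']} error responses out of {s['requests']} requests")
        if len(s["paths"]) >= max_paths and span <= window_seconds:
            reasons.append(f"{len(s['paths'])} distinct paths within {int(span)} seconds")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    report = flag_suspicious(summarize(SAMPLE_LOG.splitlines()))
    for ip, reasons in report.items():
        print(f"{ip}: " + "; ".join(reasons))
```

Run against a real access log by feeding the file's lines to `summarize()` instead of `SAMPLE_LOG`. The point is not the particular thresholds but that a burst of 404s from one address across paths no legitimate visitor asks for is visible in the logs within seconds, not two weeks later.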
Also, I would like to point out that Anonymous doesn't use illegally created botnets to do their DDoS attacks; their members and people from the general public allow them to use their systems for these attacks.