Suspected State Hacking Campaign Against Europe and Israel Used U.S.-Made Commercial Software
A hacking campaign against military-related targets in Israel and Europe has recently come to light, and the researchers behind the discovery believe that the attackers made use of commercially available software. The researchers, from CrowdStrike and the startup Cymmetria, will present their unusual findings at the annual Chaos Communication Congress security conference in Hamburg on Saturday.
Criminal attackers have made use of commercially available tools – such as Metasploit – for quite some time now. State actors, however, generally stay away from commercial software for fear that it could be traced back to a specific customer, leading to public outcry. Countries tend to use purpose-written software for most tasks, both for security and for independence. This attack took a new approach by misusing a security testing tool developed by Boston-based Core Security, which sells its products to clients who want to test their own defenses.
Major government-sponsored hacks typically combine specially written tools with free and widely available programs, in part because commercial programs could be traced back to specific customers. Even so, reliance on a consistent set of tailor-made tools has allowed researchers to somewhat narrow down an attack to particular entities. Using the Core Security program, however, adds a new twist to the tale.
Using the Core Security program, which typically costs $10,000 to $20,000, could help muddy the waters, and CrowdStrike analyst Tillmann Werner said it could also help a second-tier cyber power skip some of the development work usually undertaken by China, Russia and the United States.
“The most likely answer is they didn’t have the capability to do it on their own,” Werner said of the hackers, adding that “there is no risk of leaving tool-marks.”
Werner and Cymmetria Chief Executive Gadi Evron, who also chairs the Israeli CERT, said they did not know who was behind the campaign. Judging by the set of victims, however, the researchers believe the attacks might have been sponsored by Iran. Evron said they have detected attacks dating back as far as April. These include attacks on an Israeli company “adjacent to the defense and aerospace industry,” an Israeli academic institution, a German-speaking defense agency, and an Eastern European defense ministry. The only other information available at this point is that the attacks on targets based in Israel were unsuccessful.
CrowdStrike has dubbed this campaign ‘Rocket Kitten’, following its convention of naming suspected Iranian attack groups as Kittens. The attack relied on infected Excel spreadsheets that were e-mailed to executives at the target organizations. The spreadsheet asked the recipient for permission to run a macro. Macros are small automated programs embedded in a document that carry out a specific task.
In this case, however, the macro carried a carrier malware payload. Once an executive at the target company ran the macro, the carrier malware would download further components of Core Security’s Core Impact tool and install them on the compromised machine. One of Core Impact’s features is its ability to evade detection.
Core’s licensing terms forbid use of its program against unsuspecting third parties, and Core Vice President of Engineering Flavio de Cristofaro said the company had not heard of such misuse in at least five years. De Cristofaro said the company would assist the CERT if asked and would in any case try to track down how the software had been stripped of the watermarks and other technical restrictions designed to limit its spread.
“We will follow that down,” De Cristofaro said.
Iran as a major suspect
Since the alleged US and Israeli hand in attacking Iran’s nuclear program with the Stuxnet virus, Iran is said to have been beefing up its cyber warfare capabilities. Stuxnet was particularly destabilizing for Iran’s indigenous nuclear program and is considered one of the reasons Iran came to the negotiating table with Western powers on non-proliferation issues. Earlier, Iran-based hackers had successfully run a hacking operation against the Las Vegas Sands Corp. that virtually shut down the networks of the US-based casino operator. That attack was reportedly carried out because the owner of Sands Corp. had called on the US military to use nuclear weapons against Iran to stop it from acquiring fissile material. Investigators into that attack did not find any links to the Iranian state, but that does not change the fact that Iran is a very resourceful country in the cyber warfare arts.
Source: Chicago Tribune.