By Omar Tisza
In our quest to continue exploring salient examples of complex and blended threats, we have complied a few incidents and articles that further underscore a need for understanding such threats. Looking to 2018 retrospectively as we turn to yet another year, we sense an increased awareness of threats that are hard to pin down as either physical or cyber in the security and resiliency landscape due to a myriad of factors. Undoubtedly, 2019 will keep blurring the lines between the cyber and physical domains, as we continue to witness the steady movement towards the integration of web-connected devices and systems–and the risk we implicitly accept–into our daily lives and the infrastructure that supports it.
Following is a simple refresher of complex and blended threats definitions:
We’ve defined blended threats as natural, accidental, or purposeful physical or cyber dangers that have or indicate the potential to have crossover impacts and harm life, information, operations, the environment, and/or property. Complex threats would be two or more separate attacks aimed at the same general or specific target(s) or objective(s). A key distinction of blended threats is the crossover component – one attack, with crossover effects; a threat that originates in one domain and that has impacts across to another domain. More detailed definitions can be found here.
Hybrid Threats Will Target Critical Infrastructure
SC Magazine: “Nation-states, terrorists place critical infrastructure in their cross-hairs.” 04 December 2018 by Steve Durbin, @stevedurbin. The alarm continues to ring on the highly effective tactics adversary nation states and terrorist groups will have in a not-so-distant future. The increased awareness of hybrid threats, as Steve calls them, closely aligns with our definitions of complex and blended threats. The continued awareness of hybrid, complex, and blended threats bring the critical infrastructure sectors – to include health, financial, Information technology, telecommunications, water, electricity, and more – closer to immunity from these vulnerabilities. Threat actors will not only target the critical infrastructure that support homes, businesses, and vital entities, but also homes and work spaces themselves with the emergence of the Internet of Things (IoT) and smart devices embedded throughout our environments. With interconnectivity in mind, Steve further warns, “physical and cyberattacks will be deployed simultaneously, creating unprecedented damage.” Sustainable and effective change to mitigate this risk can be achieved through the continued engagement of the C-suite with a keen focus on rigorous and comprehensive security that “can commit to building a mature, realistic, broad-based, collaborative approach to cybersecurity and resilience.”
“Many nation states and terrorist groups (or both, working together) will have the capability to bring together the full force of their armaments – both traditional and digital – to perform a clustered ‘hybrid’ attack. The outcome, if successful, would be damage on a vast scale.” – Steve Durbin, Managing Director, Information Security Forum
DDoS Attacks and Physical Actions Unraveled Global Cyber Interruptions
Oracle: “Last Month in Internet Intelligence: November 2018.” 06 December 2018 by David Belson, @dbelson. “As usual, there were hundreds of brief issues with limited impact and generally unknown causes, but the most notable issues last month [of November] were due to reported DDoS [Distributed Denial of Service] attacks, problems with terrestrial and submarine cables, and general network issues.” While Cambodia experienced a large scale DDoS attack of their biggest internet service providers (ISP), other parts of the world–such as the US Virgin Islands, Sierra Leone, The Gambia, Mexico City, Burkina Faso, and Somalia–suffered from internet disruptions mainly due to two factors, network connectivity issues and accidental fiber cable cuts. Identifying the root cause of network issues in Burkina Faso and Somalia presented severe difficulties and because of a lack of clear physical indicators. Oracle concluded the connectivity issues were evident at the network level but may have suffered from additional physical incidents, such as accidental fiber cable cuttings or other unidentifiable actions.
DarkVishnya Took Millions in European Bank Heist
CyberScoop: “Kaspersky: Physical devices used to steal ‘tens of millions’ from Eastern Europe banks.” 14 December 2018 by Zaid Shoorbajee, @zbajee. “Banks in Eastern Europe were targeted with cyberattacks that involved the planting of physical devices on premises.” The attacks have been named “DarkVishnya” after reports surfaced in early December 2018 that the robberies “were carried out in-person by a third party who planted devices that connect directly to the banks’ networks. The attackers used one of three tools, the researchers say: a laptop, a Raspberry Pi computer or a Bash Bunny — a USB drive-looking device specifically designed to deliver a malicious payload.” The attackers used evasive tactics to mask their presence on the network, circumvent security measures, and enter the physical premises, which exemplifies the idea of blended threats. The attack originated in the physical realm, with the physical intrusion of individuals who then unleashed a damaging cyber-payload that successfully extracted “tens of millions” by connecting hardware and software to the financial infrastructure.
Bomb Threats in Your Inbox
Digital Shadows: “Bomb Threat Emails: Extortion Gets Physical.” 14 December 2018 by Digital Shadows Security Engineering Team, @digitalshadows. “Extortionists actors have now upped the ante by making bomb threats” via email to various organizations across the country. Law enforcement and information sharing bodies were quick to keep victims from paying the ransom as the campaign had minimal credibility. While evacuations took place as a precautionary measure, the extortion did not seem to be financially successful. It is believed that this campaign originated from a Russian source and the emails and credentials used were not acquired from public data sources, which was a tactic observed in the previous ‘sextortion’ campaign. Another commonality with previous extorsions of this kind is the social engineering to coax the victims to make a payment in bitcoin. This bomb threat extortion seems to follow the pattern in which cyber-extortion campaigns have seen to unfold, however, this latest iteration is noticeably of smaller scale and much more haphazardly orchestrated.
From Bomb Threat to Acid Attack
Cisco Talos Intelligence: “Bitcoin Bomb Scare Associated with Sextortion Scammers.” 14 December 2018 by Jaeson Schultz, @jaesonschultz. “The attackers have returned to their empty threats of harming the individual recipient. This time, they threaten to throw acid on the victim.” This is new form of extortion is a continuation of the bomb threat email campaign that began on December 13, 2018. “The criminals conducting these extortion email attacks have demonstrated that they are willing to concoct any threat and story imaginable that they believe would fool the recipient.” This new take on cyber-extorsion seems to be a desperate attempt to wring money out of gullible victims and a devolution of the strategies employed by the threat actor.
Shamoon Evolves to Continue Attacks on Critical Industry
McAfee Labs: “Shamoon Returns to Wipe Systems in Middle East, Europe.” 14 December 2018 by Alexandre Mundo @ValthekOn, Thomas Roccia @fr0gger_, Jessica Saavedra-Morales, Christiaan Beek @ChristiaanBeek. Shamoon, the destructive malware, continues to develop and improve its tactics to “have a critical impact on businesses, causing the loss of data or crippling business operations” by deleting data off critical systems and incapacitating tools and devices. The most affected industry sectors seem to include “oil, gas, energy, telecom, and government organizations in the Middle East and southern Europe.” Essentially, Shamoon “overwrites all files with random rubbish and triggers a reboot, resulting in a ‘blue screen of death’ or a driver error and making the system inoperable.” This is achieved by allowing the malware to install a wiper that can deploy the attack. The most telling sign of Shamoon’s development is “the wiper component can be reused as a standalone file and weaponized in other attacks, making this threat a high risk.”
Symantec: “Shamoon: Destructive Threat Re-Emerges with New Sting in its Tail.” 14 December 2018 by the Security Response Attack Investigation Team, @symantec. Symantec echoed the findings of MacAfee, specifically the wiper component and its potential for costly damage. Symantec further remarked that an organization in “Saudi Arabia had recently also been attacked by another group Symantec calls Elfin (aka APT33) and had been infected with the Stonedrill malware… The proximity of the Elfin and the Shamoon attacks against this organization means it is possible that the two incidents are linked.” Even though it is not clear whether Shamoon was deployed by the Elfin threat actor, Symantec believes this entity could be responsible for the attack due to timeline proximity of the Stonedrill malware attack also deployed by Elfin in 2018.
Weaponizing Power Supplies
Realcomm: “Control System Cybersecurity & What It Means to Buildings.” 19 December 2018 by Joe Weiss, @JosephWeissBlog. While much of the focus on our security and resiliency rests on the integrity of infrastructure within physical confines of entities and organizations, the potential cyber vulnerabilities of the life-giving power supplies outside these confines are rarely explored. At least two significant hardware vulnerabilities among power suppliers have the potential to damage buildings and data centers: “the Aurora vulnerability and Uninterruptible Power Supplies (UPS).” The Aurora vulnerability takes place in the electric substations breakers when they are opened and closed without proper precautions to sync the current back to the grid, which can damage or destroy equipment with electric spikes. Similarly, The UPS helps dampen fluctuations in the current when there is an outage, and if tampered with, it “can directly lead to data center equipment damage.” Cyber-incidents in the Ukraine (December 2015) and within British Airways (May 2017) exemplify the weaponization of the Aurora and UPS vulnerabilities.
“The common thread between Aurora and the UPS attacks are the systems designed to protect mission critical systems were co-opted to be used as attack vectors against the systems they were meant to protect.” – Joe Weiss, Managing Partner, Applied Control Solutions
As we head into 2019, the security and resilience of our spaces–from government to industry–will more heavily depend on our collective ability to utilize the full understanding of complex and blended threats to operationalize measures that will guarantee the continuation and prosperity of our critical infrastructure and we the people who highly depend on it.
Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (HISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.
Our team includes security updates in our free daily paper, the Gate 15 SUN. We encourage readers to consider the evolving blended threat environment and to take that into consideration as you plan and conduct preparedness, security and operations. Read some of our previous posts on blended and complex threats in the links below.
- Complex and Blended Threats: Global Cyber Attacks are Now Human Attacks
- Complex Threats: Ransomware, Hurricanes, Murder, Defacements, Bots, and Blackouts…
- Potatoes and Tomatoes: You Say Blended, I Say Complex…
- Blended Threats! McAfee Labs Addresses Digital Impacts to Physical Infrastructure
- Blended Threats: Mining Takes a Toll!
- Blended Threats (update 1.1): Understanding an Evolving Threat Environment
- Blended Threats: The Oracle Has Spoken!
- More on blended threats, some of our associated preparedness activities, and other content that may be of interest can be accessed from our blog.
Understand the Threats. Assess the Risks. Take Action.