Why Security Teams Should Pay Attention to the European Cyber Army

The European Cyber Army (ECA) kicked off 2014 by posting successful cyber attacks on governments, companies, and organizations around the world. One of the earliest mentions of the group occurred on Twitter on January 12 when the ECA, in conjunction with 1775Sec, claimed to have leaked an Apple database, posting the data on Pastebin. This occurred the same day the ECA posted its first tweet under the handle @ECA_Legion.


The success of this attack, like that of many of their subsequent attacks, is overstated. According to Appleinsider.com, the Apple leak was not confirmed by Apple, and much of the leaked data was dated and possibly not from Apple at all. The ECA also claimed to have “nuked” (a term the ECA uses often) Yahoo on February 4th, but this appears to be a false claim. They also claimed to have hacked WebEx on February 13, but most likely capitalized on an outage or network problem.


The Russia-Ukraine Cyber Front Takes Shape

In the wake of Kiev protester deaths, Crimea’s occupation, and claimed cyber attacks on the Ukrainian telecommunications systems, the battlefronts in the Russia/Ukraine crisis have taken shape.

Ukraine Turmoil Timeline


Of particular note, Russia has already exerted a measure of control over Ukrainian telecommunication systems. This control is derived from a mix of direct access to equipment and intimate knowledge of Ukrainian lawful intercept systems which are modeled after Russian FSB SORM systems.

What is SORM?

Russia’s SORM (Система Оперативно-Розыскных Мероприятий, literally “System for Operative Investigative Activities”) is a lawful intercept system operated by the Federal Security Service (or FSB – the Russian successor to the KGB).



UPDATE: Sochi 2014 Cyber Threats Take Shape; Targets Named

Earlier in the week, Analysis Intelligence highlighted the cyber threat posed by Anonymous Caucasus.  As the 2014 Winter Olympic Games drew closer, Anonymous-affiliated Twitter accounts branded the group a “terrorist supporter from Dagestan” and embarked on a separate OpSochi campaign focused on highlighting animal abuses.


As identified in the above temporal visualization, on February 6th, specific targets for OpSochi were posted on justpaste.it/OpSochi.  These include olympic.org and sochi2014.com.


OpSochi v. OpPaybackforSotchi2014/NoSochi2014:  Anonymous Caucasus seeks to highlight Russian atrocities during the Caucasian War (1817-64) in OpPaybackforSotchi2014 while OpSochi (a campaign supported by LegionOps, the European Cyber Army and Anonymous) seeks to highlight animal cruelty (captured orcas for entertainment at the Games) and the killing of stray dogs in Sochi.  On February 4th, LegionOps claimed to have downed over 700 sites as part of OpSochi.


Who then is Anonymous Caucasus?:  It appears that there are two distinct voices for Anonymous Caucasus, the self-proclaimed “Electronic Army” of the Caucasus Emirate (a Designated Terrorist Organization by both the US and Russia).  This was demonstrated this afternoon, as the @Anony_Caucasus Twitter account sought contact with @AnonCaucasus.


The Threat:  While an understanding of the rationale behind these attacks can be useful, the targets remain the same: Russian government and Olympic-associated sites.  Of note, Olympic sponsors have been discussed in Open Source as a potential target.


Additional Reading: Our Sunday Sochi 2014 post provides further information on Anonymous Caucasus and Caucasus Emirate.

Want to develop your own cyber threat intelligence analysis? Check out Recorded Future.

Sochi 2014: The Terror Threat and Russia’s Response

“The most daunting threat (to Sochi 2014) is suicide bombers,” Grigory Shvedov, chief editor of the Caucasian Knot, told The Associated Press.  By Shvedov’s count 124 suicide attackers have struck Russia over the past 13 years.

While LGBT and other activist protests are planned for the 2014 Winter Olympic Games, it is the threat of terrorist activity that looms greatest over the event, which begins February 7th. Further to our baseline of Sochi 2014 threat intelligence, Analysis Intelligence highlights the following on-the-ground sources, which regularly feed Recorded Future original information related to the terrorist threat:


kavkaz-uzel.ru – the Caucasian Knot, an online news site that covers the Caucasus region in English and Russian. Established in 2001, it focuses on politics and human rights, with a particular focus on freedom of the press.


blogsochi.ru – Russian-language blog which gained notoriety for its mid-January 2014 reporting on a potential suicide bomber within the Sochi city limits. Of note, according to the Moscow Times, Blogsochi has a contact in the Federal Security Service of the Russian Federation (FSB).

Outside the Ring of Steel:  Local language sources have been critical to understanding the Russian response, highlighting counterterrorist efforts undertaken in the Republic of Dagestan, a center of operations for the Caucasus Emirate’s Vilayat Dagestan.  Our previous Sochi 2014 entry details the group, which seeks to establish an independent Islamic state in the North Caucasus.  The below Recorded Future visualization highlights the uptick in security operations in Dagestan as Sochi 2014 approaches.  Earlier today, Russian security forces killed Dzhamaldin Mirzayev, a militant who may have helped to train the two suicide bombers who struck the southern city of Volgograd.


Inside the Ring of Steel:  Analysis Intelligence continues to monitor claims and perceptions of Russian security.  Interestingly, local source vedomosti.ru has highlighted a fear that the overabundance of security personnel (estimates up to 100,000) in Sochi will leave the rest of the country vulnerable to an attack.

The below visualization tracks the growth in Russian security force estimates, which in recent days have risen to 100,000 total security personnel (police, security agents and army troops). For reference, Sochi security forces (the Operational Staff for the Olympics) fall under the jurisdiction of FSB deputy director Oleg Syromolotov.


Analysis Intelligence utilizes Recorded Future’s patented Temporal Analytics Engine, mining threat intelligence from the open web. We will continue to monitor Sochi 2014’s cyber and physical threats as they emerge.

Anti-Israel Hackers Parastoo Prepare for OpIsrael Anniversary

Anti-Israel hacker organization Parastoo last week announced its intention to join #OpIsrael2, also touted as OpIsrael Birthday, to commence in April. The group is targeting US, NATO, and ISAF engineering, military communications and technology resources.

This was Parastoo’s second public statement during January after several months of silence. However, those statements continue a pattern that suggests the group, which once rattled off a worrisome string of hacks against international energy organizations, is currently limited to PsyOps and riding the coattails of other hacktivists.

Security blogger John Casaretto has written extensively about Parastoo on SiliconAngle, and previously called out the group’s occasional lack of substance. We ask, after Parastoo’s initial successes during late 2012/early 2013, has the group been limited to unsubstantiated claims and self-proclaimed affiliation with OpIsrael actors?

We’ll use Recorded Future for cyber threat intelligence to analyze the timing of Parastoo’s activity. First, let’s get familiar with the group’s claims on Pastebin and Cryptome through the below timeline of digital and physical attacks claimed by Parastoo.

Parastoo Hacker Timeline


The group’s first claimed data compromises of IAEA information (November 2012) were verified by the target. The subsequent attacks on DOE (January 2013) and Jane’s (February 2013) also appear to have been legitimate and resulted in the publishing of sensitive, if not top-secret, data.

Interestingly, the IHS breach reportedly occurred around the same time as the IAEA hack, but the information was held until February 2013. The IHS Jane’s data was also posted to Quickleak, which we’ve profiled for its ties to the Iran-linked hackers the Islamic Cyber Resistance.

Attribution then quickly gets fuzzy beginning with the Department of Energy breach, which CSO Magazine reported might be the work of Chinese hackers, not Parastoo.

Evaluating the Timing of Parastoo Claims

Parastoo often foreshadows events, but does so in a way that positions the group for opportunistically claiming responsibility. For example, in its announcement on February 22 of the Jane’s data dump, the group referenced the potential for damage from a hijacked drone. This was two weeks prior to the reported UAV sighting near JFK airport on March 5.

Parastoo referenced the drone sighting above New York City on March 8, a day after an anonymous source suggested the group could be responsible. It seems the group either wasn’t ready to take credit or jumped at the chance to put its name next to a mysterious and unsolved security incident.

The group started referencing Geneva II in mid-2013 as an event around which they would release already captured sensitive information. The international meeting was ultimately delayed until January 2014; as we now know, Parastoo resurfaced during that time but without much of substance. More on that in a moment, particularly their claims of a physical attack on a PG&E substation in San Jose, California.

Verified Incidents Where Parastoo Claims Preceded Official Statements

IAEA Data Dump 1
Announced November 25, 2012 by Parastoo on Pastebin and Cryptome
Confirmed by IAEA on November 26

IAEA Data Dump 2
Announced November 29, 2012 by Parastoo on Cryptome
Confirmed by officials via Reuters on November 30

DOE Server Breach
Announced January 21, 2013 by Parastoo on Cryptome
Internal communication by Department of Energy made on February 1; confirmed by media on February 4

IHS Jane’s Server Breach
Announced February 22 by Parastoo on Cryptome
Confirmed by IHS to Washington Free Beacon with statement that server was compromised but no confidential information was lost and information posted by Parastoo was publicly available in various digital and physical formats.

Delay Emerges in Parastoo Claims Compared to Actual Events

After the IHS information drop last February, we observed a shift in Parastoo’s claims: the group becomes reactive to events. They started hijacking credit or co-opting campaigns carried out by anonymous or unknown parties in order to spread disinformation and fear to Israel and its allies. Read on for examples.

OpIsrael 2013 and OpIsrael Birthday 2014

The broader OpIsrael campaign, described as revived at the beginning of this post, has been ongoing since fall 2012, and a collective of hackers organized efforts to carry out attacks against multiple targets on April 7, 2013. Last year, Parastoo was not mentioned in an interview with An0nGhost by Hackers Post or in even earlier statements about the planned campaign published on March 7.

Parastoo, while long referencing the broader online protest against Israel, only included the specific #OpIsrael April 7 operation in its statement of targets on March 9, 2013, two days after the campaign was made public.

For the planned operation during April 2014, An0nGhost announced its plans on December 29, 2013 for OpIsrael anniversary attacks to occur on April 7, 2014. Earlier rumors of the operation were spreading via Twitter on December 22; Parastoo only made its statement more than a month later about their intended participation and recommended targeting.

The group also describes a different date, April 4, rather than the April 7 date called for by An0nGhost and its affiliates. All of this suggests members of Parastoo aren’t closely coordinating with the other hacktivist organizations participating in OpIsrael.

Claims of NNSA Breach

During May 2013, Parastoo made a statement distributing public information about the National Nuclear Security Administration (NNSA) while also claiming it had infiltrated secure systems. Nothing has yet come of those claims. Interestingly, NNSA had been breached before, which makes it an ideal candidate for making false claims of data exfiltration. Analysts, media, and the organization itself are challenged to recall and accurately portray what information was previously exposed.

Claims of Second Drone Hack

During early July 2013, Parastoo claimed to have hijacked and controlled the flight of a UAV over an uninhabited area of Maryland. The group suggested it would release details of this operation and the technical specifications of the RQ-170 during the Geneva II talks, but thus far nothing has been seen. No reports could be verified of the drone supposedly owned by iDirect, but again, this is an opportunistic claim, as the group will likely have been aware of drone activity in that state given the publicity around a crashed drone in June 2012.

Claims Support of Physical Attack on PG&E Substation

On April 16, 2013, vandals cut fiber-optic cables and damaged transformers at a PG&E substation near San Jose, California. Eight months after the incident, Parastoo claimed to have supported the individuals responsible for that physical security breach. Their statement was made days after attention to the attack resurfaced.

We also recognize that hitting critical infrastructure has long been an intention of Parastoo based on a statement released at Cryptome criticizing the group for such targeting.

What Happens Next with Parastoo and OpIsrael Birthday

This evaluation of open source information from the web suggests that the anti-Israel, Iran-linked hacker group Parastoo hasn’t demonstrated much success of its own for quite some time. However, based on its recent statements, the group remains active and is seeking greater relevance.

Parastoo’s most recent communication claims it is developing a “secure” forum to be hosted at parastoo.ir. We’ll follow this development closely to see whether the group gains more sophistication and ammunition for once again conducting successfully disruptive operations after launching its own communication channel.

Recorded Future’s web intelligence for cyber threat intelligence is structured to enable analysts to efficiently monitor and analyze operations such as the upcoming OpIsrael Birthday. Here’s a live feed of the latest to emerge on that operation.

We’re also prepared to monitor developments related to Parastoo to evaluate whether its current pattern continues (claiming attacks while likely misrepresenting itself as the perpetrator) or whether new threat capabilities emerge as the group launches its own community space. Reach out to us if you’re interested in setting up your own threat intelligence alerts related to Parastoo or other threat actors in the energy and defense domains.

Sochi 2014: Understanding Physical and Cyber Threats

Former CIA Deputy Director Michael Morell recently called the 2014 Sochi Winter Games “the most dangerous Olympics” of his adult life. Recorded Future analysis highlights the following cyber and physical threat actors and provides “sources to watch” to aid risk assessment.

Monitoring the following sources – familiar to many threat intelligence analysts – can provide continued situational awareness if you or your organization is somehow involved with Sochi 2014.


@AnonsCaucasus / @Anony_Caucasus - Official Twitter handles of Anonymous Caucasus aka the “Electronic Army of the Caucasus Emirate.” Using #OpPayBackForSotchi2014 (note spelling) and #OpSochi.

kavkazcenter.com / @KavkazCenter - Official news portal of the Caucasus Emirate (see below).  Banned in Russia, the site has claimed direct contact with Caucasus Emirate officials.

Caucasus Emirate Timeline


Background: Hacking collective Anonymous Caucasus has claimed attacks on the Bank of Russia and the anti-terrorism site Kavkazpress.ru. In late December 2013, they threatened to attack both Russian government and sponsor websites tied to the Games. Analysis has tied their previous domain “anonymou.so” to a registration including the name “Vilayat Dagestan.”

Vilayat Dagestan (literally “Province of Dagestan”; Russian: Вилайят Дагестан; formerly known as Shariat Jamaat) is a member of the so-called Caucasus Emirate (a.k.a. “IK” or Imirat Kavkaz), an umbrella group for Chechen rebels seeking to establish an independent Islamic state in the North Caucasus. In a January 2014 video, two apparent Vilayat Dagestan suicide bombers claimed responsibility for the December Volgograd bombings, which took 34 lives.

Doku Umarov (a.k.a. Dokka Abu Usman), a rumored dead Chechen warlord and leader of the Emirate, has urged followers to strike the Sochi Games, which he denounced as “satanic dances on the bones of our ancestors.”


As background, some activist groups argue that Russia’s actions during the Caucasian War (1817-64) should be recognized as genocide. Krasnaya Polyana, about 30 miles from Sochi, was the site of the war’s final bloody battle. On February 6, snowboarding events begin at Krasnaya Polyana.

The US State Department in May 2011 designated the Caucasus Emirate as a Specially Designated Terrorist group under Executive Order 13224 and authorized a $5 million reward for information leading to Umarov’s arrest.

Continuing Analysis: Our baseline analysis of Sochi 2014 open source threat information yielded nearly 22,000 references across seven languages.


With wide ranging estimates of 40,000 – 100,000 personnel, Russia’s military might will provide a significant check on physical threats from the Caucasus Emirate and/or smaller groups. As the Games approach, Analysis Intelligence will provide further information on the Russian response to both the physical and cyber threat.

Interested in using this kind of threat intelligence analysis? Check out Recorded Future Cyber.

Copyright © 1996-2010 Analysis Intelligence. All rights reserved.