Algerian terrorist Mokhtar Belmokhtar claims to have planned the two deadly suicide attacks last week in Niger. One of the targets was a uranium mine owned by the French company Areva, which makes it the second foreign energy facility in Africa to be hit this year by Belmokhtar-organized forces. It’s also the former AQIM man’s first appearance since his alleged death in March.
We’ve talked previously about the linkages between cyber intelligence and physical warfare. But when we saw the recently executed Operation Guantanamo (#OpGTMO) campaign by Anonymous that culminated this past weekend, it was clear that there are related signals that tie together physical and digital social movements.
Terrorists are relentlessly evolving tactics and techniques for IEDs (Improvised Explosive Devices), and analyzing reporting on IEDs can provide insight complementary to HUMINT on emerging militant methods. Preparing for an upcoming webcast with our friends at Terrogence, we found incidents using sports balls, particularly tennis balls and cricket balls, more frequently appearing as a delivery vehicle for explosives.
Note: Massive thanks to Dr. Jarret Brachman for his guidance and support in putting together this post. He’s one of the best out there studying violent extremism, and we recommend that you check out his book “Global Jihadism: Theory and Practice” and follow him on Twitter.
The Boston bombing investigation continues to reveal new information on the two primary suspects, but quietly reported last Friday was the discovery of jihadi propaganda Inspire Magazine - produced by al-Qaeda in the Arabian Peninsula (AQAP) - on a computer belonging to the elder Tsarnaev brother’s widow. The publication, particularly its first issue containing instructions for building a pressure cooker bomb, was spotlighted as a possible resource immediately after the bombings.
The news that the Tsarnaevs possessed Inspire, whether it directly influenced their actions or not, serves as evidence of the AQAP magazine’s reach and visibility in the jihadist community.
Observing an organization or person by their activities using web intelligence can provide interesting clues about who and where they actually are. These clues can include targets, methods, tools, language, etc. This is true in both the physical and cyber world.
In this post we’ll look at the temporal signature of activities by hacker groups and use those to discern their pattern of life – basically their work week – for matching with national work weeks/schedules.
Top level conclusion?
Different groups have different temporal signatures that could potentially be used to differentiate between those on very regular schedules – i.e. working a desk job (nation state?) – and those on nights/weekend schedules – independent hackers? – as well as to establish their geographic location.
Temporal analysis has long played a part in cyber defense. For example, Bob Gourley, who was the Director of Intelligence for a new (at the time) military unit responsible for defending all DoD networks, indicated in a conversation with me the initial Moonlight Maze intrusion set matched up very well with working hours in Moscow.
This was just one of many other factors that pointed to Russian involvement, but it helped orient analysts.
Another example is how Mandiant used observations of hacker team activity as one signal indicating that a group was Chinese (or in another country in the same time zone):
“Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight.”
KPMG calls out in their Cyber threat intelligence and the lessons from law enforcement report:
“Time: Are there any temporal patterns regarding cyber attacks and, similarly, are your information assets more vulnerable at certain times?”
Sample worldwide work week patterns
A quick summary of work week data from Wikipedia yields the following on work weeks around the world:
Analyzing hacker groups using the work week as a baseline
Now given the above temporal signatures – can we say anything about various hacker groups? We’ll find out using the Recorded Future data set, and in particular 250,000 cyber threat events involving various groups and individuals and times of attacks all collected from open web sources ranging from Twitter and other social media to government sites to hacker forums to regular news in seven different languages.
We’ve taken all the time points of the events and transformed them to day of week so that we can determine what days various groups activate and other patterns.
Below we look at a series of hacker groups – Syrian Electronic Army, Anonymous, Al Qassam Cyber Fighters, Lulzsec, Zcompany, and TeaMp0ison – versus a large set of other cyber events that either belong to other actors (nation states, individuals, and other groups) or are not attributed at all. Our data collection harvests open source data, so obviously there is potential for skewing towards more media-oriented groups (e.g. Anonymous, and yes, we have more data on them), but given that we’re looking at the pattern, not the volume, this should be less of an issue.
The graph above visualizes weekday distribution for each group. A statistical test for non-random distribution is at the very bottom of the post.
Syrian Electronic Army
The group activates right after the Syrian weekend. Between the actual name and the pattern of life/temporal signature, this certainly indicates a group located in Syria that takes time off during the weekend, i.e. potentially a state-sponsored group on a paid schedule.
Anonymous
Anonymous interestingly peaks in activity during the weekend, which indicates that they are mostly students or Western people with “normal jobs” who use weekends for hacking. A good example would be how Reuters recently fired an alleged Anonymous member, who probably had a busy regular work week. We will be back to take apart the temporal signature by various Anonymous groups around the world.
Al Qassam Cyber Fighters
Al Qassam Cyber Fighters activates on Mondays and Wednesdays. Given their focus on hitting US and European banks this could make a lot of sense: hit them Monday morning when online banking activity picks up. But you could also argue that the pattern indicates activating after Saturday, i.e. a regular state-employed hacker week in the Middle East.
Lulzsec
Lulzsec (the breakout group from Anonymous) is, interestingly enough, completely inverted in its temporal signature from Anonymous. It peaks on Wednesday (and this holds across many observations). This might just be the peak of internet traffic…
ZCompany
Fits the “modern Islamic country” calendar perfectly: key activity is Monday-Thursday with little activity Friday-Sunday. The organized work schedule may indicate a state actor/paid schedule. It could also point to Pakistan, which aligns with ZCompany’s targeting of India.
TeaMp0ison
This rival group to Lulzsec activates Tuesday-Wednesday. Its targeting is inconsistent but includes anti-Islamic targets.
Cross correlation analysis
There is great potential for cross correlation analysis here:
Compare activity with temporal signatures other than the work week such as Thanksgiving, Christmas break, Spring break, Ramadan, etc.
Compare group activity to their Twitter patterns through the use of http://sleepingtime.org/. There is potentially a very insightful cross-correlation to be had with this data; for example, TeaMp0ison – http://sleepingtime.org/teamp0ison.
Correlate with other pattern of life variables: targeting, human language used, people association, etc.
If you had access to proprietary IP level data of attacks by these groups you could obviously cross-correlate those activities in a very powerful way. Unfortunately, such data is less readily available to the public.
Temporal signatures can be helpful in developing pattern of life analysis on groups in cyberspace. Obviously it’s only one signal, but potentially a quite interesting one.
Appendix – comments on data and analysis
Data is from Recorded Future collection activities, explore interactively at www.recordedfuture.com
The time stamp is the event time, which should be the time of the event itself. However, given the nature of cyber attacks it could very well be the time of discovery or publication.
There are multiple normalizations that could be done to this data – both within the domain of cyber events as well as normalization against a total event metric – and we will be back with that.
As a statistical test we did a chi-squared test of the likelihood that day of week is unrelated to a cyber attack. Results below – day of week is significant for all groups except ZCompany.
Qassam Cyber Fighters.p.value 1.012541e-09
Syrian Electronic Army.p.value 1.349523e-17
Events by Group per Day

                          Su     Mo     Tu     We     Th     Fr     Sa
Anonymous               5199   3631   3394   4079   5890   4321   6587
Lulzsec                  456    488    628    924    257    389    208
Qassam Cyber Fighters     59     91     51     75     37     43     28
Syrian Electronic Army    75     82     51     46     39     22      8
TeaMp0ison                 1      6     13     17     26      6      8
ZCompany                   1      4      8      6      6      1      2
Untagged               31629  50451  51697  53206  53699  46981  37949
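The two analysis steps the post describes (bucketing event times into weekdays per group, then the appendix’s chi-squared test) are small enough to show end to end. The script below is an added example, not Recorded Future’s own code or tooling: the event records are constructed and hypothetical, the fixed UTC offsets stand in for the local time zones of the hypotheses being tested (named zones would need tzdata), and the PAGE_TABLE counts are copied from the appendix table above. The goodness-of-fit test against a flat week is the test the appendix reports; run on the table’s rows it returns the two p-values the appendix lists. The baseline variant, which uses the Untagged row as the expected shape, is one way to do the “normalization vs. a total event metric” the appendix mentions.

```python
"""Day-of-week "pattern of life" analysis for threat-actor events.

Added example (not Recorded Future's code). Two steps: bucket UTC event
timestamps into per-group weekday counts under a candidate local UTC offset,
then run a chi-squared test of the counts against a flat week (the appendix's
test) or against a baseline row such as 'Untagged' (a normalized variant).
"""
import math
from datetime import datetime, timedelta, timezone

DAYS = ["Su", "Mo", "Tu", "We", "Th", "Fr", "Sa"]

# Constructed sample events (group, ISO-8601 timestamp in UTC); hypothetical.
SAMPLE_EVENTS = [
    ("Syrian Electronic Army", "2013-05-19T22:30:00+00:00"),  # Sun 22:30 UTC = Mon 01:30 at UTC+3
    ("Syrian Electronic Army", "2013-05-20T07:00:00+00:00"),
    ("Syrian Electronic Army", "2013-05-21T08:00:00+00:00"),
    ("Anonymous", "2013-05-18T14:00:00+00:00"),
    ("Anonymous", "2013-05-19T03:00:00+00:00"),  # Sun 03:00 UTC = Sat 22:00 at UTC-5
    ("Anonymous", "2013-05-25T20:00:00+00:00"),
]

# Counts from the post's appendix table, ordered Su..Sa.
PAGE_TABLE = {
    "Anonymous": [5199, 3631, 3394, 4079, 5890, 4321, 6587],
    "Lulzsec": [456, 488, 628, 924, 257, 389, 208],
    "Qassam Cyber Fighters": [59, 91, 51, 75, 37, 43, 28],
    "Syrian Electronic Army": [75, 82, 51, 46, 39, 22, 8],
    "TeaMp0ison": [1, 6, 13, 17, 26, 6, 8],
    "ZCompany": [1, 4, 8, 6, 6, 1, 2],
    "Untagged": [31629, 50451, 51697, 53206, 53699, 46981, 37949],
}


def weekday_counts(events, utc_offset_hours=0):
    """Return {group: [Su..Sa counts]} after shifting each timestamp into the
    candidate local zone. A fixed offset (assumption, e.g. +3 for a Damascus
    summer schedule) is used so the example needs no tz database."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    counts = {}
    for group, stamp in events:
        local = datetime.fromisoformat(stamp).astimezone(zone)
        idx = (local.weekday() + 1) % 7  # weekday(): Mon=0..Sun=6 -> Su=0..Sa=6
        counts.setdefault(group, [0] * 7)[idx] += 1
    return counts


def chi2_sf(stat, df):
    """Survival function P(X >= stat) of a chi-squared variable with an even
    number of degrees of freedom, in closed form (7 weekdays give df = 6)."""
    if df < 2 or df % 2:
        raise ValueError("closed form needs an even df >= 2")
    half = stat / 2.0
    tail = sum(half ** i / math.factorial(i) for i in range(df // 2))
    return math.exp(-half) * tail


def chi_square_test(observed, baseline=None):
    """Chi-squared test of observed weekday counts. Without a baseline the
    expected counts are flat across the week (the appendix's test); with a
    baseline row (e.g. the 'Untagged' counts) the expected counts follow that
    row's shape, removing the overall weekly rhythm of reporting.
    Returns (statistic, p_value)."""
    total = sum(observed)
    if baseline is None:
        expected = [total / len(observed)] * len(observed)
    else:
        bsum = sum(baseline)
        expected = [total * b / bsum for b in baseline]  # baseline must have no zero days
    stat = sum((o - e) ** 2 / e for o, e in zip(observed, expected))
    return stat, chi2_sf(stat, len(observed) - 1)


if __name__ == "__main__":
    for offset in (0, 3, -5):
        print(f"UTC{offset:+d}:", weekday_counts(SAMPLE_EVENTS, offset))
    for group, row in PAGE_TABLE.items():
        _, p_flat = chi_square_test(row)
        _, p_base = chi_square_test(row, PAGE_TABLE["Untagged"])
        print(f"{group:24s} flat-week p={p_flat:.3g}  vs Untagged p={p_base:.3g}")
```

Two caveats matter when reading the output. The same event lands on different weekdays depending on the offset (the first Syrian Electronic Army sample moves from Sunday to Monday between UTC and UTC+3), so the offset is part of the hypothesis, not a detail. And the chi-squared approximation is unreliable when expected counts fall below about five, which is the regime the ZCompany and TeaMp0ison rows are in; for those rows a non-significant result says more about sample size than about the group.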