22 October 2014

The Joy of Fraud Fighting

Uri Rivner - BioCatch


Eternal Flame: A super-grade cyber weapon

30 May 2012

The Eternal Flame is something you’ll probably recognize as the ever-burning fire of ancient Greece, but in fact it has deeper roots in the Middle East. The first records of such a custom are, interestingly enough, set in ancient Iran and Israel.

The security industry’s skies are now alight with Flame, the latest discovery in the chain of super-grade cyber weapons targeting Iran. Reported by Kaspersky, Flame is a high-yield reconnaissance tool that targets Internet-connected PCs in Iran and elsewhere, doubling as an intelligence collection mechanism that uses multiple channels and as a tool for penetrating corporate networks.

After Stuxnet, which was really off the scale as advanced threats go, thanks to its unique ability to disrupt air-gapped industrial control networks, no one should have any illusions about the extent of the cyber espionage campaign led by western cyber-powers against the Iranian regime.

Flame was developed a few years back, and was successfully deployed in the field. I bet the life span originally projected for Flame was a few months, and the original set of targets was no more than a few dozen carefully selected critical infrastructure resources; but it just worked. It roamed the sensitive networks unhindered and undetected, and its operators must have felt a bit like the NASA scientists who launched the 2003 Mars Rovers. Designed for a 90-day scientific mission in the harsh environment of the red planet, these two tiny envoys of humanity kept going and going, and one of them – Opportunity – is still surveying our heavenly neighbor after all these years. Flame must have been the same: an extremely targeted mission that developed into an ongoing campaign simply because it worked.

Compared to Stuxnet, Flame is far more similar to the type of cyber attacks attributed by US officials to China, although here it’s focused on covert intelligence gathering, while many APTs are part of a mass-scale industrial espionage campaign designed to gain economic advantage. It hits computers connected to the Internet – which means it was never designed to attack military targets, as they often use segregated networks. To attack a military network you need something more – often a USB infection, as in Stuxnet or the worm that hit the Pentagon in 2008 and required a 14-month clean-up operation.

How Flame got into its target victims is still unclear, but the likely method is spear phishing pinpointing specific employees or a drive-by-download hijack of a popular site frequented by the target population.

There are hundreds of examples of the use of spear phishing in an APT; an example of the second method is the highly targeted attack against the website of the Israeli Institute for National Security Studies, which penetrated deep and caused visitors to be infected with the Poison Ivy remote administration tool. The INSS is a prominent Israeli think tank in the field of national security, headed by a retired general who until recently was Israel's Director of Intelligence. Its publications are read by thousands of people from the intelligence, military and government communities, mostly in Israel, the US and other western nations. Having their PCs remotely controlled by the attacker is a bad idea for all those concerned.

Let’s remember that cyber reconnaissance efforts like Flame are a natural extension of good old human-based intelligence networks and, in a way, of the clandestine behind-enemy-lines field work that sets up the infrastructure for signals intelligence operations. It’s the digital equivalent of a state-sponsored covert reconnaissance operation. Unlike a physical operation conducted by spies or paramilitary troops, where people might actually get caught, here it’s a far cleaner operation, with fewer traces leading back to the origin and more ways to camouflage the exact identity of the attacker.

There’s one other thing you can bet on: there are other, far more advanced cyber espionage campaigns set in the field, and more than one actor is staging them against the Iranians. Flame is visible now, but the rest of the virtual iceberg is well hidden.

Image caption: This 2003 Rover is still roaming Mars after all these years!
