Cyber Research

Cyber News

Cyber Info


February 2018







In this issue



*         Russian military ‘almost certainly’ responsible for destructive 2017 cyber attack

*         Smart meters could leave British homes vulnerable to cyber attacks, experts have warned

*         Researchers Find New Twists In ‘Olympic Destroyer’ Malware

*         A Faraday cage or air gap can't protect your device data from these two cyberattacks

*         Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection and resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


Russian military ‘almost certainly’ responsible for destructive 2017 cyber attack

February 15, 2018

An assessment by the National Cyber Security Centre has found that the Russian military was almost certainly responsible for the ‘NotPetya’ cyber attack of June 2017.

The UK Government has made the judgement that the Russian government was responsible for the attack. It particularly affected Ukraine’s financial, energy and government institutions, but its indiscriminate design caused it to spread further, affecting other European and Russian businesses.

The destructive attack masqueraded as ransomware, but its purpose was principally to disrupt. Several indicators seen by the NCSC demonstrated a high level of planning, research and technical capability.

The decision to publicly attribute this incident reiterates the position of the UK and its allies that malicious cyber activity will not be tolerated.

Foreign Office Minister of State with responsibility for Cyber, Lord (Tariq) Ahmad of Wimbledon, said:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.

“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

“The Kremlin has positioned Russia in direct opposition to the West: it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.

“The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm.

“We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

The NotPetya attack saw a malicious data encryption tool inserted into a legitimate piece of software used by most of Ukraine’s financial and government institutions.

Once an organisation’s machine was infected, the highly crafted tool was designed to spread rapidly, in some cases overwriting the Master Boot Record (MBR) on infected computers and displaying a ransom note asking for payment in Bitcoin. The malware spread via trusted networks, rather than widely over the internet, so it effectively bypassed the processes put in place to prevent ransomware attacks.

The ransom note instructed victims to make payments to a single Bitcoin wallet and to send confirmation that they had paid. However, flaws in the payment process quickly became apparent: the ransom note did not display a ‘personal identification ID’ that would let the attacker know whose data to decrypt, and the payment collection infrastructure was quickly taken down by the attacker’s email provider.

The malware was not designed to be decrypted. This meant that there was no means for victims to recover data once it had been encrypted. Therefore, it is more accurate to describe this attack as destructive than as ransomware.

NotPetya used the EternalBlue and EternalRomance exploits, which the Shadow Brokers group released in early 2017. Microsoft had issued a patch for the vulnerabilities both exploits target.

More info: https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack

Smart meters could leave British homes vulnerable to cyber attacks, experts have warned

February 18, 2018

New smart energy meters that the Government wants to be installed in millions of homes will leave householders vulnerable to cyber attacks, ministers have been warned.

The intelligence agency GCHQ is alleged to have raised concerns over the security of the meters, which could enable hackers to steal personal details and defraud consumers by tampering with their bills.

The Government wants every home in the country to have a smart meter, but only 8 million out of 27 million households have so far signed up to the £11 billion scheme.

They are designed to help consumers keep on top of their energy use and send meter readings electronically to suppliers, removing the need for visits to people’s houses to read their meters.

However, the rollout of a second generation of smart meters, known as SMETS 2, has been delayed because of worries about security.


(Image caption: There are fears the meters could be hijacked. Credit: AFP)

The new meters will be common to all electricity and gas suppliers, meaning customers will no longer have to change their smart meter if they change supplier, as they currently have to do.

Cyber security experts say that making the meters universal will make them more attractive to hackers because the potential returns are so much greater if they can hack every meter using the same software.

In some foreign countries hackers have already attacked smart meter networks to defraud customers.

The cyber criminals are able to artificially inflate meter readings, making bills higher.

They then try to intercept payments, and if they simply skim off the difference between the real reading and the false reading, energy companies will think the bill has been paid normally.

Another potential problem is the meters being used as a “Trojan horse” to access other computers and gadgets around the home if the meters are able to “talk” to the other devices.

That would potentially give hackers the ability to steal personal information that could be sold on to other criminals.


(Image caption: The meters measure energy use)

There are also fears that countries such as North Korea might carry out a state-sponsored cyber attack to create a power surge that would damage the National Grid.

Nick Hunn, a wireless technology expert from London-based WiFore, told The Mail on Sunday: “This smart meter technology has created a Trojan horse. My understanding is that GCHQ was not best pleased when it realised how insecure these devices could be and is still not happy.

“The big problem is that the smart meter project is being blindly driven forward by career civil servants who do not have a clue about cyber security and who do not care as the taxpayer is footing the bill.”


(Image caption: The meters could leave families vulnerable, experts warned. Credit: PA)

Robert Cheesewright, of Smart Energy GB, the Government-funded agency promoting the smart meter roll-out, said: “Smart meters are one of the safest and most secure pieces of technology in your home.

“Only energy data is stored on a meter and this is encrypted. Your name, address, bank account or other financial details are not stored on the meter.”

Smart meters were developed by the Government with the help of GCHQ. Dr Ian Levy, of GCHQ, says in an article about smart metering on the National Cyber Security Centre website: "Of course, no system is completely secure, and nothing is invulnerable.

"However, we’re confident that the Smart Metering System strikes the best balance between security and business needs, whilst meeting broader policy and national security objectives."

Read more: https://www.telegraph.co.uk/news/2018/02/18/smart-meters-could-leave-british-homes-vulnerable-cyber-attacks/

Researchers Find New Twists In ‘Olympic Destroyer’ Malware

February 14, 2018

Researchers have uncovered new wrinkles in the “Olympic Destroyer” malware attack that targeted the Winter Olympics in Pyeongchang, South Korea.

Cisco Talos researchers now believe the malware also wipes files on shared network drives. Originally researchers believed the malware only targeted single endpoints. Researchers also now believe the credentials-stealing component of the malware is more dynamic than originally thought.

Olympic Destroyer was deployed during the games’ opening ceremony on Feb. 9, and is blamed for disrupting TV broadcasts of the event and taking down the official Winter Games website. The results of the attack were far reaching: attendees were left unable to print tickets, and the WiFi network made available for journalists covering the opening ceremonies was brought down.

Researchers at Cisco’s Talos unit said the sole purpose of the attack was to take down systems and not to steal information.

Olympic Destroyer’s goal is to make systems unusable by “deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment,” in similar fashion to the Bad Rabbit and Nyetya ransomware, Cisco Talos initially wrote.

Olympic Destroyer includes a binary that targets machines with a pair of “stealing modules.” One grabs any user credentials stored in the Internet Explorer, Firefox and Chrome browsers, and the other plucks them from the Windows Local Security Authority Subsystem Service (LSASS), the Windows process that handles security policies. “The malware parses the registry and it queries the sqlite file in order to retrieve stored credentials,” Talos said.

In a tweet, Talos researcher Craig Williams noted that its analysis of the attacks also suggests a “prior compromise” of targeted Olympic Games systems. “Our post has been updated to include the impact on network shares – Shocker – they are effectively wiped: Olympic Destroyer Takes Aim At Winter Olympics with indications of prior compromise,” he wrote.

Talos’s updated blog notes, “the malware author knew a lot of technical details of the Olympic Game infrastructure such as usernames, domain name, server names and obviously passwords.”

When researchers took a closer look at Olympic Destroyer binaries associated with the attack, they discovered that new credentials were added to the code with each infection.

“A new version of the binary is generated with the newly discovered credentials,” Talos wrote in an update first noted by BleepingComputer. “This new binary will be used on the new infected systems via the propagation. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems.”

However, the method by which the malware was delivered remains unknown, Talos added: “If the attacker already had access to the environment, this attack could have been carried out remotely. This would allow the actors to specifically pinpoint the moment of the opening ceremony and would allow them to control their time of impact.”

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” the report stated.
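The behaviours Talos lists (shadow copy deletion, event log clearing, PsExec and WMI use for lateral movement) all surface as process-creation events, so they can be caught in telemetry even when the samples keep changing. The checker below is an added example, not code from Talos or Threatpost; the log format and the specific command lines it matches are assumptions about how these behaviours commonly appear, not details taken from the article.

```python
import re
from collections import Counter

# Command-line shapes that commonly correspond to the behaviours the Talos
# description lists. Assumption: the article names the behaviours, not the
# exact commands, so these patterns are the usual ways each one shows up.
BEHAVIOURS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "event_log_clearing": [
        re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I),
    ],
    "psexec_lateral_movement": [
        re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I),
    ],
    "wmi_lateral_movement": [
        re.compile(r"\bwmic(\.exe)?\b.*/node:", re.I),
    ],
}

# Hypothetical flat log format: "<timestamp> host=<h> user=<u> cmd=<command line>"
LOG_LINE = re.compile(r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def classify(cmdline):
    """Return the behaviour labels a single command line matches (may be empty)."""
    return [name for name, pats in BEHAVIOURS.items()
            if any(p.search(cmdline) for p in pats)]


def scan(lines):
    """Parse log lines and return (host, user, cmd, labels) for every line that matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a process-creation record in the expected shape
        labels = classify(m["cmd"])
        if labels:
            hits.append((m["host"], m["user"], m["cmd"], labels))
    return hits


def summarize(hits):
    """Count how often each behaviour label was seen across all hits."""
    counts = Counter()
    for _, _, _, labels in hits:
        counts.update(labels)
    return counts


def hosts_with_wiper_pattern(hits):
    """Hosts on which both shadow-copy deletion and event-log clearing were seen.

    Either alone has benign explanations; the pair together, on one host, is the
    'make the system unusable' combination the article describes.
    """
    seen = {}
    for host, _, _, labels in hits:
        seen.setdefault(host, set()).update(labels)
    return sorted(h for h, s in seen.items()
                  if {"shadow_copy_deletion", "event_log_clearing"} <= s)


# Constructed sample telemetry (hostnames, users and timestamps are made up).
SAMPLE_LOG = [
    r"2018-02-09T20:05:11Z host=PC-MEDIA-07 user=svc_print cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2018-02-09T20:05:12Z host=PC-MEDIA-07 user=svc_print cmd=C:\Windows\System32\wevtutil.exe cl System",
    r"2018-02-09T20:05:12Z host=PC-MEDIA-07 user=svc_print cmd=C:\Windows\System32\wevtutil.exe cl Security",
    r"2018-02-09T20:05:20Z host=PC-MEDIA-07 user=svc_print cmd=C:\Temp\psexec.exe \\PC-MEDIA-08 -accepteula -d -s cmd.exe /c whoami",
    r'2018-02-09T20:05:25Z host=PC-MEDIA-07 user=svc_print cmd=wmic /node:PC-MEDIA-09 process call create "cmd.exe /c whoami"',
    r"2018-02-09T20:06:01Z host=PC-ADMIN-01 user=backup_op cmd=C:\Windows\System32\vssadmin.exe list shadows",
    r"2018-02-09T20:07:40Z host=PC-ADMIN-01 user=jdoe cmd=C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for host, user, cmd, labels in hits:
        print(f"{host} {user} {labels}: {cmd}")
    print("totals:", dict(summarize(hits)))
    print("wiper pattern on:", hosts_with_wiper_pattern(hits))
```

The `vssadmin list shadows` line is deliberately included as a benign near miss; only the delete form is flagged, and the per-host pairing keeps a lone log clear from being treated as a wiper.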

More info: https://threatpost.com/researchers-find-new-twists-in-olympic-destroyer-malware/129937/




A Faraday cage or air gap can't protect your device data from these two cyberattacks

February 8, 2018

Long thought impenetrable, these forms of physical security continue to be found vulnerable. The latest attack vector is low-level magnetic fields.

*         Researchers have found a way to bypass Faraday cages and air gaps to transmit data using low-level magnetic fields that are impossible to stop with traditional methods.

*         It's important for security professionals in high-security environments to take recommended steps to secure against magnetic field attacks now, before they appear in the wild. (TechRepublic)

Two common methods of physical cybersecurity, air gapping and Faraday cages, have been found breachable in two papers released by researchers from Ben-Gurion University.

Faraday cages are grounded cages made of electrically conductive material that can completely block electromagnetic fields and signals. Air-gapped computers are those completely isolated from outside networks and signals. Air-gap setups commonly include Faraday cages.

Anyone who has interacted with a Faraday cage can attest to their effectiveness—put a smartphone in a Faraday cage and you can watch the signal drop instantly. What researchers found, however, is that commonly overlooked low-level magnetic fields can still penetrate air gaps and Faraday cages, allowing attackers to intercept and steal data.

Blame magnets

Take a basic compass into a Faraday cage, research lead Dr. Mordechai Guri said, and it will still work. "While Faraday rooms may successfully block electromagnetic signals that emanate from computers, low frequency magnetic radiation disseminates through the air, penetrating metal shields within the rooms," he said.

It's that low-level field that allows attackers to covertly exfiltrate data from any device with a CPU hidden inside a Faraday cage or air-gapped room. That's worth reiterating: anything with a CPU can be manipulated using what Guri and his team call the Odini method.

A device infected with Odini malware can control the low-level magnetic field emitted by a CPU by regulating the load on its cores. Data can then piggyback on the CPU's magnetic field, transmit outside the Faraday cage or air gap, and be picked up by a receiving device designed to detect magnetic field manipulation.

A second attack, which the team calls Magneto, uses the same method of CPU magnetic field manipulation but allows it to be picked up by a nearby smartphone.

Don't think sticking the smartphone in a Faraday bag or putting it into airplane mode will stop it from detecting the signal: It's magnetic, so it passes right through and is picked up by the device's magnetic field sensor, a standard feature in most modern smartphones.

Faraday cages and air gaps: Pointless?

It's impossible to escape magnetic fields—they're a basic part of nature and a fundamental part of computing, which makes Odini and Magneto seriously threatening. The researchers do propose several methods for blocking the attacks, though their practicality is questioned by the team recommending them.

First is shielding sensitive computers from magnetic fields, which the researchers point out is impractical in all but the most sensitive military and scientific applications. To reliably shield against the low-frequency fields manipulated by Odini and Magneto, multiple layers of ferromagnetic material, weighing multiple tons, would need to be built into secure rooms. The paper adds that such ferromagnetic rooms are incredibly expensive.

The second suggestion the team gives is signal jamming using either magnetic field-generating hardware or software. The hardware needed can produce magnetic fields much stronger than CPUs, rendering their emissions unreadable. Software is also available that can run dummy tasks that generate random magnetic signals, but it is processor-intensive and can severely reduce performance.

Third, the team recommends zoning. This would be physical restriction of certain devices, like smartphones, from being anywhere near sensitive machines. It's no longer enough to just drop the devices into a small Faraday cage—they need to be across the building from vulnerable hardware.

Guri and his team also recommend monitoring hardware for abnormal processes and magnetic radiation, which can be done with standard antivirus, intrusion detection, and intrusion prevention software.

There's no reason to assume that these attacks exist in the wild, and executing one would require planting malware on the target machines, making it quite difficult, though not impossible.

Don't take chances if you're responsible for systems secure enough to warrant Faraday cages and air gaps—make plans to enhance your security knowing these kinds of nearly unstoppable attacks are possible.

Read more: https://www.techrepublic.com/article/a-faraday-cage-or-air-gap-cant-protect-your-device-data-from-these-two-cyberattacks/

Latest Cyber Security News

Individuals at Risk

Identity Theft

Social Security numbers from thousands of California state workers exposed in data breach at Department of Fish and Wildlife: Social Security numbers for thousands of state employees and contractors were exposed in a recent data breach at the Department of Fish and Wildlife, according to a memo that the department sent to its workers this week. Fresno Bee, February 20, 2018

IRS Scam Leverages Hacked Tax Preparers, Client Bank Accounts: Identity thieves who specialize in tax refund fraud have been busy of late hacking online accounts at multiple tax preparation firms, using them to file phony refund requests. Once the Internal Revenue Service processes the return and deposits money into bank accounts of the hacked firms’ clients, the crooks contact those clients posing as a collection agency and demand that the money be “returned.” KrebsOnSecurity, February 19, 2018

Half A Million People Don’t Know Criminals Stole Their Identities to Get Jobs: A programming error kept the IRS from notifying hundreds of thousands of identity theft victims about criminals using their Social Security numbers to get themselves jobs in 2017, according to an internal investigation. NextGov, February 16, 2018

Beware This Incredibly Silly—But Still Effective—Tax Scam: It’s almost Tax Day, which also means it’s peak tax fraud season. The Internal Revenue Service has played some epic games of cat-and-mouse with phone and online scammers over the past 10 years, but the latest scamming trend for 2018 has a particularly devious twist. Wired, February 23, 2018

Information Security Management in the Organization

Information Security Management and Governance

93% of Cloud Applications Aren’t Enterprise-Ready, says Netskope Review. Researchers reviewed more than 40 security parameters from each cloud service, including business continuity, data security, access control, privacy, and auditing: The average business uses 1,181 cloud services, and most don’t meet all recommended security requirements, Netskope says. DarkReading, February 23, 2018

Cyber Warning

GDPR Extortion Warning as Cyber-Criminals Get Smart in 2018: The forthcoming GDPR could offer cyber-criminals new opportunities to extort money from their victims, according to Trend Micro. InfoSecurity, February 20, 2018

New Saturn Ransomware offers Free Ransomware-as-a-Service (RaaS) as Cybercriminal Cost-of-Entry Falls to $0. Cybercriminal Affiliates Keep 70% of Collected Ransoms: The authors of the newly-discovered Saturn ransomware are allowing anyone to become a ransomware distributor for free via a newly launched Ransomware-as-a-Service (RaaS) affiliate program. BleepingComputer, February 18, 2018

Cyber Threat

Hackers evading malware detection by ‘signing’ their code with legitimate code-signing certificates: Code-signed apps are harder to detect by network security appliances, making it easier to sneak malware onto a vulnerable system. The downside? Certificates aren’t cheap — and hackers usually are. ZDNet, February 22, 2018

Cyber Law

More than 30 lawsuits have been filed by Intel customers and shareholders against chip giant following disclosure of Meltdown and Spectre flaws: More than 30 lawsuits have been filed by Intel customers and shareholders against the chip giant following the disclosure of the Meltdown and Spectre attack methods. SecurityWeek, February 19, 2018

Cyber Talent

Demand for Cybersecurity Talent Soars, Study Finds: The cybersecurity talent gap is a known quantity. Companies across the globe are feeling the strain as demand for security support, innovation and skills soar despite a shortage of incoming IT professionals. SecurityIntelligence, February 23, 2018

Cybersecurity in Society

Cyber Crime

IBM uncovers phishing campaign that has stolen millions from Fortune 500 companies: A sophisticated business email compromise phishing campaign has been targeting companies around the world, including several in the fortune 500, and it has been wildly successful. TechRepublic, February 23, 2018

Global Cost of Cybercrime between $445 and $608 Billion in 2017, says Report from McAfee & Center for Strategic and International Studies (CSIS): The global cost of cybercrime rose to unprecedented levels in 2017, according to recent research. SecurityIntelligence, February 23, 2018

Bitcoin exchange founder charged with covering up hack: It’s one thing to launch cryptocurrency businesses with programming weaknesses that lead to them getting hacked and hoovered. NakedSecurity, February 23, 2018

Tesla Cloud Hacked, Used To Mine For Cryptocurrency: A cloud environment owned and operated by Tesla was breached by hackers who used the company’s compromised machines and computer resources to mine for cryptocurrency, according to security researchers. IBTimes, February 20, 2018

Money Laundering Via Author Impersonation on Amazon?: Patrick Reames had no idea why Amazon.com sent him a 1099 form saying he’d made almost $24,000 selling books via Createspace, the company’s on-demand publishing arm. That is, until he searched the site for his name and discovered someone has been using it to peddle a $555 book that’s full of nothing but gibberish. KrebsOnSecurity, February 20, 2018

FBI says ransomware victims paid $209 million to recover stolen files in first quarter of 2016. This compares to $24 million in ransom payments made throughout all 2015: The FBI has announced that ransomware could become a $1 billion dollar industry, after early estimates of ransomware losses from only the first quarter of 2016 eclipse that of 2015. SCMedia, January 10, 2017

Cyber Attack

Allentown, Pennsylvania, hit with ransomware attack that may cost it nearly $1 million to mitigate. Public safety operations and financial systems affected: The city of Allentown, Pennsylvania, is struggling to remediate a malware attack that could cost nearly $1 million to mitigate. InfoSecurity, February 21, 2018

Know Your Enemy

Russian cybercrime bust shows that companies are not just up against solo hackers, but highly skilled enterprises that rely on an international collection of criminal and cyber expertise, former FBI official says: On February 7, the Department of Justice unsealed a sweeping indictment against 36 defendants for their role in the “Infraud Organization.” The indictment reads at times like a 21st century crime novel, giving the public an insight into the size, sophistication, and discipline of criminal cyber networks operating online (something well known to those who track these organizations). CNBC, February 22, 2018

Cyber security firm FireEye backs UK, US govts on Russian cyber attack claims; identifies link between Petya ransomware and Russian-based Sandworm Team: Cyber security firm FireEye has said it found links between a Russian-based hacking group, Sandworm Team, and the Petya ransomware attack that crippled IT systems globally last year. ITP, February 19, 2018

Cyber Freedom

2018 Election Vulnerability: Voter Registration Systems: The Russian information-operation strategy can be summed up as “chaos monkeys”: agents seeking to destabilize the United States by exploiting fissures in our society. The Mueller indictments announced Friday show just one aspect. Guccifer 2.0 and WikiLeaks were another. And there is no indication that these efforts are over. So if Russia’s goal is chaos, and its tools include hacking and blatantly circulating that stolen information and otherwise disrupting U.S. political systems, its No. 1 target in 2018 stands to be voter registration, not vote tabulation. And there is reason to think that Russia has already targeted these systems. LawFare, February 23, 2018

State elections officials fret over cybersecurity threats: State elections officials said Saturday that they want more information from federal officials to ensure they are protected from cybersecurity threats in light of evidence that foreign operatives plan to try to interfere in the midterm elections. The Washington Post, February 17, 2018

National Cybersecurity

Microsoft joins calls for a ‘national cybersecurity agency’: Microsoft has advocated a “national security agency” to avoid a “national security quagmire.” The company has compiled guidelines to follow when establishing a federal cybersecurity agency. It said it would create a “focal point” for cyber defence. Digital Journal, February 23, 2018

Cyber Regulation

SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures: The Securities and Exchange Commission (SEC) issued a press release announcing its unanimous approval of a statement by SEC Chairman Jay Clayton and interpretive guidance (the “2018 Guidance”) to assist public companies in preparing disclosures about cybersecurity risks and incidents. This is the first interpretive guidance published by the full Commission on the topic of cybersecurity for public companies, and it may foreshadow increased SEC action to protect investors from the potential negative effects of increasingly common large-scale data breaches. The 2018 Guidance formalizes and expands on the SEC staff’s earlier position that cybersecurity risks and incidents may trigger disclosure obligations for public companies and addresses the SEC’s expectations for public company disclosure controls and procedures as they relate to cybersecurity. Alston & Bird Privacy & Data Security Blog, February 2018

Internet of Things

Hackers Can Hijack over 52,000 Baby Monitor Video Feeds: Vulnerabilities in the Mi-Cam smart baby monitor allow hackers to hijack video feeds from all devices, located anywhere in the world. BleepingComputer, February 21, 2018

Cyber Sunshine

Visa: EMV Cards Drove 70% Decline in Fraud: Merchants who adopted chip technology saw a sharp decline in counterfeit fraud between 2015 and 2017, Visa reports. DarkReading, February 23, 2018

Security Leadership

Tech and telecom lobbying groups announce joint cybersecurity initiative: Lobbying groups representing major technology and telecommunications firms are teaming up to jointly tackle cybersecurity issues. The Hill, February 23, 2018

Fake News

Russian Twitter bots keep up attack after Florida shooting: After last week’s school massacre, bots tied to Russian propaganda groups began sending gun-related tweets, even though Twitter has vowed to stop such efforts. CNet, February 20, 2018


The Four Horsemen of Cryptocurrencies: Volatility, criminal activity, security issues, and human error: In Robert Braun’s article, Cryptocurrencies – Does the Next Big Thing have Staying Power?, published by FinTech Weekly, he describes four challenges that arise in the use of cryptocurrencies, and potentially in other blockchain applications: volatility, criminal activity, security issues, and human error. Robert Braun, Michael Gold, JMBM Cybersecurity and Privacy Group & SecureTheVillage Leadership Council, Cybersecurity Lawyer Forum, February 22, 2018






The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research and information-sharing center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2018

www.crc-ics.net or www.cyber-research-center.net