Cyber Crime and Espionage by Will Gragido & John Pirc
Author:Will Gragido & John Pirc
Language: eng
Format: epub
ISBN: 9781597496148
Publisher: Elsevier Science
Published: 2013-01-22T16:00:00+00:00
Modus Operandi
A useful feature of cybercrime, state-sponsored, and non-state-sponsored activity is that they sometimes share the same modus operandi in terms of malware and command and control nodes on the Internet. These command and control nodes can come online very quickly and can be taken down just as quickly. Even so, companies such as Damballa, an industry leader in botnet detection and remediation, have found similarities in the activity of various nefarious cyber actors. On the basis of the type of malware and the command and control infrastructure, they are able to assign group names that help them identify similarities in the activities carried out by those actors. In terms of the attack sophistication model, this applies to Tier 2 and some Tier 1 attacks. Tier 1 often involves malware that might not call back or beacon to the Internet, because these attacks typically target air-gapped networks.
In specific cases, such as Stuxnet, researchers were able to find clues left by the author of the code. For example, researchers found the numeric string 19790509 in the code; this is the ISO 8601 basic format for a calendar date (YYYYMMDD). According to Wired magazine, "Researchers suggest this refers to a date—May 9, 1979—that marks the day Habib Elghanian, a Persian Jew, was executed in Tehran and prompted a mass exodus of Jews from that Islamic country." Additional messages found in the code were read as pointing to Israel, or to the United States because of its support of Israel. Extremist groups such as terrorists are also keen on dates and on conducting operations that coincide with those dates. Our thoughts on the matter differ: deception is key, and someone could easily have placed those markers in the code to misdirect analysts into chasing attribution vectors for the author of the code. That date is also the anniversary of the second Unabomber attack. Does this mean that the code was created at Northwestern University? At the time of writing this book, we have not come across anything that links attribution or modus operandi to a state-sponsored actor. However, the sophistication of this specific piece of malware and its possible destructive properties strongly suggest that a criminal organization did not create it, as such an organization is typically focused on preserving data for sale rather than destroying it. Modus operandi is just an additional step on our way to attribution.
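The two triage steps described above, as an added example that is not from the book or from Damballa: grouping samples whose command and control nodes or malware family overlap (the basis on which a working group name is assigned before any attribution is attempted), and scanning a binary for 8-digit runs that parse as ISO 8601 basic-format dates, the kind of marker the 19790509 value was. The sample telemetry records, the sample IDs, the family names, the C2 nodes, and the byte blob are all constructed for the example; the blob is not a real Stuxnet artifact.

```python
"""Added example (not from the book): two triage steps on the path to attribution.

1. group_by_modus_operandi: union samples that share a C2 node or a malware
   family. The result says "this activity is linked", not who is behind it.
2. find_iso8601_basic_dates: locate 8-digit runs that parse as real YYYYMMDD
   dates. A hit is a lead for analysis, never attribution: the constant may be
   a build stamp, a magic value, or a deliberately planted false flag.

All sample data below is constructed for the example.
"""
import re
from datetime import date

# Constructed sample telemetry: sample id, malware family, observed C2 nodes.
SAMPLES = [
    {"id": "a1f3", "family": "dropper-x", "c2": {"c2-one.example", "203.0.113.10"}},
    {"id": "b7c9", "family": "dropper-x", "c2": {"c2-two.example"}},
    {"id": "c0de", "family": "stealer-y", "c2": {"203.0.113.10", "c2-three.example"}},
    {"id": "d4d4", "family": "wiper-z", "c2": set()},  # no beacon: air-gapped target
    {"id": "e5e5", "family": "stealer-y", "c2": {"c2-four.example"}},
]


def group_by_modus_operandi(samples):
    """Return a list of sets of sample ids; each set is one candidate group.

    Two samples land in the same group when they share a C2 node or a malware
    family, directly or through a chain of other samples (union-find).
    """
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index each C2 node and family name to the first sample that carried it;
    # every later sample carrying the same key is unioned with that one.
    seen = {}
    for s in samples:
        keys = [("c2", node) for node in s["c2"]] + [("family", s["family"])]
        for key in keys:
            if key in seen:
                union(seen[key], s["id"])
            else:
                seen[key] = s["id"]

    groups = {}
    for s in samples:
        groups.setdefault(find(s["id"]), set()).add(s["id"])
    return sorted(groups.values(), key=lambda g: sorted(g))


# Exactly eight ASCII digits, not embedded in a longer digit run.
DATE_RUN = re.compile(rb"(?<!\d)(\d{8})(?!\d)")


def find_iso8601_basic_dates(blob, earliest=1970, latest=2100):
    """Return (offset, date) for each 8-digit run in blob that is a valid
    YYYYMMDD date with a year in [earliest, latest]."""
    hits = []
    for m in DATE_RUN.finditer(blob):
        digits = m.group(1)
        year, month, day = int(digits[:4]), int(digits[4:6]), int(digits[6:])
        if not earliest <= year <= latest:
            continue
        try:
            hits.append((m.start(1), date(year, month, day)))
        except ValueError:  # e.g. month 13 or day 32: digits, but not a date
            continue
    return hits


# Constructed blob: one date-like marker, one 8-digit run outside the year
# window, one 9-digit run that must not match, and one run that is not a date.
SAMPLE_BLOB = (
    b"\x00config\x00marker=19790509\x00build=99999999\x00id=123456789\x00v=20231345\x00"
)

if __name__ == "__main__":
    for group in group_by_modus_operandi(SAMPLES):
        print("group:", sorted(group))
    for offset, d in find_iso8601_basic_dates(SAMPLE_BLOB):
        print(f"candidate date marker {d.isoformat()} at offset {offset}")
```

On the constructed data the grouping links four samples through one shared IP and two shared family names while the non-beaconing wiper stays alone, which mirrors the point that Tier 1 malware on air-gapped networks leaves little C2 infrastructure to cluster on. The date scanner returns only the 1979-05-09 marker; the year filter and the calendar check drop the other runs, and the digit-boundary lookarounds keep a nine-digit identifier from yielding a spurious eight-digit "date".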