Friday, August 30, 2013

Syrian Gov't Looking to Hire Hackers and DFIR engineers

Syria's Ministry of Communications and Technology website is soliciting "experts in the field of Informatics" including in the areas of ethical hacking, computer forensics, incident response, malware analysis, etc. Here's a copy of the original web page in Arabic and the machine translation to English (via Google Translate). If you click on the image, you'll be able to read it better:

Other than this being Syria, it's not unusual for a nation state in today's network-centric environment to want to develop these disciplines. On the other hand, this being Syria, it's hard to imagine anything other than malicious intent for their "ethical hackers".


"Non-lethal Option for Syria: Interrupt Energy and Telecommunications Services"
"Syrian Electronic Army's Latin American Connection"
"Syrian Electronic Army: Background, Operations, Gov't Affiliations"

Thursday, August 29, 2013

Non-Lethal Option for Syria: Interrupt Energy and Telecommunications Services using Cyber Warfare

What we know: Someone in Syria used Sarin gas and killed an estimated 100,000 people. 

What we don't know: Who did it. So far, no evidence has been collected which identifies the culprit. Was it by order of the Assad government, a rogue action by the Syrian military, or something that the rebels did to force engagement by the West against Assad? Currently, it's a judgment call.

What should we do: So far, the only public options that I've heard involve Tomahawk cruise missiles.
One alternative option that should be (and perhaps is being) considered by Western governments is to send a non-lethal message by breaching and taking control of Syria's national power grid and/or its telecommunications infrastructure. This is certainly within the capabilities of Israel and the U.S., and most likely available to other EU allies, not to mention Russia and China. 

It's a relatively small grid with only about 14 power generating stations that distribute electricity received from PEDEE (Public Establishment for Distribution and Exploitation of Electrical Energy) including:

  • Deir Ali Power Generation Station 
  • Teshreen Power Generation Station
  • Jandar Power Generation Station 
  • Al Zara Power Generation Station

Each of these companies utilizes foreign vendors (another access point) such as the Greek company Metka which services Deir Ali and the Indian company Bharat Heavy Electricals Limited which services Teshreen. 

I'll stop there because the goal of this post isn't to create an order of battle, however I do think that putting the Syrian government into a virtual vise where outside nations can control its critical infrastructure should at least be considered alongside Obama's inclination to use cruise missiles. Talk about "deter and degrade" - how much can Assad or anyone else in Syria do without power?

Syrian Electronic Army's Latin American Connection

There's been a lot of press today about how the Syrian Electronic Army is using Russian servers and who some of it's early website administrators are. One of Digital Dao's readers sent me an email this morning with some new information from a PhP shell left on a host that points to a Latin American supporter.

----// START

    #  .. SyRiAn Sh3ll V7 .... PRIV8! ... DONT LEAK! .... f0r t3am memberz 0nly!
    #  ,--^----------,--------,-----,-------^--,                                
    #  | |||||||||   `--------'     |          O    .. SyRiAn Sh3ll V7 ....     
    #  `+---------------------------^----------|                           
    #    `_,-------, __EH << SyRiAn | 34G13__|                             
    #      / XXXXXX /`|     /                   
    #     / XXXXXX /  `   /                   
    #    / XXXXXX /______(   
    #   / XXXXXX /!        
    #  / XXXXXX /!     rep0rt bugz t0: sy34[at]msn[dot]com
    # (________(!                                         
    #  `-------'                                          
    #.... PRIV8! ... DONT LEAK! .... f0r t3am memberz 0nly!
    #.... PRIV8! ... DONT LEAK! .... f0r t3am memberz 0nly!
    # SyRiAn Sh3ll V7 .                                    
    # Copyright (C) 2011 - SyRiAn 34G13

    $user = 'ar3sw0rmed';  // Username 
    $pass = 'ar3sw0rmed-controlremoto';  // Password
    $shellColor = '#990000'; // Shell Color         
    #       Powered By SyRiAn Shell      # 
    #       By EH SyRiAn 34G13           #
    #         #
    #       Version 7 - priv8            #
    #       Made In SyRiA                #

----// End

Terms of Interest


"controlremoto" is Spanish for "remote control".  


"ar3sw0rmed" is the name of a hacktivist pulling these same DDoS style attacks all across Chile, Brazil, etc.

(UPDATE 2/16/14: Picture removed at ar3sw0rmed's request)

His email address is

And his defacements per Zone-H are extensive


This is a micro example of why it's a mistake to think of the digital landscape as if it's a physical landscape. The Syrian Electronic Army like many of its fellow hacktivist organizations is not limited to Syria's physical borders nor Syrian nationals for its members. In fact, for many hacktivists in particular and some Millennials in general, digital allegiances are replacing physical borders.

We'll be exploring this phenomenon in-depth with experts like Dave Kilcullen, Joel Brenner, Mike Janke and 15 other speakers at the Suits and Spooks conference in New York on Oct 5-6, 2013.

Wednesday, August 28, 2013

Dr. David Kilcullen: Speaking at Suits and Spooks NY on feral cities and other physical and digital stressors

I recently heard Dave Kilcullen speak at the Google INFO Summit on illicit trafficking during the summer of 2012 and ever since then I've been trying to find a way to bring his experience and novel insight into conflict mechanics to a Suits and Spooks conference.

Today, I'm extremely pleased to announce that Dave will be speaking at Suits and Spooks New York on the topic "Out of the Mountains: a future of feral cities, urban systems under stress, and increasing overlaps between the real and virtual worlds."

Dave will also be included on a panel that I'll be moderating with Jonathan Hutson of the Satellite Sentinel Project, retired Navy SEAL Thomas Dzieran, Aaron Weisburd of Internet Haganah and John Scott-Railton of Citizen Lab.

Attendees will have an opportunity to purchase a signed copy of Dave's new book "Out of the Mountains":
"In his third book, David Kilcullen takes us out of the mountains: away from the remote, rural guerrilla warfare of Afghanistan, and into the marginalized slums and complex security threats of the world’s coastal cities, where almost 75 per cent of us will be living by mid-century. Scrutinizing major environmental trends — population growth, coastal urbanization, and increasing digital connectivity-- he projects a future of feral cities, urban systems under stress, and increasing overlaps between crime and war, internal and external threats, and the real and virtual worlds. Informed by Kilcullen’s own fieldwork in the Caribbean, Somalia, the Middle East and Afghanistan, and that of his field research teams in cities in Central America and Africa, Out of the Mountains presents detailed, on-the-ground accounts of the new faces of modern conflict –– from the 2008 Mumbai terrorist attacks, to transnational drug networks, local street gangs, and the uprisings of the Arab Spring."
 We have only 18 seats remaining so register today and don't miss this extraordinary conference where both the speakers and the attendees engage in discussions in the private, exclusive setting of Soho House NYC on October 5-6, 2013.

Wednesday, August 21, 2013

Russian Institute Solicits Foreign Companies But Masks Ties with Russia's Defense Ministry

My company recently published a report which discovered that aerospace companies with joint ventures in Russia and China are hacked 2.4 times more often than those companies who don't. However, hacking a network is small potatoes when compared with the amount of intellectual property that is transferred in other ways.

One of the more surprising discoveries that we made while researching that report had to do with a Russian institute that was set up primarily to engage foreign companies with various types of assistance: the Research Institute of Mathematic Modeling and Intelligent Control Systems. This institute is a part of St. Petersburg State Polytechnical University's Institute of International Educational Programs. The website is in English and is not listed on SPSPU's Russian home page so it's entire focus is foreign-based. 

It conducts applied research in the following areas:
  • Distributed industrial controllers networks for decentralized control of distributed objects and technological processes
  • Intelligent multi-agent based control of android robots and cooperative behavior of robots network 
  • Numerical modeling of external and internal flows aimed at dragand noise reduction
  • Computation of vortical flows and wakes aimed at enhancement of safety in air and ground transportation 
  • Numerical analysis of stress/strain distributions in the real world industrial objects, in particular for those working in the extreme conditions
  • Numerical non-linear analysis of visco-elasticity, contact interaction, large deformations
  • Seismic analysis, simulation of crash-tests, modeling of nucleation and propagation of damage
  • Computation of cooling of electronic devices, heating and air-conditioning systems >> Development of graphic user interface to control virtual objects 
  • Polygonal and NURBS-modeling
A few of the U.S. companies who work with RIMMICS include Boeing and GE. Foreign companies include EADS, Airbus, SAP, LG electronics and Bombardier. I wonder how many of those companies know that RIMMICS also provides avionics services, among others, for the Russian Ministry of Defense because it's not disclosed anywhere on the website.

More information on RIMMICS and other surprises that we've uncovered when investigating foreign vendors who service key U.S. enterprises will be disclosed at our upcoming Suits and Spooks luncheon at the Ritz Carlton Tysons Corner on Sept 10, 2013. Seats are extremely limited so register today. 

Monday, August 19, 2013

The Cyber Kill Chain: Trademarked by Lockheed Martin?

I just learned that Lockheed Martin (NYSE:LMT) filed a trademark for "Cyber Kill Chain" (here and here). That came as quite a surprise since, as far as I know, I was the first to coin and publish that phrase when I described the process that Russian hackers used to attack Georgian government websites (see pages 4 and 15 in the Project Grey Goose Phase I report October 2008).

I also included the Cyber Kill Chain in my presentation about our findings at the Palantir Gov Conference October 2008.

While Lockheed Martin has certainly monetized the phrase (a $4.6B contract), and while I enjoy the fact that the phrase is appealing as well as popular in the InfoSec industry, I hope that Lockheed Martin's trademarking of "Cyber Kill Chain" is just for show and that they don't actually attempt to enforce it.

Sunday, August 11, 2013

High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures (REPORT)

My team and I have completed a report (High Speed. Low Drag: Attack Efficiencies against U.S. Aerospace Joint Ventures) on how much more vulnerable U.S. companies are to being hacked if they engage in joint ventures in Russia and China. Everyone's first response to that is probably - of course! However, our findings might surprise you.

Key Findings:

An aerospace company that has a joint venture in Russia and/or China is 2.4 times more likely to experience a cyber attack than a non-JV company.

Of the study’s control group of 12 aerospace companies that have joint ventures in China and Russia, 8 experienced a cyber attack (67%), including Alcoa, Boeing, General Electric, Honeywell, Pratt & Whitney, Rockwell Collins, Rolls Royce North America and Sikorsky. The other 4 aerospace companies, Eaton, Goodrich, Hamilton Sundstrand, and Parker Aerospace, have not publicly disclosed any cyber attacks.

Of the 21 aerospace companies in the study’s random group, only 6 reported or were claimed to have been the victim of a cyber attack (28%), including General Dynamics, Gulfstream, Lockheed Martin, Northrup Grumman, Orbital Sciences Corporation, and Raytheon.

U.S. companies engaged in joint ventures represent a profit
center for international hacker groups.

This study shows that it is highly likely that the intellectual property owned by U.S. companies with Russian and Chinese JVs also represent high value targets for a variety of state and non-state actors worldwide.

It's unlikely that the Chinese or Russian government will utilize spear phishing or other low-level attacks against a U.S. company with a joint venture in their respective states when other superior means are available to them. 

While official and non-official sources frequently assign attribution to a state military or foreign intelligence organization rather than a mercenary hacker group, the host governments of joint venture companies do not need to craft spear phishing attacks against U.S. companies who operate within their borders; who are required to employ their citizens who are technically PRC government employees; and whose communications networks are supervised and monitored by the State.

Wednesday, August 7, 2013

What kind of military cyber team can't tell a fake ICS plant from a real one?

Evidently, the PLA is either the most incompetent Army in the world or is tasked with exploiting anything and everything that they can, including obvious honey pots. A paper and BlackHat talk by Kyle Wilhoit of Trend Micro got a lot of press including this article at MIT Technology Review "Chinese Hacking Team Caught Taking Over Decoy Water Plant".

My first reaction when I saw this headline was why would anyone bother? Every ICS expert that I know discounts the potential harm that a hacker might be able to do against a water system. My second reaction was - How the f__k would a hacker who knows SCADA systems not know that he was attacking a fake water plant?

I asked my friend Dale Peterson, a world-renowned authority in this area, the same question and he was as perplexed as me. A friend of his who attended BlackHat agreed. "Have you ever seen a plant with one pump?", he asked?

So what does this mean? In my opinion, it raises questions about who Comment Crew aka APT1 aka PLA Unit 61398 really is because they clearly don't know shit about Industrial Control Systems.