Posts Tagged: CyberESI


28
Jul 14

Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System

Three Israeli defense contractors responsible for building the “Iron Dome” missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology, KrebsOnSecurity has learned.

The never-before publicized intrusions, which occurred between 2011 and 2012, illustrate the continued challenges that defense contractors and other companies face in deterring organized cyber adversaries and preventing the theft of proprietary information.

The Iron Dome anti-missile system in operation, 2011.

A component of the ‘Iron Dome’ anti-missile system in operation, 2011.

According to Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), between Oct. 10, 2011 and August 13, 2012, attackers thought to be operating out of China hacked into the corporate networks of three top Israeli defense technology companies, including Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems.

By tapping into the secret communications infrastructure set up by the hackers, CyberESI determined that the attackers exfiltrated large amounts of data from the three companies. Most of the information was intellectual property pertaining to Arrow III missiles, Unmanned Aerial Vehicles (UAVs), ballistic rockets, and other technical documents in the same fields of study.

Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.

The Israeli government has credited Iron Dome with intercepting approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict. The U.S. Congress is currently wrangling over legislation that would send more than $350 million to Israel to further development and deployment of the missile shield technology. If approved, that funding boost would make nearly $1 billion from the United States over five years for Iron Dome production, according to The Washington Post.

Neither Elisra nor Rafael responded to requests for comment about the apparent security breaches. A spokesperson for Israel Aerospace Industries brushed off CyberESI’s finding, calling it “old news.” When pressed to provide links to any media coverage of such a breach, IAI was unable to locate or point to specific stories. The company declined to say whether it had alerted any of its U.S. industry partners about the breach, and it refused to answer any direct questions regarding the incident.

arrow3“At the time, the issue was treated as required by the applicable rules and procedures,” IAI Spokeswoman Eliana Fishler wrote in an email to KrebsOnSecurity. “The information was reported to the appropriate authorities. IAI undertook corrective actions in order to prevent such incidents in the future.”

Drissel said many of the documents that were stolen from the defense contractors are designated with markings indicating that their access and sharing is restricted by International Traffic in Arms Regulations (ITAR) — U.S. State Department controls that regulate the defense industry. For example, Drissel said, among the data that hackers stole from IAI is a 900-page document that provides detailed schematics and specifications for the Arrow 3 missile.

“Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense contractors,” Drissel said. “We transferred this technology to them, and they coughed it all up. In the process, they essentially gave up a bunch of stuff that’s probably being used in our systems as well.”

WHAT WAS STOLEN, AND BY WHOM?

According to CyberESI, IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. Drissel said the attacks bore all of the hallmarks of the “Comment Crew,” a prolific and state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing terabytes of data from defense contractors and U.S. corporations.

Image: FBI

Image: FBI

The Comment Crew is the same hacking outfit profiled in a February 2013 report by Alexandria, Va. based incident response firm Mandiant, which referred to the group simply by it’s official designation — “P.L.A. Unit 61398.” In May 2014, the U.S. Justice Department charged five prominent military members of the Comment Crew with a raft of criminal hacking and espionage offenses against U.S. firms. Continue reading →


1
Mar 13

New Java 0-Day Attack Echoes Bit9 Breach

Once again, attackers are leveraging a previously unknown critical security hole in Java to break into targeted computers. Interestingly, the malware and networks used in this latest attack match those found in the recently disclosed breach at security firm Bit9.

The discovery of the Java zero-day is being co-credited to FireEye and CyberESI, two companies that specialize in tracking cyber espionage attacks. In its writeup, FireEye said multiple customers had been attacked using a newly-found flaw in the latest versions of Java — Java 6 Update 41, and Java 7 Update 15.

FireEye said the Java exploit used in this attack downloaded a remote access Trojan called McRat. This threat, also known as HiKit and Mdmbot.F, calls home to a malicious control server at the Internet address 110.173.55.187. Turns out, this is the same malware and control server that was used in the attack on Bit9, according to details that Bit9 released in a blog post this week documenting a sophisticated attack that resulted in a breach of its own systems last year.

Alex Lanstein, a senior security researcher at FireEye, said it’s unlikely in this case that multiple attack groups are using the same infrastructure and malware.

“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,” Lanstein said.

Continue reading →


27
Oct 11

Chasing APT: Persistence Pays Off

The IT director for an international hedge fund received the bad news in a phone call from a stranger: Chinese hackers were running amok on the fund’s network. Not seeing evidence of the claimed intrusion, and unsure about the credibility of the caller, the IT director fired off an email to a reporter.

“So do you think this is legit, or is the guy trying to scare us?” the IT director asked in an email to KrebsOnSecurity.com, agreeing to discuss the incident if he and his company were not named. “He has sent me the logs for the connections to the infected server. I checked the firewall and am not seeing any active connections.”

The call, from Hermes Bojaxhi of Columbia, Md. based threat intelligence firm Cyber Engineering Services Inc. (CyberESI), was indeed legit, and a follow-up investigation by the hedge fund revealed that at least 15 PCs within the financial services company were compromised and were sending proprietary information to the attackers.

CyberESI knew about the incident because it was monitoring several hacked, legitimate servers that the attackers were using to siphon data from multiple victims. Bojaxhi said the hedge fund notification was one of several he made that week to Fortune 500 companies that also had been hacked and were communicating with the same compromised servers.

And it wasn’t his first call to the hedge fund.

“On that particular victim, I tried to reach out to them a month prior, but I was handed off to an administrative assistant,” Bojaxhi said. “We had 25 [victim organizations] to call that day. But when they popped back up on the radar a month later, I tried again.”

The hedge fund incident illustrates the complexities of defending against and detecting targeted attacks, even when victims are alerted to the problem by an outside party.

Joe Drissel, founder and CEO for CyberESI, said too many companies think of cyberattacks as automated threats that can be blocked with the proper mix of hardware and software.

“So many firms are stuck in a paradigm of drive-bys, not targeted attacks,” Drissel said. “There seems to be a real disconnect with what’s really happening on a daily basis. We’re trying to fight an asymmetrical war in a symmetrical way, sort of like we’re British soldiers [in Revolutionary War], all walking in line and they’re picking us off one by one. By the time we turn around and aim, they’re already gone.”

None of the first three Trojans installed on the hedge fund’s computers were initially detected by any of the 42 anti-virus products bundled into the scanning tools at Virustotal.com.

Drissel said victims that his company notifies sometimes mistakenly think his firm is involved in the attack, or that they’re somehow joking.

“One guy laughed and said, ‘Thank you for watching out for our company,’ but he didn’t call us back,” Drissel said of a conversation with a victim earlier this year, declining to name the victim. “We watched [the attackers] exfiltrate weapons systems data for the Defense Department out of their systems, and ended up having to text the same guy a file stolen off their servers. Fifteen minutes later, we got a call back from him, and they unplugged their entire corporate network.”

Some say that the attacks CyberESI notifies companies about — often referred to as the advanced persistent threat (APT) —  are over-hyped, and that the malware and exploits used in these incursions usually aren’t that sophisticated. APT attacks also are frequently associated with targets in the U.S. government and companies in the defense industry.

But most APT attackers tend to be only as sophisticated as they need to be, which often isn’t too sophisticated, said Gavin Reid, senior manager of Cisco’s computer security incident response team. Speaking at a conference in Warsaw, Poland this week, Reid said successful APT attacks need not use zero-day software flaws.

“People will say, ‘Well, this attack wasn’t very advanced, so it can’t be APT’, but I will tell you the folks who are behind some of this stuff are not going to use cool zero-day stuff if they can go in the underground economy and say, ‘Hey, I need [access to] an infected machine in this organization,’ and pay $50 in Paypal in order to get that,” Reid said.

Continue reading →