Frankenstory: Attack Of The Iranian Cyber Warriors

Who Is Hacking U.S. Banks? 8 Facts

Just in time for Halloween, there's a new bogeyman in town: the Iranian government-sponsored cyber attacker. As with other phantasms, related sightings are growing more numerous, though they remain unsubstantiated by hard evidence.

The appearance of this new and reportedly escalating threat comes after a recent lull that occurred thanks to the coordinated international law enforcement takedown of the LulzSec group and key members of the Anonymous hacktivist collective. New players have move into that vacuum, including a group called the Cyber fighters of Izz ad-din Al qassam, which has claimed credit for the ongoing U.S. bank website disruptions. The group has said that its hacktivist-style distributed denial-of-service (DDoS) attacks will continue -- barring Muslim holy days -- until "Innocence of Muslims," the film that mocks the founder of Islam, gets excised from the Internet. Meanwhile, a self-described activist group, Cutting Sword of Justice, took credit for the Aug. 15 Shamoon malware attack against Saudi Aramco, which was designed to steal data and erase hard drives. [ Read the latest on the U.S. bank hacks. See Fast Flux Botnet Nets Fraudsters $78 Million. ] Despite the Anonymous takedowns, anonymity remains well in vogue. Start with U.S. government officials, who have been granting anonymous media interviews in which they assert that the Iranian government is behind the bank website disruptions as well as a series of wire-transfer attacks. In the latter case, the wire transfers -- aided by credential-grabbing malware and Zeus botnets--have let attackers transfer millions of dollars into overseas accounts. Cue Iran as the culprit again for the Shamoon malware attack against the network of Saudi Aramco, which is the world's largest exporter of crude oil. Defense Secretary Leon Panetta said earlier this month that the attacks against Saudi Aramco managed to "virtually destroy" 30,000 PCs. An internal Saudi Aramco investigation more recently revised that estimate to 50,000 PCs. According to an August blog post by Eugene Mayevski, CTO of security firm EldoS, Shamoon also included a copy of the company's commercial master boot record wiper, RawDisk, which he guessed had been stolen from one of the company's customers. Many observers read Panetta's speech as a thinly veiled threat against Iran, made as a nuclear standoff with Iran becomes more likely. The U.S. government is also reportedly developing contingency plans for a strike against Iran -- not of the cyber variety -- as the country improves its uranium-enrichment capabilities. On the cyber-attack front, however, where's the hard evidence that ties Iran to all of these attacks? Well, that's classified. Furthermore, at least in the case of Shamoon, this week anonymous government officials admitted to Bloomberg that the evidence is only circumstantial. But the case against Iran may not even be that, as digital forensic investigators this week also confirmed earlier reports that -- counter to U.S. government officials' assertions -- Shamoon was an amateurish, copycat Flame attack, carried out by a single individual. Thanks to the individual having incorrectly configured the malware, it not only did less damage than intended, but it helped investigators trace the infection back to a USB stick that had been plugged into the employee's PC while he was logged in. Saudi authorities, according to news reports, have arrested a suspect. Panetta continued to insist this week that the Shamoon malware had been "a very sophisticated tool." To be charitable, that may have been true five years ago, but the state of the art in malware has rapidly advanced since then. What's fueling those rapid advances? Start with Stuxnet, Duqu, Flame, MiniFlame, or any other government forays into cyber weapons. "This is where I get nervous: Oh, great, a massive training ground for criminals and other groups -- here's how you build a massive command-and-control center for criminal attacks," said Eric Byres, CTO of Belden's Tofino Security, in a recent phone interview. In other words, tomorrow's crimeware update will likely incorporate tricks developed by our own country's cyber weapons program. Like so many Frankenstein monsters, what comes for us in the digital dead of night bears a startling resemblance to something of our own making. Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)