Public Intelligence

In February and March 2012, unauthorized IP addresses accessed the Industrial Control System (ICS) network of a New Jersey air conditioning company, US Business 1. The intruders were able to access a backdoor into the ICS system that allowed access to the main control mechanism for the company’s internal heating, ventilation, and air conditioning (HVAC) units. US Business 1 was using the Tridium Niagara ICS system, which has been widely reported in the media to contain multiple vulnerabilities that could allow an attacker to remotely control the system.

Do you want to know what kind of information fusion centers gather on you and your friends? A document contained in the recent Anonymous/AntiSec hack of the Lake County Sheriff’s Office provides a great deal of insight into what kind of information is gathered and processed by fusion centers at the request of local law enforcement. The document is described as a “biographical profile” and was produced by the Central Florida Intelligence Exchange (CFIX), a regional fusion center serving a number of counties including Brevard, Lake, Orange, Seminole and Volusia. CFIX is one of several fusion centers in the state of Florida, part of a larger network of more than seventy operating all around the country. When the Lake County Sheriff’s Office asked for a “workup” on a man being investigated for charges relating to child pornography, CFIX produced a six page profile on the subject, who had no prior criminal history. The report has a flashy cover festooned with logos, restrictive markings and even a graphical depiction of the man’s name, meaning that an employee of the fusion center did not just type the man’s name into a word processor, but actually took the time to produce an individualized graphic with stylistic highlights and shadows.

Indictments and criminal complaints for Anonymous/LulzSec members Sabu, Kayla, Topiary, Anarchaos, Palladium, Pwnsauce released March 6, 2012.

Currently, the intelligence warfighting function includes a formidable set of capabilities across all echelons from “mud-to-space.” This flexible force of personnel, organizations, and equipment collectively provides commanders with the timely, relevant, accurate, predictive, and tailored intelligence they need. We provide the intelligence that continuously supports the commander in visualizing the operational environment, assessing the situation, and directing military actions through ISR synchronization and the other intelligence tasks. The intelligence warfighting function is comprised of nine powerful intelligence disciplines. Eight of those disciplines essentially feed the discipline of all-source intelligence which in turn is focused on the commanders’ requirements. Technological advances have enabled single-discipline analysts to leverage other analysts and information and to conduct multi-discipline analysis to an extent not possible in the past. However, all-source intelligence is still the nexus that integrates information and intelligence from all units and the other intelligence disciplines.

On January 16, 2012 an unauthorized party associated with the hacktivist collective Anonymous gained access to this site’s web server. The attacker gained root access and posted a number of versions of a photo of a naked man. These images were used to deface the front of the site in multiple locations and contained the message “WAS HERE WITH 0DAY, ONLY SHIT I FOUND BAD WAS U LOGGING IN FROM A DSL CONNECTION… THEN AGAIN U BOUGHT THIS SERVER WITH UR PERSONAL CARD SO U CAN BE DOX’D… LEFT U THESE COX AS A FRIENDLY REMINDER THAT YOUR BOX CAN BE PWNED AT ALL TIMES…” The attackers then manipulated configuration files for the server which caused an error message to appear to visitors of the site. This state persisted for approximately eight hours blocking access to the site before it was later fixed by the attacker, who left a longer explanation for the hack in the server’s root directory.

US citizens and assets – including the White House, the Central Intelligence Agency, InfraGard, the state of Arizona, and major defense contracting companies – experienced high-profile cyber threats and attacks in the first half of 2011. Most of the tactics and techniques used were not new, however the increase in attacks during the past few months exemplifies the growth of cyber incursions and reinforces the need to be aware of risks and mitigation techniques associated with cyber threats.

The FBI assesses with high confidence a that law enforcement personnel and hacking victims are at risk for identity theft and harassment through a cyber technique called “doxing.” “Doxing” is a common practice among hackers in which a hacker will publicly release identifying information including full name, date of birth, address, and pictures typically retrieved from the social networking site profiles of a targeted individual.

The purpose of this bulletin is officer awareness. Officers should know that instigators involved in violent demonstrations might be familiar with, and might try to apply, techniques from the “Crowd Control and Riot Manual.” The handbook, from Warrior Publications teaches protestors how to defeat law enforcement crowd control techniques. Although it does not address specific groups or organizations, the information is widely applicable.

The loosely organized hacking collective known as “Anonymous” has announced through several mediums that they plan on conducting cyber attacks, peaceful protests, and other unspecified activity targeting a variety of organizations. The purpose of this product is to judge the likelihood of occurrence for these events, as well as the potential impact.

The National Security Agency, a secretive arm of the U.S. military, has begun providing Wall Street banks with intelligence on foreign hackers, a sign of growing fears of financial sabotage. The assistance from the agency that conducts electronic spying overseas is part of an effort by American banks and other financial firms to get help from the U.S. military and private defense contractors to fend off cyber attacks, according to interviews with U.S. officials, security experts and defense industry executives. The Federal Bureau of Investigation has also warned banks of particular threats amid concerns that hackers could potentially exploit security vulnerabilities to wreak havoc across global markets and cause economic mayhem. While government and private sector security sources are reluctant to discuss specific lines of investigations, they paint worst-case scenarios of hackers ensconcing themselves inside a bank’s network to disable trading systems for stocks, bonds and currencies, trigger flash crashes, initiate large transfers of funds or turn off all ATM machines.

The following photos taken in October 2011 demonstrate the global distribution of support for the ideas of the hacktivist group known as Anonymous.  Protesters wearing Anonymous’ trademark Guy Fawkes mask are pictured in Rome, Vienna, Lisbon, Toronto, Ljubljana, Berlin, Los Angeles, Paris, Amman, New York, Washington D.C., Florida, Miami, Mexico City, Bucharest, Stockholm, Brasilia, Seoul and [...]

The loosely organized hacking collective known as Anonymous has recently expressed an interest in targeting industrial control systems (ICS). This product characterizes Anonymous’ capabilities and intent in this area, based on expert input from DHS’s Control Systems Security Program/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in coordination with the other NCCIC components.

The hacker collective known as ‘Anonymous’ has successfully attacked a wide range of public and private sector entities since 2003 with relatively crude tools. Historically, they rely on tools such as the Low Orbit Ion Cannon (LOIC) or Botnets to deny access to websites, or hijack or deface web pages and post quasi-political statements, or perform other malicious activity. Since many of these older tools made it relatively easy for law enforcement and other government forces to identify the source of an attack and then arrest the perpetrator, Anonymous members may have recognized a need to have more advanced tools that offered a lesser degree of exposure. They recently claimed to have developed and possibly employed several new cyber attack tools for use in their self-proclaimed ‘internet civil disobedience’ campaigns. The NCCIC, coordinating with several of its partners, believes there are at least four new tools being shared among and employed by Anonymous members: #RefRef, Apache Killer, Anonware, and Universal Rapid Gamma Emitter (URGE).

The FBI assesses that the hacktivist group Anonymous is likely to participate in the “Day of Rage” protest scheduled for 17 September 2011 in New York City‟s financial district. While the extent of group members‟ participation in the event is unknown, in late August 2011 Anonymous endorsed the event through propaganda consisting of a video posted on YouTube and a campaign poster, as well as references in their Twitter accounts. In the past, Anonymous has been involved in physical protests that coincided with planned cyber attacks. This could indicate an intention to conduct a cyber attack in conjunction with the “Day of Rage” protest.

Photos taken on September 24, 2011 of march to Union Square and subsequent arrests. Photographers Marnie Joyce, Brennan Cavanaugh and especially Paul Weiskel are to be commended for choosing to license their photos under a Creative Commons license.  See also:
Occupy Wall Street Photos September 2011
Occupy Wall Street Protest Police State Photos
 

U.S. District Court of Northern California Christopher Doyon and Joshua John Covelli Anonymous Santa Cruz DDoS Attack Indictment from September 21, 2011.

Department of Homeland Security National Cyber Security Division presentation on “Cyber Resilience” with overviews of recent hacking incidents, including many connected with the hacktivist group Anonymous.

This Bulletin is being provided for your Executive Leadership, Operational Management, and Security Administrators situational awareness. The actors who make up the hacker group “Anonymous” and several likely related offshoots like “LulzSec”, continue to harass public and private sector entities with rudimentary exploits and tactics, techniques, and procedures (TTPs) commonly associated with less skilled hackers referred to as “Script Kiddies”. Members of Anonymous routinely claim to have an overt political agenda and have justified at least a portion of their exploits as retaliation for perceived ‘social injustices’ and ‘freedom of speech’ issues. Attacks by associated groups such as LulzSec have essentially been executed entirely for their and their associates’ personal amusement, or in their own hacker jargon “for the lulz”.

Comprehensive Agreements on Security of Information Within the North Atlantic Treaty Organization signed in June 2002.

NATO Restricted Outsourcing Balkans Communications and Information Systems Support from January 2008.

U.S. District Court of Northern California indictment of sixteen people filed July 13, 2011 in connection with Anonymous DDoS attacks on PayPal.

The National Cybersecurity and Communications Integration Center (NCCIC), through coordination with its partners and monitoring of multiple sources, is tracking reports that members of the hacktivist collectives ‘LulzSec’ and ‘Anonymous’ have combined their efforts and continue to perpetrate cyber attacks targeting U.S. and foreign networks. LulzSec Members have posted statements on the internet claiming the attacks, referred to as ‘Operation AntiSecurity’ (AntiSec), are ‘designed to demonstrate the weakness of general internet security’ and have allowed them to collect massive amounts of data. LulzSec is purported to be a group of former Anonymous members who typically use widely available and crude tools to hijack or deface web pages as a political statement. They also routinely post information regarding planned and ongoing activities on publicly available Internet Relay Chat (IRC) sessions and social networking sites like Twitter. Recent attacks by LulzSec and Anonymous have proven simple Tactics, Techniques and Procedures (TTPs) are often successful, even against entities who have invested a significant amount of time and capital into designing and securing their information networks.

A bulletin released in late June by the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center (NCCIC) warning of the recent activities by LulzSec and Anonymous has surfaced online. The unclassified bulletin titled “Hacktivist Groups Target U.S. and Foreign Networks” was recently posted to an unknown online network security website Aisle.net before being subsequently removed. The site it was posted to has also disappeared and now visitors to the domain are greeted with a blank screen. While the full document is not recoverable at this point in time, a cached version of the document’s summary contains a number of surprising admissions regarding the effectiveness of basic techniques utilized by LulzSec/Anonymous.

Emails released by a member of Anonymous relating to the supposed concealment of mortgage fraud by Bank of America. Due to extreme interest, the main site distributing the documents (bankofamericasuck.com) has been intermittently inaccessible. Also, a somewhat confusing presentation makes the actual emails themselves difficult for some people to interpret. Text renditions of the emails contained in the leak are presented.

A representative of Morgan Stanley has demanded the removal of a document originally released by the online hacktivist group Anonymous. Morgan Stanley’s Computer Emergency Response Team (CERT) Physical Memory Standard Operating Procedures is a 23-page document that details procedures written by HBGary employee Phil Wallisch for Morgan Stanley’s CERT. The original source of the document is an email from Phil Wallisch to the Morgan Stanley CERT in June 2010. The document is available in other formats from a variety of sites hosting the AnonLeaks HBGary files.