Cyberwarfare: How foreign wars can affect us at home

On April 13, 2024, for the first time from their own country, Iran launched a huge missile and drone attack against Israel. This is all over the news, but did you know there was a cyber-attack prior to the strike against the Israeli radar systems? The pro-Iranian cyber gang known as Handala claimed to have breached radar systems and sent 500,000 text messages to Israeli citizens. The attack was meant to soften up the Israeli defense system and intimidate citizens, although it appears not to have had the desired effect.

More and more, cyberwarfare is part of the multi-pronged attack in kinetic warfare. So far, it has not been something that wins wars directly, but it contributes to the effects of other strategies. Cyberwarfare encompasses a range of activities, from espionage and sabotage to propaganda and disinformation campaigns. It is characterized by its low visibility and high impact, making it an attractive tool for state and non-state actors seeking to achieve strategic objectives without resorting to conventional military force. Additionally, the cyber domain offers a level of deniability and the ability to strike at the heart of critical infrastructure and societal functions.

There are three types of cyberwarfare commonly used today: wipers, distributed denial of service (DDoS), and defacement. The objective of wipers is to delete information from a network. This denies users access to their own data. Wiper attacks may include ransomware. A DDoS attack aims to take down a website or online resource by overwhelming it with malicious traffic. This is usually done with botnets (remotely controlled malware infected computers). Both types of attacks deny the end user access to their information or network. The third type of attack goes about their objective slightly different. Defacement deletes or modifies information on a website. The objective is to mislead the public into thinking the malign planted news is reliable with the hopes of that news going viral. This can be part of a wider psychological operation in the campaign.

There are estimates that the Iranian Ministry of Intelligence (MOIS) carried out more than 2,000 attacks each in the first week of April. Together, they operate more than 10 different attack groups. A cybertracker from CyberKnow reveals that 65 groups were involved in the campaign against Israel from the 1st to the 8th of April 2024, carrying out DDoS, defacement, and other types of attacks.

The targets of these attacks are not always digital. During the April 13th missile attack, Iranian-backed hacktivist group, the “CyberAv3ngers,” caused power outages in several Israeli cities. The CyberAv3ngers became famous in the U.S. in November and December 2023 for targeting U.S water facilities. Water utilities in Pennsylvania, Texas, and Florida were compromised. Although the consequences of the compromises were not dire, the group was sending a message that it could compromise high value targets and do damage if it wanted. The group targeted U.S. utilities for the U.S. support of Israel.

Although Iran’s cyber-attacks are noted above, it is not specific to that country. Cyberwarfare is being employed by all major powers across the globe. Israel, the U.S.A, China, Russia, North Korea, the UK, and European Union countries use these activities as part of their wider strategy to affect their influence.

Even though a kinetic war is being waged over 6000 miles away, cyber-attacks can affect us at home. Public utilities should especially be cyber prepared for anything in this environment.

You can find the original article here from the Sierra Vista Herald.

The Anatomy of a Social Engineering Attack

John Podesta, a key staffer for the Hillary Clinton presidential election campaign received an email, appearing to be from Google, warning him that someone had attempted to access his account and prompted him to change his password. John clicked on the link and entered his current username and password. Unfortunately for John, this was a phishing email and the link that he used to change his password was set up by the hackers to steal his credentials. The hacker used his credentials to download all his emails. These emails were later released to the public by WikiLeaks causing a bit of a stir.

Why are we so susceptible to falling for these attacks? There are six (6) principles that social engineers use to deceive us. The first is reciprocity. Reciprocity suggests that people feel obligated to reciprocate favors received by others. If you do something for me, I will be happy to do something for you. Many scams use a free gift or a prize to entice the victims to click their link or provide information.

Another method that social engineers use is social proof. This concept suggests that people are more likely to conform to the actions if they see others doing it. This works especially well in ambiguous or unfamiliar situations. A familiar tactic would be the website that says 57 people in your area have recently purchased this item.

Authority is a huge tactic that social engineers use, and the one employed above to get John to click on that link. Scammers often pretend to be people from the government or your IT department or one of your trusted vendors. Since they are in authority, you usually trust them and do what they suggest.

Commitment and consistency suggest that once individuals make a public commitment or take a small initial action, they are more likely to remain consistent with that commitment or action in the future. Some phishing scams ask recipients to confirm their email addresses for security purposes. Once they click the link, the victim feels commitment to engage in the sender. The scammer subsequently asks for more personal information or login credentials.

Social engineers use “likability and empathy” to build rapport and trust with their targets by establishing a sense of familiarity and likability. They may mirror the victim’s behaviors, interests, or communications styles.

The final principle to discuss is scarcity. The emotion being pushed here is the fear of missing out. This may look like those familiar statements “for a limited time only” or “while supplies last.” This encourages the target to act quickly out of emotion, rather than slowly, logically, and methodically considering what is being offered.

Let us look at some of the scams out there to see what they are using. The tax collector scam impersonates an IRS agent usually contacting by text or a prerecorded voicemail. They may send you a form to pay and may ask for gift cards or bitcoin in payment. The scammer uses “Authority” to intimidate people to do what they ask, sometimes threatening arrest or revocation of driver’s license. They also use commitment and consistency. Once they pull the victim into the trap, they are committed to continue the discussion. Some issues to note on this scam are the IRS will not ask for payment in Bitcoin or gift cards. They will not send forms via email – forms pulled from the website. The IRS cannot revoke your driver’s license.

The “pig butchering” scam uses “likability and empathy” to capture the victim’s trust and “commitment and consistency” once the victim is engaged. This scam usually starts with a wrong number text or a dating app. Once the scammer builds trust, they mention their success in Bitcoin and connection to an insider. This is the concept of “scarcity.” They share their fake website for trading with the victim.

When the victim uses the site, they watch their money grow and invest more money hence the name of the scam. They are fattening the victim up until they cut contact and take their money. Do not use any digital wallet that you have not thoroughly researched.

So, if you are approached via email, text, or phone slow down, take the emotion out, and determine if it is legitimate. If the proposal sounds too good to be true, identify what social engineering principles are being employed and why.

Original article can be found here.

The Cyber Guys: Critical Vulnerabilities in Voting Machines – Easy To Hack

J. Alex Halderman, a Computer Science professor at the University of Michigan, walks into a courtroom in Georgia. He borrowed a pen from the defense attorney and in under a minute he had broken into a Dominion voting machine where he could make the results anything that he wanted without a trace of his breach. 

Dr. Halderman was an expert witness that demonstrated just how vulnerable these voting machines are to tampering. He used a pen to hold down the power button on the voting machine. He waited 7 seconds until it came up in “safe” mode. From there he could open files and change the contents of files to include the results and audit files without a password.

Later Dr. Halderman showed how with just a $30 purchase on Amazon, he was able to create a technician card for the voting machines that gave him super user access. Once programmed, a hacker could make as many technician cards as needed and distribute across the voting area.

At this point you might be thinking, OK, but how many computer science professors are going to hack a voting machine? Well, it turns out in August of 2018 at a DEFCON hackathon conference, it took an 11-year-old boy 10 minutes to hack a simulated Florida state voting website and change the results of the election. There was not just one child, but 30 of the 50 children with age ranging from 8 to 16 were able to hack the simulated election website. 

Over the last 6 years there have been many lawsuits concerning the use of these machines all over the country. Not only in Georgia, but Pennsylvania, Michigan, Texas, Arizona, and more.

But it’s not just Dominion machines that have vulnerabilities. In the summer of 2020, students from the University of Pennsylvania conducted an audit of the ES&S voting system1. ES&S claims to be the world’s largest e-voting system vendor, supporting more than 67 million voter registrations with 97,000 touchscreen voting machines installed in 20 states, with optical ballot readers in 43 states. 

The team reported numerous critical vulnerabilities existed in nearly every component of the ES&S system. They identified serious and undetectable attacks that could be carried out by poll-workers and even individual voters. What makes matters worse is that these attacks are not limited to the local machines. There are several attacks that propagate like a virus to the backend systems on the network affecting all the results of a precinct or an entire county. According to their report, virtually every mechanism for assuring the integrity of precinct results and backend systems can be circumvented. With these machines, they found that almost every major component of ES&S can be altered or replaced by other components with which it communicates. In other words, there are many ways to get to the back end to modify the results. 

The calibration of the touchscreen affects how the voters’ input maps to different locations on the screen. If the calibration is incorrect, it could alter the voters’ choices. For example I vote for Alice for the school board on the touch screen, but the machine selected the opponent, Bob. This happened in Pennsylvania in the 2023 Superior Court election. When a voter would select ‘yes’ or ‘no’ on their ballot for one of the candidates, the vote was recorded on the paper ballot and the machine for the other candidate.

Some countries like Argentina and the Philippines have recently banned the use of the machines due to their vulnerabilities. There is talk in different states around the country about doing the same. What should we do to ensure that each voter’s choice counts?

The original article was published in the Sierra Vista Herald here.

The $100 Million Phone Call – Tale of the MGM Hack

In 2008, an Australian man received a $147,000 phone bill while traveling in Europe. It appeared his 12-year-old son was playing a game of “Tap, Tap, Revenge” on his iPhone the whole time. That was quite a bill, but it is peanuts compared to the 10-minute phone call to technical support that cost MGM Resorts close to $100 Million.  

In September of 2023, a group of cyber hackers from the US and UK, ranging in age from 19-22 called Scattered Spider, used social engineering to take down many of the operations of the almost $34 Billion gambling giant. Cyber criminals went to the Linked-In social media page to find an employee that works in IT for MGM Resorts. A member of the State sponsored group named Scattered Spider called the MGM tech support team impersonating a hard-working IT employee that needed a password reset. After 10 minutes on the phone, the hackers owned that account. This was the cornerstone of the operation. If tech support verified who they were talking to prior to resetting the password, this attack may have been less damaging. The helpful tech support worker had an amygdala hijacking. The urgency to help took over the logical part of the brain that would have verified the caller.  

Once in the network, they escalated their privileges (gained admin rights) and found their way into the most valuable computers. The computers were responsible for the hospitality applications used to run the hotels and casinos. The hacking group loaded ransomware on over 100 servers. One by one the ransomware encrypted the systems and the applications crashed. Hotel keys no longer worked. Slot machines were unavailable. Point-of-Sales systems (credit cards) were unable to take payments. Guests were not able to reserve rooms and check in or out. MGM saw operations in eight states affected by the intrusion.  

Because MGM did not immediately pay the ransom, their systems were in a state of upheaval for 10 days. The losses from the disabled slot machines alone cost MGM an estimate of $5 Million a day. Some estimate a total loss of $8.4 Million per day. MGM Resorts International claimed the disruption in service caused a $100 Million loss in the third quarter results. Additionally, they spent another $10 Million on legal fees and technical consulting. As a result of the attack, their stock dropped $850 Million in market value. They have since recovered that loss. However, their biggest loss might be the damage to their reputation.  

Just a week before, another casino giant, Caesars Entertainment, suffered a ransomware attack. In contrast they immediately negotiated the ransom from $30 to $15 Million and saw only minimal disruption. The bright side (if there was one) for both corporations was that they both carried excellent cybersecurity insurance policies which covered the cost.  

There may be legitimate business reasons to pay the ransom, but it comes with an additional ethical price. The ransom you pay funds other elicit criminal activities like drug smuggling and human trafficking. We will save that discussion for another day.  

Don’t think this only happens to huge corporations, it happens to small and medium sized companies every day in America. Employees need cybersecurity training, so they don’t fall for the kind of trick played on MGM. You need to have company policies in place to protect against impersonation. You need business plans such as Incident Response Plans and Contingency of Operation plans developed and ready in case of an attack or disaster.

Keep all that in mind for your business the next time you receive an unexpected call. What will this phone call really cost? 

Original article in the Sierra Vista Herald found here: