Vladimir Cicović
DevOps / GitOps
Topor Live, a Telegram channel with over 3.9M followers, reported on 14 June 2023 that within the next 48 hours REvil, Anonymous Sudan and KillNet would "bring down" the entire European banking system.

Source: Twitter
The announced attack, however, did not happen. This text nevertheless analyzes the factors that decide whether a cyber attack succeeds when, as in this case, the attack is announced in advance.
1) FACTORS AFFECTING THE SUCCESS OF THE ATTACK
Secrecy of the operation
The success of any engagement in cyberspace depends most on the secrecy of the operation. While the operation is secret, the target/victim feels safe and continues its daily routine and work without emergency measures. Any hint of an operation jeopardizes it, because the opposing side can adapt to the potential attack and to the attacker. Once activity is recognized, the target can raise its commitment of manpower and assets and thereby change the expected effect of the attack. If, for example, it becomes known that a DDoS attack will be carried out on the network where the target is located, the target can be extended (for several days or weeks) to new networks/uplinks/ingress points, or additional resources can be hired to keep operations running smoothly. Such measures may be temporary and limited in time, but they create a real possibility that the attack fails.
Secrecy of the target/objective of the operation
If the target/goal of the operation is discovered, additional personnel and resources are again engaged, the entire IT environment is analyzed, and a regime is established in which (for a limited period) the target/goal is specially protected. All focus is on the target, its analysis and its operation, with the aim of building a model in which the target/goal keeps working. For example, against the theft of all computers in one branch of a bank, additional reserves are set up at another location and workstations/servers are backed up for a limited period of time.
Secrecy of the participants of the operation
The secrecy of the participants can be one of the factors of success. If they are disclosed, there is a possibility of obstructing or manipulating them. Participants can be obstructed technically, psychologically and physically. Technical means of execution: computers, internet connections, electricity. Psychological: causing conflict between group members, creating feelings of guilt or other types of manipulation. Physical: liquidation or kidnapping.
Secrecy of the start of the operation
Depending on the final goal against the target, merely discovering when the operation begins can let the defender deploy resources rationally and make the entire operation fail. There is also the possibility of covert operations by the other side aimed at the failure or disruption of the attack.
Secrecy of the chain of operation
Here the ransomware group / DDoS model is taken as the example. What matters is the entire chain used for the operation: ransomware needs initial access (IA), C2 servers, C2 tools and operators for them; DDoS relies on paid DDoS services, people who run their own DDoS services, and money/cryptocurrencies; exploitation relies on remote exploits, vulnerabilities and 0day brokers.
If the entire chain used for the operation, or only a part of it, is known, then even a small part of it can be influenced in order to disable the attacker or make it impossible for him to continue the attack.
- Initial Access: inserting FBI agents or agents of private intelligence companies with fake access to certain companies. Either a complete fake IT structure of the company is introduced, or access is given with accounts in a controlled environment, where the attacker is prevented from attacking the entire IT structure and only reaches the smaller part that sits in the controlled environment (isolated, disconnected from the main part).
- C2 servers: inserting a server with full control over the attacker's server-side software, disabling a certain part of the operation, or monitoring connections to targets.
- C2 tools: sale of backdoored tools, monitoring, destruction of the entire infrastructure.
- DDoS services: acquiring clients and faking attacks (in agreement with the target); "poisoning" the DDoS market by inserting a huge number of DDoS services at favorable prices that work without problems, in order to "cancel" or fake attacks on the target.
- Money/cryptocurrency: exchanges built by the FBI/CIA/NSA/EU/Interpol that monitor sends and receives between criminals; shutdown of a complete protocol for a certain part of the internet or at main routing points; DDoS against crypto exchanges; finding vulnerabilities in cryptocurrencies/blockchains/smart contracts.
- Remote 0day exploits: the demand itself, by type of software, can point to the targets. From setting up a 0day broker to learning which software they want to "attack", such information can already help narrow down the number of targets and prevent the attack.
Resources and group size vs. resources and number of targets
The attacker's biggest challenge is that he produces a psychological effect through the media/internet even when he does not have the strength to actually hit the target(s). The target can do the same, through media exposure and demeaning the attacker, especially when the group's resources and numbers are very small compared to the target's. If a certain sector is attacked, the disabled services can be transferred to other companies through legal work and everything that goes with it (legal problems, regulations, where possible). In the case of KillNet and REvil there is a pooling of resources, but again this cannot result in success because of the number of targets, their geographical spread and a lack of knowledge of how banks work. The plan of attack is probably against web services and the like, but the banks can counter with Anycast across multiple providers, relocation, geo-blocking and more. Banks are better prepared for such things.
TTP – tactics, techniques and procedures; the limited set of TTPs used in operations
By revealing the TTP of a certain group (say Anonymous Sudan and its DDoS) we can focus on and analyze the details of how they work and which tools they use. It is possible to find weaknesses in the way those tools operate and in their principles. For example, DNS resolution, packet sending and other steps can each have a vulnerable point. Example: resolving *.meta.com to 127.0.0.1 on Russian DNS resolvers or on VPN providers around the world can cause an attacker to flood his own infrastructure. This can be used to slow down attacks, redirect attacks, fake attack success, or similar.
2) POSSIBLE TYPES OF ATTACKS ON EU BANKS
DDoS attack
Depending on whom they attacked, part of the KillNet and Anonymous Sudan attacks had no effect. Anonymous Sudan, which runs its own DDoS infrastructure and rents it to others for money, picks targets that sit behind Cloudflare and similar anti-DDoS services in order to amplify the media effect of an attack. Small and medium targets (small companies, companies with fewer staff and insufficient anti-DDoS protection) stay down under an Anonymous Sudan DDoS for mostly 5 to 15 minutes; in some cases longer, but then it is a single server with an HTTP port behind Cloudflare that can be taken down with a modest DDoS. Several times their DDoS "failed" or they were unable to sustain the attack for longer than 5 minutes, mostly against targets with far better protection or targets that work in cyber security themselves. All banks operate through SWIFT; the ATM network is connected to the database in the banks, but it can be relocated so that it sits on different ISPs/networks with a "hybrid" access path (a combination of 4G and the computer network, or Wi-Fi access). The most vulnerable part of a bank is its web portals, but even that part can be protected if measures are taken in time or a decision is made during the attack. What can happen here is that clients lose access to the web platform (let's say that access through the software on phones and desktop computers can be "relocated").
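The scenario above, a single origin with an HTTP port behind a CDN being saturated by a short flood, is exactly what shows up in the origin's own access log before anything else. The following is an added example, not code from the original post or from any bank or vendor: a sliding-window request-rate detector over combined-format access log lines. The log lines are constructed here from documentation IP ranges, and the assumption that the origin logs the real client address (e.g. nginx `real_ip_header CF-Connecting-IP` behind Cloudflare) is mine; without it every request appears to come from the CDN's own ranges and per-source counting is meaningless.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format. Assumption: the origin logs the real client
# address (e.g. nginx real_ip_header CF-Connecting-IP behind Cloudflare); otherwise
# all traffic appears to come from the CDN and per-IP counts are useless.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_flood(lines, window_seconds=10, per_ip_threshold=50):
    """Sliding-window request count per source. Lines must be in chronological order.
    Returns {ip: peak requests seen inside any window} for sources over the threshold."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec[0], rec[1]
        q = windows[ip]
        q.append(t)
        while q and t - q[0] > window_seconds:   # drop requests older than the window
            q.popleft()
        if len(q) >= per_ip_threshold and len(q) > flagged.get(ip, 0):
            flagged[ip] = len(q)
    return flagged


def global_peak(lines, window_seconds=10):
    """Peak request count across all sources in any window. A flood spread over
    thousands of proxies stays under any per-IP threshold; this catches it instead."""
    q = deque()
    peak = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q.append(rec[1])
        while q and rec[1] - q[0] > window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def _fmt(ip, t, method, path, status):
    return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


def build_sample_log():
    """Constructed sample using documentation address ranges; not a real capture."""
    base = datetime(2023, 6, 14, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # Five ordinary clients sharing one request every 3 seconds (~90 s of traffic).
    for i in range(30):
        events.append((f"198.51.100.{10 + i % 5}", base + timedelta(seconds=3 * i),
                       "GET", f"/accounts?page={i}", 200))
    # One source hammering the login page: 120 POSTs in 6 seconds, origin answering 503.
    for i in range(120):
        events.append(("203.0.113.7", base + timedelta(milliseconds=50 * i),
                       "POST", "/login", 503))
    events.sort(key=lambda e: e[1])
    return [_fmt(*e) for e in events]


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source offenders:", detect_flood(log))          # {'203.0.113.7': 120}
    print("peak requests in any 10 s window:", global_peak(log))  # 124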
Ransomware attack
They depend on several factors: initial access brokers, the availability of 0day exploits and the number of operators, and then the synchronization of the attack itself (the claim is that they want to attack all EU banks at once). Banks invest in the security of their IT. There are mechanisms at the level of the entire bank where services are isolated and kept running without interruption during an attack (high availability, service replication, backups, and so on). A single group would not be able to gain access to the IT environments of these banks in a short period of time. One approach could be insiders inside the banks who would help with initial access, but even there the level of security differs from bank to bank, so it is not certain that all attacks would succeed; if anything happens, it will again be against a smaller part. The success of the attack depends on many factors, so the attackers are once again at the mercy of how well prepared the bank is technically.
3) PROMOTING ATTACKS
Media promotion of the attack
The only certain element in all this is the psychological effect of the alleged attack. Even if an attack does not happen, the very fact that the information appeared in the media can strengthen the effect when a bank's website is taken down (let's say that is the only goal, and the fastest one to achieve in this case): stock-market reactions, loss of clients and other consequences. It could even trigger withdrawals of money from the banks and thereby disrupt their operation.
Attacks by competitors
Such a "grey" situation could be exploited (though this is less likely, for several reasons) by competitors of certain banks to destroy the others (through spin, real attacks and so on). Again there is a possibility that the attacks are linked back and the organizer (in this case a bank) is found and suffers collapse, loss of money or closure. So it is unlikely or not likely at all. If it did happen, then we could talk about a bank's connection to the KillNet/REvil groups through an ownership share in the bank (say someone from Russia owns part of a bank). Again there is a possibility of finding links between the group and the competing bank.
Foreign state support for the KillNet and REvil groups
States often use criminal groups to achieve a specific goal, and there is a possibility of Russia's involvement as a sponsor. Such things can be detected by comparing how many resources the group had before and after a certain point in time, and what impact their attacks have (not in the media, but in the technical part of the attack); a connection can show up in the fact that they suddenly have a lot of money, are better organized, have changed their attack methods and so on. But as I said, something becomes visible. Can states direct them towards specific targets? Yes, but in that case the state would make sure the attack was effective, which would be visible and easy to spot.