The fight against ISIS might have been decided in Syria, but in cyberspace, it rages on. As ISIS fighters from around the world rallied around their infamous black banner, Anonymous hacktivists answered the call to counter ISIS online.
This on-demand presentation, led by Benjamin Preminger, Cyber Threat Intelligence Specialist at Sixgill, will trace how ISIS used online networks to grow their influence, and how ISIS has taken measures to enforce strong cybersecurity measures among its members Like a Russian-language ISIS cybersecurity manual shared on a dark web forum.
We discuss anonymous and “OP” campaigns, focusing on the DecryptISIS campaign by the hacking group Ghost Squad Hackers (GSH). GSH were able to infect ISIS members’ phones and computers with malware and expose their IP addresses, physical addresses, names, and faces. The DecryptISIS operation provides a rare glimpse into threat actors’ tactics, techniques, and procedures (TTPs), and can help cybersecurity professionals better understand anonymous cyber threats, and how to defend against them.
BENJAMIN PREMINGER: Hey, everyone.
My name is Benjamin Preminger.
In case you're at the wrong place, we're talking about OP/ISIS and the modern age of cyber war.
Just a bit about myself.
I'm a threat intel specialist at Sixgill.
We're an Israeli-based cyber security company.
We have a couple of feeds on Anomali.
Our main focus is on crawling deep and dark web sources and providing that through the platform in an automated actionable way.
I'm not going to talk too much about the company, but just so you hear about some of the use cases we provide for, from basic deep and dark we're monitoring, some brand protection elements, fraud detection, of course, and then a dynamic vulnerability assessment tool that's looking at the patching of CDs.
Anomali, again, we have the financial threat intel feed, the targeted actionable intelligence feed, and then the Sixgill platform to augment all those capabilities.
I'll mention it again at the end but if you're interested in anything I have said here as well as some additional information, we're at booth 106 over in the main hall.
OK, so let's talk about why I chose today's topic of conversation.
Well, two main intelligence items really brought it to the fore.
One is the photo of this guy.
His fake name is Ali.
He's a born and bred in Gaza.
His aunt's name is Nuwal, and he's also an ISIS operative.
I know this because an anonymous hacktivist group called Ghost Squad Hackers hacked his phone, his Telegram account, Whatsapp account, et cetera, as part of Operation Decrypt ISIS.
And they revealed all that information earlier this year in February.
On the other side of that coin, we've seen this document-- the Russian instruction on cyber security manual published on the dark web Russian language forum, and it was meant for ISIS operatives, how to maintain proper cyber security proceedings or procedures.
I think both of these intelligence agencies basically show two sides of the same coin.
How are underground threat actors, non-state actors-- on one side, we're seeing ISIS, on the other side, anonymous hacktivists-- how are they using underground networks, all the sort of cyber security tools we know and protect against, hacking techniques, malware, and so on, how are they using it against each other?
And then what lessons can we take as a result of that both if you're on the government side, law enforcement, homeland security things, or that nature, as well as of course in the private sector side, how can we learn from these TTPs, methods of operation?
And how can we use that to enrich our understanding of the threat landscape and in turn, obviously, improve our cybersecurity posture?
I'll leave some time-- the end by the way.
Just a bit on today's agenda, I'll try to keep on the and then have time for Q&A at the end.
We'll start by ISIS online presence, things probably some of you may already be aware of.
Looking it up, ISIS, so the anonymous hacktivism operation against ISIS.
Moving on, we'll discuss Ghost Security Group, one of the main groups operating in the OP/ISIS space.
Looking at Ghost Squad Hackers, and specifically, Operation Decrypt ISIS.
So the operation to decrypt and expose ISIS hacktivists.
Looking at some of the TTP, some of the tools they might have used as part of this operation.
And then conclude with some thoughts about how can we take all of this information, how can we reflect on it, and again, improve our cybersecurity posture as cybersecurity professionals.
OK, so let's start with ISIS online presence.
I'm sure you all know some of these things.
So broadly, I've categorized four main avenues of their cyber operations.
One is external propaganda, the beheading videos, and all of those things they've used to spread their message.
We've seen internal propaganda, so Quranic texts and things to boost internal morale of ISIS members.
Training materials, so anything from hand-to-hand combat training to how to make explosives at your own home.
And the thing I'm going to focus most on is their cybersecurity awareness.
How are these individuals, members, terrorists actually educating themselves and each other on cybersecurity proceedings or procedures.
And in turn, what does that tell us about how threat actors are operating and how much are they aware of what we're trying to protect against and how we're trying to monitor and detect their attacks.
On the external propaganda site, threats against Western countries-- by the way, all of the information here, I got just from looking at our own platform at Sixgill platform.
So for example, threats against Western countries shared on Telegram groups.
I've seen threat against America, against other terrorist groups, threats against apostates-- so in this case, depicting Saudi Arabia as the cattle and America as the shepherd.
And of course direct and targeted threats of attack.
In this case, looking at the Russian UEFA football or soccer champions league games in Ukraine last year.
Additionally, we're looking at multilingual content.
So in this case, the same type of propaganda was shared in 11 different languages.
Anything from moves back to, of course, English, Armenian, and so on.
And I think just as a point of how we can use that to improve our own fed intelligence operations, analyzing what languages they use both provides us context on who are they trying to target, who's the audience that they're trying to message this with, as well as where they're likely operating and all.
So areas like Central Asia, Eastern Europe, of course, and even Southeast Asia.
In this case, we're seeing some in Indonesian.
Looking at their internal propaganda, anything from updates on the ISIS operation.
In this case, how many activists were involved, how many activities-- mujahideen, so 60 terrorists, a pie chart of where these activities took place and what form they took.
All those posters about boosting morale and so on, and even messages from ISIS leadership, in this case Abu Bakr Al-baghdadi.
In terms of training materials, anything from instructions on how to protect yourself against Sarin gas attacks.
That's more in the Syrian context.
Instructions on the use of drones and actually how to outfit drones with explosives or firearms, as well as combat and weapons training, anything from sort of operational security, weapons training, and even videos on how to make explosives in your own home.
OK, this is really I think the interesting point in the context of this conference and probably most relevant to your work.
How does ISIS educate its operatives, its members, its soldiers in cybersecurity practices?
And what lessons we can take that in reflecting on how we monitor and think about the threats that are out there?
I mentioned before the instructions on cybersecurity.
This is in Russian, found in a dark web forum.
We're seeing big brother is watching you in Russian.
We're seeing the type of software they use to encrypt data-- I think from Tails.
So diverting traffic through TOR to using VeraCrypt to encrypt your files.
And of course, all this is encased in a layer of ideology.
So we're not just looking at, quote unquote, regular hackers.
We're having everything in an Islamic sort of extremist ideology that, again, also informs our understanding of their threat operations.
Their awareness of mobile phone malware.
I don't know if you've seen recently, there are some articles on US cybercrime operations against ISIS.
So we're look at how the US is actually attacking ISIS operatives.
Here, we're seeing an example from an ISIS Telegram group, collected in May of 2017, that they're actually aware of how US or Western intelligence agencies are monitoring them, trying to infect them with the malware.
In this case, we're seeing specific mentions of AndroRAT type of remote access Trojan.
And interestingly, the distribution method involves Islamic State ringtones.
So we're actually seeing the using of essentially social engineering to direct and specifically tailor the type of malware to the specific target.
In this case, we're talking about Islamic state activists.
We're probably don't feel very sorry for them but if we take it out of that context and think OK, if hackers are trying to use the same methods to target bank executives, local law enforcement, any type of spear-phishing a social engineering attempt, you can imagine how they're using the same type of tailoring of malware to target what we call innocent victims.
Advice and common vulnerabilities.
So again, we're seeing the mention of AndroRAT.
We're seeing preference of specific operating systems, iOS over Android, as well as SIM cards are considered inherently compromised.
I don't know if you can see item number three in this post.
By using SIM cards, you already have been cracked by cybersecurity Intelligentsia.
So we're seeing, again, the awareness of the other side, the threat actors of counter-intelligence or sort of Western intelligence capabilities in their activity as a result of it.
A specific example is AFAQ, Arabic for horizons.
This is a very interesting I think use case of how threat actors are actually distributing and educating themselves on good cybersecurity measures.
And if we're thinking about our own cybersecurity posture and the cybersecurity or savvyness of people at key positions in government and private sector, I think it's interesting to see the gap between what the other side has and what we have.
So AFAQ, it's an Islamic-focused organization aimed to, quote unquote, raise security awareness among Muslims.
I've actually only seen mentions of this organization in Jihadi forums, Telegram groups, et cetera.
So it is very highly correlated with Jihadi activity in the underground.
It uses traditional website.
A paste-based site, so similar to Pastebin, as well as three main communication platforms-- Telegram which we all know, Threema which is another into an encrypted network, as well as Conversations, which is a Jabber client similar to Pidgin, if you guys know that platform.
Again, trying to take away this type of analysis, we're also able to understand what type of platforms they use.
And then in turn, we can sort of evolve that investigation to understand, OK, we should be tracking this specific paste site, we should be tracking this specific platform as a way of correlating intelligence to a specific area.
The type of materials they distribute it, in case, caution against using Google services.
But we're seeing all the various Google services and one information Google has about you as a user.
And as a response to that, a few weeks later, in this case, in January 2019, alternative to Google services, anything from an alternative search engine, cloud storage, alternative browser, email services, app store, media player, and even an alternative to YouTube called NewPipe.
Additionally, we're seeing competitive analysis of VPN services.
I thought this was interesting both because it's showing the sort of very business-like approach of Jihadis to evaluate VPN services.
If you didn't know, and if this was in English, you'd expect it to be in some, I don't know, Gartner report or something like that.
But we're seeing the type of interesting things they're interested in.
Specifically, I thought country of origin matters.
You would imagine that if you're doing whatever nefarious activities, terror-related or otherwise, you wouldn't want to do it in a country where the VPN services are likely monitored or susceptible to warrants by the government.
So potentially, you'd prefer not to pick on any specific countries but maybe Bulgaria over the US, as a country where you'd use VPN services.
Or countries that are less likely to be monitoring that type of activity.
And again, of course, which VPN services are popular among threat actors.
This, again, also gives you the sort of broader scope view of which services threat actors are using.
Again, mobile/IM platform security.
So looking at how to remove your phone number for Telegram, how to redirect Telegram communications through TOR, and how to set up TOR on Android.
And all of these, again, are pretty recent.
I think from June, April of this year.
So if we're looking at sort of broader view of where ISIS is in the real world is, we're seeing increased and continuous activity underground, even though the sort of physical presence of ISIS is not what it used to be.
Just as an Israeli, I thought this would be interesting.
They've also have specific articles and a sort of think-tank approach out of Hadoop, Know Your Enemy, an article shared about the dangers of Israel's intelligence services.
So we're seeing now just sort of tips about what not to use and what to use, but actually intelligence about your opponent, in this case, Israel.
As a sort of small subset of that activity, ISIS, I detected some specific file sharing sites and services they used.
This is screenshot from our platform.
So top4top.net is a file sharing service that I only saw in the context of Jihadi Islamic terrorist activity.
We're seeing a peak in June of 2017 and dimensions of that specific file sharing services.
Majority of results are from Telegram.
And if we're filtering by language, we're seeing Arabic is the most common language.
But again, we're seeing some additional results in, for example, Indonesian, Farsi, sort of some of the results you might expect in that context.
Internally, it's interesting, and this is sort of the inside baseball of threat actors.
There are a lot of internal factions inside the ISIS cyber operation, various factions that are banding together.
In this case, the UCC or the United Cyber Caliphate , specific subgroups that joined forces together to fight the West, quote unquote.
And we're also seeing infighting and false flag operations inside those.
Potentially, some of this was conducted by Western intelligence agencies or defense establishment.
But we're seeing, in this case, a warning used by the Cyber Caliphate Shield that some other threat actors are actually feds right there, operated by intelligence agencies.
And we've seen that sort of back and forth of them accusing each other of being fake imposters and trying to infiltrate those systems.
For example, in one case the Dawhla Hacker Division-- Dawhla is state in Arabic-- response to the claim here that they are imposters, specifically that they are not impostors, and specifically outing or doxxing the CCS as leader.
CCS leader Omar.
He is a spy.
He is a dog.
Don't be like Omar.
Obviously this is slightly comical, but I think to get a really deep understanding of the threat landscape and I think Mike Rogers will be talking about the ecosystem of threat actors, you really got to go to these places and understand the inner relationship between all these different groups.
And that in turn both obviously informs your understanding of it.
And then, in turn, also helps you to detect or maybe even prevent attacks.
Moving onto the other side of OP/ISIS, the operation by Anonymous, the hacktivist collective against ISIS.
For those of you who are not familiar, OP campaigns are basically operations against specific entities, specific company, specific countries.
Anything from, of course, OP/Israel campaign to hack Israeli institutions.
OP/Icarus, I think earlier this year, targeting financial institutions.
And most recently, OP/Amazon or Amazonia due to the fires in the Amazon, anonymous hacktivists are attacking Brazil-affiliated entities that have some sort of vested interest in the Amazon as a way of sort of protesting what's going on there.
Specifically in the context of OP/ISIS, we're seeing things like the doxxing, the revealing of personal details of ISIS operatives.
In this case, close to 3,000 ISIS member email exposed.
You can imagine how just the very fact that your email works both even in the sense of you being a victim, credential stuffing, brute force, dictionary attacks, all the ways in which you can exploit email addresses, super easy.
Obviously, in the context of ISIS, we care less about the victims but if we take a step back and think about what is the implications of having this type of information if it was in a private or public sector context, how can that be exploited against myself, my organization.
Twitter users reported.
This is sort of the most well-known I think part of OP/ISIS.
And again, phone numbers disclose even more discreet or personal identification, information.
Additionally, we have TangoDown.
So taking down of websites that are affiliated with ISIS.
Again, if you think about the same methods used against private sector organizations, how can that affect us?
Interestingly, one example I found, I think it was late last year, I found a post where people were describing about how to exploit ISIS digital infrastructure, specifically S3 or Amazon web service storage used by ISIS to distribute it mostly propaganda videos and so on.
So they found this exposed ISIS cloud storage.
And what they suggested was to abuse the bandwidth to exact financial costs.
So to download over and over again all these files and basically rack up a huge cost on ISIS.
And that way, basically taking something that's sort of very cyber-focused and bringing it to the real world in terms of actually taking a huge financial, acute, somewhat of a financial toll on the victim.
If we're taking it from a broader perspective, how can that affect us, exposed as the buckets of any public or private organization can be exploited in the same type of way.
And I think it's interesting to understand how this could be a potential way in which threat actors will be attacking us.
And additionally, there was a list of thousands of files shared.
You can imagine a script very easily automating the whole downloading files day and night.
One of the prominent OP/ISIS groups I've seen is Ghost Security.
It goes by a number of names.
So again, not to go into the inside baseball but there's a lot of internal groups there.
It's loosely affiliated with Anonymous.
It used to have a website where you could, again, report ISIS sites to be taken down, specific members or specific roles from communications to engineering, and so on.
There's also a splinter group that claims to even be working with the US federal government.
Unclear how real that claim is, but it's also interesting to understand how they're trying to affiliate themselves.
On the one side, we have anonymous that's trying to completely disassociate from any government entity, and on the other side we're actually seeing hacktivists trying to associate with sort of nation state entities.
Analyzing the specific threat actors.
Tor Reaper, one of the main actors involved with that group.
It's a major player.
Notice the time zone analysis on the activity?
We're seeing actually-- we're seeing specific time zone in which they're not active.
So this actually corresponds with an Eastern Standard Time time zone.
This is set to GMT.
And we're actually seeing week-long activity-- Sunday through Saturday.
So in this case, this person is actually-- it's even beyond a full time job.
Seven days a week, this person is posting in response to ISIS.
So what does that tell us about?
The sort of dedication and devotion they have to defeating ISIS.
We're also seeing, by the way, on the social network chart, some other threat actors they have interact with on the source.
In this case, additionally, what you will, a ghost, another main player in that group.
We're seeing the similar tactics we've discussed before TangoDown, taking down of websites.
And additionally, the reporting of ISIS Twitter users.
So CtrlSec is essentially a bot that reports ISIS Twitter users.
In this case, they claim to have reported over 300,000 ISIS Twitter accounts.
A huge number, but again, for thinking about how can that reflect on our activity, a bunch of people reporting legitimate Twitter accounts and then sort of having this sort of PR onslaught over legitimate entities.
A bit about the motivation.
It's interesting to hear that they claim to be not anti-Muslim, anti-islamic, but actually talking about-- we have Arabic speakers, we have Muslims among us.
We're just trying to fight extremism.
And additionally, some of the methods they use included crowdfunding on two separate platforms to finance their operations.
I mean, this is a fairly unique example from what I've seen.
But the fact that they actually tried to raise finances on the web to finance their operations, I think, again, goes to speak to the way things are going in terms of non-state actors, hacktivists, collectives and proto-states are operating underground.
Specifically, the Ghost Squad Hacker operation against ISIS or decrypt ISIS, I first found that out through actually a secondary site.
But Ghost Squad Hack is the main, in this case, Twitter user used by this group.
It's been active since 2016.
We're seeing a fairly broad time range of time of day, every day of the week.
So potentially, a number of people were using the same account.
And we've actually have on our system more posts that there actually are on Twitter.
So potentially, some of them were deleted, erased, or edited in some way.
So both of that speaks to the value of having threat intelligence platforms, but also interesting to see why some posts, some tweets are available or unavailable on the platform and what we can glean from that intelligence.
Looking at their members, were able to connect various identities through the Twitter accounts associated with the main account.
When they're defacing websites, we can follow the tagged accounts to the original users and then automatically map their interrelated connections and understand, OK, who's the main threat actor operating as part of this group, what are the various connections, in this case, the thickness of the line indicates the strength of the connection.
So we're able to really map and correlate that information to build a cohesive picture of who this hacking group is.
Siege is ostensibly the main leader of this group.
It's likely multiple people using the same alias.
I've seen multiple evidence and discussion of that.
And certainly, by the activity in our analysis, again, we're seeing activity that spans across time of day and day of the week.
And we've also seen doxxing by competitors and adversaries.
So again, looking back how the infighting occurs.
We're seeing them doxxing, revealing personal details as a way of combating each other.
In this case, Siege is redacted.
Siege is this one person, or potentially, Siege is this one other person.
Potentially, by the way, this could be counter-intelligence, but assuming it's not Siege, it is a fed named X, Y and Z.
And again, speaking about what I mentioned earlier, a potential government involvement.
So who are Ghost Squad Hackers?
Are they feds?
Are they not feds?
It could be a potential attempt by Anonymous hacktivists or even ISIS to discredit their threat actors.
Let's assume they're not feds.
This is again part of the infighting that goes on in this ecosystem is really relevant I think to understanding the inner relationships and dynamics between all these different groups.
Operation Decrypt ISIS is revealed in February of this year in which GSH basically disclosed information about ISIS admins of Telegram and Whatsapp groups.
The information include anything from contact lists from Whatsapp, Telegram, and phone call logs, and so on, as well as streaming video, front-facing cameras.
So front and back-facing cameras without the users or victims actually knowing that they're being watched, as well as exact geolocation of all these activists.
And I think it's important to think about these methods are out there by non-state actors.
How does that inform our understanding of them?
And then we're thinking-- and I'll mention that in the conclusion as well-- how can we think about the modern threat landscape, the capabilities that Mike Rogers and Ray Mabus talked about earlier that are used to be the purview of nation states are now being decentralized and being transferred to non-state actors, whether it's proto states like ISIS or individuals, small-hacking collectives.
This is really, I think, where things are going.
And how does that inform our understanding and our ability to improve cybersecurity posture?
Just as one example, I focused on one ISIS admin from Australia that was exposed in this incident.
Again, they hacked front and back cam.
They actually used systems to hide the green light or red light that shows that the camera's operating.
Photos of their car, including license plate number, photos of their credit card, personal background checks, family information including full family, children's names, wife names, et cetera.
By the way, in this case, it's interesting railway training.
If this was actually an ISIS operative, you can think about the type of implications of that.
Actual text messages.
In this case, we're seeing he's messaging Suwadji a lot, my wife, as well as of course, who this?
Current and previous address, so there are specific security training which also include martial arts.
Their type of phone and IP.
I saw evidence of the specific platforms they used, in this case, NordVPN plus TOR and Threema, which we mentioned earlier.
And then how can you additionally exploit all this information?
So I dug down deeper into the information.
For example, the credit card we just saw.
I looked at the contact list the person had and they actually had a Saint George card that had a Saint George contact on their contact list, including the full number, the expiration date, the last three digits, and of course passwords and so on.
And I think it's important to think about, OK, this is a guy that's actually part of a terrorist group.
And this is his cybersecurity awareness.
Now, if we take a step back and think about how do we inform and educate people in our own community and the people we protect, executives, not even fed intel teams people, or in accounting, human resources, people who have access to sensitive systems.
All of this and all of these tactics can be used on them just as well.
And the type of exploitation you can do is mind-boggling.
In this case, information about the children and where were their children go to school.
Under his wife, I saw email addresses and then look at our brief credentials database, you can find the passwords to those email addresses.
There's multiple ways in which all of that information can then additionally, be exploited.
But if you think about, OK, how are we taking this information?
And I think translating the need to educate on cybersecurity, improve cybersecurity procedures, just showing, OK, this is what you can do on one person.
It might as well or is likely to happen to people in positions of influence, whether it's a high-level executive or someone again with access to sensitive systems.
And additionally, I mean, all the information extracted from Telegram and Whatsapp, this was shared as part of the disclosure.
All these are ISIS operatives and numerous, numerous countries, geographic locations.
Overall, I think I've found, yeah, I was able to connect over to these ISIS operations or members from these countries.
So again, looking that type of activity, how can you learn from this type of disclosure about foot landscape and the threat actors involved.
Looking beyond ISIS, just this one example-- GSH targeted numerous other entities.
They're involved in OP/Icarus, the attacks against financial institutions.
They TangoDown, they took down the website of Black Lives Matter.
They took down government website in Thailand as well as OP/Amazonia.
I mentioned earlier, they're targeting Brazilian government and military entities because of the events in the Amazon.
Looking in some of the TTP, some of the techniques they might have used to execute these attacks.
So let's go back to the ISIS admin from Gaza.
The streaming video, you might see it.
So earlier, I showed you just a screenshot.
But this is actually the streaming.
It's a bit slow but you can see the actual video.
There's actually part of the video that had this falling white screen where it showed Metasploit.com.
This tells us that potentially they're using Metasploit to execute this attack, the pen-testing platform.
So again, taking every little bit of detail and trying to connect that to TTP to the ways threat actors think and operate.
And then in turn, use these insights to inform our activity.
Additionally, I found one folder, storage emulated, zero download, which is actually associated with an Android emulator.
Again, talking about how potentially this attack was executed.
Some additional methods that the potential use-- and this is sort of caveat, I have no direct way of knowing this is actually what they used.
But one technique potentially is QRL Jacking, QR code or Quick Response Log-in code.
Basically, hijacking the sort of same barcode access everyone uses on financial banking accounts, Gmail accounts, and so on, and hijacking that session.
So a regular QR code operation looks like this.
User visits the website, opens a session, the barcode, the QR code appears, you scan it, you're authenticated and gained access to the service.
In a QRL Jacking operation, what happens is usually in the sort of social engineering phishing page type of attack, you're being duped into scanning a QR code that actually the hacker inserted.
So what we're seeing here is the victim side on the left, the attacker side on the right.
The attacker side sends the actual QR code they want to be scanned to the victim's side and then they essentially scan their own code and the hacker or the attacker gains access to whatever system the victim is trying to access.
So for example, you can imagine how you can very easily design a page that looks exactly like the Whatsapp login page, and most people don't even look at the URL, it would be Whatsapp.login with whatever zero instead of an O, and you do people into providing access to the hacker, or you can even do SSL stripping, man in the middle attack, and injecting an actual ad-- Whatsapp is giving a free one year subscription, just QR this code.
And this is really dynamic.
This is updating.
As the hacker updates their QR code, this updates so we're seeing a really high level of sophistication in this type of attack.
Again, this is potentially one of the ways in which GSH gained access to that information.
And the type of applications and services that are vulnerable to this, I mean, are endless.
Chat applications, mail services, e-commerce, and so on.
Essentially any service that relies on QR code is potentially susceptible to this type of attack vector.
Another type of attack that potentially was used in the GSH operation is using rats.
In this case, I'll take as one example the Orcus rat.
It was Canadian-based guy that was actually arrested a couple of months ago.
There was publishing this remote access Trojan on their website.
It was actually pretty legit looking.
They had a full list of the features, reliability, and so on.
And all for the measly price of $40.
This was actually on a clear website.
There's no attempt to hide it in some dark web forum or whatever.
And this was available to everyone.
And the type of features included anything like a key logger right recording the keystrokes of the user, steal browser cookies, as well as access the victim's webcam and disabling the light.
So it matches really closely to I think the type of information that was extracted in the attack.
And this is just one example, by the way.
There are additional examples.
But it's interesting to see that more researchers discovered that there was malware campaign that was distributing it actually encased in a Ramadan-themed Coca-cola video.
So what would happen is you download this file and with it the Orcus Rat, would automatically download the malware and infect your device.
So again, looking about the ringtones, Islamic State ringtones example I showed you earlier, socially engineering and tailoring the type of attack vector to match the type of target audience or target victims.
And this was actually discovered in February of 2019, the same month that Decrypt ISIS, the GSH operation was discovered.
So again, I don't know for sure if this was the exact attack vector used.
But you can think about how both it matches and additionally, how all of these tactics and these attack vectors can potentially be used against your organizations, your clients, and so on.
All right, let's wrap up with some thoughts about all of this.
What kind of insights we can glean from this information?
So one, non-state actors with national power.
There was some talk about the Cold War, how there used to be sort of nuclear deterrence and all of that.
I think we're going into an era where the decentralization and distribution of power in terms of cyber power is not anywhere close to what nuclear weapons used to be.
Essentially, everyone have access to more or less-- I'm not talking about the sort of Stuxnet level of hacking tools, but on sort of low-hanging fruit type level.
There are a lot of threat actors out there with a lot of capability, a lot of time on their hand, and the motivation-- whether ideological or financially motivated-- to use these tools.
We're also seeing what I would call asymmetric warfare in the cyber realm.
So sort of traditional warfare-- army on army, sort of fairly even paired.
If we're thinking about cyber threats, it's one person in some basement in Ukraine or wherever.
That's not only that's able to access and attack threats on scale.
Automatically, DDoS, multiple, multiple sites.
As well as we think about the organizational perspective, we're seeing threats coming from everywhere, not just from your geographic vicinity but also from the entire world.
So threat actors are completely decentralized, distributed globally, and they're able to attack targets in a sort of massive whole scale way, the same way that maybe the machine gun allowed people to attack people in a sort of mass casualty way in World War I.
This is a type of threat pattern we're looking at now.
TDDs are transferable.
Every technique attack vector we just saw here are transferable to every vertical, every industry, every threat environment.
It's not just Anonymous attacking ISIS or ISIS attacking Anonymous, or even federal government attacking ISIS.
All of these techniques are in turn available to everyone, whether it's this year or next year.
We all know what happened with Shadow Brokers, et cetera.
Eventually, all of these techniques will leak out to the web and then in turn be used against legitimate, quote unquote, innocent victims.
And for that reason, we really I think have to explore and understand the threat environment, not just in our own siloed, OK, I'm in the fraud team, I'm only going to look at fraud mitigation or prevention.
We really got to take a broader contextual view and learn from every bit of learning opportunities we have.
Not all threat actors are the same.
So I talked about the internal factions within ISIS, within Anonymous.
How can we understand these different factions of these different groups?
And then in turn, how can we both learned from that and potentially exploit that?
Weaknesses, not just in terms of exploiting whatever zero days and things of that nature.
But also how do we exploit the internal dynamics of these organizations to potentially pit them against one another or understand, OK, these are their weak spots, these are their blind spots, and so on.
Private sector implications.
I mean, I've already mentioned this, but especially if you're in the private sector, this is not just for the NSA or whatever three-letter agency.
These are threats that are impacting in the president everyone and will be impacting more so the private sector in the future.
Lastly, and this is what I would call a cyber war of attrition.
So there's been a lot of talk of cyber 9/11, cyber Pearl Harbor, the sort of cataclysmic event that will shut down the US power grid or whatever.
I think we're going to an era where it's going to be much more of-- for example, the low scale exacting financial costs through the exploitation of the S3 AWS buckets we saw earlier.
These sort of low-level, low-hanging fruit type of attacks that on scale will actually exact a huge cost for talking about attacking American targets, financial cost, cost in resources, cost in time.
It could be anything from spear-phishing financial entities to basically erode their capability to operate, and thereby giving the opponent an advantage.
But basically, looking at small, low-level but continuous attacks that if we're judging them on whole, we'll actually have a much more, I think, significant effect as opposed to if we're just thinking, OK, we're just protecting sicker, we're just protecting critical infrastructure and key resources.
What we're likely to see is all these low-level attacks that are hard to attribute it, when we're talking about large, they potentially could be very easy to prevent.
But again, that depends on your attack surface which at the end of the day is really the individual operating the systems, the VIP that has access to the confidential emails, the engineer that has access to the server, and even the consumers who have access to the log-in portal.
So I think by adopting that type of mind frame, I think both educating ourselves, educating our consumers in terms of people actually using the systems we protect, I think that's sort of the mind frame we should be looking at as opposed to these sort of Stuxnet, cyber 9/11, Pearl Harbor type scenarios that are, A, probably going to be prevented by nation, states, governments, and so on.
And B, are much I think both likely and certainly in the near and midterm future, are going to be less likely to affect our operations as opposed to these sort of low-level attacks.
All right, thanks everyone.