Cyber Terror Attacks

Title: Zeus Botnet Gang Targets Accounts Of Large US Broker
October 18, 2010
Computer World

Abstract: Criminals are using a Zeus botnet to pillage investment accounts at US broker Charles Schwab, a security researcher has said.

The attacks show that while authorities were arresting more than 100 members of one Zeus gang, rivals were adding lucrative investment accounts to their usual targets of online banks.

"They're expanding their horizons," said Derek Manky, project manager for cybersecurity and threat research at Fortinet. "We've seen some discussion of investment accounts [being targeted] by Zeus, but I've never seen proof that they actually are."

The Zeus infections stem from messages posing as LinkedIn reminders that include disguised links to malicious sites. Those sites then hit the Windows PC with numerous drive-by exploits, looking for one that works. Among the exploited vulnerabilities: the Windows Help & Support Center bug disclosed in June by a Google security engineer and patched by Microsoft in July.

Fortinet's analysis of the malware's configuration file uncovered evidence that the attacks pilfer money from Charles Schwab investment accounts, said Manky.

After sneaking onto a PC via an exploit, the Zeus bot watches for, then silently captures log-in credentials for a large number of online banks, as well as usernames and passwords for Schwab accounts.

The attack code also injects a bogus form that asks victims to provide additional information the thieves can later use to confirm that they are the legitimate owner of the Schwab investment account. On that form are fields asking for the user's mother's maiden name, driver license number and employer.

Manky speculated that the criminals based the original infection on fake LinkedIn messages because they expected a high correlation between LinkedIn membership and investment account ownership.

The Zeus attacks began in late September and peaked in early October, said Manky, who warned that because criminals commonly conduct campaigns in waves, more are likely. The botnet's command-and-control domains are still functioning, still receiving stolen information from infected PCs and still transmitting new orders to the botnet.

"They're injecting code silently into the live session while you're at the [legitimate] Schwab site," said Manky of the fake form. It would be impossible for a user to know that the form was bogus. "As far as you're concerned, you're still in a valid secure session, since they're piggybacking this malicious content."

Manky said the attackers use the injected form to acquire additional authentication information so that they can parry confirmation queries after they conduct online transactions using the stolen usernames and passwords.

Like most Zeus botnet gangs, this one siphons cash, then uses "money mules" to transfer funds to the brains behind the organization, Manky said. With access to investment accounts, the crooks can not only vacuum up cash, but also sell securities to restock the cash account for further withdrawals.

Although police in the US, the UK and Ukraine collared more than 100 members of a Zeus crimeware gang three weeks ago, experts warned that the arrests wouldn't stop the botnet. Other gangs can simply step into the void.

Manky agreed. "Zeus is widely supported, has such a large pool of developers now, that the cat and mouse game will just continue," he said (Computer World, 2010).

Title: Symantec Report Shows Increase In Cyber Attacks
November 1, 2010
Computer World

There was no let up in so-called targeted attacks by cyber criminals this month across all sectors and geographies, according to the October 2010 MessageLabs Intelligence Report of Symantec. While some types of attacks saw marginal decreases, the report noted that the threats remain.

Globally, attacks increased to 77 attacks per day from only one to two attacks per week five years ago when the attacks were first discovered. Among the different types of security attacks, from e-mails to website and domain attacks, e-mail attacks were lower in volume but are "one of the most damaging types of malicious attacks", said MessageLabs Intelligence senior analyst Paul Wood.

Wood added: "Although the number of unique attack exploits being deployed has diminished slightly, the number of attacks used by each exploit has increased."

Spam attacks decreased 4.2 per cent from last month to 87.5 per cent while viruses decreased 0.01 percentage points to one in 221.9 e-mails. Phishing attacks also decreased 0.06 percentage points to one in 488 e-mails.


Countries in Asia experienced a similar trend. Hong Kong posted highest spam rates at 92.4 per cent in October from 92.7 per cent. India had the highest virus rate with one in 84.8 e-mails from one in 177.1 last month.

Across industries, MessageLabs noted an increase in attacks in a particular industry, retail.

"For the first time, targeted attacks hit the retail sector hardest this month where they increased from a steady monthly average of 0.5 per cent of all attacks over the past two years to 25 per cent in October characterised by a retail organisation that was the intended recipient of three waves of highly targeted spear phishing attacks. In October, 1 in 1.26 million e-mails comprised a targeted attack," the report stated.

The attacks in the industry also targeted specific operational units, human resources and IT.

"The spear phishing attacks, launched in three waves each one week apart, used social engineering techniques to distribute legitimate-looking e-mails from HR and IT staff of the targeted organisation but in actuality contained malicious attachments," said MessageLabs.

The report theorized that the attackers might be trying to steal client information from the retail industry.

One unidentified large retailer was attacked 324 attacks (63 per cent) of the total 516 attacks last month.

MessageLabs said the attack on any particular industry may happen any time. "This month it was the turn of the retail sector to be subjected to a persistent series of targeted attacks, but next month it may well be your business," the report read (Computer World, 2010).

Title: Cyberattacks On Company Websites Intensify
January 5, 2011
USA Today 

Abstract: It will be much harder this year for companies to deflect the rising onslaught of cyberattacks orchestrated to knock them off the Internet.

Hundreds of times each day, attackers use a technique called distributed denial of service, or DDoS, that involves coordinating home PCs to flood targeted websites with nuisance requests — to the point where no one else can access the site.

Most DDoS attacks get blocked or filtered. But the volume and sophistication of such attacks accelerated in 2010, a trend that looks to intensify in 2011. "The good guys are slightly ahead," says Craig Labovitz, chief scientist at network security firm Arbor Networks. "But it's not clear this equilibrium will continue."

One major driver: More home PCs than ever have broadband connections capable of sending large streams of data to commercial websites. That's made it easier for protest groups to rally like-minded cohorts to join in attacks.

In September, protesters used their home PCs to bombard the Motion Picture Association of America's website, knocking it offline for 20 hours. The motive: payback for MPAA's alleged efforts to shut down, a popular site for downloading pirated music and movies.

Home PCs were behind the December attacks that disrupted the websites of PayPal, Visa, MasterCard and PostFinance, a Swiss bank. Protesters sought to punish them for cutting off services to the WikiLeaks whistle-blower site.

While such outages are temporary, "brand damage" can be lasting, says Danny McPherson, head of research at Internet infrastructure firm VeriSign. "Losing customer trust can translate into lost revenue," he says. No industry estimates of such losses are available.

Another big driver: DDoS attacks that stem from cybergangs controlling networks of infected home PCs, called botnets, are becoming more elaborate. "As it stands today, any Web service can be taken down at any time," says Gunter Ollmann, head of research at network security firm Damballa.

In November, Akamai Technologies, which helps big websites deliver content, blocked an intricately designed attack against five major Internet retailers, says spokesman Michael Cucchi, who declined to name the retailers.

The attacks began the day after Cyber Monday, the start of the online Christmas shopping season. Thousands of infected home PCs in four nations were instructed to bombard the retailers' websites with 10,000 times their normal daily traffic. The retailers might have lost up to $15 million, Cucchi says. It is unknown whether the attackers intended to extort payments in return for halting the attacks, he says.

Even so, the episode revealed a "sophisticated and motivated attacker," says Ted Julian, cybersecurity analyst at research firm Yankee Group (USA Today, 2011).

Title: Zeus Trojan Intercepting Bank Text Messages
February 22, 2011
Computer World

A version of the Zeus malware that intercepts one-time passcodes sent by SMS (Short Message Service) is targeting customers of the financial institution ING in Poland.

The security vendor F-Secure blogged on Monday about the issue, which was analyzed on the website of security consultant Piotr Konieczny. F-Secure wrote that it appears to be the same style of attack found by the Spanish security company S21sec last September, which marked a disconcerting evolution in Zeus, one of the most advanced banking Trojans designed to steal passwords.

Zeus has changed its tactics, since some banks are now using one-time passcodes sent by SMS to authorize transactions performed on a desktop machine. First, attackers infect a person's desktop or laptop. Then, when that person logs into a financial institution such as ING, it injects HTML fields into the legitimate Web page.

Those fields ask for a person's mobile phone number and the model of their phone. When that information is entered, the attacker sends an SMS leading to a website that will install a mobile application that intercepts SMSes and forwards messages to another number controlled by the attackers. The Zeus mobile component will work on some Symbian and Blackberry devices.

Once that setup is complete, the attacker can simply do a transfer whenever it is convenient, such as when an account has just received a deposit. An attacker can log onto the account, receive the SMS code and begin transferring money.

ING officials contacted in the Netherlands on Monday afternoon did not have an immediate comment.

The SMS ability of Zeus has prompted vendors such as Cloudmark to warn about how SMS spam, or SMS messages designed to enable other malware, are a growing threat. Cloudmark sells a system to operators that analyses SMS messages and can filter ones that have spam or other offensive content (Computer World, 2012).

Title: NASA Computer Hacked, Satellite Data Accessed
May 17, 2011
Tech News Daily

A Romanian hacker claims to have breached a computer server at NASA's Goddard Space Flight Center and gained access to confidential satellite data.

The hacker, who calls himself TinKode, took to Twitter shortly before noon today (May 17) to boast: "NASA Goddard Space Flight Center (Hacked) 1 Server Access."

On his blog, TinKode posted a screen grab of what he said was a Goddard Space Flight Center FTP server. The screen shot shows files that appear to be connected with NASA's SERVIR program, which uses satellite data to aid in disaster relief, health risk assessments, and climate change and biodiversity issues, wrote Paul Roberts from the security firm Kaspersky Lab.

Rob Gutro, deputy news chief at the spaceflight center, located in Greenbelt, Md., confirmed "there was a breach in the NASA Goddard FTP site" but said it actually took place in April.

"The necessary steps were taken to protect the infrastructure at that time," Gutro told SecurityNewsDaily, adding, "NASA doesn't discuss the details of our IT security but remains vigilant to secure the security of our sites."

TinKode's announcement of his hack came just one day after the final launch of the NASA space shuttle Endeavour before its retirement, and one month to the day after TinKode allegedly hacked into the servers of the European Space Agency (Tech News Daily, 2011).

Title: LulzSec Claims New International Hacking Victory
Date: June 22, 2011
Source: Telegraph

Abstract: In a tweet in the early hours of Wednesday morning, LulzSecBrazil wrote: "TANGO DOWN &"

Another Twitter message from the main LulzSec page then added: "Our Brazilian unit is making progress. Well done @LulzSecBrazil, brothers!"

The websites are the official pages of the Brazilian Government and the President's office, the equivalent of the Downing Street site.

Attempts to access the websites this morning proved unsuccessful and the attacks appeared to have swamped the pages with internet visits, causing them to crash.

The Brazilian government has become the latest high-profile victim claimed byLulzSec in a list which has allegedly included the CIA, the US Senate, the US television broadcaster PBS, Britain's Serious and Organised Crime Agency and the technology firms Sony and Nintendo.

If the claims are accurate, it would not be the first time that LulzSec has reacted hard to attempts to damage it.

Yesterday, the group posted the private details, including the home addresses, of one hacker and his associate who "tried to snitch on us", accusing the hacker of "countless cybercrimes".

Addressing the post to the "FBI & other law enforcement clowns", they signed off: "There is no mercy on The Lulz Boat. Snitches get stitches."

The 19-year-old arrested in the UK on Monday night is Ryan Cleary, the son of a college lecturer. The teenager is accused of being a “major player” in LulzSec.

He was held in a raid at his family home in Wickford following a joint investigation between Scotland Yard and the FBI, which was also aimed at finding the hackers who breached security at the video games firms.

No messages were posted on the Twitter account of LulzSec for about 10 hours after the arrest before two denials came.

One read: "Clearly the UK police are so desperate to catch us that they've gone and arrested someone who is, at best, mildly associated with us. Lame"

Another read: "Seems the glorious leader of LulzSec got arrested, it's all over now... wait... we're all still here! Which poor b-----d did they take down?"

It was alleged last night that Mr Cleary was online in the middle of hacking when he was held. The arrest came hours after an anonymous internet user claiming to be from LulzSec threatened to publish the entire 2011 census database, though this was later dismissed as a hoax. A Scotland Yard spokesman said a “significant amount of material” had been seized from Mr Cleary’s family home by officers from its specialist e-crime unit, and would now be subjected to forensic examination.

Mr Cleary’s family expressed disbelief that the self-confessed computer “nerd” had anything to do with hacking. His mother Rita, 45, said her son “lives his life online” but she thought he had been playing computer games in his bedroom at the detached family home.

She added that, as he was led away by police, he told her he feared he would be extradited to America.

His older brother Mitchell, 22, said: “Ryan is obsessed with computers. That’s all he ever did. I was stunned to hear he had been arrested.

”He's not the sort of person to do anything mad or go out and let his hair down or do anything violent. He stays in his room - you'll be lucky if he opens the blinds, but that's just family, isn't it? I barely see him - I'm more of a football person - he's more of an inside person."

He said his brother had fallen out with people over WikiLeaks: "He used to be part of WikiLeaks and he has upset someone from doing that and they have made a Facebook page having a go at him."

James Rounce, a neighbour of Cleary, said: "They moved in about 10 years ago and have been pleasant neighbours. I think he had been away at university and had come back for the holidays or because he had finished his exams. You could tell he was very bright just from the way he spoke and presented himself."

Mr Cleary’s father Neil, 44, worked as musical director on the West End production of the Andrew Lloyd Webber musical Starlight Express. He later became a lecturer at Peterborough Regional College in Cambridgeshire and director of its orchestra. Nick Stamford, a former classmate of Ryan Cleary, said: “He used to spend a lot of time at home and that is when I think he got into computers. He was quite bright but he didn’t really have too many friends.”

LulzSec has emerged in recent weeks as a rival to the hacking group Anonymous, which targeted banks that had refused to process donations to the WikiLeakswebsite.

The organisation claimed credit for hacking into the accounts of Sony PlayStation users. On Monday it bombarded the website of the Serious and Organised Crime Agency with so much internet traffic it had to be taken offline.

Mr Cleary’s arrest is likely to lead to comparisons with the case of Gary McKinnon, the 45-year-old Briton fighting extradition to the United States, where he could face 60 years in jail if convicted of hacking into Pentagon and Nasa computers (Telegraph, 2011)

Title: Biggest Series Of Cyber-Attacks In History Uncovered
 August 3, 2011

Abstract: Security experts have discovered the biggest series of cyber attacks to date, involving the infiltration of the networks of 72 organisations including the United Nations, governments and companies around the world.

The security company McAfee, which uncovered the intrusions, said it believed there was one "state actor" behind the attacks but declined to name it. One security expert who has been briefed on the hacking said the evidence pointed to China.

The long list of victims in the five-year campaign includes the governments of the US, Taiwan, India, South Korea, Vietnam and Canada; the Association of South-east Asian Nations ; the International Olympic Committee (IOC); the World Anti-Doping Agency; and an array of companies from defence contractors to high-tech enterprises.

In the case of the UN the hackers broke into the computer system of the secretariat in Geneva in 2008, hid there unnoticed for nearly two years and quietly combed through reams of secret data, according to McAfee.

"Even we were surprised by the enormous diversity of the victim organisations and were taken aback by the audacity of the perpetrators," McAfee's vice-president of threat research, Dmitri Alperovitch, wrote in a 14-page report released on Wednesday.

"What is happening to all this data ... is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team's playbook), the loss represents a massive economic threat."

McAfee learned of the extent of the hacking campaign in March this year when its researchers discovered logs of the attacks while reviewing the contents of a "command and control" server that they had discovered in 2009 as part of an investigation into security breaches at defence companies.

Alperovitch said McAfee had notified all the 72 victims of the attacks, which are under investigation by law enforcement agencies  around the world. He declined to give more details, such as the names of the companies hacked.

Jim Lewis, a cyber expert with the Centre for Strategic and International Studies, was briefed on the discovery by McAfee. He said it was very likely that China was behind the campaign because some of the targets had information that would be of particular interest to Beijing.

The systems of the IOC and several national Olympic committees were breached in the run-up to the 2008 Beijing Games, for example. And China views Taiwan as a renegade province – political issues between them remain contentious even as economic ties have strengthened in recent years.

"Everything points to China. It could be the Russians but there is more that points to China than Russia," Lewis said.

He added that the US and Britain were capable of pulling off this kind of campaign but "we wouldn't spy on ourselves and the Brits wouldn't spy on us" (Guardian, 2011).

Title: Hacking Group 'Compromised 72 Large Organisations' In Five Years
August 3, 2011
Computer World

Security vendor McAfee has published a detailed report about a hacking group that penetrated 72 companies and organizations in 14 countries since 2006 in a massive operation that stole national secrets, business plans and other sensitive information.

McAfee said the attackers are likely a single group acting on behalf of a government, differing from the recent wave of less sophisticated attacks from cyber activist groups such as Anonymous and LulzSec, according to the report.

McAfee did not say what country might have been working with the hackers, in contrast to companies such as Google, which as recently as last month blamed China for hacking into the Gmail accounts of several high-profile US officials.

The intrusions, which McAfee called Operation Shady RAT, was discovered after the security vendor gained access to a command-and-control server that collected data from the hacked computers and logged the intrusions.

"After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators," wrote Dmitri Alperovitch, vice president of threat research at McAfee, and author of the report.

Alperovitch wrote that over the past five to six years there has been nothing short of a "historically unprecedented transfer of wealth" due to the hacking operation.

The data stolen consists of everything from classified information on government networks, source code, e-mail archives, exploration details for new oil and gas field auctions, legal contracts, SCADA (supervisory control and data acquisition) configurations, design schematics and more, Alperovitch said.

McAfee declined to name most of the organizations attacked, referring to businesses such as "South Korean Steel Company," "U.S. Defense Contractor #1" and "Taiwanese Electronics Company," among others.

Those that were named include the International Olympic Committee (IOC), the World Anti-Doping Agency, the United Nations and the ASEAN (Association of Southeast Asian Nations) Secretariat. Those organizations, however, were not of economic interest to hackers, and "potentially pointed a finger at a state actor behind the intrusions," Alperovitch wrote.

The hacking group gained access to computers by first sending targeted e-mails to individuals within the companies or organizations. The e-mails contained an exploit that, if executed, would cause the download of a piece of malicious software that communicates with the command-and-control server.

In 2006, eight organizations were attacked, but by 2007 the number jumped to 29 organizations, according to the report. The number of victimized organizations increased to 36 in 2008 and peaked at 38 in 2009 before starting to fall, "likely due to the widespread availability of the countermeasures for the specific intrusion indicators used by this specific actor," Alperovitch wrote.

The duration of the compromises ranged from less than a month to up to more than two years in the case of an attack on the Olympic committee of a unnamed nation in Asia (Computer World, 2011).

Title: Cyber Attacks Mounting Fast In U.S.
Date: September 30, 2011
Source: CBS News 

AbstractU.S. utilities and industries face a rising number of cyber break-ins by attackers using more sophisticated methods, a senior Homeland Security Department official said during the government's first media tour of secretive defense labs intended to protect the U.S. power grid, water systems and other vulnerable infrastructure.

Acting DHS Deputy Undersecretary Greg Schaffer told reporters Thursday that the world's utilities and industries increasingly are  becoming vulnerable as they wire their industrial machinery to the Internet.

"We are connecting equipment that has never been connected before to these global networks," Schaffer said. Disgruntled employees, hackers and perhaps foreign governments "are knocking on the doors of these systems, and there have been intrusions."

According to the DHS, Control System Security Program cyber experts based at the Idaho National Laboratory responded to 116 requests for assistance in 2010, and 342 so far this year.

Department officials declined to give details about emergency response team deployments, citing confidentiality agreements with the companies involved. Under current law, the reporting of cyber attacks by private organizations is strictly voluntary.

The Obama administration has proposed making reporting mandatory, but the White House could find the idea difficult to sell at a time when Republicans complain about increased regulation of business.

Officials said they knew of only one recent criminal conviction for corrupting industrial control systems, that of a former security guard at a Dallas hospital whose hacking of hospital computers wound up shutting down the air conditioning system. The former guard was sentenced to 110 months in prison in March.

The Homeland Security Department's control system program includes the emergency response team, a Cyber Analysis Center where systems are tested for vulnerabilities, a malware laboratory for analyzing cyber threats and a classified "watch and warning center" where data about threats are assessed and shared with other cyber security and intelligence offices.

The offices are located at nondescript office buildings scattered around Idaho Falls. No signs announce their presence.

Marty Edwards, chief of the control system security effort, said the malware lab analyzed the Stuxnet virus that attacked the Iranian uranium enrichment facility in Natanz last year. He did not describe the group's findings in detail, except to say that they confirmed that it was "very sophisticated."

Edwards said that several years ago he had asked the German company Siemens to study the same kind of industrial controllers used at Natanz for vulnerabilities to attack, because they were so widely used in industry.

But he said the study was not part of any effort to target the controllers with malware, and said his program's work on the controllers could not have helped Stuxnet's designers.

A senior Homeland Security cyber official, who spoke on condition of anonymity because of the sensitivity of the topic, said the Stuxnet worm exploited well-known design flaws common to many system controllers, vulnerabilities that in general can't be patched.

Many independent experts and former government officials suspect that Stuxnet was created by the United States, perhaps with the help of Israel, Britain and Germany.

The U.S. and other nations believe Iran is building a nuclear weapons program, but Tehran insists it is interested only in the peaceful uses of nuclear technology.

While U.S. officials talk frequently about the threat of cyber attacks to America, they seldom discuss the country's offensive cyber weapons capability. The U.S. is thought to be the world's leader in cyber warfare, both defensive and offensive.

U.S. officials and others long have feared that future wars will include cyber assaults on the industries and economies of adversaries, and the potential targets include power plants, pipelines and air traffic control systems.

Foreign nations could also target military control systems, including those used for communications, radar and advanced weaponry.

Because of its advanced industrial base and large number of computer controlled machines connected to the Internet, the U.S. is thought to be highly vulnerable to a cyber attack on its infrastructure.

In a 2007 test at the Idaho National Laboratory, government hackers were able to break into the control system running a large diesel generator, causing it to self-destruct.

A video of the test, called Aurora, still posted on YouTube, shows parts flying off the generator as it shakes, shudders and finally halts in a cloud of smoke.

James Lewis, a former State Department official now with the Center for Strategic and International Studies in Washington, said in an interview that the Aurora test ushered in a new era of electronic warfare.

Before the test, he said, the notion of cyber warfare "was mainly smoke and mirrors. But the Aurora tests showed that, you know what? We have a new kind of weapon."

Homeland Security officials said they have not conducted such a test on that scale since. But they demonstrated Thursday how a hacker could tunnel under firewalls in computer systems to take command of industrial processes.

"All systems deployed have vulnerabilities," Edwards said (CBS News, 2011).

Title: Chinese Hackers May Have Attacked US Satellites
October 28, 2011
Computer World

Chinese hackers may have interfered with two US satellites on four separate occasions in 2007 and 2008.

On one occasion, the attackers had enough access to take complete control of one of the satellites but chose not to do so, according to a Bloomberg Businessweek story that cites a soon-to-be published report by a congressional commission.

According to Bloomberg, a Landsat-7 earth observation satellite managed by NASA and the US Geological Survey and a Terra AM-1 satellite managed by NASA were both attacked by hackers thought to be from China.

The attackers appear to have gained access to the satellites via compromised ground control systems at the Svalbard Satellite Station in Spitsbergen, Norway, Bloomberg said.

Hackers "interfered" with the Terra AM-1 satellite twice in 2008 - once for about two minutes in June and again for nine minutes in October. The Landsat-7 system, meanwhile, experienced more than 12 minutes of interference in October 2007 and July 2008.

The October 2007 attack on the Landsat-7 satellite was discovered only when the July 2008 interference was being investigated.

"Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions," the draft report says, according to Bloomberg. "Access to a satellite's controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite's transmission."

The report does not directly accuse the Chinese government or its military of being behind the attacks. But it does note that the disruptions are consistent with Chinese military strategies that advocate the disabling of enemy space systems and ground-based satellite control systems, Bloomberg said.

China's stated strategy in a conflict is to "compromise, disrupt, deny, degrade, deceive or destroy" US space and computer systems, the report says, according to Bloomberg.

A spokesman for the Chinese embassy in Washington is quoted as denying any involvement in the attacks and accusing the commission of collecting unsubstantiated stories for the purposes of "vilifying" China.

Though Chinese officials have denied involvement in such attacks, China has frequently been suspected of being behind cyberattacks against US government, military and commercial targets. Privately many security experts say that such attacks allow multiple terabytes of sensitive data and IP to be siphoned out of the country. So far, few have been able to or willing to substantiate those claims publicly.

Based on the Bloomberg story, the incidents described in the report appear similar to a scenario described earlier this year in the US Air Force's Strategic Studies Quarterly.

The report, authored by Christopher Bronk, a former diplomat with the US Department of State and a fellow specialising in IT policy at Rice University's Baker Institute, described how a hypothetical cyberwar between the US and China might play out.

In the report, Bronk theorised that China's strategy in any cyberwar will be to degrade and disrupt communications but to not completely disable an opponent's networks. The goal will be to own as much of a network as possible in order to control it when hostilities break out, he said (Computer World, 2012).

Title: French Nuclear Power Company Hit By Cyber Attack
November 2, 2011
eSecurity Planet

Abstract: French energy conglomerate Areva may have been hit by an attack first detected in September.

"Local reports are consistent only in terms of talking about cyber-espionage, perhaps involving malware rather than some kind of terrifying Stuxnet-style nuclear kit sabotage caper," writes The Register's John Leyden.

"Staff reportedly learned that all might not to be well with Areva systems in mid-September, following a weekend security upgrade that left some systems out of action for three days," Leyden writes. "The National Security Agency Information Systems (ANSSI) reportedly assisted the security upgrade."

Go to "French nuke biz slapped in mystery cyberattack" to read the details (eSecurity, 2011).

Title: U.S. Calls Out China And Russia For Cyber Espionage Costing Billions
Date: November 3, 2011
Source: Fox News 

Abstract: Hey, China and Russia, get off of our clouds.

That's the warning from a new U.S. national intelligence director's report to Congress released Thursday that states China and Russia are the biggest perpetrators of economic espionage through the Internet.

The report, Foreign Spies Stealing U.S. Economic Secrets in Cyberspace, also warns that the efforts to calculate the cost of lost research and development is nearly impossible to calculate but could be costing up to $398 billion. As mobile devices proliferate, it's only going to get easier for spies to steal.

Analysts note that this is the first time the U.S. government report has so openly blamed countries that support cyber attacks and espionage at the national and state level.

"The computer networks of a broad array of U.S. government agencies, private companies,

universities, and other institutions -- all holding large volumes of sensitive economic information -- were targeted by cyber espionage; much of this activity appears to have originated in China," reads the report.

Drawing on data from 13 agencies, including the CIA and FBI, over the past two years, the report concludes that attacks against U.S. government networks and military contracts are on the rise. But one of the most worrying trends is the growing number of attacks on businesses that are smaller than the Fortune 500 companies.

Additionally, the report states that China's intelligence services -- as well as private companies and other entities -- are exploiting Chinese citizens or others with family ties in China who have "insider access to corporate networks to steal trade secrets using removable media devices or e-mail."

As for Russia, the report noted that the "10 Russian Foreign Intelligence Service 'illegals' arrested in June 2010 were tasked to collect economic and technology information."

House Intelligence Committee Chairman Mike Rogers said the report confirms what he's heard previously about the Chinese.

"Their continued theft of sensitive economic information is a threat to our national security, hurts American businesses and workers, and causes incalculable harm to global economy," Rogers said in a written statement. "This once again underscores the need for America's allies across Asia and Europe to join forces to pressure Beijing to end this illegal behavior."

Rogers and other lawmakers are calling on the Obama administration to confront Beijing in a public way, saying back-channel efforts have been largely ignored.

The report also warns that countries could take advantage of political or social activists who may use the tools of economic espionage against U.S. companies and agencies. It specifically called out "hactivist" groups like WikiLeaks and other "disgruntled insiders leaking information about corporate trade secrets or critical U.S. technology" (Fox News, 2011).

Title: Israel Defense Sector 'Hit By Cyberattack'
November 8, 2011

AbstractIsrael's military and intelligence services Web sites crashed for several hours last weekend in what appeared to be a cyberattack, an event that carried the potential of crippling the computer systems of the country's high-tech defense industry.

The Haaretz daily reported Monday that the shutdown was the "biggest computer crash in the history of Israel's online government."

The Web sites of the armed forces, the Mossad foreign intelligence agency and the General Security Service, Israel's internal security branch known as Shin Bet, and several government ministries broke down Sunday.

Authorities denied there had been a cyberattack and blamed a "malfunction" in "the IBM-manufactured storage component" of the government computer system.

The sites were down for several hours.

There was skepticism about the official explanation because the breakdown occurred just days after Anonymous, a shadowy group of global hackers and online activists, threatened to retaliate against Israel for its maritime blockade of the economically crippled Gaza Strip.

In a YouTube video posted Friday, the group accused Israel of "piracy on the high seas" for intercepting two ships -- one Canadian, one Irish -- carrying humanitarian aid for the Gaza's beleaguered 1.2 million Palestinians in international waters earlier that day.

Israeli naval commandoes boarded the ships and took them to the port of Ashdod in southern Israel.

"Your actions are illegal, against democracy and human rights, international and maritime law," a computer-generated voice declared on the video.

"If you continue blocking humanitarian vessels to Gaza … then you leave us no choice but to strike back again and again until you stop."

There was no way to authenticate the video. Anonymous threatened Israel in June, although there's no record of a cyberattack before Friday.

Anonymous, which claims to fight for human rights and against Internet censorship, has carried out cyberattacks on several governments and international conglomerates since 2008. During the Arab Spring pro-democracy uprisings in Egypt, Tunisia and Syria it repeatedly paralyzed government Web sites to support the protesters.

Suspected Anonymous activists have been arrested in a half a dozen countries, including Britain, Australia and Turkey.

The Israeli security establishment has been building a cyberdefense apparatus for some time. But in September, reservist Maj. Gen. Yiftach Ron-Tal, chairman of the Israel Electric Corp., warned the cyberthreat to Israel is growing but that the country isn't adequately prepared to cope with it.

He raised the possibility that Israel's enemies had already implanted viruses in its computer systems that control military and civilian infrastructure like the defense industry and the national power grid.

Israel's military is digitalized down to platoon level and thus becomes vulnerable to cyberattack during combat.

Israel's water, transportation and financial systems, as well as its military command network, face potential cyberattacks.

Ron-Tal, a former commander of Israel's land forces, declared: "We could already have witnessed a silent infiltration that will be activated when the enemy wants.

"We need to be prepared for the possibility that critical infrastructure will be paralyzed."

Sunday's shutdown, if it was a cyberattack, came amid growing tensions over Iran's nuclear program and increasing speculation that Prime Minister Binyamin Netanyahu was pushing for pre-emptive strikes against the Islamic Republic.

Israel's intelligence establishment has been widely blamed for sabotaging Iran's nuclear program in 2010 with a malignant virus known as Stuxnet. The Iranians claim their systems were hit later by another virus they dubbed "Stars," and blamed Israel again.

Since then the Iranians have made a major effort to build up cyberdefenses and the capability to retaliate.

Little is known of the status of these efforts but the possibility of payback against Israel is clearly a strategic objective for Tehran in the emerging cyber battlefield.

Iranian Gen. Ali Fazli, commander of the Revolutionary Guard's paramilitary Basij organization, claimed in March that Tehran has launched attacks against the Web sites of "the enemies."

The Jerusalem Post reported in August that Israel's military had set up a cyberdefense division, primarily to counter any Iranian threat, within the C4I -- command, control, communications, computers and intelligence -- Directorate.

That move followed Netanyahu's announcement in July that a National Cybernetic Task Force had been established to defend the country's vital infrastructure from Internet strikes (UPI, 2011)

Title: Brazilian ISPs Under Cyber Attack
Date: November 8, 2011
IT Pro Portal 

Abstract: Security experts warn that several Brazilian ISPs are under attack after a large number of their subscribers were exposed to various malware attacks when visiting Gmail, Hotmail, and also other trusted websites.

The attackers poisoned the cache of the domain name system, which ISPs use to translate domain names into Internet protocol numbers.

This process ultimately affects end users who are directed to some other website which is capable of exploiting software vulnerabilities and trick the user into installing various malware programs.

A researcher with Kaspersky Labs, Fabio Assoloni, on a blog post, stated, "Last week, Brazil's web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail," published at Secure List.

Assolini also stated, "In all cases, users were asked to run a malicious file as soon as the website opened."

In most of the cases, the malware pushed into the compromised system is a Trojan which steals various online banking credentials and other sensitive information (IT Pro Portal, 2011)

Title: Net Bandits Charged In $14 Million Ad-Fraud Case
 November 9, 2011
Fox News

Abstract: They took a byte of crime.

A crew of Internet bandits devised an international scheme to hijack more than 4 million computers worldwide so websurfers visiting Netflix, and other popular websites would be rerouted to sites that generated at least $14 million in fraudulent profits, an indictment unsealed in New York alleged Wednesday.

The indictment says 500,000 computers in the United States were infected, including some used by educational institutions, nonprofits and government agencies like NASA. Six Estonians were in custody in that country, and extradition was being sought, authorities said. One Russian remained at large.

“The defendants hijacked four million computers in a hundred countries, including half a million computers in the United States, rerouting Internet traffic and generating $14 million in illegitimate income," assistant director in charge Janice K. Fedarcyk said.

The defendants "engaged in a massive and sophisticated scheme that infected at least 4 million computers located in over 100 countries with malicious software or malware," the indictment said. "Without the computer users' knowledge or permission, the malware digitally hijacked the infected computers to facilitate the fraud."

Searches done on infected computers would be redirected to websites set up by the defendants to generate payments any time a user clicked on an advertisement, the indictment said. The doctored websites mimicked legitimate sites for Netflix, the IRS, ESPN, Amazon and others, it added.

The indictment estimated the defendants "reaped least $14 million in ill-gotten gains."

"The Internet is pervasive because it is such a useful tool, but it is a tool that can be exploited by those with bad intentions and a little know-how,” Fedarcyk said (Fox News, 2011)

Title: Steam Hacked, Valve 'Truly Sorry'
 November 11, 2011

Game download service Steam has been hacked, with intruders getting access to a Steam database that contained gamers' personal information.

Steam is run by Half-Life maker Valve, whose co-founder Gabe Newell confirmed the breach in a statement, saying that the company was "truly sorry this happened."

Newell said the database that was compromised contained user names, encrypted passwords, details of game purchases and email addresses, as well as billing addresses and 'hashed and salted' passwords (hashing and salting are techniques for making passwords difficult to crack, and also make our stomachs rumble).

Credit card information was also contained on the database, but it was encrypted. Steam says it has no evidence of credit card misuse, but advises customers to "watch your credit card activity and statements closely".

Gaming services are still working, but the Steam forums have been shut down for now. Anyone using the Steam forums will have to change their password next time they log in, and customers have been advised to change their passwords on other accounts, if those accounts use the same password.

We have to applaud Valve's response to the situation -- issuing what appears to be a frank account of what happened, as well as an apology, goes a long way to mending broken hearts.

Sony came under fire for failing to quickly notify its customers during the PSN breach and subsequent outage earlier this year -- an attack that saw millions of gamers' personal data nicked and, almost more importantly, the PS3's online services unavailable for a considerable length of time.

Does this latest breach shake your confidence in Steam? How well do you think Valve handed this situation? Let us know in the comments below, or on our Facebook wall (CNET, 2011)

Title: Alarm Stems Cyber Attack On Italian-Jewish Facebook Page
November 13, 2011
JTA News 

A Facebook group dedicated to friends of several Jewish communities in northern Italy came under an apparent anti-Semitic cyber attack.

Facebook members with clearly false profile names on Sunday joined the open Facebook group Friends of the Jewish community of Vercelli, Biella, Novara and V.C.O province, and in the course of several hours posted a series of pro-Nazi, anti-Semitic and, in some cases, obscene posts, pictures and videos on the group’s Facebook wall.

A leftist pro-Israel Italian group on Facebook raised the alarm with a post warning that the “Friends” group was under “Neo-Nazi attack” and calling on supporters to alert Facebook and the group’s administrators. Within hours of the alarm, the offending group was listed as "closed" with only six members, and no offensive posts were visible (JTA News, 2011)

Title: Another US Firm Sues Bank After Cyber-Attack
Date: November 15, 2011

Abstract: A US title insurance firm that lost more than $200,000 after cybercrooks using the Zeus Trojan accessed its online account, is suing its bank, accusing it of lax security.

In a case picked up by security blogger Brian Krebs, Virginia-based Global Title Services had its computers infected with Zeus sometime before June last year.

This gave crooks access to the firm's passwords for their online accounts with Chevy Chase Bank (since rebranded by owner Capital One).

On the first of June the criminals began an eight day process of wiring money from the company's account to money mules. A total of 18 transfers, worth more than $2 million, were made.

The bank managed to reverse all but the first three transfers, meaning that Global Title Services suffered actual losses of around $200,000.

The company is suing Capital One, accusing it of failing to act in good faith and arguing that by not employing two-factor authentication it "failed to implement commercially reasonable security procedures for its online banking clients," says Krebs.

According to the complaint: "By operating a single factor identification online banking system, Capital One lefts its customers open to identity theft and failed to take sufficient safeguards to prevent unauthorized access to its client's online banking accounts, including the ability to send wire transfers."

Global Title is asking for a $500,000 judgment, plus pre- and post-judgment interest and attorney's fees with the case slated for trial in April.

Some of the crooks involved have already been convicted and imprisoned for their roles in cyberheist.

The question of whether a bank is responsible for ACH wire fraud committed against customers has been in the spotlight in recent months thanks to several court cases, the outcomes of which have been mixed.

In August Comerica Bank ditched plans to appeal the ruling of a Michigan court and reimbursed a small business customer that was hit by wire fraud scammers. However, previously a presiding magistrate in Maine ruled that Ocean Bank was not responsible for the loss of around $345,000 from a business customer account following a similar cyber-attack (Finextra, 2011)

Title: Virginia Cyber Attack Exposes More Than 175,000 Campus Affiliates
November 16, 2011
CR80 News 

 Virginia Commonwealth University (VCU) released a statement regarding an incident of unauthorized access to a campus computing server. The VCU server housed files with the personal information on more than 175,000 current and former faculty, staff, students and affiliates.

Servers supporting a VCU system uncovered suspicious files on one of its servers. During forensic investigation, subsequent analysis then showed the intruders had compromised a second server - thru the first server attack - which contained data on 176,567 individuals.

Data items included either a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information.

Officials asserted the likelihood is very low that any personal data on the individuals in the files was compromised, but it is still notifying all involved via email and first-class mail (CR80 News, 2011)

Title: Norway Hit By Major Cyber Attack On Oil, Defence Industries
Date: November 18, 2011
International Business Times 

Abstract: Data from Norway's oil, gas and defence systems have been stolen in what is feared to be one of the most extensive data espionage in the country's history.

Industry secrets and information about contract negotiations were stolen and "sent out digitally across the country," according to a statement released by Norway's National Security Agency (NSM).

At least 10 different firms, perhaps more, had been targeted in the biggest wave of cyber-attacks seen by the country.

None of the industries, mostly the oil, gas, energy and defence, have been named and it is feared that the number of attacked firms is higher as some may not realise they have been hacked.

Cybercrime: Prevention, Protection, Punishment Against Cyber Attacks (Conference)

"The attacks vary slightly from each other and are tailor-made so they are not discovered by anti-virus solutions. Companies that are targeted are therefore not aware of the attacks until after they have taken place," the NSA said in a statement.

"This means it is probable that industrial secrets from various companies have been stolen and sent digitally out of the country."

It is thought that the attacks may have been carried out by more than one person over the past year.

The methods used were varied, but it is thought that in some individual cases emails armed with viruses which did not trigger anti-malware detection systems were used to steal passwords, documents and other confidential material from hard-drives.

"This is the first time Norway has revealed extensive and wide computer espionage attacks," said NSM spokesperson Kjetil Berg Veire in a statement.

The attacks have occurred more often" when companies were negotiating large contracts," he said.

The NSM said that this type of internet espionage was an extremely cost-effective type of data-theft as that "espionage over the internet is cheap, provides good results and is low-risk."

Norway's oil and gas industry is ranked the third largest in the world, with 2.8 million barrels being produced each day (International Business Times, 2011)

Title: U.S. Probes Cyber Attack On Water System 
Date: November 21, 2011

 Federal investigators are looking into a report that hackers managed to remotely shut down a utility's water pump in central Illinois last week, in what could be the first known foreign cyber attack on a U.S. industrial system.

The November 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.

The attackers obtained access to the network of a water utility in a rural community west of the state capital Springfield with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.

He said that the same group may have attacked other industrial targets or be planning strikes using credentials stolen from the same software maker.

The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.

"At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," he said, declining to elaborate further. An FBI spokesman in Illinois did not return phone calls seeking comment.

SCADA Security
Cyber security experts said that the reported attack highlights the risk that attackers can break into what is known as Supervisory Control and Data Acquisition (SCADA) systems. They are highly specialized computer systems that control critical infrastructure -- from water treatment facilities, chemicals plants and nuclear reactors to gas pipelines, dams and switches on train lines.

The issue of securing SCADA systems from cyber attacks made international headlines last year after the mysterious Stuxnet virus attacked a centrifuge at a uranium enrichment facility in Iran. Many experts say that was a major setback for Iran's nuclear weapon's program and attribute the attack to the United States and Israel.

In 2007, researchers at the U.S. government's Idaho National Laboratories identified a vulnerability in the electric grid, demonstrating how much damage a cyber attack could inflict on a large diesel generator.

Lani Kass, who retired in September as senior policy adviser to the chairman of the U.S. Joint Chiefs of Staff, said the United States should take the possibility of a cyber attack seriously.

"The going in hypothesis is always that it's just an incident or coincidence. And if every incident is seen in isolation, it's hard -- if not impossible -- to discern a pattern or connect the dots," Kass told Reuters.

"Failure to connect the dots led us to be surprised on 9/11," she said, describing the September 11, 2001 hijacking attacks as a prime example in which authorities dismissed indicators of an impending disaster and were caught unaware.

Representative Jim Langevin, a Democrat from Rhode Island, said that the report of the attack highlighted the need to pass legislation to improve cyber security of the U.S. critical infrastructure.

"The stakes are too high for us to fail, and our citizens will be the ones to suffer the consequences of our inaction," he said in a statement.

Illinois Attack
Several media reports identified the location of the attack as Springfield. City officials said that was inaccurate.

Don Craven, a lawyer and a trustee for the Curran-Gardner Township Public Water District, said late Friday that the small water utility was aware that "something happened" but that he did not have much information on the matter.

"We are aware there may have been a successful or unsuccessful attempt to hack into the system," Craven said by telephone from his Springfield, Illinois, office.

"It came through a software system that's used to remotely access the pumps," he said. "A pump is burned out."

The district serves some 2,200 customers in a rural district West of Springfield. He said there was no interruption in service as the utility operates multiple pumps and wells. Its water comes from an aquifer underneath the Sangamon River.

Craven said he did not know what software at the utility was involved but said he was confident that no customer records were compromised. He said he was mystified as to the reason hackers might have targeted the tiny district.

The general manager of the utility has not returned messages.

Other Attacks?
Quoting from the one-page report, Weiss said it was not yet clear whether other networks had been hacked as a result of the breach at the U.S. software maker.

He said the manufacturer of that software keeps login credentials to the networks of its customers so that its staff can help them support those systems.

"An information technology services and computer repair company checked the computer logs of the system and determined the computer had been hacked into from a computer located in Russia," Weiss quoting from the report in a telephone interview with Reuters.

Workers at the targeted utility in central Illinois on November 8 noticed problems with SCADA systems which manages the water supply system, and discovered that a water pump had been damaged, said Weiss, managing partner of Applied Control Solutions in Cupertino, California (Reuters, 2011).

Title: Cyber Criminals Attempt To Hack Into AT&T, No Accounts Compromised
Date: November 21, 2011
Mobil Beat 

Abstract: AT&T was the target of an attack today when cyber criminals attempted to access customer information by connecting phone numbers to online accounts.

“We do not know the intent, but we are concerned they may attempt to deceive our customers by sending them unsolicited texts or emails claiming to be from AT&T and requesting sensitive personal information like Social Security numbers or passwords,” an AT&T spokesperson said in an e-mail to VentureBeat regarding the company’s concerns about affected one percent.

The company explained the attack was “an organized attempt to obtain information,” meaning a number of people working together as opposed to a lone hacker. No accounts were successfully breached, however. Those trying to gain access to customer accounts were using “auto script technology,” according to a company statement, which attempted to link AT&T phone numbers to online accounts.

Currently AT&T is looking into who is behind the attack and what they wanted with the information. “In the meantime, out of an abundance of caution, we are advising the account holders involved,” the company said in a statement.

According to Bloomberg, company spokesperson Mark Siegel says less than 1 percent of the company’s mobile customers were affected. To put this in perspective, however, AT&T recently announced over 100 million wireless subscribers. That means less that less than one percent can still be hundreds of thousands of affected customers. Exactly how hackers affected these customers remains to be seen, other than account information was not compromised.

The company also recently experienced a three hour service outage in the Northeast, but says the downtime and the attack are unrelated (Mobil Beat, 2011)

Title: Another Cyber Attack On Japan Parliament
Date: November 22, 2011
Voice of Russia

Abstract: Japan’s parliament came under a new cyber attack on Tuesday, when malicious emails were found on computers used in the upper house, officials said on Tuesday.

They added that at least 700 computers had been hit by a virus, with passwords and other sensitive information possibly compromised.

The hack is the latest in a series of cyber attacks on the Japanese parliament in the past few months (Voice of Russia, 2011)

Title: United Nations Agency 'Hacking Attack' Investigated
Date: November 29, 2011

Abstract: A group of hackers has posted more than 100 email addresses and login details which it claimed to have extracted from the United Nations.

Many of the emails involved appear to belong to members of the United Nations Development Programme (UNDP).

The group, which identified itself as Teampoison, attacked the UN's behaviour and called it a "fraud".

A spokeswoman for the UNDP said the agency believed "an old server which contains old data" had been targeted.

"The UNDP found [the] compromised server and took it offline," said Sausan Ghosheh.

"The server goes back to 2007. There are no active passwords listed for those accounts.

"Please note that was not compromised."

The details were posted on the website Pastebin under the Teampoison logo.

The message preceding the login details accused the UN of acting to "facilitate the introduction of a New World Order" and asked "United Nations, why didn't you expect us?"

Many of the email addresses given end in, but others appear to belong to members of the Organisation for Economic Co-operation and Development (OECD), the World Health Organisation (WHO) and the UK's Office for National Statistics (ONS).

The poster noted that several of the accounts had "no passwords".

The message ended with the taunt: "The question now is how? We will let the so called 'security experts' over at the UN figure that out... Have a Nice Day."

The poster claimed the usernames and passwords had been sourced from the UN

Credit Card Attacks
The security company Sophos noted that Teampoison hackers had previously attacked the maker of the Blackberry smartphone's website and had published private information about former UK Prime Minister Tony Blair.

"Teampoison recently announced they were joining forces with Anonymous on a new initiative dubbed 'Operation Robin Hood', targeting banks and financial institutions," the firm's senior technology consultant, Graham Cluley wrote on Sophos's blog.

The groups said at the time that their operation aimed to take money from credit cards and donate it to individuals and charities.

They said people would not be harmed as the banks had to refund fraudulent charges.

Teampoison added a "shoutout" to Anonymous in its UN attack posting, adding a link to a Youtube video with more information about its banking attack plan.

These latest moves serve as a reminder that so-called hacktivists are skilled and willing to collaborate to take down their targets, according to Professor Alan Woodward from the University of Surrey's department of computing.

"One of the big problems is that there is so much data around that people forget about their older systems that still have valuable data on them," he said.

"The lesson here is that anything that holds any data of any value must be protected" (BBC, 2011)

Title: Cyber Attacks Bombard Energy Sector, Threatening World Oil Supply
Date: December 8, 2011
Huffington Post

Abstract: Hackers are bombarding the world's computer controlled energy sector, conducting industrial espionage and threatening potential global havoc through oil supply disruption.

Oil company executives warned that attacks were becoming more frequent and more carefully planned.

"If anybody gets into the area where you can control opening and closing of valves, or release valves, you can imagine what happens," said Ludolf Luehmann, an IT manager at Shell Europe's biggest company .

"It will cost lives and it will cost production, it will cost money, cause fires and cause loss of containment, environmental damage - huge, huge damage," he told the World Petroleum Congress in Doha.

Computers control nearly all the world's energy production and distribution in systems that are increasingly vulnerable to cyber attacks that could put cutting-edge fuel production technology in rival company hands.

"We see an increasing number of attacks on our IT systems and information and there are various motivations behind it - criminal and commercial," said Luehmann. "We see an increasing number of attacks with clear commercial interests, focusing on research and development, to gain the competitive advantage."

He said the Stuxnet computer worm discovered in 2010, the first found that was specifically designed to subvert industrial systems, changed the world of international oil companies because it was the first visible attack to have a significant impact on process control.

But the determination and stamina shown by hackers when they attack industrial systems and companies has now stepped up a gear, and there has been a surge in multi-pronged attacks to break into specific operation systems within producers, he said.

"Cyber crime is a huge issue. It's not restricted to one company or another it's really broad and it is ongoing," said Dennis Painchaud, director of International Government Relations at Canada's Nexen Inc. "It is a very significant risk to our business."

"It's something that we have to stay on top of every day. It is a risk that is only going to grow and is probably one of the preeminent risks that we face today and will continue to face for some time."

Luehmann said hackers were increasingly staging attack over long periods, silently collecting information over weeks or months before attacking specific targets within company operations with the information they have collected over a long period.

"It's a new dimension of attacks that we see in Shell," he said.

Not In Control

In October, security software maker Symantec Corp said it had found a mysterious virus that contained code similar to Stuxnet, called Duqu, which experts say appears designed to gather data to make it easier to launch future cyber attacks.

Other businesses can shut down their information technology (IT) systems to regularly install rapidly breached software security patches and update vulnerable operating systems.

But energy companies cannot keep taking down plants to patch up security holes.

"Oil needs to keep on flowing," said Riemer Brouwer, head of IT security at Abu Dhabi Company for Onshore Oil Operations (ADCO).

"We have a very strategic position in the global oil and gas market," he added. "If they could bring down one of the big players in the oil and gas market you can imagine what this will do for the oil price - it would blow the market."

Hackers could finance their operations by using options markets to bet on the price movements caused by disruptions, Brouwer said.

"So far we haven't had any major incidents," he said. "But are we really in control? The answer has to be 'no'."

Oil prices usually rise whenever tensions escalate over Iran's disputed nuclear program - itself thought to be the principal target of the Stuxnet worm and which has already identified Duqu infections - due to concern that oil production or exports from the Middle East could be affected by any conflict.

But the threat of a coordinated attack on energy installations across the world is also real, experts say, and unlike a blockade of the Gulf can be launched from anywhere, with no U.S. military might in sight and little chance of finding the perpetrator.

"We know that the Straits of Hormuz are of strategic importance to the world," said Stephan Klein of business application software developer SAP.

"What about the approximately 80 million barrels that are processed through IT systems?," said Klein, SAP vice president of oil and gas operations in the Middle East and North Africa.

Attacks like Stuxnet are so complex that very few organizations in the world are able to set them up, said Gordon Muehl, chief security officer at Germany's SAP said, but it was still too simple to attack industries over the internet.

Only a few years ago hacking was confined to skilled computer programmers, but thanks to online video tutorials, breaking into corporate operating systems is now a free for all.

"Everyone can hack today," Shell's Luehmann said. "The number of potential hackers is not a few very skilled people -- it's everyone" (Huffington Post, 2011)

Title: U.S. Authorities Probing Alleged Cyberattack Plot By Venezuela, Iran
Date: December 13, 2011
Washington Times

Abstract: U.S. officials are investigating reports that Iranian and Venezuelan diplomats in
Mexico were involved in planned cyberattacks against U.S. targets, including nuclear power plants.

Allegations about the cyberplot were aired last week in a documentary on the Spanish-language TV network Univision, which included secretly recorded footage of Iranian and Venezuelan diplomats being briefed on the planned attacks and promising to pass information to their governments.

A former computer instructor at the National Autonomous University of Mexico told Univision that he was recruited by a professor there in 2006 to organize a group of student hackers to carry out cyberattacks against the United States, initially at the behest of the Cuban Embassy.

In an undercover sting, instructor Juan Carlos Munoz Ledo and several selected students infiltrated the hackers and secretly videotaped the Iranian and Venezuelan diplomats.

Reports about Iran’s involvement in the suspected plot come amid the Islamic republic’s refusal to return a sophisticated, unmanned U.S. spy plane that crashed inside its borders this month. Iranian officials have laid claim to the drone, vowing to research it for its technology.

Calling the reports “disturbing,” State Department spokesman William Ostick said federal authorities are examining the cyberplot allegations but added that U.S. officials “don’t have any information at this point to corroborate them.”

Sen. Robert Menendez, New Jersey Democrat and chairman of the Senate Foreign Relations subcommittee on the Western Hemisphere, called for hearings in the new year about Iranian activities in Latin America.

Some House lawmakers called for the expulsion of a Venezuelan diplomat in the U.S. who is implicated in the suspected plot.

The Univision documentary fanned fears among lawmakers that Iran’s recent diplomatic outreach in the region, particularly to Venezuela’s anti-American leftist President Hugo Chavez, might be a front for nefarious activities.

Earlier this year, U.S. prosecutors charged an Iranian official based in Tehran with trying to recruit a Mexican drug cartel to kill the Saudi ambassador to the United States by bombing a Washington restaurant.

“If Iran is using regional actors to facilitate and direct activities against the United States, this would represent a substantial increase in the level of the Iranian threat and would necessitate an immediate response,” Mr. Menendez said.

An aide to Mr. Menendez told The Times that the Univision report, which also said that Iranian extremists were recruiting young Latin American Muslims, is “one of a variety of concerns we have about Iran’s efforts to engage with countries and other actors in the region.”

Next year’s hearing will examine Iran’s “political and commercial outreach, as well as more nefarious activities,” the aide said.

“We monitor Iran’s activities in the region closely,” Mr. Ostick said. “That vigilance led to the arrest of the individual responsible for the recent assassination plot” against the Saudi ambassador.

“We constantly monitor for possible connections between terrorists and transnational criminals.”

A congressional staffer said members of the Senate subcommittee and their staffs had requested a classified intelligence briefing before the hearing.

In the secretly recorded meetings with the Venezuelan and Iranian diplomats, the hackers discussed possible targets, including the FBI, the CIA and the Pentagon, and nuclear facilities, both military and civilian.

The hackers said they were seeking passwords to protected systems and sought support and funding from the diplomats.

At one point in the documentary, according to a translation provided by Univision, Iran’s ambassador to Mexico at the time, Mohammed Hassan Ghadiri, is seen telling the students that it was “very important to know about what [the United States has] in mind, attack Iran or not.”

Interviewed from Iran by Univision, Mr. Ghadiri acknowledged meeting the students and consulting Tehran about whether the Iranian government should back the attacks.

“I wrote to Iran that a person can do this. They said do not allow him in [the building] anymore because this not an embassy’s job,” he said.

The ambassador denied any involvement in a plot, telling Univision that the students’ sting was a provocation by “CIA agents.”

“They proposed this, and we told them that this is not our job. We rejected it,” he said. “We don’t have any interest in doing those types of things.”

“A good ambassador with good intentions would have thrown [the hackers] out and contacted the Mexican authorities,” said the documentary’s director, Gerardo Reyes. “Instead, he listened to them, he asked questions, he made suggestions.”

One of the other diplomats implicated by the documentary - Livia Antonieta Acosta Noguera, then the second secretary at the Venezuelan Embassy in Mexico - is currently the Venezuelan consul in Miami.

Students secretly taped her asking for more information about the planned cyberattacks and promising to pass it along to Mr. Chavez via his head of security, Gen. Alexis Lopez.

Rep. Ileana Ros-Lehtinen, Florida Republican and chairwoman of the House Foreign Affairs Committee, wrote to Secretary of State Hillary Rodham Clinton to urge her to investigate and expel Ms. Antonieta if the reports are true.

The consul represents “a potential threat to our national security,” Mrs. Ros-Lehtinen said in the letter, which was co-signed by Reps. Mario Diaz-Balart and David Rivera, both Florida Republicans; and Albio Sires, New Jersey Democrat.

Officials at the Venezuelan Embassy in Washington and the consulate in Miami were unavailable for comment Tuesday.

In Venezuela, Mr. Chavez denied the allegations in the documentary.

“They are using a lie as an excuse to attack us,” he said of the U.S. during a TV and radio address. “We must be on our guard.”

Meanwhile, Iranian Defense Minister Gen. Ahmad Vahidi shrugged off President Obama’s request for the return of the unmanned spy plane and demanded an apology from the United States, the Associated Press reported.

Tehran last week identified the drone as the RQ-170 Sentinel and said it was captured over the country’s east. U.S. officials say the aircraft malfunctioned and was not brought down by Iran, the AP reported (Washington Times, 2011).

Title: FBI Says Hackers Hit Key Services In Three US Cities
Date: December 13, 2011

Abstract: The infrastructure systems of three US cities have been attacked, according to the Federal Bureau of Investigation.

At a recent cybersecurity conference, Michael Welch, deputy assistant director of the FBI's cyber division, said hackers had accessed crucial water and power services.

The hackers could theoretically have dumped sewage into a lake or shut off the power to a shopping mall, he said.

Industrial control systems are becoming an increasing target for hackers.

'Ego Trip'
"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city," Mr Welch told delegates at the Flemings Cyber Security conference.

"Essentially it was an ego trip for the hacker because he had control of that city's system and he could dump raw sewage into the lake, he could shut down the power plant at the mall - a wide array of things," he added.

Such systems - commonly known as Supervisory Control and Data Acquisition (Scada) - are increasingly being targeted by hackers, following reports that they rely on weak security.

It follows two alleged break-ins to city water supplies. The first, to a water supply in Springfield, Illinois, was later played down by the FBI which said it could find no evidence of cyber-intrusion.

Initially it had thought a hardware fault was caused by Russian hackers but it later emerged that this was not the case.

In another attack a hacker named pr0f claimed to have broken into a control system that kept water supplied to a town in Texas.

The hacker said the system had only been protected by a three-character password which "required almost no skill" to get around.

Mr Welch did not confirm whether this breach was one of the three he was talking about.

Default Passwords
Security experts predict there will be a rise in such attacks.

"Such systems have become a target partly because of all the chatter about the lack of security. Hackers are doing it out of curiosity to see how poorly they are protected," said Graham Cluley, senior security consultant at Sophos.

He said that many relied on default passwords, and information about some of these passwords was "available for download online".

Furthermore the firms that run Scada systems, such as Siemens, often advise against changing passwords because they claim the threat from malware is not a great as the problem that will be caused if passwords are changed.

"Not changing passwords is obviously slightly crazy. Proper security needs to be in place otherwise it is laughable," said Mr Cluley.

24-Hour Surveillance
Industrial-scale hacking hit the headlines in 2010 with news of a worm aimed at Iran's nuclear facilities. Stuxnet was widely rumoured to have been developed by either the US or Israeli authorities and, according to experts, was configured to damage motors used in uranium-enrichment centrifuges by sending them spinning out of control.

Iran later admitted that some of its centrifuges had been sabotaged although it downplayed the significance of Stuxnet in that.

This year a Stuxnet copycat, Duqu, was discovered by security experts.

Initial analysis of the worm found that parts of Duqu are nearly identical to Stuxnet and suggested that it was written by either the same authors or those with access to the Stuxnet source code.

Unlike Stuxnet it was not designed to attack industrial systems but rather to gather intelligence for a future attack.

Mr Welch also revealed at the conference that, to date, the FBI's cyberteam had worked a 9 to 5 day. He said that a 12% increase in its budget would mean the team could now expand and begin monitoring cyberthreats around the clock (BBC, 2011)

Title: Stratfor Hacked; Anonymous Claims Responsibility
Date: December 26, 2011

Abstract: The New York Times reports that hackers associated with Anonymous have apparently stolen subscriber information, including names and credit cards, from the security news site
Stratfor. In an email to subscribers, Stratfor’s chief executive, George Friedman, confirmed that the site had been hacked.

Here’s more details from the Times:

The hackers posted a list online that they say contains Stratfor’s confidential client list as well as credit card details, passwords and home addresses for some 4,000 Stratfor clients. The hackers also said they had details for more than 90,000 credit card accounts. Among the organizations listed as Stratfor clients: Bank of America, the Defense Department, Doctors Without Borders, Lockheed Martin, Los Alamos National Laboratory and the United Nations.

The group also posted five receipts online that it said were of donations made with pilfered credit card details. One receipt showed a $180 donation from a United States Homeland Security employee, Edmund H. Tupay, to the American Red Cross. Another showed a $200 donation to the Red Cross from Allen Barr, a recently retired employee from the Texas Department of Banking. Neither responded to requests for comment.

Interestingly enough, it appears that one of the reasons why Anonymous was able to attack the website was because Stratfor neglected to encrypt the credit card and other personal information about its subscribers. This has BoingBoing blogger Rob Beschizza perplexed:

It’s true that websites are like storefronts, and that it’s more or less impossible to stop determined people from blocking or defacing them now and again.

Here, however, it looks like Stratfor left private files in the window display, waiting to be grabbed by the first guy to put a brick through the glass.

Now, I’m not America’s premier intelligence and security research group, and I’m not a member of its national IT security planning task force. But I’m pretty sure that putting unencrypted lists of credit card numbers and client details on public-exposed servers isn’t quite explained by “no matter what you do, every system has some level of vulnerability.”

If it’s true that Strafor didn’t encrypt their client’s information, that’s a pretty big lapse in their security. For a company which such a reputation like Stratfor’s, I’d say that’s pretty embarrassing (Forbes, 2011)

Title: Huge Security Breach At Security Firm Symantec No Threat To Consumers, Analyst Says
Date: January 6, 2012
Fox News

Abstract: One of the biggest security firms in the world may need to boost its own security: A hacker stole the source code behind Symantec's industry-leading antivirus program.

The code theft from the security giant will not likely affect the average computer user or compromise his computer, an analyst told -- but the breech is certainly to leave the Fortune 500 company red faced.

"This is going to end up being egg on the face of Symantec more than anything else," Anup Ghosh, founder and CEO of Virginian security firm Invincea, told "What they're trying to do here is embarrass companies. These guys are out there flexing their muscles, saying 'Hey, I have source code from Symantec to publicly humiliate them."

Ghosh called the security breech a real business risk more than anything else, one that may lead to a loss of confidence in Symantec and potential loss of market share for the publicly traded firm.

"The headline is very embarrassing to Symantec," Ghosh continued. "But this has now become the normal in securities. Every single corporation is susceptible to threats."

Calls seeking comment from Symantec were not immediately returned on Friday.

In a statement to late Thursday, the Californian firm confirmed that source code used in two of its older enterprise security products was publicly exposed by hackers this week.

The compromised code -- between four and five years old -- does not affect does not affect Symantec's consumer-oriented Norton products as had been previously speculated, Symantec said.

"Our own network was not breached, but rather that of a third-party entity," the statement read. "We are still gathering information on the details and are not in a position to provide specifics on the third-party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions."

Symantec spokesman Cris Paden told Computerworld that the two affected products were Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, both of which are more than five years old.

"We're taking this extremely seriously, but in terms of a threat, a lot has changed since these codes were developed," Paden told the website. "We distributed 10 million new signatures in 2010 alone. That gives you an idea of how much these products have morphed since then, when you're talking four and five years."

An Indian hacking group reportedly identifying itself as Lords of Dharmaraja claimed it had accessed source code for Symantec's Norton AV products. Using the handle "YamaTough," a member of the group initially posted several documents on Pastebin and Google+ that were purportedly proof that the group had accessed Symantec's source code.

Those initial documents, however, were not source code, but rather publicly available information from a 1999 document, Paden told Computerland. A second set of documents posted by the group did contain segments of source code, he said.

In a blog post on the code leak, Rob Rachwald, director of security for Imperva, a U.S.-based data security company based, said the incident isn't likely to keep the Symantec folks "awake too late" at night.

"After all, there isn’t much hackers can learn from the code which they hadn’t known before," Rachwald wrote. "Why? Most of the anti-virus product is based on attack signatures. By basing defenses on signatures, malware authors continuously write malware to evade signature detection (in 2007, antivirus could only detect between 20-30% of malware)" (Fox News, 2012)

Title: Cyberworm Gobbles Up 45,000 Facebook User Loginsm
Date: January 6, 2012
Fox News

Abstract: The infamous "Ramnit" computer worm has taken on a new life as a piece of financial malware, and it's currently spreading through 
Facebook and scooping up thousands of users' login credentials.

Researchers at the Israeli firm Seculert found a variant of Ramnit that has stolen more than 45,000 Facebook users' credentials, mostly United Kingdom and French users, and infected approximately 800,000 machines from September to December 2011.

Spreading through wall posts with links to rigged websites, the new Ramnit worm takes a page from the Zeus Trojan, stealing people's Facebook account information and using it to target their online banking details.

Ramnit can "bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks," Seculert wrote in a blog post today (Jan. 5).

Discovered in April 2010, Ramnit originally infected HTML and Windows executable files to steal browser cookies and stored FTP credentials. Last August, however, Seculert believes the hackers used portions of the leaked Zeus Trojan's source code to create a "hybrid creature" that could efficiently spread, and steal, on a large scale.

The hackers behind the reworked Ramnit Facebook worm have their sights set on more than just targets' banking credentials, Seculert said. The attackers, "are taking advantage of the fact that users tend to use the same password in various Web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."

This is as good a case as can be made for the dangers of multiple-use passwords, and the importance of choosing different passwords for all your online accounts and for making each one difficult to crack. For a guide on how best to create and remember secure passwords, click here (Fox News, 2012).

Title: Hacker Takes Credit For Wave Of Cyber Attacks On Israel
Date: January 6, 2012
Fox News

Abstract: A hacker claiming to be Saudi is taking credit for the wave of thefts in Israel over the past week, Reuters reported.

A hacker posted credit card information of thousands of Israelis on the Internet, credit card companies said Tuesday, in what appeared to be a politically motivated attack concerning Israeli officials. 

The hacker has identified himself as OxOmar and said he is part of a Saudi Arabian hacker team. Reuters reported that in a post on Thursday the hacker said he had leaked information about more than 400,000 Israelis and said the "Jewish lobby" was hiding the scale of the attack.

The Israeli Ynet news website said the hackers called the cyber attack a "gift to the world for the New Year" that they hoped "would hurt the Zionist pocket."

They claimed to have compromised 400,000 credit-card holders, but Israel's central bank said only about 15,000 active cards were affected.

Cyber expert Gadi Evron told The Associated Press that it would be almost impossible to verify the attackers were Saudi.

Evron, who once oversaw security for the Israeli government Internet provider, said the attack was "nothing special" technically and was mundane, given the millions of credit card numbers stolen online daily.

"Potentially, such attacks could be devastating," he said. "This is not one of them."

It focused attention again about potential dangers for consumers in using electronic commerce services, he said, and demonstrated how relatively simple attacks could affect an entire country.

Ynet said the information was posted on an Israeli sports website and removed shortly after it appeared. Credit card companies said they blocked Internet purchases on the compromised cards and would issue replacement cards soon.

Israeli security officials said Israel's Shin Bet internal security agency has a special unit that advises sensitive sectors considered vital to security, like public utilities, about Internet security. It recently added banks and cell phone companies.

The officials spoke on condition of anonymity because they were not authorized to discuss security matters.

Evron said Israel, a high-tech powerhouse, is one of the most frequently hacked countries in the world, though the attacks generally are not sophisticated. Many of the attacks are linked to pro-Palestinian or pro-Arab hackers, he said.

"As a rule, whenever there is some sort of ethnic or political tension around the can guarantee that two days later or an hour later, for at least a few weeks, there are going to be some kind of online attacks going on," Evron said.

There have been no confirmed reports of sensitive Israeli government sites being hacked. Several weeks ago, websites of Israeli spy services and other official sites briefly went down, but the government denied pro-Palestinian hackers were to blame and characterized the event as a technical malfunction (Fox News, 2012)

Title: Hackers Attack Two Israeli Websites
Date: January 16, 2012

 The websites of the Tel Aviv Stock Exchange and of El Al, the Israeli airline, were brought down Monday morning by an apparent hacking attack.

An internet hacker who calls himself Ox Omar sent an e-mail to the Jerusalem Post Monday in which he claims that together with a hacking group calling themselves "Nightmare" that the websites of the Tel Aviv Stock Exchange and that of El Al would be brought down.

Idit Yaaron, the spokeswoman for the Tel Aviv Stock Exchange, told CNN that the main site of the stock exchange where the trading takes place was not harmed and operates on a very high level of Internet security. Trading has continued unaffected, she said. A secondary internet web site was affected for a short period of time.

El Al spokesman, Ran Rahav, released a statement saying, "El Al is aware that for the past two weeks a cyber war is raging against Israel. The company is closely monitoring the Saudi hacker activity. El Al is taking precautions regarding its website and as a result there may be disruptions in the activity of the website."

The "cyber war" started at the beginning of the month when a group claiming to be Saudi Arabian hackers posted the credit card information and other identifying data of thousands of Israelis on line, prompting an international investigation.

"Hi, It's Ox Omar from the group xp, largest Wahhabi group of Saudi Arabia" read a statement posted on an Israeli sports web site the group hacked into. "We are anonymous Saudi Arabian hackers. We decided to release (the) first part of our data about Israel." Wahhabism is an Islamic religious movement.

The Bank of Israel released a statement last Tuesday saying that, based on information from credit card companies, only around 15,000 credit card numbers were exposed and those credit cards were blocked for use in Internet and phone purchases.

Yoram Hacohen, who heads the Israeli Law, Information and Technology Authority at the Israeli Ministry of Justice, told CNN in a phone interview on Friday that he is more concerned about the private information that was released than the actual credit card numbers; he fears that the publishing of e-mail addresses, phone numbers and home addresses could lead to identification theft.

Hacohen said that hacking is a criminal act against citizens and the Israeli authorities have begun a criminal investigation, including a computer forensic probe to search for electronic evidence in an attempt to locate the group. The theft of personal information is a criminal act under Israel's Privacy Protection law.

Hacohen acknowledged that in the digital world, offenders are difficult to track and authorities are asking for international help in the matter.

Israeli Deputy Foreign Minister Danny Ayalon, speaking at a public event, called the Saudi hackers attack "a breach of sovereignty comparable to a terrorist operation and (it) must be treated as such." A few days later his own website was targeted in a cyber attack. In a statement on his Facebook page, Ayalon wrote that "Muslim extremists" hacked into his website "to try and prevent me from continuing to do my work on behalf of the State of Israel, especially my online public diplomacy.

Prime Minister Benjamin Netanyahu created a National Cyber Directorate in 2011, noting the emergence of cyber attacks that could "potentially paralyze life systems -- electricity, communications, credit cards, water, transportation, traffic lights."

He said in December that the new agency -- along with a rocket defense system and a physical fence -- would help protect Israel against its enemies (CNN, 2012)

Title: Hacked; 24 Million Customers Affected
Date: January 16, 2012

Abstract: Online retailer is asking its 24 million customers to reset their passwords after a cyberattack, according to a posting on the company's website.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," says the posting, which was sent out as an e-mail from company CEO Tony Hsieh to Zappos employees on Sunday.

The company said it had expired and reset customers' passwords and would be sending an e-mail with further instructions to all its customers. It also posted password reset instructions on its website.

Zappos said that hackers gained access to customers' names, e-mail addresses,  billing and shipping addresses, phone numbers, and the last four digits of credit card numbers and encrypted passwords.

Full credit card numbers and other payment info were stored on a separate server which was not hacked, the company said.

Because it expects a deluge of phone calls related to the hacking, Zappos said it was temporarily turning off its phones and would answer all inquiries by e-mail.

"If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place," the company's e-mail to employees said.

"We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," Hsieh's e-mail said..

The e-mail also went out to customers of Zappos discount website, 6pm. com.

While large, the hacking attack was not the largest of the past year. In April, Sony's PlayStation Network, with 70 million customers, was hacked, with an "unauthorized person" obtaining users' names, home addresses, e-mail addresses, birth dates and passwords, according to Sony (CNN, 2012)

Title: Chuck Grassley Twitter Account Hacked
Date: January 23, 2012

Abstract: The Twittter account of Sen. Chuck Grassley (R-Iowa), a former supporter of the anti-piracy legislation PIPA, was hacked Monday by a follower of the Anonymous “hacktivist” group.

“Dear Iowans, vote against ACTA, SOPA, and PIPA, because this man, Chuck Grassley, wants YOUR internet censored and all of that BS,” read Grassley’s account Monday afternoon. “Yes I was hacked.”

Grassley withdrew his support for PIPA last week.

The person who wrote unauthorized tweets said he was supportive of the Anonymous “hacktivist” group.

“Yes, I am an Anonymous follower,” read a tweet from Grassley’s verified social media account.

Grassley’s office, confirming unauthorized tweets, said it noticed the hacking after the first false Tweet was posted. Aides immediately contacted Twitter to obtain access to the account.

“The password has been changed, and Senator Grassley controls the account again,” said Grassley spokeswoman Beth Levine.

Grassley was a supporter of PIPA, the Protect IP Act, which Anonymous has condemned, along with SOPA, the Stop Online Piracy Act, a similar bill in the House.

“Chuck is a supporter of SOPA, PIPA, and ACTA, meaning he wants no privacy for private accounts,” read one of the unauthorized tweets.

The hacker also wrote on less weighty matters.

“I really wanted Herman Cain to get president this year,” one apparently unauthorized tweet read.

“#Winning,” read another.

“Yes, its surprising that I’m actually writing in full sentences with spaces and correct grammar/spelling,” said one tweet, poking fun of the short-hand that Grassley often employs with his Twitter account.

The tweets started around 1:30 p.m. and ended about 15 minutes later. Nineteen tweets were made over that time period.

“Well, its been fun getting Chuck’s account this week, so I better get off. I got nothing better to do since we got a snow day here in Osage,” read the last tweet.

Osage is a name associated with multiple places in the United States, including places in Iowa, New Jersey, Oklahoma, West Virginia, Wyoming and other states.

The senator usually tweets himself from his BlackBerry. At the time of the breach, he was traveling from Iowa to Washington.

Grassley had previously decided to back away from his support for the PIPA anti-piracy legislation.

“It’s critical we protect the intellectual property rights of our businesses and fight online infringement, but at the same time, we can’t do harm to the internet, the Constitution, or the ability of businesses to grow and innovate. Internet piracy is illegal, and we need to find a way that works for all sides. The current Protect IP Act needs more due diligence, analysis, and substantial changes. As it stands right now, I can’t support the bill moving forward next week,” Grassley said in a statement withdrawing his support for PIPA last week (Politico, 2012)

Title: Poland Reviews Stance On Treaty After Internet Attacks
Date: January 23, 2012
Fox News

Abstract: Poland's government went into defense mode on Monday after a network of online activists paralyzed government websites in opposition to Warsaw's plans to sign an international copyright treaty.

Poland had originally planned to sign the Anti-Counterfeiting Trade Agreement, or ACTA, in Tokyo on Thursday. ACTA is a far-reaching international agreement that would fight copyright infringement and online piracy. Critics fear it could lead to censorship on the Internet.

Twitter account using the name "AnonymousWiki" announced plans to attack government websites to protest the government's support for ACTA.

Within hours on Sunday, the websites of the prime minister, parliament and other government offices were unreachable or sluggish, the hallmarks of a denial of service attack. The technique works by directing streams of bogus traffic at a website, jamming it in the same way that a telephone line can be overwhelmed by hundreds of prank calls.

In an initial response, government spokesman Pawel Gras on Sunday suggested there hadn't been an attack at all on the sites. "This isn't an attack by hackers, but just the result of huge interest in the sites of the prime minister and parliament," he said, a comment that quickly became a source of ridicule on Facebook and other Internet sites.

By Monday, with the sites still paralyzed, the prime minister and other leaders were holding a meeting to reconsider their stance on the treaty.

"It was a velvet attack by hackers, but still it was an attack. Pawel Gras was wrong," said Slawomir Neumann, a lawmaker with the government Civic Platform party. Neumann said the situation showed that the Polish government is poorly prepared to handle such attacks.

And Michal Boni, the minister for administration and digitization, acknowledged in a radio interview Monday that the government had failed to hold enough consultations with the public on the matter.

An opposition party, the Democratic Left Alliance, also called on the government to not sign in it in a gesture of solidarity with those who warn it could hurt Internet freedom.

Anonymous, the group suspected of involvement in the attacks, made a number of threats before and during the Internet disruptions.

"Dear Polish government, we will continue to disrupt and interfere with your government official websites until the 26th. Do not pass ACTA," one tweet by AnonymousWiki said.

It also threatened more trouble should Poland sign ACTA.

"We have dox files and leaked documentations on many Poland officials, if ACTA is passed, we will release these documents," AnonymousWiki said in a separate tweet (Fox News, 2012).

Title: Hackers Target More Israeli Websites
Date: January 26, 2012

Abstract: Hackers have attacked the websites of two Israeli hospitals, the Dan Public Transportation company, the Israel Festival, the Cinematheque and the Ha’aretz newspaper.

The cyber attack began when the websites of Tel Hashomer and Assuta, two of the largest medical centers in central Israel, were hacked Jan. 25. Spokesmen for both facilities said no harm came to their sites, and patient information was not compromised.

The Israel Festival website included the slogan “Free Palestine, death to Israel,” and a message on the other websites said that four more “Gilad Shalits” would be abducted and that “Jew = Nazi.”

This apparently coordinated cyber assault was the latest in a string of hacks into various Israeli websites, including those of credit card companies, El Al and the Tel Aviv Stock Exchange.

Also on Jan. 25, the National Cyber Command and the Counter Terror Bureau launched Israel’s first official cyber emergency drill, a multiday exercise aimed at testing readiness and contingency plans vis-à-vis a widespread, multisource cyber terror attack on Israel’s infrastructure systems (JWeekly, 2012)

Title: Pro-Government Hactivists Deface Al Jazeera Coverage Of Syrian Violence
Date: January 29, 2012
ARS Technica

Abstract: The Al Jazeera English website was attacked and defaced on January 29 by hackers supporting Syrian president Bashar al-Assad. Targeting the news organization's "
Syria Live Blog," which has been providing ongoing coverage of the Arab League's observer mission to Syria and developments in the ongoing unrest in the country, the hacker group calling itself the Syrian Electronic Army posted pro-Assad and pro-Syrian government images to the site.

The relationship of the Syrian Electronic Army to the government itself is unclear. However, the group's domain was registered in May of 2011 in Tartous, Syria, and its site is hosted on servers maintained by the Syrian Computer Society—a group Assad was the head of before assuming Syria's presidency, and which introduced the Internet to Syria in 2001.

The attack started at about 2:30 PM Central Time, just after Al Jazeera posted a report on casualties reported by the Local Coordinating Committees, an activist network in Syria. On their own site, the Syrian Electronic Army announced the "code re-penetration" of the site by a "professional Syrian battalion" of hackers, denouncing Al Jazeera for broadcasting "false and fabricated news" to "ignite sedition" among the people of Syria and achieve the goals of "Washington and Tel Aviv."

This is the second attack against Al Jazeera this month claimed by the pro-Assad hacktivist group. In September, the group attacked Harvard University's site, and keeps a graphic from Harvard's site on its homepage as a trophy of that exploit. In August, the group attacked the Tumblr site set up by YourAnonNews in response to Anonymous' attacks on Syrian government sites (ARS Technica, 2012)

Title: Banco do Brasil, Country's Largest State-Run Bank, Hacked By Anonymous Brasil
Date: February 2, 2012
Huffington Post

Abstract: A group of Internet hackers said Wednesday it took down the website of the Banco do Brasil, Brazil's largest state-run bank. It's the third such attack against financial institutions in a week.

"Attention sailors: Target hit! ... BancodoBrasil is sinking. TANGO DOWN," said a Twitter post from the group that calls itself "Anonymous Brasil."

It threatened further attacks on other banks.

Banco do Brasil said in a statement that its website was not taken down but was "slowed down" by a flood of traffic." The Associated Press was unable to access the site in repeated attempts.

On Monday, the group attacked the website of Itau Unibanco Banco Multiplo SA, Brazil's largest private sector bank and one day later it did the same against Banco Bradesco SA, the country's second largest private bank, using a denial of service attack that essentially swamps a website with false users.

Anonymous Brasil posted a video on the UOL Internet news portal in which a man wearing a mask depicting the character "V'' of the film "V for Vendetta" said the attacks against the banks' websites are aimed at "calling attention to the corruption and inequality in Brazil" (Huffington Post, 2012)

Title: Law Enforcement Websites Under Attack By Hackers
Date: February 3, 2012
CNS News

Abstract: Saboteurs stole passwords and sensitive information on tipsters while hacking into the websites of several law enforcement agencies worldwide in attacks attributed to the collective known as Anonymous.

Breaches were reported this week in Boston, Syracuse, N.Y., Salt Lake City and Greece.

Hackers gained access to the Salt Lake City Police Department website that gathers citizen complaints about drug and other crimes, including phone numbers, addresses and other personal data of informants, police said.

The website remained down Friday as police worked to make it more secure.

Anonymous is a collection of Internet enthusiasts, pranksters and activists whose targets have included financial institutions such as Visa and MasterCard, the Church of Scientology and law enforcement agencies.

Following a spate of arrests across the world, the group and its various offshoots have focused their attention on law enforcement agencies in general and the FBI in particular.

The group also claimed responsibility for hacking the website of a Virginia law firm that represented a U.S. Marine involved in the deaths of civilians in Iraq in 2005.

Anonymous also published a recording on the Internet Friday of a phone call between the FBI and Scotland Yard, gloating in a Twitter message that "the FBI might be curious how we're able to continuously read their internal comms for some time now."

FBI spokeswoman Jenny Shearer said in an email to The Associated Press the agency was aware of the incidents, and an investigation was ongoing.

In Greece, the Justice Ministry took down its site Friday after a video by activists claiming to be Greek and Cypriot members of Anonymous was displayed for at least two hours.

In Boston, a message posted on the police website before it was taken down Friday said, "Anonymous hacks Boston Police website in retaliation for police brutality at OWS," an apparent reference to the Occupy Wall Street movement. The message also promised "there is plenty more mayhem to deliver."

A police spokesman would not confirm Anonymous was responsible.

Another message on the department's website said a hack several months ago unearthed hundreds of passwords that were released in retaliation for what was called brutality against Occupy Boston.

In October, Boston police acknowledged that various websites used by members of the police department — including the website belonging to the police patrolmen's association — had been hacked and possibly compromised. The department said it asked all police personnel to change their passwords on its network.

The Occupy movement in Boston set up camp in the city's financial district for two months this fall. The first hack came about 10 days after Boston police arrested 141 Occupy demonstrators on Oct. 11.

Police dismantled the camp Dec. 10, citing public health and safety concerns.

"So you get your kicks beating protesters? That's OK; we get kicks defacing ... your websites — again," the message on the department's website said Friday.

Boston police called it unfortunate that the hacking has interrupted the department's ability to inform the community about important safety matters.

Salt Lake City authorities continued their investigation and said criminal charges were being considered.

Police said Anonymous had taken credit for the attack through local media but hadn't contacted the department directly.

The hackers claim to have targeted the site in opposition to an anti-graffiti paraphernalia bill that eventually failed in the state Senate. The bill would have made it illegal to possess any instrument, tool or device with the intent of vandalizing an area with graffiti.

Salt Lake City police Detective Josh Ashdown downplayed any danger to citizens.

He said the department's website is used by residents to report crimes or suspicious activity, and that some submit the tips anonymously while others include personal information.

Ashdown said investigators believe the group is bluffing about the extent of the information it got from the website, and he noted authorities didn't think any of the details would be widely distributed.

He said police don't have any reason to believe that citizens who reported crimes on the website are going to be targeted specifically.

"Our main concern is for the public not to lose confidence in the department," Ashdown said.

In New York, Syracuse police said the department website had also been hacked in an attack attributed to Anonymous.

Sgt. Tom Connellan said names and passwords of people authorized to alter the site were stolen earlier this week and posted on Twitter.

No private information about officers or citizens was accessed, he said, though the site remained down Friday while the FBI and state police continued to investigate. In an online post attributed to Anonymous, the group claims to have targeted the Syracuse site for failing to aggressively pursue child abuse allegations against a former assistant basketball coach.

Another incident struck the website of the Alexandria, Va., law firm of Puckett & Faraj, which represented a U.S. Marine convicted of negligent dereliction of duty in a 2005 attack in Haditha, Iraq, that resulted in the deaths of 24 unarmed civilians.

Attorney Neal Puckett did not immediately return a telephone message and email seeking comment Friday, and the firm's website remained offline (CNS News, 2012)

Title: 'Anonymous' Hackers Intercept Conversation Between FBI And Scotland Yard On How To Deal With Hackers
Date: February 3, 2012

Abstract: The conversation covered updates to on-going court cases, the recent arrest of a 15-year-old for hacking his school website, and even touched on cheese and the merits of Sheffield.

One officer appears to refer to the city as a “khazi” - slang for toilet – and tells an American colleague: “You’ve missed nothing, it’s not exactly a jewel in England’s crown.”

They seem to think the Bullring shopping centre in Birmingham is actually in Sheffield and also refer to a colleague as an “old school detective but mad as a box of frogs”.

The Anonymous hacker managed to listen in to the call after accessing an FBI email which gave details of the intended call. The email was also posted online.

Writing on the Twitter account, AnonymousIRC, one hacker said: “The FBI might be curious how we’re able to continuously read their internal comms for some time now.”

The FBI confirmed hackers had intercepted a confidential phone call, and said it was hunting those responsible.

An FBI spokesman said: “The information was intended for law enforcement officers only and was illegally obtained. A criminal investigation is under way to identify and hold accountable those responsible.”

The FBI email referred to an investigation on both sides of the Atlantic into a number of hacking groups.

It read: “A conference call is planned for next Tuesday (January 17, 2012) to discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups.”

The recording, which was posted on Youtube, refers to the on-going court case against Ryan Cleary, arrested last June for his alleged role in the group LulzSec, and reveals legally sensitive information.

It also refers to a 15-year-old listed as a member of CSLSec - meaning “can’t stop laughing security”- a copy-cat group of hackers with just three members.

In the conversation, British police officers named only as Matt and Stuart explain that the teenager was arrested before Christmas for an alleged incident involving his school and that he apparently claimed to have taken part in a hacking incident called “Operation Mayhem.”

“Basically he’s doing all this for attention, he’s a bit of an idiot,” one officer says. They add claim that he has written a confession through his school that runs to two sides of A4 and one officer says he writes about “how he got involved, whet he’s done, almost clearing the slate now he’s come to the notice of the police.”

“A smack from mum and dad is behind it all,” the officer adds, saying he is “just another juvenile, another wannabe character.”

One Anonymous member tweeted to the boy, criticising him for helping the police, saying: “Man you’re f*****g dumb. It’s a conversation discussing anonymous/lulzsec and your wanna-be ass. your UK agent calls you an idiot.”

The 15 year-old, who is not being named by the Daily Telegraph for legal reasons, has sent out a number of tweets responding to the posting saying: “lol [laughs out loud] I’m UK not USA, no FBI can touch me. Idiot...why wud FBI talk about me? I’m not even US & haven’t been arrested. I’m still here ain’t I? lol...I haven’t heard it yet...& I haven’t got a UK agent lol.”

The boy says claims he started hacking aged 12 and spends up to seven hours a day reading eBooks, tutorials, forum posts and watching Youtube videos.

He said he designed websites for family, friends and people online, making a “couple $100 a month” and used his pocket money of around £10 each week and funds from hacking to invest in “advertising and other things such as stocks etc, which some I still hold and are growing today (all under my mother’s name of course who had no clue at the time.)”

In mid-May last year he says he got caught after he had hacked into his school’s website and they traced his IP number, got the phone number from Virgin Media and called his house.

“My nine-year-old brother picked up and of course, gave my name away,” he writes, adding: “I got a police referral order for six months, where they would regularly check my PC BUT I had a laptop, netbook and other people’s/family’s computers at my disposal.”

Since then he claims to have hacked the BBC and PBS, the American TV station, along with GoodYear tyres.

A Scotland Yard spokesman said: “We are aware of the video, which relates to an FBI conference call involving a PCeU [Police Central e-crime Unit] representative.

“The matter is being investigated by the FBI. At this stage no operational risks to the MPS have been identified; however, we continue to carry out a full assessment” (Telegraph, 2012).

Title: Department Of Homeland Security Website Hacked By Anonymous
Date: February 4, 2012

Abstract: Only hours after two of its biggest releases ever, the online collective Anonymous is taking credit for crashing the website of the US Department of Homeland Security.

Shortly before 4 p.m. EST Friday afternoon, the Homeland Security Department’s website,, was taken offline. It was announced on the Web by members of the loose-knit hacktivist collective Anonymous and some claiming allegiance to the group have have taken credit for the attack.

Within minutes, was back up.

The crippling of the DHS website comes on the same day that Anonymous relaunched its FuckFBIFriday campaign. Throughout 2011, the group regularly released information they obtained by infiltrated government computers. After a break in the campaign, the group revisited it early Friday with two rounds of releases.

Earlier in the day, Anonymous released the audio of a conference call between the US Federal Bureau of Investigation and Britain’s Scotland Yard in which both organizations discuss Anonymous. The call was conducted this January and the FBI has since confirmed the authenticity of the recording.

Hours later, Anonymous hacked the website for the attorneys of Sgt. Frank Wuterich, a US Marine who was recently on trial for a massacre of Iraqi civilians stemming from a 2005 incident in Haditha, Iraq. Despite admitting his role in orchestrating a raid on two civilian homes and asking his Marines to “shoot first, ask later,” Wuterich was sentenced to no time in jail (RT, 2012)

Title: Anonymous Hacks CIA Website
Date: February 10, 2012

Abstract: “CIA TANGO DOWN” reads an Anonymous-affiliated Twitter account. It’s military-speak for eliminating a hostile force that has infilitrated hacker circles as an announcement of a successful attack. was taken down Friday afternoon, and Anonymous hackers seem to be taking credit for the latest in a series of high-profile internet attacks that have included the FBI, Foxconn, the State of Alabama, the Boston Police, theOakland Police, and many more.

The CIA probably doesn’t store much classified information on its website, but even symbolic attacks like this continue to give the impression that Anonymous is running unchecked.

Tensions have been running high between law enforcement and hacker groups due to the controversy concerning controversial copyright legislation such as SOPA, PIPA, TPP and ACTA, as well as crackdowns on Occupy protests. The new year has been an especially volatile time in what seems to be an escalating war for the internet, and there aren’t any signs that either side will be relenting any time soon (Forbes, 2012)

Title: Hacker Claims Porn Site Users Compromised
Date: February 11, 2012
Fox News

Abstract: A hacker claims to have compromised the personal information of more than 350,000 users after breaking into a discussion forum maintained by pornography website Brazzers.

A spokeswoman for the site's owner says it's "currently investigating the issue" but that no credit card information has been leaked. The forum was unreachable Saturday.

The hacker who claimed responsibility for the breach told The Associated Press that he exploited a vulnerability in the site's code which he said was "pretty easy to find."

He identified himself only as a 17-year-old living in Morocco and claimed allegiance to Anonymous, the global movement of cyber-mischief-makers who've carried out embarrassing attacks on record companies, the Church of Scientology and the FBI (Fox News, 2012)

Title: 'Lay Down Your Arms!' Anonymous Attacks US Tear-Gas Maker
Date: February 14, 2012

Abstract: Hackers have sent a sweet Valentine to an American weapons manufacturer, knocking out its website. The group says it was an act of retaliation for the company’s arming of security forces against pro-democracy protests in Egypt, Bahrain, and the US.

The one-year anniversary of the Arab Spring uprising in Bahrain seems to have ignited pro-protest feelings in the hackers’ hearts. The Anonymous-aligned activists have accused Combined Systems, a tear-gas maker located in the US, of selling "mad chemical weapons to military and cop shops around the world.

Putting out the company's website, the hackers slammed the producer over alleged war profiteering on demonstrations in Egypt and elsewhere.  

"You shot and gassed protesters, running them off public parks in the US. Several dozen died because of your tear gas used in Egypt. Did you think we forgot? Why did you not expect us?" read the statement.

It is unclear if the hackers accuse Combined Systems of selling tear gas to Mubarak’s government or the country’s current ruling Supreme Council of the Armed Forces. However, they accuse the company of working for governments and armies, and as they see it, that is a good enough reason for an attack.

"Combined Systems, lay down your arms: you just lost the game. In the past we have marched on your offices in Jamestown, Pennsylvania: now it is time to march on your websites." 

The website for Combined Systems Inc. was down on Tuesday. Messages to the site's administrative staff were not immediately returned ahead of business hours. 

In addition to defacing the website, the hackers say they have stolen and published personal information belonging to clients and employees of the company.

The latest attack has been credited by the shady collective as part of both the HackVDay Valentine’s Day rampage and protests commemorating the Bahrain uprising's first anniversary.

Bahraini activists have called for demonstrations on Sunday, Monday and Tuesday to commemorate the Shiite-dominated protest that erupted last year. At least 40 people have been killed during months of unprecedented political unrest in Bahrain, inspired by the Arab Spring uprisings (RT, 2012).

Title: Shylock Online Banking Malware Raises Ugly Head
February 17, 2012
Computer World

Web security firm Trusteer issued a warning this week about the return "with a vengeance" of Shylock, a polymorphic financial malware variant the company discovered last September that is now showing up again in end user machines.

It is aimed primarily at global financial institutions. Trusteer codenamed it Shylock because, "every new build bundles random excerpts from Shakespeare's 'The Merchant of Venice' in its binary," according to Trusteer CTO Amit Klein.

"These are designed to change the malware's file signature to avoid detection by antivirus programs," wrote Klein.

In an interview, Klein said there are hints in Shylock terminology to suggest it comes from Russia or the Ukraine. But who is involved and exactly where it is coming from remain unknown. "These are very difficult to track," he said.

Klein said the authors of the malware are running a surgical operation aimed at specific targets, a dozen or so large banks, some payment card providers and several web mail providers. Shylock amounts to customised financial fraud capabilities for the malware, including an improved methodology for injecting code into additional browser processes to take control of the victim's computer, according to Trusteer.

So far, while it does not appear to have caused widespread damage, Klein said Trusteer has received some reports from banks regarding compromised machines where fraud took place before they cleaned them.

And he suspects the reason Shylock has not been seen much in recent months is because it has been under development and improvement. "It is malware in progress," he said. "They keep throwing in new features, and perhaps have decided it's stable enough to distribute."

Klein said Shylock is distinguished by its ability to almost completely avoid detection by antivirus scanners after installation, using a unique three step process.

First, it doesn't run as a separate process, but embeds itself within applications running on a machine. Second, once it detects antivirus scanning, it deletes its own files and registry entries, and remains active only in memory. That would normally mean it could not survive a system shutdown/reboot. But, Klein says, that is where its third capability comes in to hijack the Windows shutdown.

"It hooks into the Windows shutdown procedure and reinstates the files and registry keys (previously removed) just before the system is completely shut down and after all other applications are closed (including antivirus)," he said.

Beyond that, Klein said Shylock is "pretty sophisticated" malware that not only has its own HTML language, "but appears to have a converter that can take Zeus or SpyEye and turn it into its own format."

Trusteer said machines running its primary product, Rapport, designed to help online banks, brokerages and retailers secure the consumer desktop from financial malware attacks and fraudulent websites, are not vulnerable to Shylock. Klein said machines already infected can get rid of it by installing Rapport. About the only other way to eliminate a Shylock infection, if the machine does not have an internal battery, is to unplug its power source. But that will also clean the memory.

"If you unplug the computer and force a brutal shutdown, the memory will be reset and Shylock will be gone," Klein said. "But Windows is going to whine a bit when it wakes up next. It's tricky to turn off a computer in this way, and you can't be sure it will restart properly" (Computer World, 2012).

Title: FTC Sites Hacked By Anonymous
Date: February 17, 2012
USA Today

Abstract: The hacking group known as Anonymous has claimed a new series of hacks against the U.S. Federal Trade Commission and consumer rights websites.

The loosely organized collection of cyber rebels said it attacked the FTC's consumer protection business center and the National Consumer Protection Week websites.

Both sites were replaced with a violent German-language video satirizing the Anti-Counterfeiting Trade Agreement, or ACTA.

ACTA was recently signed by several countries, but restrictions on online piracy have prompted a growing protest movement.

A call to the Trade Commission rang unanswered before business hours Friday. An email seeking comment was not immediately returned.

The organization's main home page appeared unaffected by the attacks (USA Today, 2012).

Title: Anonymous Attacks WSJ Page Hours After Story Warning Group Is Getting More Powerful
Date: February 22, 2012
Washington Post

Abstract: A number of Wall Street Journal Facebook pages were the subject of a comment flashmob Tuesday, claimed by Anonymous, just hours after the Journal published a report that warned the hacker group was getting more powerful.

The Anonymous Kollektiv, believed to based in Germany, told participants to copy the following message on Journal sites:

“Dear editors of the German Wall Street Journal, You equated Anonymous with al-Qaeda in your February 2012 article and the related coverage. With this type of coverage you may be able to stir up fear in the United States, but not in the land of poets and thinkers! With this comment, we would like to oppose the deliberate dissemination of false information and express our displeasure with your lobby journalism. We are Anonymous. We are millions. We do not forgive. We do not forget. Expect us!”

The Wall Street Journal report, which cited a number of security officials, warned that the hacker group could take down the U.S. power grid within a couple of years. One official quoted also said that the U.S. should be wary of a foreign government or al-Qaeda trying to hire the hackers to mount a cyber attack.

Until now, Anonymous has focused on attacking the Web sites of government agenciesfinancial companies and security firms. The Web sites go down, but then they come back up. Anonymous has also leakedsensitive phone calls and personal information, but the consequences have been limited.

The hacktivist group has also so far made no indication that suggests it would attack the power grid. But one message posted to pastebin suggests the group could be planning to “take down the Internet” on March 31. And some officials told the Journal the group is gaining the numbers and capability to pull off a large-scale attack.

“A near-peer competitor [country] could give cyber malware capability to some fringe group,” Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff said at a hearing last week, the Journal reported. “Some hacker, next thing you know, could be into our electrical grid. We have to get after this” (Washington Post, 2012)

Title: Interpol Website Suffers 'Anonymous Cyber-Attack'
Date: February 29, 2012

Abstract: Interpol's website appears to have been the victim of a cyber-attack after the international police agency announced the arrests of 25 suspected members of the 
hacking activist group Anonymous in Europe and South America.

The website went down briefly on Tuesday as supporters of Anonymous made online claims that it had been targeted following the arrests in Argentina, Chile, Colombia and Spain. It was quickly back up and running but was loading slowly.

Interpol announced that the arrests had been made under the umbrella of Operation Unmask, which it said was launched in mid-February in the wake of a series of coordinated cyber-attacks originating from the four countries against targets including the Colombian defence ministry and presidential websites, a Chilean electricity company and Chile's national library.

It added that the operation was carried out by authorities in the four countries under the aegis of Interpol's Latin American Working Group of Experts on Information Technology (IT) Crime, which facilitates the sharing of intelligence between the states involved.

Around 250 items of IT equipment and mobile phones were also seized during searches of 40 premises across 15 cities, Interpol said. Payment cards and cash had also been seized as part of the investigation into the funding of illegal activities carried out by the suspected hackers, aged 17 to 40.

Bernd Rossbach, Interpol's acting executive director of police services, said: "This operation shows that crime in the virtual world does have real consequences for those involved, and that the internet cannot be seen as a safe haven for criminal activity, no matter where it originates or where it is targeted."

Cyber-attacks by hackers linked to Anonymous have become a fairly regular occurance. Earlier this month, they marked the one-year anniversary of the uprising in Bahrain by attacking Combined Systems, a tactical weapons company that has been accused of selling tear gas canisters and grenades to Arab governments. Anonymous said the attack was in retaliation for sales by the company of chemical weapons "to repress our revolutionary movements".

Also earlier this month, a leak by the hacking group of an 18-minute discussion between members of the FBI and the Metropolitan policeembarrassed authorities and raised questions over how security was breached.

The call revealed officers discussing the delay of court proceedings against two alleged members of the LulzSec hacking group, which attacked a number of sites in 2011 including the US Congress and the UK's Serious Organised Crime Agency (Guardian, 2012)

Title: Chinese Hackers 'Had Full Access' To Nasa Lab That Commands 23 Spacecraft
Date: March 7, 2012
Daily Mail

Abstract: Chinese hackers gained 'full access' to the computer network in one of Nasa's key control centres, the Jet Propulsion Laboratory. 

JPL manages 23 spacecraft conducting active space missions, including missions to Jupiter, Mars and Saturn.   

The hackers, operating from an internet address in China, gained full system access in November 2011, allowing them to upload hacking tools to steal user IDs and control Nasa systems, as well as copy sensitive files. 

The hackers were also able to modify system logs to conceal their actions. 

‘The intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL's networks,’ said National Aeronautics and Space Administration Inspector General Paul Martin. 

The cyber attack was one of 'thousands' of computer security lapses at the space agency.

Martin said the hackers gained full system access, which allowed them to modify, copy, or delete sensitive files, create new user accounts and upload hacking tools to steal user credentials and compromise other NASA systems. 

National Aeronautics and Space Administration Inspector General Paul Martin testified before Congress on the breaches.

In another attack last year, intruders stole credentials for accessing NASA systems from more than 150 employees. 

Martin said the his office identified thousands of computer security lapses at the agency in 2010 and 2011.     

He also said NASA has moved too slowly to encrypt or scramble the data on its laptop computers to protect information from falling into the wrong hands.          

Unencrypted notebook computers that have been lost or stolen include ones containing codes for controlling the International Space Station, as well as sensitive data on NASA's Constellation and Orion programs, Martin said.

A NASA spokesman told Reuters on Friday the agency was implementing recommendations made by the Inspector General's Office.             

‘NASA takes the issue of IT security very seriously, and at no point in time have operations of the International Space Station been in jeopardy due to a data breach,’ said NASA spokesman Michael Cabbagehe.     

Giving testimony on the space agency's security issues, NASA Inspector General Paul K. Martin told Congress that 48 agency devices were lost or stolen over a two year period.

The mobile devices, which contained personable data, intellectual property, and highly sensitive export-controlled data, were stolen between April 2009 and April 2011, CBS News reported.

Over two years alone NASA was the victim of 5,408 computer security breaches that included unauthorized access to systems or the installation of unauthorized software. The incidents during 2010 and 2011 cost the space agency around $7 million.

Martin told Congress in written testimony: 'The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station,'

Another stolen laptop contained classified information on NASA's space exploration Constellation and Orion programs and employees social security details.

These figures may be the tip of the iceberg, Martin said because the system for reporting lost data or devices is voluntary: 

He said: 'NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files,' CBS News reported.

In 2011 NASA was the victim of 47 serious cyberattacks by individuals or groups attempting to steal information or gain access to systems, Martin said.

13 of these advanced persistent threats or (APTs) were successful including one attack in which system access codes for some 150 NASA employees were stolen. 

Another attack on the Jet Propulsion Laboratory in Pasadena, Calif. stemming from China based USPs is still under investigation. Cyber thieves 'gained full access to key JPL systems and sensitive user accounts,' Martin said. 

Martin painted a gloomy picture of security at NASA explaining while the rate of mandated encryption across government departments was 54 percent, just 1 percent of NASA portable devices are encrypted. 

'Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,' he said (Daily Mail, 2012)

Title: Hackers Anonymous Target Vatican
Date: Mach 7, 2012

Abstract: In a statement, the collective said on its Italian-language website: "Anonymous decided today to besiege your site in response to the doctrine, to the liturgies, to the absurd and anachronistic concepts that your for-profit organisation spreads around the world.

"This attack is not against the Christian religion or the faithful around the world but against the corrupt Roman Apostolic Church."

It also accused the Vatican of being "retrograde" in its interfering in Italian domestic affairs "daily".

Anonymous tried and failed to attack the Vatican website last year.

It has taken credit for a number of high-profile hacking actions against companies and institutions, including the CIA.

Five alleged computer hackers in Britain, Ireland and the United States were charged on Tuesday in high-profile cyber-attacks after a leader of the group became an FBI informant.

The charges against alleged members of Anonymous, Lulz Security and other international hacking groups were unveiled in indictments unsealed by the US District Court for the Southern District of New York.

The indictments cover some of the most notorious hacking incidents of the past several years including those against Sony Pictures Entertainment, private intelligence firm Stratfor and computer security firm HBGary (Telegraph, 2012).

Title: Chinese Hackers 'Had Full Access' To NASA Lab That Commands 23 Spacecraft
Date: March 7, 2012
Daily Mail

Abstract: Chinese hackers gained 'full access' to the computer network in one of Nasa's key control centres, the Jet Propulsion Laboratory. 

JPL manages 23 spacecraft conducting active space missions, including missions to Jupiter, Mars and Saturn.   

The hackers, operating from an internet address in China, gained full system access in November 2011, allowing them to upload hacking tools to steal user IDs and control Nasa systems, as well as copy sensitive files. 

The hackers were also able to modify system logs to conceal their actions. 

‘The intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL's networks,’ said National Aeronautics and Space Administration Inspector General Paul Martin. 

The cyber attack was one of 'thousands' of computer security lapses at the space agency.

Martin said the hackers gained full system access, which allowed them to modify, copy, or delete sensitive files, create new user accounts and upload hacking tools to steal user credentials and compromise other NASA systems. 

National Aeronautics and Space Administration Inspector General Paul Martin testified before Congress on the breaches.

In another attack last year, intruders stole credentials for accessing NASA systems from more than 150 employees. 

Martin said the his office identified thousands of computer security lapses at the agency in 2010 and 2011.

He also said NASA has moved too slowly to encrypt or scramble the data on its laptop computers to protect information from falling into the wrong hands.          

Unencrypted notebook computers that have been lost or stolen include ones containing codes for controlling the International Space Station, as well as sensitive data on NASA's Constellation and Orion programs, Martin said.

A NASA spokesman told Reuters on Friday the agency was implementing recommendations made by the Inspector General's Office.             

‘NASA takes the issue of IT security very seriously, and at no point in time have operations of the International Space Station been in jeopardy due to a data breach,’ said NASA spokesman Michael Cabbagehe.     

Giving testimony on the space agency's security issues, NASA Inspector General Paul K. Martin told Congress that 48 agency devices were lost or stolen over a two year period.

he mobile devices, which contained personable data, intellectual property, and highly sensitive export-controlled data, were stolen between April 2009 and April 2011, CBS News reported.

Over two years alone NASA was the victim of 5,408 computer security breaches that included unauthorized access to systems or the installation of unauthorized software. The incidents during 2010 and 2011 cost the space agency around $7 million.

Martin told Congress in written testimony: 'The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station,'

Another stolen laptop contained classified information on NASA's space exploration Constellation and Orion programs and employees social security details.

These figures may be the tip of the iceberg, Martin said because the system for reporting lost data or devices is voluntary: 

He said: 'NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files,' CBS News reported.

In 2011 NASA was the victim of 47 serious cyberattacks by individuals or groups attempting to steal information or gain access to systems, Martin said.

13 of these advanced persistent threats or (APTs) were successful including one attack in which system access codes for some 150 NASA employees were stolen. 

Another attack on the Jet Propulsion Laboratory in Pasadena, Calif. stemming from China based USPs is still under investigation. Cyber thieves 'gained full access to key JPL systems and sensitive user accounts,' Martin said. 

Martin painted a gloomy picture of security at NASA explaining while the rate of mandated encryption across government departments was 54 percent, just 1 percent of NASA portable devices are encrypted. 

'Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,' he said (Daily Mail, 2012).

Title: Anonymous Take Down Anti-Virus Giant And Vatican, Warn Of ‘March Storm’
Date: March 8, 2012

Abstract: Hacktivist group Anonymous has launched an online assault on anti-virus company Panda Security after Tuesday’s arrest of members of the hackers’ LulzSec collective. The group also raided the Vatican website in protest against the Catholic Church.

The online attack struck 25 websites belonging to the security firm on Wednesday night, defacing them with messages such as "Love to LulzSec/Antisec fallen friends". Anonymous also made off with the emails, passwords and usernames of over a hundred Panda Security employees, which were subsequently posted online.

Anonymous claim that Panda Security had a hand in the arrests 25 people in Spain and Latin America in February accusing them of snitching to law enforcement organizations in exchange for money.

Panda Security denies these allegations and released a statement saying the hackers had not “breached their internal network” and that no customer data had been tampered with.

The online assault follows the arrest of six suspected members of Anonymous/LulzSec on Tuesday in the UK and US. The arrests are reported to be the product of information handed over to the authorities by one of LulzSec’s leaders, Hector Xavier Monsegur, also known as Sabu, who had been acting as a mole for the authorities since last year.

Following the arrests, Anonymous posted on its Twitter feed: LulzSec was a group, but Anonymous is a movement. Groups come and go, ideas remain.”

Nothing sacred for Anonymous

Hackers from the Italian branch of the group attacked the Vatican’s website on Wednesday in protest against the Roman Catholic Church’s scandals, liturgies, conservative doctrines and controversial history.

The website was taken down on Wednesday and was inaccessible for hours. A Vatican spokesman said he could not confirm the crash was the work of the hackers, but said technicians were working to get it back up, Reuters reports.

"Anonymous has decided to put your site under siege in response to your doctrine, liturgy and the absurd and anachronistic rules that your profit-making organization spreads around the world," a statement published on the Italian website of the Anonymous group read.

Anonymous has become increasingly associated with international “hacktivism”, staging protests and high-profile cyber-attacks. The group has carried out attacks on scores of organizations, political parties and governments across the world.

The attack on the Holy See website comes as Anonymous warned of a “storm” to come in March.

“Trust us. You think you've seen the full muscles of #Anonymous up to now? Nah, you ain't seen NOTHING yet. Get ready. #March2012,” the group said on Twitter (RT, 2012)

Title: BBC Suffers Cyber-Attack Following Iran Campaign
Date: March 14, 2012

Abstract:  The BBC has suffered a sophisticated cyber-attack following a campaign by Iranian authorities against its Persian service, director-general Mark Thompson said on Wednesday.

Thompson also reported attempts to jam satellite feeds of the British Broadcasting Corporation services into Iran and to swamp its London phone lines with automated calls.

In extracts from a speech he will make later on Wednesday, Thompson stopped short of explicitly accusing Tehran of being behind the cyber-attack, but he described the coincidence of the attacks as "self-evidently suspicious".

Last month, Thompson accused Iranian authorities of arresting and threatening the families of BBC journalists to force them to quit the Persian news service.

"It now looks as if those who seek to disrupt or block BBC Persian may be widening their tactics," he said in the extracts of his speech, which the BBC released in advance.

"There was a day recently when there was a simultaneous attempt to jam two different satellite feeds of BBC Persian into Iran, to disrupt the Service's London phone-lines by the use of multiple automatic calls, and a sophisticated cyber-attack on the BBC," he said.

"It is difficult, and may prove impossible, to confirm the source of these attacks, though attempted jamming of BBC services into Iran is nothing new and we regard the coincidence of these different attacks as self-evidently suspicious," he added.

There was no immediate comment from Iranian authorities.

BBC Persian staff provide Farsi-language TV, radio and online services. Few Western journalists are permitted to work in Iran where the hardline Islamic government views much of the foreign media with suspicion.

The BBC's TV service has often been jammed and is only available to owners of illegal satellite receivers.

Thompson said he did not want to give any more details of the latest incidents but added: "We are taking every step we can, as we always do, to ensure that this vital service continues to reach the people who need it."

All BBC Persian service staff work outside Iran, and Thompson has accused Tehran authorities of instead arresting and intimidating their relatives who still live inside the country
(JPost, 2012)

Title: Anonymous Hackers Target Pope In Mexico
Date: March 23, 2012
Fox News

Abstract: The infamous Anonymous hacker group is not happy about Pope Benedict XVI's arrival in Mexico on Friday.

The group crashed at least two of the websites in Mexico on the eve of the Pope's visit on Thursday, claiming the papal visit is a political move to support the conservative National Action party.

Samuel Najera, spokesman for the Mexican Episcopal Conference, said its web page on the papal visit was blocked by "a cyber attack."

"We have been aware of the threat that has been making the rounds on social networks, that was brought to fruition today," Najera said. "This is part of a dynamic these days of a lack of safety and acts of intolerance toward certain groups."

"For the moment, this does damage to the logistics" of the papal visit, Najera said 

The site contained information on the pope's planned activities starting Friday in the north-central state of Guanajuato, which is governed by President Felipe Calderón's National Action Party, or PAN.

The Anonymous IberoAmerica website, which has been a channel of communication for such hacker "ops" in the past, said the site crashes were the result of Anonymous operations with names such "Pharisee" and "freeloader."

Anonymous Mexico said in a video posted on social media sites that the pope's visit will cost Mexicans money that could be better spent on the poor, and is meant to support the PAN in the July 1 presidential election. PAN candidate Josefina Vazquez Mota is trailing front-runner Enrique Pena Nieto of the Institutional Revolutionary Party by at least 10 percentage points in most polls on the race.

The official campaign season starts at the end of this month.

The pope's "visit comes precisely at the start of the electoral campaigns," said the faceless Anonymous figure in the video. "The PAN will take this as a political weapon to win the votes of millions of Catholics in Mexico."

Guanajuato is 93.8 percent Roman Catholic, the highest of any state in Mexico.

When asked about the timing of the pope's visit, Calderón's office released a March 11 press release noting that Calderón invited the pope in 2007.

Some people have also questioned the pope's decision not to come to liberal Mexico City, where legislators have legalized abortion and gay marriage in the federal district. The Vatican has said the pope cannot be at high altitudes. Mexico City is about 7,300 feet (2,225 meters) above sea level.

Another website with information on where to stay in Guanajuato and how to attend papal events was also crashed. That site was registered to Juan Carlos Mata Ruiz and a group called NIC Mexico.

The website of the Guanajuato state government was also out of service Thursday, the state press office acknowledged, but it would not say whether that was a result of hacking or a cyber attack (Fox News, 2012).

Title: Hackers 'Shut Down' Home Office Website
Date: April 7, 2012

Abstract: An apparent ‘denial of service’ attack, made it impossible to access the Home Office website for at least an hour.

Those trying to access the website were instead confronted by a notice that “Due to a high volume of traffic this page is currently unavailable.”

The attack appeared to have been partly in protest at extradition proceedings against Gary McKinnon, 46, who is accused of hacking US military computers.

Other posts about “draconian surveillance proposals” suggested the hackers were also angry about recent Government draft proposals that would potentially allow the security services to monitor every email, phone call and website visit to see who people were contacting and what websites they were looking at.

On Twitter, messages purporting to be from the hacking group, were posted under the name AnonOpUK, saying: “Anonymous is famous …. UK Home Office. Maybe you should start to listen to the people.”

Another message, apparently urging the hackers to continue the attack said: “Keep firing!”

A Home Office spokesman said: "We are aware of some reports that the Home Office website may be the subject of an online protest. We have put all potential measures in place and will be monitoring the situation very closely."

He said he was not in a position to discuss who might be mounting the suspected attack or why.

The Home Office added that if a successful denial of service attempt did occur tonight, it would "liaise with the technical team and update as necessary".

A denial of service attack prevents a website from functioning properly, sometimes by swamping it with more traffic than it can handle.

Such an action was believed to have been responsible for crashing the Home Office site.

The apparent attack came after it emerged last week that the Government was planning a massive expansion of its powers to monitor the email exchanges and website visits of every person in the UK.

Under legislation expected in next month's Queen's Speech, internet companies will be instructed to install hardware enabling GCHQ - the Government's electronic "listening" agency - to examine "on demand" any phone call made, text message and email sent, and website accessed, in "real time" without a warrant.

Ministers have faced a backlash over the plans, with senior MPs from both coalition parties, as well as civil liberties groups, lining up to denounce it.

The move has been condemned by opponents as an unnecessary extension of the state's powers to "snoop" on its citizens.

Anonymous, whose genesis can be traced back to a popular US image messaging board, has become increasingly politicised amid a global clampdown on music piracy and the international controversy over the whistleblowing website site WikiLeaks, with which many of its supporters identify.

Authorities in Europe, North America and elsewhere have made dozens of arrests, and Anonymous has increasingly attacked law enforcement, military and intelligence-linked targets in retaliation.

One of Anonymous's most spectacular coups was secretly recording a conference call between US and British cyber-investigators tasked with bringing the group to justice.

The collective has no real membership structure, with hackers, activists, and supporters able to claim allegiance to its freewheeling principles at their convenience (Telegraph, 2012).

Title: Grandpa, Patriot Who Goes By 'The Raptor,' Claims Credit For Taking Down Al Qaeda Websites
Date: April 10, 2012
Fox News

Abstract: An American hacker, who calls himself “The Raptor” and claims to be a grandfather waging his own war on terror, is taking credit for a series of takedowns of online forums used by 
Al Qaeda sympathizers, has learned.

Calling himself a patriot acting on behalf of U.S. troops serving overseas, The Raptor claims to be behind last month’s attack on Al Qaeda’s main online forum, Shamukh Islamic Network, and a handful of other sites and forums, including Ansar al-Mujahideen, where jihadists gather online to issue threats and exhort one another to acts of terror. The sites went down on March 22, and most remained dark for nearly two weeks. As the websites stayed offline, The Raptor taunted his targets on Twitter, daring them to “bring it.”

“Bow. Wave. Exit Stage Right. Curtains. Applause,” he tweeted after Shamukh, the main site used to blast out Al Qaeda content, was taken out of commission, only to return days later with a message blaming the outage on “Enemies of Allah.”

In the online world, where posters and hackers alike take on false personas and play a virtual game of cat and mouse, it is difficult to know if The Raptor is who he says he is, someone simply claiming credit, or if the hack attacks are part of some larger, government-related operation.

“Who is taking it down is an interesting question, but does it matter?” asked Jeff Bardin, cyberterror expert and former Air Force Arabic linguist who is now a principal at the private intelligence firm Treadstone 71.

If experts can’t be sure who is taking the jihadist sites down, it is unlikely the extremists who run them and post on them can, either. But it is all but certain they’ve been stung by the taunts of someone calling himself The Raptor, or as his Twitter handle is spelled, “the3raptor.”

“Just another infidel defending cyberspace for God and country,” The Raptor describes himself on Twitter.

A man who contacted through The Raptor’s Twitter page reluctantly described himself as a grandfather and retired military man with a child serving active duty. These details could not be confirmed independently by, and he declined to provide any other details about his identity.

While The Raptor is cagey about his true identity, he makes no effort to hide his agenda. He tweets frequently, and maintains a blog. Recently, he corresponded at length with via Twitter direct messaging.

“Our kids keep getting killed because jihadists make better bombs than they do cupcakes,” The Raptor said. “Anything I can do to disrupt and demoralize the enemy is worthwhile and on the table.

“Some say I and others like me are Crusaders; that we hate Islam or desire to offend Allah,” he continued. “That is absolutely and fundamentally wrong. Some of my best friends are Muslims, and I love them. They don’t wish me harm, and I would give my life to defend them. This has only to do with violent criminals who cloak themselves in the wool of a good and peaceful religion to bring death and destruction to the world.”

Whoever is behind the latest attacks on jihadist sites appears to be following in the tradition of a hacker who calls himself “The Jester,” and has been a thorn in the side of online extremists for years.

“It used to be just The Jester, taking down these terrorist sites, but he’s gotten really popular and people look up to him and now he has this whole following of people,” said one source close to the pro-American hacking group.

Another source familiar with the online front of the government’s war on terror said the methods employed in the recent takedowns suggest the work of more than one person, and speculated the Jester's following could be working together as a group.

“[The Raptor] claims to have taken down the sites but, of course, it could be anyone. It could be the government, spooks, or even the site administrators themselves,” the source said.

The Raptor claims he got interested in disrupting jihadist sites after realizing their power to radicalize and inspire Islamic extremists to acts of barbarism.

“The realization that some punk could get knowledge or inspiration from one of these sites to send my child home in a coffin,” he said. “It’s time to shut those sites down and get this war over with.”

The Raptor would not say whether he works with The Jester, but did acknowledge that he is part of a small group that took down the jihadist sites last month.

“You could count them on one hand and that is all I will say,” he said. “I worked alone for a while, but sometimes it really does take a village.”

He downplayed the technical savvy required to do the work he claims to have done.

“People place too much emphasis on these so-called skills,” he said in the exclusive online dialogue with “Most sites aren’t as well defended as one might believe -- and that includes legitimate sites we all use every day.”

Bardin agreed that taking down the extremist websites does not require extraordinary computer skill. He said most of the websites frequented by Al Qaeda members and sympathizers use a content management program called vBulletin, one of the first to offer Arabic language support. But Bardin said the system is easy for a skilled hacker to penetrate. Running a vulnerability scan will illuminate weaknesses and another option could be that vBulletin, which was recently purchased by a U.S.-based company, comes with built-in software that facilitates data mining.

“I have no evidence of such activity, but the question must be asked: If you were the government in need of root access to a system that is used to proliferate jihadist information and one that is used in approximately 90 percent of the jihadist online sites, wouldn’t you approach the new U.S. owners to provide such functionality?” Bardin said.

 Finally, the Raptor and other hackers could “drop” sites, or deny or take over online command.

“VBulletin is not built for security but for rapid deployment and ease of use,” Bardin said. “I am actually surprised that the sites have not been taken down by others and done so more frequently.”

While federal investigators decline to endorse or denounce The Raptor’s methods on the record, the hacker believes he’s helping the government wage its war on terror. And he has no desire to step forward and bask in the light of heroism.

“Credit is for banks -- I don't care about credit,” he told “I care about our kids surviving, and innocent people living in distant lands being able to go about their lives without fearing being blown up or being hacked into pieces. People can attribute actions to whomever or whatever they like, I don’t care.

“When the blood stops flowing, the historians can make of it what they wish,” he said. “I’ll just smile and play with my grandkids” (Fox News, 2012).

Title: Trojan Stealing Credit Card Details From Hotel Reception Software
April 19, 2012
Computer World

A remote access computer Trojan (RAT) designed to steal credit card details from hotel point-of-sale (PoS) applications is being sold on the underground forums, according to researchers from security firm Trusteer.

The researchers found an advertisement on a black market forum for a custom RAT designed to infect hotel front desk computers and steal customer credit card and billing information.

The seller was offering the computer Trojan, together with instructions on how to trick hotel front desk managers into installing it on their computers, for $280 (£175). The seller also claimed that the malware won't be detected by any antivirus program when it's delivered to the buyer.

Malware writers often repackage their malicious installers with new algorithms in order to evade signature-based antivirus detection, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender.

The repackaged samples can then be delivered via email or instant messaging without being stopped at the network perimeter. However, if an antivirus product with strong heuristic and behavioural detection capabilities is running on the targeted systems, the malware should be blocked at execution time, Botezatu said.

The hotel RAT's seller specified in the ad that the malware doesn't collect card security numbers, also known as CVV or CID, but this doesn't necessarily make the rest of the stolen information less useful to cybercriminals.

Some merchants are allowed to charge cards without the CVV details, especially in the US, Botezatu said. However, even if that wasn't the case, the data can still be used to phish the security codes from the card owners themselves or to search for the codes in existing data dumps that resulted from older phishing attacks, he said.

Most remote access computer Trojans have the capability to take screenshots, record keystrokes, download/upload files and execute arbitrary code, which makes them suitable for many types of cybercriminal operations.

The hotel RAT advertisement included screenshots of a particular PoS application, but its functionality might not be restricted to that specific program.

"The strength of RATs is their generic nature - they can be used to attack many different applications in use by many industries," said Amit Klein, Trusteer's chief technology officer. "We've seen RATs used against internal applications, banking applications, defense industries, etc."

Hotels typically have a limited IT staff or knowledge of malware and they handle a large number of credit cards on a daily basis, which makes them a perfect target, said Yaron Dycian, Trusteer's vice president of products.

The fact that the RAT's creator decided to target the hospitality industry is consistent with a recently observed change in the focus of cybercriminals - an expansion from online banking attacks to attacks against PoS systems.

"I think the main reason for this shift, or diversification, is the fact that POS machines, and some business machines serve as 'mini repositories' where information about many victims can be collected at once," Klein said. "This is in contrast with consumer machines which typically expose one or two accounts" (Computer World, 2012).

Title: Cyber-Attack Cripples US Website Covering Bo Xilai Scandal
Date: April 20, 2012

Abstract: A cyber-attack has crippled a US-based website that has reported extensively on 
China's biggest political turmoil in years. was forced to move to a another hosting service on Friday after its previous host said the attacks were threatening its entire business, said the website's manager, Watson Meng. He added that he believed the attacks were ordered by China's security services, but that it was unclear where they were launched from.

The assaults on Boxun's server followed days of reporting on Bo Xilai, formerly one of China's most powerful politicians, who was sacked as head of the Chongqing municipality and suspended from the party's politburo amid accusations that his wife was involved in the death of British businessman Neil Heywood.

The scandal has deeply embarrassed party leaders. Six years ago, whenShanghai powerful party chief Chen Liangyu was sacked in a corruption purge, Chinese social media was in its infancy and months went by with no word on the case against him.

The Bo scandal began to emerge in February when his former right-hand man and Chongqing police chief, Wang Lijun, visited the US consulate in a neighbouring city in an apparent attempt to seek asylum. Rumour abound on the internet of a spat with Bo, but neither the Chinese nor the US authorities revealed any details of the visit.

At the time, Bo admitted to not properly managing his staff, but it appeared he would keep his job and remain a candidate for the party's standing committee when a new generation of leaders is picked later this year.

But then suggestions began surfacing online that Wang was spreading the word about the alleged involvement of Bo's wife, Gu Kailai, in the death of Heywood, a business consultant with close ties to the Chongqing party chief's family. Those suspicions first appeared in a brief posting in early March by a reporter from the Southern Weekend newspaper group, who said he had received the information via a text message on 15 February from a number used only by Wang.

That happened after Chinese authorities took the police chief into custody on 7 February, so it was not known who sent the message. However, it was widely circulated online, and the foreign media flocked to Chongqing to investigate, making it had for the government to ignore the case.

A few weeks later, on 15 March, Bo was sacked, and on 10 April the authorities announced he was under investigation and that his wife and a household aide were suspects in the Heywood murder.

Boxun, which has reported on the scandal since early February, was brought down for several hours on Friday in a denial of service attack in which hackers deluge a website to paralyse it.

"We publish articles critical of the Chinese government so we're accused of having ulterior motives," Meng said. "But in the west, most media is critical of its government, so why can't we be?"

Foreign governments and companies often complain of cyber-attacks from China, although proving their origins and who the culprits are is rarely possible. Beijing denies that it uses hackers to attack web sites or steal secrets online.

Meng set up Boxun in 2000 to promote the pro-democracy movement, human rights, and expose corruption. Much of its material is submitted by readers. It has been the target of cyber-attacks before and has gone without advertising since 2005. The US government-funded National Endowment for Democracy provided funding for several years, but Meng says it is now wholly independent.

Not all of Boxun's reports have held water, but many of those alleging Gu's involvement in the Heywood death and Bo's falling-out with Wang have since been proven true or been corroborated by other sources.

Traffic to the site has increased 155% over the past three months, according to internet monitoring firm Alexa, with the second largest chunk of visitors coming from China, despite government blocks.

China heavily censors the internet and blocks Twitter, Facebook, YouTube and scores of other overseas sites. Government monitors swiftly remove sensitive postings and have tried to rein in the Chinese microblogging site Weibo by requiring proof of identification for new accounts and sometimes disabling sections where comments can be posted.

Still, the sites have a profound effect. Witness reports on a horrific train collision last year prompted disgust at officials' callousness and a sweeping safety review.

One reason why the crackdown has not been harder is because elements within the establishment also use it to attack rivals, spread misinformation or advance their own agendas, said Xiao Qiang, director of the China Internet Project at the University of California, Berkeley.

But they cannot completely control the online discussions or filter out all unwanted revelations, Xiao said. "Those facts and opinions generate pressure or create the conditions for the government to take actions such as firing Bo Xilai" (Guardian, 2012).

Title: Android Malware Being Delivered On Hacked Websites In Drive-By Download Attack
May 3, 2012
Computer World

Android malware is being spread by hacked websites in a new attack vector crafted for the mobile operating system, according to analysts at Lookout Mobile Security.

The style of attack is known as a drive-by download and is common on the desktop; when someone visits a hacked website, malware can transparently infect the computer if it doesn't have up-to-date patches.

"This appears to be the first time that compromised websites have been used to distribute malware targeting Android devices," Lookout said.

Lookout said it noticed that "numerous" websites had been compromised to execute the attack, although those sites had low traffic. The company expects the impact to Android users will be low. The malware that tries to install itself, dubbed "NotCompatible," appears to be a TCP relay or a proxy.

"This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy," Lookout said. "This feature in itself could be significant for system IT administrators: a device infected with NotCompatible could potentially be used to gain access to normally protected information or systems, such as those maintained by enterprise or government."

NotCompatible will automatically start downloading if the hacked website detects an Android device is visiting by looking at the web browser's user-agent string, which specifies the device's operating system.

The hacked websites have an hidden iframe, which is a window that brings other content into the target web site, at the bottom of a page. The iframe causes the browser to pull content from two other malicious websites hosting NotCompatible. If a PC accesses either of those websites, a "not found" error is displayed, Lookout said.

After the malware downloads, the device will ask a user to install the application. But for it to be installed, the Android device's settings must have "unknown sources" enabled, Lookout said. If the setting is not enabled, only applications from the Android Market, now called the Google Play store, can be installed (Computer World, 2012).

Title: New 'Unknowns' Hacking Group Hits NASA, Air Force, European Space Agency
Date: May 3, 2012
Fox News

Abstract: A new hacking group calling itself "The Unknowns" has published a list of passwords and documents reportedly belonging to NASA, the European Space Agency and the U.S. Air Force, among other high-profile government targets.

The group's Pastebin post, released yesterday (May 1), includes names and passwords reportedly belonging to NASA's Glenn Research Center as well as the U.S. Military's Joint Pathology Center, the Thai Royal Navy, Harvard University, Renault, the Jordanian Yellow Pages and the Ministries of Defense of France and Bahrain.

Softpedia reports that the hackers also posted screenshots of some of the sites they breached, and that although the post was made public yesterday, some of the hacks date back to March.

NASA's Glenn Research Center and the U.S. Military's Joint Pathology Center did not respond to requests for comment by SecurityNewsDaily.

In its message, The Unknowns explained the impetus for their exploits, and warned they could have caused much more damage than they did.

"Victims, we have released some of your documents and data, we probably harmed you a bit but that's not really our goal because if it was then all of your websites would be completely defaced but we know that within a week or two, the vulnerabilities we found will be patched and that’s what we're looking for."

The hackers said they are "ready to give you full info on how we penetrated threw [sic] your databases," and told the affected organizations to contact them.

SecurityNewsDaily contacted The Unknowns through the address the group posted,, but did not receive a response.

The Unknown's "hacking-for-good" stance is similar to that of Malicious Security (MalSec), a newly formed Anonymous spinoff that, ostensibly for "ethical purposes," leaked email addresses and passwords from several Romanian banks and government organizations (Fox News, 2012)

Title: New Group Of Hackers, Calling Themselves The Unknowns, Steal Codes From Nasa, The U.S. Military...And The Jordanian Yellow Pages
Date: May 4, 2012
Daily Mail

Abstract: Nasa and the U.S. military are among high-profile victims of a new group of hackers, calling themselves 'The Unknowns'.

The group, who professes to use its hacking abilities as a force of good, contacted a range of security-conscious firms and revealed a list of passwords and sensitive documents that they had plundered.

It is unclear whether the companies affected even knew that their security systems had been bypassed.

The Unknowns posted the names and passwords of employees at Nasa's Glenn Research Center, the U.S. Military's Joint Pathology Center, the European Space Agency, Thai Royal Navy, the ministries of defence of France and Bahrain, Harvard University and the Renault automotive firm.

Bizarrely, FoxNews also reports that the group targeted the Jordanian Yellow Pages. 

'We have released some of your documents and data, we probably harmed you a bit - but that's not really our goal, because if it was then all of your websites would be completely defaced. But we know that, within a week or two, the vulnerabilities we found will be patched and that’s what we're looking for' -The Unknowns e-mail 

The hackers also posted screenshots of some of the sites they breached, in raids that date back to March. 

The concept of hacking into companies to 'improve' their security systems is becoming more popular with hackers who want to justify their actions.

A similar stance has been taken by Malicious Security, or MalSec, a spin-off from whistle-blowing WikiLeaks.

In their e-mails to the companies affected, The Unknowns say their intentions were good - and say that they could have caused far more problems if they wanted to.

Addressed to 'Victims', the e-mail - misspelt and lacking punctuation - read: 'We have released some of your documents and data, we probably harmed you a bit but that's not really our goal because if it was then all of your websites would be completely defaced but we know that within a week or two, the vulnerabilities we found will be patched and that’s what we're looking for.' 

It concluded with the promise that The Unknowns were 'ready to give you full info on how we penetrated threw your databases' if the companies contacted them (Daily Mail, 2012).

Title: Cyber Security: Fake Android Antivirus App Linked To Zeus Banking Trojan
June 20, 2012
Computer World

A fake Android security application discovered recently is most likely a mobile component of the Zeus banking malware, security researchers from antivirus firm Kaspersky Lab said this week.

Called Android Security Suite Premium, the rogue app is capable of stealing SMS messages and uploading them to a remote server. When launched, the app displays a shield image that has long been associated with Windows fake antivirus programs, also known as FakeAV or scareware.

"How could I ever forget such an identifiable logo," Nathan Collier, a threat research analyst at antivirus firm Webroot, said . "Now that the developers of the popular FakeAV malware have entered into the mobile world expect to to see a lot more variations of this."

However, this might not be a mobile scareware app, but a new variant of ZitMo - Zeus in the Mobile, said Kaspersky Lab senior malware analyst Denis Maslennikov.

ZitMo apps are malicious mobile applications that are used by cybercriminals in conjunction with the Zeus computer Trojan in order to steal money from online banking accounts. They appeared back in 2010 as a response to banks implementing mobile-based security measures.

Their purpose is to steal mobile transaction authorisation numbers (mTANs) sent by banks to their customers via SMS messages. Without mTANs, fraudsters wouldn't be able to authorise transactions initiated with stolen credentials.

The registration information for the domain names where Android Security Suite Premium uploads stolen SMS messages matches the registration information for 2011 Zeus command-and-control domains, Maslennikov said. This, coupled with the app's SMS-stealing functionality makes it likely that this is a new ZitMo version.

Even though this app displays an activation code when opened, it doesn't display fake security alerts and doesn't ask users for money like scareware applications do, Maslennikov said. "It's not a fake AV - 100%" (Computer World, 2012).

Title: Cybercriminals Earn £48 Million In 'Operation High Roller' Bank Hack
June 26, 2012
Computer World

A global fraud ring has been targeting high net-worth businesses and individuals has netted the criminals an estimated €60 million (£48 million).

According to McAfee and Guardian Analytics which today issued a report on the fraud, "Dissecting Operation High Roller," the attacks, first identified this winter, have hit 60 or more institutions and the total amount stolen may in fact be may be much higher.

The two security firms say they have tracked "at least a dozen groups" that are relying on "server-side components and heavy automation" with about 60 servers processing thousands of attempted thefts from commercial accounts and the rich. This appears to be happening mainly in the European Union countries, though there's also evidence of it in Latin America and the US. These attacks are said to differ from the known malware-based SpyEye and Zeus attacks in that they are far more automated and usually done without human intervention.

"The advanced methods discovered in Operation High Roller show fraudsters moving toward cloud-based servers with multi-faceted automation in a global fraud campaign," said Dave Marcus, McAfee director of advanced research and threat intelligence.

McAfee and Guardian Analytics first spotted evidence of these crime activities in late January in an attack on a bank in Germany in which the victim log data on the server "showed the fraudsters compromised 176 accounts and attempted to transfer nearly one million Euros to mule accounts in Portugal, Greece, and the United Kingdom." The average account targeted held about €509,000

An attack against the German bank was highly automated, and in their report, the security firms say they had seen something similar in an earlier attack on a bank in Italy that involved SpyEye and Zeus malware to transfer funds but was more automated than anything they'd seen before.

The report says all manner of banking institutions have been targeted: credit union, large global bank and regional banks. In March, the fraudsters hit the Netherlands banking system with this newer style of server-side automated attack. They circumvented endpoint security and monitoring tools used for fraud detection at the institution, the report says. The server was based in San Jose, California, and has also apparently been used against victims in the US whose accounts contained at least $1 million.

A hit against two banks in the Netherlands reached into more than 5,000 business accounts. The attempted fraud was estimated to be €35.58 million. Later in March, the security firms also became aware of attacks in Latin America, where more than a dozen businesses in Colombia were targeted, each having an account balance between $500,000 and $2 million. The server used in this wave of attacks was hosted in La Brea, California, though there was evidence of fraudsters logging in from Moscow to "manipulate some of the transactions in an attempt to transfer arbitrary amounts as high as 50% - 80% of the victim's balance." McAfee and Guardian Analytics say they've shared their findings with law enforcement agencies.

According to the report, the wave of Operation High Roller attacks builds on Zeus/SpyEye malware to compromise the victims' computers and skim credentials in order to execute a fraudulent transaction from a bank account. But although "there can be live intervention" in the High Roller attacks, most of them have been "completely automated, allowing for repeated thefts once the system has been launched at a particular bank or for a given Internet banking platform."

According to the report, these "updated attacks found in the Netherlands and the US move fraudulent transaction processing from the client to the server. Fraudulent activities - including the actual account log-in - are performed from a fraudster's server that is located at a 'bullet proof' ISP (one with crime-friendly usage policies), locked down against changes, and moved frequently to avoid discovery. After each move, the web injects are updated to link to the new location."

In addition, the attacks up the ante on evasive maneuvers. According to the report, code customisation that includes rootkits for client-side malware and encrypted links help hide the criminal attack process and avoid antivirus scans. "And some of the web serves move dynamically so that blacklisting and reputation-centric technologies are not effective." The report says the techniques used are basically "a significant breakthrough for the fraudsters" because they represent the "defeat of two-factor authentication that uses physical devices."

The report goes on to state: "We are working to assess and improve the defenses at McAfee and Guardian Analytics financial service customers. This attack should not be successful where companies have layered controls and detection software correctly. We are working to map out appropriate security configurations, such as activation of real-time threat intelligence on client hosts and use of hardware-assisted security to defeat evasive malware."

The report points to the need for anomaly-detection software and strengthening of endpoint controls for consumers. But Operation High Roller was "successful," the security firms acknowledge. "Our research found attacks succeeding in the most respected financial institutions, as well as the small, specialised credit unions and regional banks that may have felt they presented too paltry a target" (Computer World, 2012).

Title: Android Trojan Attacks SMS Smartphone Bank Security
July 11, 2012
Computer World

Security company Trusteer is warning about an Android Trojan that is being distributed by criminals to beat the SMS smartphone authentication systems employed by European banks to verify money transfers.

Man-in-the middle (MitM) attacks on 2FA technology via mobiles started around a year ago based on the simple observation that the apparent strength of SMS verification is also its weakness if hackers are able to compromise the handset itself.

The SMS one-time passcode or transaction PIN looks like a way of shutting out online bank fraudsters who have gained access to a user's online account so criminals have devoted time to working out how to intercept that code.

Trusteer has now seen the first mobile attacks based on the recent 'Tatanga' Trojan, as well as new configurations of the infamous SpyEye Trojan it has named 'SPITMO' (SpyEye in the mobile).

Users infected by the Windows Trojan are asked for their mobile numbers before being directed to a website that installs what is claimed to be a mobile security application. Once they have entered an 'activation code' – actually just a way for the attackers to know the mobile is live – the attackers are free to capture any traffic sent to that device.

The mechanics of the attack vary by country and that is perhaps the biggest feature of this attack – it targets a range of major European online banks, particularly those in Spain and Germany. 

“Once fraudsters have infected a victim’s web and mobile endpoints, very few security mechanisms can prevent fraud from occurring,” said Trusteer CTO, Amit Klein, whose company offers in-browser tools that specialise in blocking such attacks.
Where are the attacks based? Perhaps China or the US, both countries  from which the fake websites were registered but nobody can be sure.

“This discovery confirms that Man-in-the-Mobile attacks are focusing primarily on Android devices. Multiple studies show that Android devices account for more than 60 percent of smartphone market in the targeted countries,” he said.  

“Android popularity and the relative ease of developing and distributing Android applications are probably the reasons why Cybercriminals have singled out this particular platform for mobile malware attacks. “

The attack is really about finding a way around the two-factor authentication systems that are starting to become common on many online banking systems, including those accessed via mobiles. Given the relative simplicity of the social engineering involved this now looks like a serious avenue of attack.

“With nearly 60 percent of the market and a reputation for weak app security, it’s no surprise that Android has become the preferred target for financial malware,” emphasised Klein (Computer World, 2012).

Title: Police Alert After Ransom Trojan Locks Up 1,100 PCs
August 2, 2012
Computer World

UK authorities have issued an urgent warning about a ransomware attack has successfully extorted money from dozens of victims by impersonating the country’s Police Central e-Crime Unit (PCeU).

Ransom attacks using threats that pose as the PCeU and other European police forces in order to issue fine threats have become common in the last two years, but it is still unusual for any hard numbers on infection rates or victim numbers to come to light.

The latest unidentified attack had infected 1,100 computers in the UK, successfully conning 36 people into paying £100 each to the criminals, police said. The true numbers will be much larger because official reports only show a snapshot of what is happening.

The procedure for such attacks is always very similar. Users visit or are redirected to a porn or gambling site that hits them with a drive-by attack, usually based on a software vulnerability in a browser plug-in. The user’s PC is then hijacked and the users asked for money in order to regain control.

Sometimes the attack will issue threats, including that the user will be exposed for visiting a porn site (whether they have or not), while on other occasions the demand is a straight ‘pay us or you will not be able to use your PC.’

“This is a fraud and users are advised NOT to pay out any monies or hand out any bank details,” urged the PCeU.  

“This scam is now affecting many countries in Europe and further afield, with each email tailored to include the branding of that country's law enforcement agency. Europol are coordinating with Europe's law enforcement agencies on this matter,” the PCeU said.

Users can advise of such attacks on the PCeU’s website. This won’t help get lost money back – victims should phone their credit card company immediately – but will help police plot new attacks before they successfully infect more computers.

Earlier this year, Trend Micro published an analysis that pinned the blame for the wave of police impersonation attacks on perhaps a single Russian gang. These have also hit native Russians too.

Another variation on the theme has been to impersonate software companies such as Microsoft, threatening the end user by claiming they are using a pirated copy of Windows. The criminals just never let  up (Computer World, 2012).

Title: Saudi Oil Producer’s Computers Restored After Virus Attack
August 26, 2012
New York Times

Saudi Aramco, the world’s biggest oil producer, has resumed operating its main internal computer networks after a virus infected about 30,000 of its workstations earlier this month, the company said Sunday.

Immediately after the Aug. 15 attack, the company announced it had cut off its electronic systems from outside access to prevent further attacks.

On Sunday, Saudi Aramco said the workstations had been cleansed of the virus and restored to service. Oil exploration and production were not affected because they operate on isolated systems, it said.

“We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever,” Saudi Aramco’s chief executive, Khalid al-Falih, said in a statement.

However, one of Saudi Aramco’s Web sites taken offline after the attack — — remained down on Sunday. E-mails sent by Reuters to people within the company continued to bounce back.

The company said that the virus “originated from external sources,” and that an investigation into the causes of the incident and those responsible was continuing. It did not elaborate.

Information technology experts have warned that computer attacks on countries’ energy infrastructure, whether conducted by hostile governments, militant groups or private “hacktivists” to make political points, could disrupt energy supplies.

Iran, the focus of international economic sanctions focused on its oil industry over its disputed nuclear program, has been hit by several computer attacks in the last few years.

In April, a virus infected the Iranian oil ministry and national oil company networks, forcing Iran to disconnect the control systems of oil facilities including Kharg Island, which handles most of its crude exports.

Iran has attributed some of the attacks to the United States, Israel and Britain.

Current and former American officials have said that the United States built the complex Stuxnet computer worm to try to prevent Tehran from completing suspected nuclear weapons work.

An English-language posting on an online bulletin board on Aug. 15, signed by a group called the “Cutting Sword of Justice,” claimed the group was responsible for the attack and wanted to destroy the 30,000 computers at Saudi Aramco.

It said the company was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries, including Syria and Bahrain. Saudi Arabia sent troops into Bahrain last year to back the gulf state’s Sunni Muslim rulers against Shiite-led protesters. Riyadh is also supporting Sunni rebels against the Syrian government of President Bashar al-Assad.

The Cutting Sword of Justice was not widely known before this attack, and information security experts contacted by Reuters had no information on the group.

Rob Rachwald, director of security strategy for United States-based data security firm Imperva, said in a blog posting last week that if the Saudi Aramco attack had been carried out by hacktivists, it could be a milestone in computer hacking.

“A group of hobbyists and hacktivists with several very strong-minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish,” Mr. Rachwald wrote.

Symantec, one of the world’s largest Internet security companies, said on the day after the Saudi Aramco attack that it had discovered a new virus directed against at least one organization in the global energy sector, although it did not name that organization.

“It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable,” Symantec said in a blog posting about the virus, which it called W32.Disttrack. “Threats with such destructive payloads are unusual and are not typical of targeted attacks.”

Mr. al-Falih, the oil company’s chief executive, said in his statement on Sunday: “Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyberattack” (New York Times, 2012).

Title: Qatar Group Falls Victim To Virus Attack
Date: August 30, 2012

Abstract: Qatar’s RasGas, one of the world’s largest producers of natural gas, has become the second major state-owned Middle East energy company to be hit by a severe computer virus in weeks.

The disruption came after Saudi Aramco, the government-backed company that is the world’s largest crude oil producer, was also attacked by a computer virus.

Saudi Aramco said in a statement on Sunday that it has restored its “main internal network services” after the attack on August 15. But oil traders in Houston, Geneva and London on Thursday said they were communicating with Aramco’s counterpart by fax and telex, as the company’s external email services were still down (FT, 2012)

Title: Mole Hack? 30,000 Computers Of World's Biggest Oil Company Hit
Date: September 8, 2012

Abstract: Insiders are thought to have facilitated the cyber-attack on the world’s largest oil company, says a probe. The group behind the hack on state-run Saudi Aramco claim the attack is revenge for “crimes and atrocities” by the Saudi government.

"It was someone who had inside knowledge and inside privileges within the company," a source familiar with investigation told Reuters.

The Shamoon virus spread through the company’s computer network last month, wiping the data from at least 30,000 computers, in one of the most destructive cyber-attacks on a single business in history.

Reports say to prevent any drastic consequences Aramco prohibited its employees from sending or receiving emails outside of the company and had to switch to paper transactions while it was dealing with the virus.

Hackivist group The Cutting Sword of Justice claimed responsibility for the attack on the company. They issued a statement saying that the attack was politically motivated and revenge for the “crimes and atrocities” committed by the Saudi Arabian government.

The previously unknown hacker organization also said that they had obtained classified documents from the hack and threatened to release them, although thus far nothing has been published.

Saudi Aramco has not made any comments regarding its ongoing investigation into the mass hack, refraining from speculating on what it called

“Rumors and Conjecture.”
“This was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack,” said the company’s chief executive Mr. al-Falih. He went on to say “not a single drop of oil was lost and no critical systems were harmed.

Meanwhile, Qatari gas producer RasGas announced that it had been affected by a similar virus at the end of August.

Uncommonly ‘Destructive’
The virus in question, known as Shamoon, is not a sophisticated cyber weapon designed for high-level insurgency. It is used to attack ordinary business computers.

“Based on initial reporting and analysis of the malware, no evidence exists that Shamoon specifically targets industrial control systems components or US government agencies,” the Department of Homeland Security’s United States Computer Emergency Readiness Team said in an August 29 advisory.

Once the Shamoon virus has infiltrated a computer network it attempts to infect every computer. The virus is capable of stealing information and erasing all data on the devices, experts say.

“We don’t normally see threats that are so destructive, it’s probably been 10 years since we saw something so destructive,” said Liam O Murchu from computer security firm Symantec.

Repression and marginalization

Saudi Arabia saw a number of protests across the country recently with the country’s Shia Muslim minority protesting against discrimination from the ruling Sunni monarchs. 

The Shia protests were triggered last year in March when the Saudi government sent troops to neighboring Bahrain to crackdown on Shia protesters. Bahrain is also ruled by a Sunni Muslim monarchy (RT, 2012)

Title: Mexican Hackers Attack Political, Official Sites
Date: September 16, 2012
USA Today

Abstract: Mexican hackers have taken over more than a dozen websites belonging to political parties and local governments and posted a message criticizing the government on the nation's Independence Day.

The hackers targeted sites such as that of the government-owned National Auditorium, the National Action Party branch in the Yucatan and the southeastern Mexican town of Macuspana.

The group calls itself Ciber Protesta Mexicana and says it's not connected to the international Anonymous hackers group.

Hacked pages displayed a black screen with text denouncing violence in Mexico, the electoral institute's certification of July 1 election results and what it says was the imposition of President-elect Enrique Pena Nieto.

The page listed the federal Congress's TV site as one of those hacked, but it was working normally Sunday afternoon (USA Today, 2012).

Title: Chinese Hackers Blamed For Intrusion At Energy Industry Giant Telvent
Date: September 26, 2012
Krebs On Security

Abstract: A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.

The attack comes as U.S. policymakers remain gridlocked over legislation designed to beef up the cybersecurity posture of energy companies and other industries that maintain some of the world’s most vital information networks.

In letters sent to customers last week,Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.

The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.

“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company said in a letter mailed to customers this week, a copy of which was obtained by “Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.”

The incident is the latest reminder of problems that can occur when corporate computer systems at critical networks are connected to sensitive control systems that were never designed with security in mind. Security experts have long worried about vulnerabilities being introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to so-called “supervisory control and data acquisition,” or SCADA, systems that can be accessed through the Internet or by phone lines. The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely, but experts say it also exposes these once-closed systems to cyber attacks.

Telvent did not respond to several requests for comment. But in a series of written communications to clients, the company detailed ongoing efforts to ascertain the scope and duration of the breach. In those communications, Telvent said it was working with law enforcement and a task force of representatives from its parent firm, Schneider Electric, a French energy conglomerate that employs 130,000 and has operations across the Americas, Western Europe and Asia. Telvent reportedly employs about 6,000 people in at least 19 countries around the world.

The disclosure comes just days after Telvent announced it was partnering with Foxborough, Mass. based Industrial Defender to expand its cybersecurity capabilities within Telvent’s key utility and critical infrastructure solutions. A spokesperson for Industrial Defender said the company does not comment about existing customers.

In its most recent dispatch to customers impacted by the breach, dated Sept. 25, 2012, Telvent executives provided details about the malicious software used in the attack. Those malware and network components, listed in the photocopied Telvent communication shown here strongly suggest the involvement of Chinese hacker groups tied to other high-profile attacks against Fortune 500 companies over the past several years.

Joe Stewart, director of malware research at Dell SecureWorks and an expert on targeted attacks, said the Web site and malware names cited in the Telvent report map back to a Chinese hacking team known as the “Comment Group.”

In July, Bloomberg News published an in-depth look at the Comment Group and its many years of suspected involvement in deploying sophisticated attacks to harvest intellectual property and trade secrets from energy companies, patent law firms and investment banks.

That investigation looked at data gathered by a loose-knit group of 30 security researchers, who tracked the Comment Group’s activity over less than two months last year and uncovered evidence that it had infiltrated at least 20 organizations — “many of them organizations with secrets that could give China an edge as it strives to become the world’s largest economy. The targets included lawyers pursuing trade claims against the country’s exporters and an energy company preparing to drill in waters China claims as its own.”

Politicians in Congress and the Obama administration are becoming more vocal about accusing China and Russia of hacking U.S. computer networks for economic gain, espionage and other motives. But those accusations tend to ring hollow abroad, as Reuters recently observed: “U.S. standing to complain about other nations’ cyber attacks has been undermined, however, by disclosures that Washington, along with Israel, launched sophisticated offensive cyber operations of its own against Iran to try to slow that nation’s suspected quest for a nuclear weapon.” The malware alluded to in that Reuters piece — Stuxnet — was designed to attack specific vulnerabilities in SCADA systems known to be used in Iran’s uranium enrichment facilities.

Nevertheless, a mounting body of evidence suggests the involvement of one or two Chinese hacking groups in a host of high-profile corporate cyber break-ins over the past several years. Symantec Corp. reported earlier this month that a Chinese hacker group responsible for breaking into Google Inc in 2009 – an operation later dubbed Operation Aurora – had since launched hundreds of other cyber assaults, focusing on defense companies and human rights groups. Earlier this week, I detailed additional research on this front which showed espionage attackers often succeed in a roundabout way — by planting malware at “watering hole” sites deemed most likely to be visited by the targets of interest (Krebs On Security, 2012)

Title: Major Banks Hit With Biggest Cyberattacks In History
Date: September 27, 2012
Daily Finance

Abstract:  There's a good chance your bank's website was attacked over the past week.

Since Sept. 19, the websites of Bank of America (
BAC), JPMorgan Chase (JPM), Wells Fargo (WFC), U.S. Bank (USB) and PNC Bank (PNC) have all suffered day-long slowdowns and been sporadically unreachable for many customers. The attackers, who took aim at Bank of America first, went after their targets in sequence. Thursday's victim, PNC's website, was inaccessible at the time this article was published.

Security experts say the outages stem from one of the biggest cyberattacks they've ever seen. These "denial of service" attacks -- huge amounts of traffic directed at a website to make it crash -- were the largest ever recorded by a wide margin, according to two researchers.

Banks get hit by cyberattackers all the time and typically have some of the best defenses against them. This time, they were outgunned.

"The volume of traffic sent to these sites is frankly unprecedented," said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. "It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."

To carry out the cyberattacks, the attackers got hold of thousands of high-powered application servers and pointed them all at the targeted banks. That overwhelmed Bank of America and Chase's Web servers on Sept. 19, Wells Fargo and U.S. Bank on Wednesday and PNC on Thursday. Fred Solomon, a spokesman for PNC, confirmed that a high volume of traffic on Thursday was affecting users' ability to access the website, but he declined to go into more detail.

Denial of service attacks are an effective but unsophisticated tool that doesn't involve any actual hacking. No data was stolen from the banks, and their transactional systems -- like their ATM networks -- remained unaffected. The aim of the attacks was simply to temporarily knock down the banks' public-facing websites.

To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a "botnet."

That level of pre-planning is a deviation from the kinds of denial of service attacks launched at banks in the past by so-called "hacktivists." Typically, hacktivists use home PCs infected with malware to amass their botnets. Attacks on this scale would be impossible to carry out with home PCs -- users too frequently turn them off or disconnect them from the Internet.

The Islamist group Izz ad-Din al-Qassam Cyber Fighters publicly claimed responsibility for the attacks in what it called "Operation Ababil," but researchers are divided about how seriously to take their claims. The group has launched attacks in the past, but those have been far less coordinated than the recent batch.

Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.

"I don't believe these were just hackers who were skilled enough to cause disruption of the websites," he said. "I think this was done by Iran ... and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

A call requesting comment from the Department of Homeland Security's cybersecurity office was not immediately returned.

A cybersecurity firm following the attacks also expressed doubt about the connections between the Cyber Fighters and the bank attacks. On social networks and chat forums, the group urged its followers to use a mobile "low orbit ion cannon" -- a software tool typically used by Anonymous and other hacktivist groups to direct a massive flood of traffic at a targeted site.

That tool was not used in the attack, according to Ronen Kenig, director of security products at cloud security firm Radware.

"Supporters of this group didn't join in the attack at all, or they joined in but didn't use that tool," said Kenig. "The attack used a botnet instead." He doesn't think the Cyber Fighters would have access to a botnet as advanced as the one used by the attackers.

But CrowdStrike's Alperovitch said he is "quite confident" the perpetrator was the Izz ad-Din al-Qassam Cyber Fighters, since they announced each attack well before it was carried out, and the attack wasn't that sophisticated -- it just took significant planning. PNC was the last target on the lists the Cyber Fighters have circulated, but more attacks could still be coming.

Both researchers agree that the controversial anti-Muslim YouTube video was not the initial impetus for the attacks, as the Cyber Fighters claimed in messages recruiting volunteers to join in. Before the video was even released, the group claimed responsibility for similar attacks.

"The video is simply an excuse," Alperovitch said. "It's a red herring"
(Daily Finance, 2012).

Title: Major Banks Hit With Biggest Cyberattacks In History
Date: September 28, 2012

Abstract: There's a good chance your bank's website was attacked over the past week.

Since Sept. 19, the websites of Bank of America (BACFortune 500),JPMorgan Chase (JPMFortune 500), Wells Fargo (WFCFortune 500), U.S. Bank (USBFortune 500) and PNC Bank have all suffered day-long slowdowns and been sporadically unreachable for many customers. The attackers, who took aim at Bank of America first, went after their targets in sequence. Thursday's victim, PNC's website, was inaccessible at the time this article was published.

Security experts say the outages stem from one of the biggest cyberattacks they've ever seen. These "denial of service" attacks -- huge amounts of traffic directed at a website to make it crash -- were the largest ever recorded by a wide margin, according to two researchers.

Banks get hit by cyberattackers all the time and typically have some of the best defenses against them. This time, they were outgunned.

"The volume of traffic sent to these sites is frankly unprecedented," said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. "It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."

To carry out the cyberattacks, the attackers got hold of thousands of high-powered application servers and pointed them all at the targeted banks. That overwhelmed Bank of America and Chase's Web servers on Sept. 19, Wells Fargo and U.S. Bank on Wednesday and PNC on Thursday. Fred Solomon, a spokesman for PNC, confirmed that a high volume of traffic on Thursday was affecting users' ability to access the website, but he declined to go into more detail.

Denial of service attacks are an effective but unsophisticated tool that doesn't involve any actual hacking. No data was stolen from the banks, and their transactional systems -- like their ATM networks -- remained unaffected. The aim of the attacks was simply to temporarily knock down the banks' public-facing websites.

To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a "botnet."

That level of pre-planning is a deviation from the kinds of denial of service attacks launched at banks in the past by so-called "hacktivists."Typically, hacktivists use home PCs infected with malware to amass their botnets. Attacks on this scale would be impossible to carry out with home PCs -- users too frequently turn them off or disconnect them from the Internet.

The Islamist group Izz ad-Din al-Qassam Cyber Fighters publicly claimed responsibility for the attacks in what it called "Operation Ababil," but researchers are divided about how seriously to take their claims. The group has launched attacks in the past, but those have been far less coordinated than the recent batch.

Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.

"I don't believe these were just hackers who were skilled enough to cause disruption of the websites," he said. "I think this was done by Iran ... and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

A call requesting comment from the Department of Homeland Security's cybersecurity office was not immediately returned.

A cybersecurity firm following the attacks also expressed doubt about the connections between the Cyber Fighters and the bank attacks. On social networks and chat forums, the group urged its followers to use a mobile "low orbit ion cannon" -- a software tool typically used by Anonymous and other hacktivist groups to direct a massive flood of traffic at a targeted site.

That tool was not used in the attack, according to Ronen Kenig, director of security products at network security firm Radware.

"Supporters of this group didn't join in the attack at all, or they joined in but didn't use that tool," said Kenig. "The attack used a botnet instead." He doesn't think the Cyber Fighters would have access to a botnet as advanced as the one used by the attackers.

But CrowdStrike's Alperovitch said he is "quite confident" the perpetrator was the Izz ad-Din al-Qassam Cyber Fighters, since they announced each attack well before it was carried out, and the attack wasn't that sophisticated -- it just took significant planning. PNC was the last target on the lists the Cyber Fighters have circulated, but more attacks could still be coming.

Both researchers agree that the controversial anti-Muslim YouTube video was not the initial impetus for the attacks, as the Cyber Fighters claimed in messages recruiting volunteers to join in. Before the video was even released, the group claimed responsibility for similar attacks.

"The video is simply an excuse," Alperovitch said. "It's a red herring" (CNN, 2012)

Title: US Banks Hit By More Than A Week Of Cyberattacks
Date: September 28, 2012
U.S. News

Abstract: U.S. banks have been buffeted by more than a week of powerful cyberattacks, but the mystery surrounding their perpetrators lingers.

One expert said Friday that he was suspicious of claims of responsibility purportedly made by Islamists angry at an anti-Muslim movie made in the United States, explaining that the widely-circulated Internet postings might have been an attempt to deflect attention from the true culprit.

"In the intelligence world, we call that a 'false flag,'" said Mike Smith, whose Web security company Akamai has helped analyze some of the attacks.

The postings, published to the Web earlier this month, suggested that an obscure Islamist group had taken revenge on American financial institutions for the "Innocence of Muslims," a low-budget U.S. film that ridiculed Muhammad, revered by Muslims as the last of God's prophets.

Since then at least half a dozen banks — including the Bank of America, JPMorgan Chase, and Citigroup — have witnessed traffic surges and disruptions. Not all have confirmed they were the victims of an online onslaught, but such surges are a hallmark of denial-of-service attacks, which work by drowning target websites with streams of junk data.

Such attacks are fairly common and generally don't compromise sensitive data or do any lasting damage. Still, they can be a huge headache for companies that rely on their websites to interact with customers.

Most say the recent spate of attacks has been unusually powerful. PNC bank, which was hit on Thursday, has never seen such a strong surge in traffic, spokesman Fred Solomon said in a telephone interview. Smith said he estimated the flow of data at 60 to 65 gigabits per second.

Smith said the profile and power of the attack made it an unlikely fit for the religious youth that the Internet postings called upon to join in the anti-U.S. campaign. He explained that politically-motivated hackers — often called hacktivists — usually flood the Web with appeals for support and post links to software that can turn followers' personal computers into crude cyberweapons.

Twitter and online chat rooms then explode with activity, as casual supporters pile in to coordinate attacks.

"You're not seeing that with this particular set of attacks," Smith said. "At the same time ... the attack traffic is fairly homogeneous. It's not this wide cornucopia of attacks that's coming at you that you see with a hacktivist attack."

So who is behind the campaign?

Cybercriminals often use denial-of-service attacks to shake down smaller websites, but major U.S. banks make unlikely targets for a protection racket.

Could a state actor be at play? U.S. Senator Joe Lieberman, without offering any proof, said he believed the assaults were carried out by Iran in retaliation for tightened economic sanctions imposed by the United States and its allies.

Smith demurred when asked who could be behind the campaign, although he said there were "only a handful of groups out there that have the technical ability or incentive" to carry it out.

In any case, the online attacks appeared to be easing. Solomon, the PNC bank spokesman, said while traffic remained heavy Friday the flow was gradually returning to normal.

Doug Johnson, with the American Bankers Association, echoed that assessment.

"I believe it's tapering off," he said (U.S. News, 2012).

Title: White House Hack Attack
Date: September 30, 2012
Free Beacon

Abstract: Hackers linked to China’s government broke into one of the U.S. government’s most sensitive computer networks, breaching a system used by the White House Military Office for nuclear commands, according to defense and intelligence officials familiar with the incident.

One official said the cyber breach was one of Beijing’s most brazen cyber attacks against the United States and highlights a failure of the Obama administration to press China on its persistent cyber attacks.

Disclosure of the cyber attack also comes amid heightened tensions in Asia, as the Pentagon moved two U.S. aircraft carrier strike groups and Marine amphibious units near waters by Japan’s Senkaku islands.

China and Japan—the United States’ closest ally in Asia and a defense treaty partner—are locked in a heated maritime dispute over the Senkakus, which China claims as its territory.

U.S. officials familiar with reports of the White House hacking incident said it took place earlier this month and involved unidentified hackers, believed to have used computer servers in China, who accessed the computer network used by the White House Military Office (WHMO), the president’s military office in charge of some of the government’s most sensitive communications, including strategic nuclear commands. The office also arranges presidential communications and travel, and inter-government teleconferences involving senior policy and intelligence officials.

An Obama administration national security official said: “This was a spear phishing attack against an unclassified network.”

Spear phishing is a cyber attack that uses disguised emails that seek to convince recipients of a specific organization to provide  confidential information. Spear phishing in the past has been linked to China and other states with sophisticated cyber warfare capabilities.

The official described the type of attack as “not infrequent” and said there were unspecified “mitigation measures in place.”

“In this instance the attack was identified, the system was isolated, and there is no indication whatsoever that any exfiltration of data took place,” the official said.

The official said there was no impact or attempted breach of a classified system within the office.

“This is the most sensitive office in the U.S. government,” said a former senior U.S. intelligence official familiar with the work of the office. “A compromise there would cause grave strategic damage to the United States.”

Security officials are investigating the breach and have not yet determined the damage that may have been caused by the hacking incident, the officials said.

Despite the administration national security official’s assertion, one defense official said there is fairly solid intelligence linking the penetration of the WHMO network to China, and there are concerns that the attackers were able to breach the classified network.

Details of the cyber attack and the potential damage it may have caused remain closely held within the U.S. government.

However, because the military office handles strategic nuclear and presidential communications, officials said the attack was likely the work of Chinese military cyber warfare specialists under the direction of a unit called the 4th Department of General Staff of the People’s Liberation Army, or 4PLA.

It is not clear how such a high-security network could be penetrated. Such classified computer systems are protected by multiple levels of security and are among the most “hardened” systems against digital attack.

However, classified computer systems were compromised in the past using several methods. They include the insertion of malicious code through a contaminated compact flash drive; a breach by a trusted insider, as in the case of the thousands of classified documents leaked to the anti-secrecy web site Wikileaks; and through compromised security encryption used for remote access to secured networks, as occurred with the recent compromise involving the security firm RSA and several major defense contractors.

According to the former official, the secrets held within the WHMO include data on the so-called “nuclear football,” the nuclear command and control suitcase used by the president to be in constant communication with strategic nuclear forces commanders for launching nuclear missiles or bombers.

The office also is in charge of sensitive continuity-of-government operations in wartime or crises.

The former official said if China were to obtain details of this sensitive information, it could use it during a future conflict to intercept presidential communications, locate the president for targeting purposes, or disrupt strategic command and control by the president to U.S. forces in both the United States and abroad.

White House spokesmen had no immediate comment on the cyber attack, or on whether President Obama was notified of the incident.

Former McAffee cyber threat researcher Dmitri Alperovitch said he was unaware of the incident, but noted: “I can tell you that the Chinese have an aggressive goal to infiltrate all levels of U.S. government and private sector networks.”

“The White House network would be the crown jewel of that campaign so it is hardly surprising that they would try their hardest to compromise it,” said Alperovictch, now with the firm Crowdstrike.

Last week the senior intelligence officer for the U.S. Cyber Command said Chinese cyber attacks and cyber-espionage against Pentagon computers are a constant security problem.

“Their level of effort against the Department of Defense is constant” and efforts to steal economic secrets are increasing, Rear Adm. Samuel Cox, Cyber Command director of intelligence, told Reuters after a security conference.

“It’s continuing apace,” Cox said of Chinese cyber-espionage. “In fact, I’d say it’s still accelerating.”

Asked if classified networks were penetrated by the Chinese cyber warriors, Cox told the news agency: “I can’t really get into that.”

The WHMO arranges the president’s travel and also provides medical support and emergency medical services, according to the White House’swebsite.

“The office oversees policy related to WHMO functions and Department of Defense assets and ensures that White House requirements are met with the highest standards of quality,” the website states. “The WHMO director oversees all military operations aboard Air Force One on presidential missions worldwide. The deputy director of the White House Military Office focuses primarily on the day-to-day support of the WHMO.”

The office is also in charge of the White House Communications Agency, which handles all presidential telephone, radio, and digital communications, as well as airlift operations through both fixed-wing and helicopter aircraft.

It also operates the presidential retreat at Camp David and the White House Transportation Agency.

“To assure proper coordination and integration, the WHMO also includes support elements such as operations; policy, plans, and requirements; administration, information resource management; financial management and comptroller; WHMO counsel; and security,” the website states.

“Together, WHMO entities provide essential service to the president and help maintain the continuity of the presidency.”

Asked for comment on the White House military office cyber attack, a Cyber Command spokesman referred questions to the White House.

Regarding U.S. naval deployments near China, the carrier strike groups led by the USS George Washington and the USS Stennis, along with a Marine Corps air-ground task force, are now operating in the western Pacific near the Senkakus, according to Navy officials.

China recently moved maritime patrol boats into waters near the Senkakus, prompting calls by Japanese coast guard ships for the vessels to leave.

Chinese officials have issued threatening pronouncements to Japan that Tokyo must back down from the recent government purchase of three of the islands from private Japanese owners.

Tokyo officials have said Japan is adamant the islands are Japanese territory.

Officials said the Washington is deployed in the East China Sea and the Stennis is in the South China Sea.

About 2,200 Marines are deployed in the Philippine Sea on the USS Bonhomme Richard and two escorts.

The U.S. Pacific Command said the deployments are for training missions and carriers are not necessarily related to the Senkaku tensions.

“These operations are not tied to any specific event,” said Capt. Darryn James, a spokesman for the U.S. Pacific Command in Honolulu, according to Time magazine.  “As part of the U.S. commitment to regional security, two of the Navy’s 11 global force carrier strike groups are operating in the Western Pacific to help safeguard stability and peace.”

As a measure of the tensions, Defense Secretary Leon Panetta told Chinese military leaders during his recent visit to China that the U.S. military will abide by its defense commitments to Japan despite remaining publicly neutral in the maritime dispute.

“It’s well known that the United States and Japan have a mutual defense treaty,” a defense official said of Panetta’s exchange in Beijing. “Panetta noted the treaty but strongly emphasized that the United States takes no position on this territorial dispute and encouraged the parties to resolve the dispute peacefully. This shouldn’t have to get to the point where people start invoking treaties.”

A report by the defense contractor Northrop Grumman made public by the congressional U.S.-China Economic and Security Review Commission in March stated that China’s military has made targeting of U.S. command and control networks in cyber warfare a priority.

“Chinese capabilities in computer network operations have advanced sufficiently to pose genuine risk to U.S. military operations in the event of a conflict,” the report said.

“PLA analysts consistently identify logistics and C4ISR infrastructure as U.S. strategic centers of gravity suggesting that PLA commanders will almost certainly attempt to target these system with both electronic countermeasures weapons and network attack and exploitation tools, likely in advance of actual combat to delay U.S. entry or degrade capabilities in a conflict,” the report said.

C4ISR is military jargon for command, control, communications, computers, intelligence, surveillance, and reconnaissance.

Little is known within the U.S. intelligence community about Chinese strategic cyber warfare programs.

However, recent military writings have disclosed some aspects of the program, which is believed to be one of Beijing’s most closely guarded military secrets, along with satellite weapons, laser arms, and other high-technology military capabilities, such as the DF-21 ballistic missile modified to attack aircraft carriers at sea.

A Chinese military paper from March stated that China is seeking “cyber dominance” as part of its efforts to build up revolutionary military capabilities.

“In peacetime, the cyber combat elements may remain in a ‘dormant’ state; in wartime, they may be activated to harass and attack the network command, management, communications, and intelligence systems of the other countries’ armed forces,” wrote Liu Wangxin in the official newspaper of the Chinese military on March 6.

“While great importance is attached continuously to wartime actions, it is also necessary to pay special attention to non-wartime actions,” he said. “For example, demonstrate the presence of the cyber military power through cyber reconnaissance, cyber deployment, and cyber protection activities” (Free Beacon, 2012).

White House Thwarts Cyberattack
Date: October 1, 2012
CBC News

Abstract: The White House is acknowledging an attempt to infiltrate its computer system but says it thwarted the effort.

A White House official said the attack targeted an unclassified network. He said the attack was identified and the system was isolated to prevent spread. He said there was no indication that any data was removed.

The official, who was not authorized to speak on the record about the attack, said there was no attempted breach of classified systems. The official described such "spear phishing" attacks as "not infrequent."

Last year, Google Inc. blamed computer hackers in China for a phishing effort against Gmail accounts of several hundred people, including senior U.S. government officials and military personnel.

Last November, senior U.S. intelligence officials for the first time publicly accused China of systematically stealing American high-tech data for its own national economic gain.

China fingered in past attacks

The White House would not say whether this attack was linked to China.

Defence Secretary Leon Panetta, during a visit to China last month, raised the subject of China-based cyberattacks against U.S. companies and the government.

News of the most recent attack came as the Obama administration is preparing an executive order with new rules to protect U.S. computer systems. After Congress failed this summer to pass a comprehensive cybersecurity bill, the White House said it would use executive branch authorities to improve the nation's computer security, especially for networks tied to essential U.S. industries, such as electric grids, water plants, and banks..

An initial draft of the order included provisions for voluntary cybersecurity standards for companies.

But by issuing the executive order just weeks before the Nov. 6 election, the White House risks complaints that President Barack Obama is anti-business from Republicans and the same pro-business groups that killed the legislation on Capitol Hill. They argued the bill could lead to costly rules and regulations that would burden companies without reducing the risks (CBC News, 2012)

Title: Hacker Cracks 4 million Hotel Locks With 'James Bond Dry Erase Marker'
Date: October 6, 2012
Daily Mail

Abstract: This new hacker invention may look like a harmless dry erase marker, but in truth it's the ultimate electronic lock pick. 

In a post titled 'James Bond's Dry Erase Marker,' hotel hacker Matthew Jakubowski demonstrates how anyone can build this pocket-sized device which will open the lock on an estimated 4 million hotel rooms.

'I guess we wanted to show that this sort of attack can happen with a very small concealable device,' says Matthew Jakubowski, a security researcher with Trustwave, told Forbes. 'Someone using this could be searched and even then it wouldn't be obvious that this isn't just a pen.'

The device exploits a vulnerability in Onity locks, a cheap lock used on millions of hotel room doors.

Onity's site boasts their locks are used in 22,000 hotel worldwide.

The lock has a small port on its bottom designed for hotels to set master keys. 

Hacker Cody Brocious discovered you could read the lock's memory through this port, including a decryption key.

Borcious demonstrated a large, unwieldy device that could open a small percentage of locks this July at the Black Hat security conference.

Onity responded with a way to patch the weakness in August, but the fix required hotels to make costly hardware repairs to millions of locks as well as pay for a more secure version.

Security experts believe the expense has likely left a huge percentage of hotel rooms with the easily cracked model. 

Jakubowski's refined version can pop most locks in a fraction of a second.

Even if security searched a guest, its unlikely many people would see a dry erase marker as a threat. 

And future versions may be even smaller and easier conceal.

'This is by no means the best solution or the only solution to make this fit into a pen, but for what we had available and with the time we had to do it, it's what we were able to come up with,' Jakubowski wrote in a blog post explaining the hack (Daily Mail, 2012).

Title: Report: Iran Blocks Cyberattack On Its Oil Drilling Platforms
Date: October 8, 2012
Fox News

Abstract: An Iranian oil official says the country has successfully blocked a cyberattack on the computer network of its offshore drilling platforms.

The Monday report by semiofficial ISNA news agency quotes Mohammad Reza Golshani, IT head of Iran's state offshore oil company, as blaming Israel for the attack.

He said the attack occurred over the past two weeks, was routed through China, and affected only the communications systems of the network. He did not provide further details.

Iran periodically reports attacks on government, nuclear, oil and industrial targets, blaming Israel and the United States. Israel has done little to deflect suspicion that it uses viruses against Iran.

Iran is odds with the West over its nuclear program. The West suspects the program is aimed at developing weapons, a charge Tehran denies (Fox News, 2012)

Title: Iran Says It Blocks Cyberattack On Oil Platforms
Date: October 8, 2012

Abstract: Iran says it has successfully blocked a cyberattack on the computer network of its offshore drilling platforms, a semiofficial news agency reported Monday.

The report by ISNA quoted Mohammad Reza Golshani, IT head of Iran's state offshore oil company, as blaming Israel for having planned the attack.

Iran periodically reports the discovery of viruses and other malicious programs in government, nuclear, oil and industrial networks, blaming Israel and the United States. In May, Iran shut down part of its oil facilities because of another such cyberattack.

Israel has done little to deflect suspicion that it uses viruses against Iran.

In this case, Golshani said, the attack occurred over the past two weeks, was routed through China, and affected only the communications systems of the network. He said the main network was safe since it was isolated from the Internet, and was back to normal operations. Iran announced that it had temporarily disconnected its oil ministry and its main crude export terminal from the Internet after the May attack.

Iran earns up to 80 percent of its foreign revenue from the export of crude.

Iran is odds with the West over its nuclear program. The West suspects the program is aimed at developing weapons. Tehran denies the charge, saying its nuclear program is geared toward peaceful purposes like power generation and cancer treatment.

A computer worm known as Stuxnet briefly brought Iran's uranium enrichment activity to a halt in 2010 (Guardian, 2012).

Title: Mysterious Algorithm Was 4% of Trading Activity Last Week
Date: October 8, 2012

Abstract: A single mysterious computer program that placed orders — and then subsequently canceled them — made up 4 percent of all quote traffic in the U.S. stock market last week, according to the top tracker of 
high-frequency trading activity. The motive of the algorithm is still unclear.

The program placed orders in 25-millisecond bursts involving about 500 stocks, according to Nanex, a market data firm. The algorithm never executed a single trade, and it abruptly ended at about 10:30 a.m. ET Friday.

“Just goes to show you how just one person can have such an outsized impact on the market,” said Eric Hunsader, head of Nanex and the No. 1 detector of trading anomalies watching Wall Street today. “Exchanges are just not monitoring it.”

Hunsader’s sonar picked up that this was a single high-frequency trader after seeing the program’s pattern (200 fake quotes, then 400, then 1,000) repeated over and over. Also, it was being routed from the same place, the Nasdaq.

 “My guess is that the algo was testing the market, as high-frequency frequently does,” says Jon Najarian, co-founder of “As soon as they add bandwidth, the HFT crowd sees how quickly they can top out to create latency.” (Read More
Unclear What Caused Kraft Spike: Nanex Founder.)

Translation: The ultimate goal of many of these programs is to gum up the system so it slows down the quote feed to others and allows the computer traders (with their co-located servers at the exchanges) to gain a money-making arbitrage opportunity.

The scariest part of this single program was that its millions of quotes accounted for 10 percent of the bandwidth that is allowed for trading on any given day, according to Nanex. (The size of the bandwidth pipe is determined by a group made up of the exchanges called the Consolidated Quote System.) (Read MoreCuban, Cooperman: Curb High-Frequency Trading.)

“This is pretty out there to see this affect this many stocks at the same time,” said Hunsader, adding that high-frequency traders are doing anything to “tip the odds in their favor.”

A Senate panel at the end of September sought answers on high-frequency trading, as investigators look into the best way to stop wealth-destroying events such as the Knight Capital Group computer glitch in August and the market “flash crash” two years ago. (Read MoreEx-Insider Calls High-Frequency Trading ‘Cheating’.)

Regulators are trying to see how they can rein in the practice, which accounts for 70 percent of trading each day, without slowing down progress and profits for Wall Street and the U.S. exchanges.

“I feel a tax on order-stuffing is what the markets need at this point,” said David Greenberg of Greenberg Capital. “This will cut down on the number of erroneous bids and offers placed into the market at any given time and should help stabilize the trading environment.”

Hunsader warned that regulators better do something fast, speculating that this single program could have led to something very bad if big news broke, or if a sell-off occurred and one entity was hogging this much of the system (CNBC, 2012)

Title: Three Bank Websites Threatened In Ongoing Cyber ‘Operation’ 
Date: October 8, 2012
Fox Business

Abstract: A group claiming to be allied with radical Muslims threatened Monday to attack the websites of three financial companies as part of an ongoing cyber “operation” that it said is retribution for an anti-Islam film trailer.

The so-called “Izz ad-Din al-Qassam Cyber Fighters” posted a specific timetable for its attack program on, a website commonly used by hackers to brag about exploits. The posting said the website of Capital One Financial (COF) would be hit on Tuesday, followed by SunTrust (STI) on Wednesday and Regions Financial (RF) on Thursday. It also hinted at more attacks next week.

None of the banks could be immediately reached for comment on the matter. In the past, such attacks have sometimes caused websites to slow to a crawl or become inaccessible for some users; however, the impact cannot be gauged in advance.

The same group has taken credit for attacks on Bank of America (BAC), J.P. Morgan Chase (JPM) and the NYSE Euronext (NYX) in recent weeks.

While none of the financial firms commented specifically on the attacks, or confirmed that they were the subject of an attack, security experts reckon the sites were the subject of distributed-denial-of-service (DDoS) efforts. Such exploits are fairly rudimentary in that they essentially flood web servers with requests, making it difficult or impossible for the sites to be accessed. Customer information is generally not at risk as a result of this method.

FlashPoint Partners, a security company that specializes in cyber attacks, said in a report Monday that this fresh round of attacks would “likely to be limited to large scale DDoS attacks.”

Izz ad-Din al-Qassam said in the posting that the attacks are reprisal for "an insulting film," a reference to the ‘Innocence of Muslims’ trailer that ridiculed the Prophet Mohammad. It threatened to continue attacking what it called “financial centers” until the trailer is removed from the Web (Fox Business, 2012).

Title: Israeli Cyber Attacks Targeted Offshore Oil, Gas Platforms – Iran IT Head
Date: October 8, 2012
Source: RT

Abstract: Iran’s offshore oil and gas platforms were the targets of the cyber attacks aimed at crippling the country. All threats were repelled and Israel was behind them, according to head of IT at the Iranian Offshore Oil Company, Mohammad Reza Golshani.

Golshani told Reuters that the attack happened over the past couple of weeks, was routed through China, and affected only the communications systems of the network.

It is almost two weeks since the managing director of the National Iranian Offshore Oil Company Mahmoud Zirakchianzadeh announced his company’s negotiations over deals worth US$14 billion.

Iran is currently under pressure from the international sanctions, mainly in oil exports, imposed by the UN Security council, the US, and the EU.

On Saturday, the EU threatened to ban Iran’s natural gas export to put pressure on the country’s nuclear program. Iran’s now exporting to Turkey and has swap deals with Armenia and Azerbaijan.

The possible ban was described by a spokesman of the oil ministry Alireza Nikzad-Rahbar as a "propaganda campaign" because “right now no EU member imports Iranian gas supply.”

The UN Security Council imposed four rounds of sanctions in efforts to pressure Tehran to give up its nuclear program, which the West fears is aimed at creating a nuclear weapon. Iran insists its nuclear ambitions are peaceful. The sanctions targeted Iran’s oil exports and cut off access to international banking networks.

Tehran is being pressured not only with sanctions: the country has been variously attacked by Flame, Stuxnet and Gauss, three viruses that gathered information on sensitive Iranian equipment and slowed down its nuclear centrifuges. They were tacitly confirmed to have been launched by the US and Israel, as a way of slowing down the country’s atomic program, which the West says is aimed at eventually producing nuclear weapons. A claim Iran emphatically denies.

Iran has reported several computer attacks in recent months and a Revolutionary Guard commander said last month the country would defend itself in case of a "cyber war".

Tehran is seeking to developing a national Internet system, which it says would improve cyber security. But many Iranians say the plan is the latest way to control their access to the Web, which is already highly censored (RT, 2012).

Title: Hackers Steal Thousands Of Confidential Records At Florida College
Date: October 10, 2012
Source: Fox News

Abstract: The confidential information of nearly 300,000 students, faculty and employees at a Florida Panhandle college have been accessed by computer hackers in a massive security breach, education officials said Wednesday.

A breach that at first involved employees at Northwest Florida State College was much larger than suspected and now potentially involves student records from across the state, state and college officials said.

The Department of Education said hackers stole 200,000 records including names, Social Security numbers and birthdates for any student statewide who was eligible for Florida's popular Bright Futures scholarships for the 2005-06 and 2006-07 school years.

"We speculate this was a professional, coordinated attack by one or more hackers," said Northwest Florida State College President Ty Handy in a memo that went out to employees on Monday.

The hackers also stole more than 3,000 employee records, including some that contained confidential financial information. Some 76,000 records containing personal identification information from students who attended the college was also hacked.

"We want to be sure that we fully understand the situation and provide accurate information to those impacted," said Florida College System Chancellor Randy Hanna in a statement. "While some of the contact information is dated, we will be trying to reach every student whose records may have been captured."

Because of the scope of the breach, federal authorities have joined the local and state investigation that got under way last week, the school said.

The breach occurred sometime between late May and late September.

College officials said in a news release that 50 employees to date have reported issues with identity theft, including the college president, faculty and staff. The information has been used to either obtain personal loans or to take out a Home Depot credit card (Fox News, 2012).

Title: Iran Renews Internet Attacks On U.S. Banks
October 17, 2012

Iranian hackers renewed a campaign of cyberattacks against U.S. banks this week, targeting Capital One Financial Corp. and BB&T Corp. and openly defying U.S. warnings to halt, U.S. officials and others involved in the investigation into the attacks said.

The attacks, which disrupted the banks' websites, showed the ability of the Iranian group to sustain its cyberassault on the nation's largest banks for a fifth week, even as it announced its plans to attack in advance.

U.S. officials said the attacks against banks, and others against Middle Eastern energy companies, were sponsored by the Iranian government (WSJ, 2012).

Title: Barnes & Noble Says PIN Pads In 63 Stores Hacked
October 23, 2012
Yahoo News

Barnes & Noble Inc. said Tuesday that devices used by customers to swipe credit and debit cards have been tampered with in 63 of its stores in nine states.

The company warned customers to check for unauthorized transactions and to change their personal identification numbers, or PINs. It didn't say how many accounts may have been compromised.

But The New York Times, citing a high-ranking company official it did not name, reported that hackers had made unauthorized purchases on some customer credit cards.

The New York-based bookseller said in a statement Tuesday only one of the devices, known as PIN pads, was tampered with in each of the 63 stores. The stores are in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.

All the PIN pads in its nearly 700 stores nationwide were disconnected on Sept. 14 after the company learned of the tampering. Federal authorities are helping in its investigation.

Barnes & Noble said it is working with banks and card issuers to identify compromised accounts so that additional fraud-protection measures can be taken.

Customers at its book stores will now have to ask cashiers to swipe credit or debit cards on card readers connected to cash registers, a process that is secure, Barnes & Noble said.

Anything bought on Barnes & or with the chain's Nook devices and app were not affected, the company said. It also said its customer database is secure.

Barnes & Noble is only the latest major retailer to be a victim of a serious data breach. In one of the largest, more than 45 million credit and debit cards were exposed to possible fraud because of hackers who broke into the computer system of TJX Cos., the parent company of retailers T.J. Maxx and Marshall's, starting in 2005 (Yahoo News, 2012).

Title: Prison, Massive Fine For French Rogue Trader
October 24, 2012
Yahoo News

The Paris appeals court has upheld former Societe Generale trader Jerome Kerviel's conviction for covering up massive losses, sentencing him to three years in prison and ordering him to pay back a staggering €4.9 billion (about $7 billion) in damages.

A lower court convicted him in October 2010 of forgery, breach of trust and unauthorized computer use in one of history's biggest trading frauds. The appeals court upheld the conviction and the sentence Wednesday.

Kerviel had sought an acquittal, saying the bank had turned a blind eye to his exorbitant trades in 2007 and 2008 as long as they made money (Yahoo News, 2012).

Title: South Carolina Taxpayer Server Hacked, 3.6 million Social Security Numbers Compromised
October 26, 2012

The Social Security numbers of millions of South Carolinians, as well as credit and debit card information for hundreds of thousands, have been hacked in what the state's governor described Friday as an international cyberattack.

"This is not a good day for South Carolina," Gov. Nikki Haley told reporters.

The governor explained that a "server that warehouses all our taxpayer information was breached and taxpayer information was stolen."

The state's Department of Revenue explained in a press release that it first learned of a possible breach on October 10, after which the state contracted information security firm Mandiant to conduct an investigation.

The "hole" in the system was closed October 20. Over the next several days, state authorities determined that more than 3.6 million Social Security numbers may have been affected. So, too, were 387,000 credit card numbers - though only 16,000 of those were unencrypted.

On Friday, state officials laid out efforts to determine what happened and protect the personal information of taxpayers. While noting that not everyone had their information breached, Haley urged everyone who filed a tax return in South Carolina from 1998 through now to take advantage of credit protection services being offered by the state.

"While we now have it protected, we want to make sure that everybody understands that our state will respond with a big, large-scale plan that is somewhat unprecedented to take care of this problem," the governor said (CNN, 2012).

Title: Oregon Student Pleads Guilty To Hacking School District System
November 16, 2012
Fox News

A psychiatric evaluation has been ordered for a 16-year-old North Eugene High School who pleaded guilty of hacking into his school district's computer system and then posting the confidential information of hundreds of students on a webpage.

The Eugene Register-Guard reports that the student pleaded guilty Thursday to a felony computer crime for June hacking event.

A second computer crime count against the student was dismissed under a plea deal, which requires the student to show school officials and Eugene police "what he did and how he did it."

Soon after posting the data on June 9, the boy sent taunting messages to Eugene schools Superintendent Sheldon Berman, to the district's then-technology director and to its network security specialist, directing them to the webpage of an unsuspecting student (Fox News, 2012).

Title: Anonymous Hack Hundreds Of Israeli Websites, Delete Foreign Ministry Database In Support Of Gaza
November 17, 2012

Hacker group Anonymous has launched a massive attack named #OpIsrael on almost 700 Israeli websites, protesting against Operation Pillar of Defense in Gaza. Israeli media confirmed the group’s move.

­The hackers reportedly took down websites ranging from high-profile governmental structures such as the Foreign Ministry to local tourism companies’ pages.

The biggest attack as of now has been the Israeli Foreign Ministry’s international development program, titled Mashav. Anonymous announced on Twitter they’ve hacked into the program’s database, with the website remaining inaccessible at the moment.

“There is [sic] so many defaced Israeli websites right now, that we just made a list of them,” Anonymous tweeted.

The hacktivists also took down the Israeli President's official website and the blog of the country's Defense Force,, posting the news on Twitter using their infamous #TANGO DOWN hashtag.

The Jerusalem Post has confirmed the group’s assault, including the attack on the Foreign Ministry’s website, as well as those of Kadima party, Bank of Jerusalem, and Tel Aviv Municipality. The latter is online as of now. Among other functions, it provides residents with directions to bomb shelters. Meanwhile, the majority of the web pages that were taken down were blank, but some showed pro-Palestinian images and messages, Jerusalem Post reported.

It was mentioned, however, that most of the 663 pages on the list were subdomains of the same site, and many proved to be still online and functioning properly.

Most of the sites were simply unavailable, but others displayed pro-Palestinian images and messages. One site whose front page was replaced with an image of a man wearing a Palestinian kaffiye, displayed a message reading: "This attack is in response to the Injustice against the Palestinian people."

Overnight, the group claimed 9,000 websites were taken down, but the actual number proved to be fewer than that.

­From the very beginning of the Israeli offensive, Anonymous has avidly supported the Palestinian people. On Wednesday, they said in a press statement, "For far too long, Anonymous has stood by with the rest of the world and watched in despair the barbaric, brutal and despicable treatment of the Palestinian people in the so called 'Occupied Territories' by the Israel Defense Force."

Amid the conflict, which has already claimed at least 33 lives, 30 of them Palestinians, Anonymous also pledged to help those who are at the heart of the conflict: many Palestinians were left without electricity, and consequently, without internet access. The hackers gave instructions on their Twitter account for residents to get reconnected: “If you have friends in Gaza who still have phone, but need internet, give them these dial-up numbers and instructions:”

Anonymous put together a “Gaza Care Package,” which contains instructions in Arabic and English to assist Palestinians in the event that the Israeli government cuts their internet connection. Plus, the package includes information on evading IDF surveillance, along with first aid information. The collective encouraged Palestinians to download and share the package with others.

Anonymous members also contacted Israeli forces directly. A tweet from an Anonymous account to an IDF spokesperson warned, “It would be wise of you to expect us”, while a statement on their webpage said, “Stop bombing Gaza. Millions of Israelis and Palestinians are lying awake, exposed and terrified” (RT, 2012).

Title: Paragould Residents Rattled By FBI Malware
November 19, 2012
Fox 16 News

A malicious computer program that is circulating has struck some computers in Greene County and left a number of residents wonder if they're being targeted by the FBI.

First Church of God Pastor Kevin Edgar says his computer became infected recently and he was taken aback by what he saw. Edgar says his webcam activated, showing him at his dining room table surrounded by wording that he had to resolve an FBI investigation.

The Paragould Daily Press reports the malware is a scam that tries to frighten people into giving up a credit card number. Local computer repair businesses say the program has sent dozens of residents in to have their computers scrubbed.

The malware may be transmitted by email attachments (Fox 16 News, 2012).

Title: Report: French Officials Accuse US Of Hacking Sarkozy's Computers
November 20, 2012
The Hill

The United States used U.S.-Israeli spy software to hack into the French presidential office earlier this year, the French cyber-warfare agency has concluded, according to the newsmagazine l'Express.

The magazine reported late Tuesday that the computers of several close advisers to then-President Nicolas Sarkozy — including Chief of Staff Xavier Musca — were compromised in May by a computer virus that bears the hallmarks of Flame, which was allegedly created by a U.S.-Israeli team to target Iran's nuclear program. Anonymous French officials pointed the finger at the United States.

“You can be on very good terms with a 'friendly' country and still want to guarantee their unwavering support — especially during a transition period,” an official told the magazine. The alleged spying attack took place a few days before the second round of the French presidential elections, which Sarkozy lost to Francois Hollande, a socialist.

The Obama administration on Wednesday, though, denied those reports. 

“We categorically deny the allegations by unnamed sources that the U.S. government participated in a cyberattack against the French government,” Homeland Security spokesman Matthew Chandler told The Hill in a statement. “France is one of our strongest allies.

“Our outstanding cooperation in intelligence sharing, law enforcement and cyber defense has never been stronger, and remains essential in successfully combating the common threat of extremism,” Chandler added.

According to the l'Express report, Homeland Security Secretary Janet Napolitano reportedly did not deny the allegations when asked point-blank about them.

“We have no greater partner than France; we have no greater ally than France,” Napolitano reportedly answered, at the opening of an interview with l'Express. “We cooperate in many security-related areas. I am here to further reinforce those ties and create new ones.”

But an Obama administration official says Napolitano dismissed the question out of hand with laughter because it was “preposterous.”

In the interview, Napolitano also said that the Flame and Stuxnet viruses had “never been linked to the U.S. government” (The Hill, 2012).

Title: Man Arrested In Athens Over ID Cyber Theft Of Most Of Greek Population
November 20, 2012
Yahoo News

Greek police have arrested a man on suspicion of stealing the personal data of roughly two thirds of the country's population, police officials in Athens said on Tuesday.

The 35-year old computer programmer was also suspected of attempting to sell the 9 million files containing identification card data, addresses, tax ID numbers and license plate numbers. Some files contained duplicate entries, police said.

Greece's population is 11 million.

"We are investigating what the source of the data was and how they were used by the man arrested, and also the possibility of him providing them to someone else," police spokesman Christos Manouras told reporters.

Police were also looking into whether the man had obtained the data files by hacking into a government server and whether he had an accomplice, officials said. The files were discovered after police raided his home.

No charges have been pressed yet and the man is expected to appear before a prosecutor later on Tuesday (Yahoo News, 2012).

Title: Anonymous Hacks School Board In Retaliation For Spying On Students
November 26, 2012

Hackers say they are responsible for taking down the website of a Texas school district in retaliation for a mandatory surveillance program students are being told to comply with.

The website for San Antonio’s Northside Independent School District was unavailable at times throughout the weekend and into Monday after hacktivists claiming to be involved with the Anonymous movement waged an attack to draw attention to a controversial new program that requires students to be monitored with tiny Radio Frequency Identification (“RFID”) chips.

Through the Twitter account @RemainSilentz, one self-described participant in Anonymous confirmed that was taken offline late Friday.

“DOWN AND OUT – Boom, track my ass like you track children you pervs,” the user wrote.

Two schools in NISD — John Jay High School and Anson Jones Middle School — began asking students earlier this year to carry RFID-equipped identification cards so that educators can monitor their location on school grounds. The school district says tracking students allows for more accurate attendance figures, and therefore better funding. It hasn’t been welcomed with open arms by students, however, and last week a judge had to intervene and issue a temporary restraining order to prevent the principle from Jay High from expelling sophomore Andrea Hernandez for refusing to wear a badge after the school said participation was mandatory.

“We are conditioning kids to live in a surveillance state,” John W. Whitehead, president of The Rutherford Institute, told RT on Friday.

Whitehead has been instrumental in helping Hernandez fight to be free from being monitored, and celebrated the issuing of a restraining order. And as more people become aware of cases like hers, he says he hopes there is a chance at holding onto our right to privacy (RT, 2012).

Title: IAEA Hacked Over Israeli Nuclear Program
November 28, 2012

The UN nuclear agency has confirmed that one of its servers has been hacked. A previously unknown group posted contact details of more than 100 experts working with the IAEA, calling on them to act against Israel’s alleged nuclear activities.

The group, called "Parastoo" – Farsi for the swallow bird and a common Iranian girl's name – published the names along with a statement "Parastoo Hacks IAEA" on November 25.

"Israel owns a practical nuclear arsenal, tied to a growing military body and it is not a member of internationally respected nuclear, biochemical and chemical agreements," the group said demanding the experts sign a petition calling for an “open IAEA investigation” into activities at Israel’s Negev Nuclear Research Center located near the city of Dimona.

It is commonly believed that Israel possesses nuclear weapons, though it has never confirmed, nor denied the fact. Tel Aviv however takes a hawkish stance against Iran, claiming that it is seeking to create weapons of mass destruction and describes the Islamic Republic as the greatest threat to the Middle East.

Tehran has strongly denied any allegations, insisting that its nuclear program is peaceful.

IAEA spokeswoman Gill Tudor said the agency "deeply regrets this publication of information stolen from an old server." She added that the server had been shut down some time ago and agency experts had been working to eliminate any "possible vulnerability" in it even before it was hacked.

The IAEA was doing "everything possible to help ensure that no further information is vulnerable," she said in an email, AP reports (RT, 2012).

Title: IAEA Incursion: Anti-Israel Hackers Invade IAEA Networks Once More
Date: December 3, 2012
Free Beacon               

Abstract: An anti-Israel hacking collective has seized “highly sensitive” nuclear data and satellite imagery from the International Atomic Energy Agency (IAEA), the world’s top nuclear watchdog, according to the website Cryptome.

This is the second time in two weeks that the IAEA’s internal computer systems have been hacked by a group calling itself Parastoo, which is the Iranian word for a swallow (bird).

Parastoo stole the personal information of nearly 200 IAEA scientists and officials last week, including one employee in the United States Department of Energy’s (DOE) Office of Science. DOE is responsible for overseeing America’s nuclear arsenal.

Parastoo now claims to have pilfered reams of documents and personnel information from the nuclear watchdog’s internal “nuclear data section,” according to a statement by the group.

It also has obtained “highly sensitive information, Including Confidential ‘SafeGuard’ Documents, Satellite Images, Official letters, [and] Presentations,” according to the statement.

The hacker group has threatened to release this sensitive information unless the IAEA launches a formal investigation into Israel’s nuclear site, which some believe houses nuclear arms.

“We are demanding IAEA to start an INVESTIGATION into activities at Israel’s secret nuclear facilities,” the group wrote in its second public statement. “There are many PARASTOOs in the world, seeking for an investigation into Israel’s Human-Life threatening nuclear activities.”

The IAEA did not respond to a Free Beacon request for comment about the second infiltration of its servers.

Yukiya Amano, the United Nations’ nuclear head, said last week that he did not believe sensitive nuclear safeguards have been comprised as a result of Parastoo’s initial attack, according to Reuters.

Parastoo responded to this charge by launching a second attack last week aimed at penetrating further into the IAEA’s systems, this time its “nuclear data section.”

“We’re now publishing additional information to prove our ability to gain access to highly sensitive information,” Parastoo wrote in its statement.

“IAEA cannot just keep us away by turning off their Servers (either old or new ones!),” the group wrote. “There are plenty more of where this information came from but we guarantee that these information will stay in a very safe place with us.”

Parastoo has said that it will safeguard this information as long as the IAEA agrees to investigate Israel’s Negev Nuclear Research Center located near the southern city of Dimona. Israel has not publicly acknowledged having nuclear arms.

Parastoo’s demand appears to be in response to the IAEA’s aggressive investigation into Iran’s clandestine nuclear enrichment program, which is believed to be aimed at building nuclear weapons.

“This information only released to open eyes of IAEA and independent media to real threat of world peace, Israel,” the group states. “Our intentions are not to sabotage or misuse such data for any purposes what so ever.”

Included in the group’s statement is a link to the IAEA’s internal “nuclear data section.” The information, which includes critical technical information needed to acquire access to the system, is meant to prove that Parastoo’s claims are legitimate.

Additionally, Parastoo claims to have at least 15 portions of the IAEA’s system under its control and it lists this information for the public to view.

The group also provides a sample of several documents and satellite images it has seized from the IAEA and lists the email addresses of additional employees.

Parastoo is highly critical of Israel, accusing it of espionage and terrorism in past statements.

Both the language and political positions adopted by Parastoo are similar to dispatches from Anonymous, an anarchic collective of “hacktivists” who engage in cyber-attacks against targets it finds objectionable.

Anonymous recently threatened to launch a “cyber war” against Israel in response to its most recent incursion into the Gaza Strip. It then leaked the personal information of nearly 5,000 Israeli officials.

Details regarding Parastoo’s specific location remain vague.

The group was not publicly known before its first attack and claims to have “many” members likely scattered in various locations (Free Beacon, 2012).

Title: Saudi Arabia Says Cyber Attack Aimed To Disrupt Oil, Gas Flow
Date: December 9, 2012

Abstract: Saudi Arabia's national oil company, Aramco, said on Sunday a cyber attack against it in August which damaged some 30,000 computers was aimed at stopping oil and gas production at the biggest OPEC exporter.

The attack on Saudi Aramco - which supplies a tenth of the world's oil - failed to disrupt production, but was one of the most destructive cyber strikes conducted against a single business.

"The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals," said Abdullah al-Saadan, Aramco's vice president for corporate planning, on al-Ekhbariya television. It was the firm's first comments on the apparent aim of the attack.

Aramco and the Saudi Interior Ministry is conducting an investigation into the cyber strike. Interior Ministry spokesman Mansour al-Turki said the attackers were an organised group operating from different countries on four continents.

The attack used a computer virus known as Shamoon which infected workstations on Aug. 15 and the company shut down its main internal network for more than a week.

Turki said that the investigation had not shown any involvement of Aramco employees but he could not give more details as the investigation was not yet complete.

Saudi Arabia's economy is heavily dependent on oil. Export revenues from oil have accounted for 80-90 percent of total Saudi revenues and above 40 percent of the country's gross domestic product, according to U.S. data.

Shamoon spread through the company's network and wiped computers' hard drives clean. Saudi Aramco said damage was limited to office computers and did not affect systems software that might hurt technical operations.

Hackers from a group called "Cutting Sword of Justice" claimed responsibility for the attack, saying their motives were political and that the virus gave them access to documents from Aramco's computers, which they threatened to release. No documents have so far been published.

In a posting on an online bulletin board the day the files were wiped, the group blamed Saudi Arabia for "crimes and atrocities" in several countries, including Syria and Bahrain.

Saudi Arabia sent troops into Bahrain last year to back the Gulf state's rulers, fellow Sunni Muslims, against Shi'ite-led protesters. Riyadh is also sympathetic to mainly Sunni rebels in Syria while Iran backs the Syrian leader Bashar al-Assad, whose Alawite religion is an offshoot of Shi'ite Islam (Reuters, 2012).

Title: Anonymous Takes Down Delhi Police Website Over Gang-Rape Case
Date: December 24, 2012

Abstract: Hacktivist group Anonymous has taken down the Delhi Police website over its reaction to weeklong protests sparked by the brutal gang-rape of a young woman, urging authorities to bring the rapists to justice.

It comes as the authorities have shut down roads and railway stations in the Indian capital in a bid to halt the protests. Meanwhile, the country’s Prime Minister Manmohan Singh has called for calm amid the public outrage gripping India.

“We all know about the shameful incident that happened in Delhi, and we all want the same result i.e. – punish the rapist,” Anonymous said in a statement published on The Hackers Blog.

The hacktivists blamed the police for cracking down on protesters instead of cooperating with them and finding the culprits. They also thanked the public for taking to the streets despite chilly weather.

On Monday police fired water cannons at the demonstrators to prevent them from marching on the presidential palace in New Delhi. “We want justice,” the protesters shouted. “Don't teach us what not to wear. Teach your sons not to rape girls,” and “Government belongs to us, not to anybody's father.” The capital is currently experiencing massive traffic jams due to the barricades.

Indian Prime Minister Manmohan Singh has come under fire for his slow response to the incident; he gave an unusual televised address in response a week after the crime.

"There is genuine and justified anger and anguish at this ghastly incident, but violence will serve no purpose," Singh said. "I feel deeply sad at the turn of events leading to clashes between protesters and police forces. I assure you that we will make all possible efforts to ensure security and safety to all women in this country. As a father of three daughters myself, I feel as strongly as you. We will ensure justice is delivered."

The public outrage was fueled by an incident on a bus on December 16 that left a young woman in critical condition. Police say the attackers gang-raped the woman and beat her and her male companion with iron rods as the bus drove through the city for hours, even passing police checkpoints.

The protests continued despite repeated assurances by Home Minister Sushilkumar Shinde that he would consider the demand that all six suspects face the death penalty (RT, 2012).

Title: Iran Media Report New Cyberattack By Stuxnet Worm
Date: December 25, 2012
Fox News

Abstract: An Iranian semi-official news agency says there has been another cyberattack by the sophisticated computer worm Stuxnet, this time on the industries in the country's south.

Tuesday's report by ISNA quotes provincial civil defense chief Ali Akbar Akhavan as saying the virus targeted a power plant and some other industries in Hormozgan province in recent months.

Akhavan says Iranian computer experts were able to "successfully stop" the worm.

Iran has repeatedly claimed defusing cyber worms and malware, including Stuxnet and Flame viruses that targeted the vital oil sector, which provides 80 percent of the country's foreign revenue.

Tehran has said both worms are part of a secret U.S.-Israeli program that seeks to destabilize Iran's nuclear program.

The West suspects Iran is pursuing a nuclear weapons program, a charge Tehran denies (Fox News, 2012).

Title: 'Anonymous' Threatens To Shut Down California Police Department Website
Date: December 27, 2012
Fox News

Abstract: Manteca Police are taking threats seriously after "Anonymous," a widely known "hacktivist" group, threatened to hack into the police department's public website, reported.

On their YouTube channel, "Annonymous" shows video of Ernesto Duenez Jr., being shot and killed by Manteca Officer John Moody. The group demands that the officer be fired from the force.

"Otherwise, Annonymous users will act appropriately with the inevitable shutdown of the official website," said someone on the site, disguised in a Guy Fawkes mask.

The Manteca Police Department told the Manteca Bulletin that they view this as a valid threat.

The threat comes a little more than a week after Moody was cleared of any wrong doing in the 2011 shooting, where he fired more than a dozen rounds at Duenez.

Since the shooting, many supported the Duenez family, but never has there been a threat of this magnitude.

The Duenez family says while they appreciate the support, they do not condone any illegal activity (Fox News, 2012).

Title: Chinese Hackers Suspected In Cyber Attack On Council On Foreign Relations
Date: December 27, 2012
Free Beacon

Abstract: Computer hackers traced to China carried out an advanced cyberespionage attack against one of America’s most elite foreign policy web groups – the website of the Council on Foreign Relations (CFR).

According to private computer-security forensic specialists, the hacking incident involved a relatively new type of ploy called a “drive-by” website cyber attack that was detected around 2:00 p.m. on Wednesday.

The specialists, who spoke on condition of anonymity, said the attack involved penetrating the computer server that operates the New York City-based CFR’s website and then using the pirated computer system to attack CFR members and others who visited or “drove by” the site.

The activity ended on Thursday and the specialists believe the attackers either removed their malicious software to prevent further details of the attack from being discovered, or CFR was able to isolate the software and remove it.

The FBI was notified of the attack and is said to be investigating.

FBI spokeswoman Jennifer Shearer declined to comment when asked about the attack. But she told the Washington Free Beacon: “The FBI routinely receives information about threats and takes appropriate steps to investigate those threats.”

However, David Mikhail, a Council on Foreign Relations spokesman, confirmed the attack. “The Council on Foreign Relations’ website security team is aware of the issue and is currently investigating the situation,” Mikhail said in an email. “We are also working to mitigate the possibility for future events of this sort.” He provided no details.

According to the computer security specialists, the cyber espionage attack represents a new level of sophistication by foreign hackers seeking government and other secrets by computer.

The method used in a “drive-by” attack requires hackers to covertly plant malicious software in the CFR computer system. Then, they used the software and the web site to attack visitors to the site by infecting their computers in a hunt for secrets and other valuable information. One of the specialists said the attack also involved using the CFR site for what is called a “watering hole” attack, when people who visit the website are infected.

One of the victims who visited the CFR’s website,, discovered the attack and alerted computer security specialists on Wednesday.

In response, a small group of private security specialists launched an investigation into the activity and found that it only targeted computer users using the web browser Windows Internet Explorer 8 and higher versions. The attackers were able to exploit a security flaw in the browser software called a “zero-day” vulnerability – a previously unknown flaw that allows computer hackers to gain access to a targeted computer.

A similar Internet Explorer vulnerability was behind the major Aurora cyber attack on Google and other U.S. corporations that began in 2009 and was traced to China’s government.

Investigators said the computer attackers that targeted CFR were able to set up a covert network capable of identifying, encrypting, and sending stolen information found in targeted and infected computers back to a secret command and control computer.

In the case of the CFR hack, the malicious software involved software that included Mandarin Chinese language, the specialists said. Also, the attackers limited their targeting to CFR members and website visitors who used browsers configured for Chinese language characters – an indication the attackers were looking for people and intelligence related to China.

“This was a very sophisticated attack,” said one of the specialists. “They were looking for very specific information from specific people.”

The extent of the damage is not known but CFR members who visited the website between Wednesday and Thursday could have been infected and their data compromised, the specialists said.

The CFR is one of the most elite foreign policy organizations in the United States with a membership of some 4,700 officials, former officials, journalists, and others. Its members include NBC anchor Brian Williams, Hollywood actress Angelina Jolie, and former Sen. Chuck Hagel, President Obama’s embattled but as yet un-nominated choice for secretary of defense.

Current Secretary of State Hillary Clinton and Assistant Secretary of State Kurt Campbell, the Obama administration’s senior Asian affairs policy maker, also are CFR members. Senate Intelligence Committee Chairman Sen. Dianne Feinstein (D., Calif.) is also a member, as is Secretary of State-designate Sen. John Kerry.

Its board and members include a who’s who of U.S. foreign policy and national security elites, including former U.S. Central Command commander Army Gen. John Abizaid, and former Secretaries of State Madeleine K.  Albright, Colin Powell, and Henry Kissinger.

Fox News CEO Roger Ailes also is a member, as is News Corp. chairman and CEO Rupert Murdoch. Former Presidents George W. Bush and Bill Clinton are members, as is former CIA Director and former Defense Secretary Robert M. Gates and former CIA Director David Petraeus.

The CFR cyberstrike is not the first strategic drive-by cyber attack.

The computer security website Dark Reading reported in May that the Center for Defense Information, and the Hong Kong chapter of the human rights group Amnesty International (AIHK), along with several other organizations, also were attacked using similar drive-by methods.

“The weapon of choice for a cyberspy or advanced persistent threat (APT) actor gaining a foothold inside its target traditionally has been the socially engineered email with a malicious link or attachment,” DarkReading stated. “But cyberspies are increasingly targeting specific, legitimate websites and injecting them with malware in hopes of snaring visiting victims from organizations from similar industries and sectors” (Free Beacon, 2012).