Cyber Attack Task Force - Final Report - NERC
Appendix J: Case Studies

to understand your own network health, vulnerabilities and mitigation options. Take a proactive and more informed view towards the challenges and opportunities to enhance your security by keeping apprised of hostile techniques, tactics and procedures (TTP) like the two illustrative examples above.

Disruption through swarming

Creating an open call for volunteers in an ad-hoc, extemporaneous way to do something is popularly known as crowd sourcing. It is a leaderless or structureless network of people coming together for a common purpose and then disbanding. Adversaries use this tactic. The Anonymous hive (Anonymous is a loose-knit global hacktivist group) is the personification of this, but there are others.

In 2008, at the onset of war between Russia and Georgia, a distributed denial of service (DDoS) attack began against government websites. As hostilities began, this was extended to Georgian media websites covering the hostilities. These various DDoS attacks lasted for hours and had a peak of over 800 Mbps. A few months later an analysis under the moniker of "Project Grey Goose" was released. This report traced the coordination of these DDoS attacks to a website called stopgeorgia.ru, a password-protected forum launched within 24 hours of the start of hostilities. The DoS attacks were interspersed with website defacements posting pro-Russian propaganda.

These DoS activities and defacements were seemingly self-organized or crowd sourced on sites such as stopgeorgia.ru. Many believe the Russian government was in the background of these pro-Russian hacktivists. At the very least, the Russian government appeared to condone the activities, as evidenced by its clear restraint in not launching any investigation of the attacks.

Anonymous uses surprisingly similar tools to organize (online forums) and similar tools to launch attack activity (denial of service attacks). Their tool of choice is called Low Orbit Ion Cannon (LOIC). LOIC is an application designed to launch DDoS attacks. LOIC by itself is uninteresting; it is the forums that are interesting. You will see a long list of independently organized "operations" or "ops". Each of those operations is public and open to the community to comment on. There are dozens of ops at any given time; most of them become background noise. Others take off and develop a life of their own. The HBGary saga is a good example of a successful op, but for each successful op there are countless that never see the light of day. Combine this with the LOIC tool: put it in the hands of 10,000 people who point it at the same target and you have a distributed denial of service. This is what was used in Operation Payback, when Anonymous attacked PayPal and others after they refused to provide services to WikiLeaks.

This is a noteworthy tactic, as indications are that it is employed by a wide range of adversaries. Pro-Russian groups used it as a propaganda and disruption tool, and Anonymous continues that tradition.