third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

magnitude of digital espionage incidents, the number of incidents in the Netherlands is suspected to be significantly higher. China Globally various large-scale attacks targeted among other things at governments institutions, dissident organisations, NGOs, knowledge institutions and companies in a range of sectors have been recognised. There are indications that in China, various actors such as the army, hackers’ groups, educational institutions, plus intelligence and security services are related to these attacks. The aim of these attacks is to obtain relevant military and economic information. Last year, various attacks on companies, dissident organisations, government and knowledge institutions were confirmed in the Netherlands, with characteristics all pointing to a Chinese actor. The AIVD is investigating a large-scale digital attack against a sector that develops sophisticated technological applications for economic and military purposes. Companies in this sector in Europe, America and Asia have been the target of this attack. At various companies in different countries the attacker successfully gained access to a business network. These business networks were examined for a long time without anyone noticing and the attacker was able to get hold of large volumes of highly specialist confidential information. In addition to companies, Dutch public authorities, NGOs based in the Netherlands and inter-governmental organisations have also been the target of digital attacks originating from China. Research by the AIVD into a large-scale international digital attack targeted at various inter-governmental organisations revealed that these attacks were carried out by sending e-mails with malware to employees of these organisations. To increase the chance of the e-mails being opened by the person they were addressed to, they were sent from fake e-mail addresses that looked like addresses from trusted (government) institutions connected to the organisations concerned. The subject and attachments to these e-mails appeared authentic and related to the employees’ concerned current topics and activities. Although there is no conclusive evidence for this, the scope, duration, choice of target and professional set up of the above attacks suggest an attack initiated or sponsored by a government. Given the use of Chinese domain names and IP addresses and the Chinese time and language settings found in the malware it is probable that the attacker originates from China or wants to suggest this. The AIVD and MIVD currently estimate China to have large cyber capacity. Although actors from China often use relatively simple digital espionage methods, the attacks on the aforementioned (Dutch) targets were on such a large scale, structured and tenacious in nature that there is now a permanent high risk. Chinese actors also use the Dutch IT infrastructure for digital espionage on other countries. Given the increase in the number of Chinese actors linked to digital espionage attacks and the increase in the number of Chinese actors involved in these attacks, this threat is increasing. Russia The digital intelligence activities on the part of actors that may be connected to Russia are directed at public authorities (in particular the ministries of Defence and Foreign Affairs), international organisations (in particular NATO), defence companies, banking, the energy sector and Russian dissidents. In the past year, digital attacks on foreign public authorities were blamed in particular on Russian actors. The AIVD has also established that the Netherlands was the target of digital attacks for which Russia can be attributed. The AIVD and MIVD currently estimate Russia to have large cyber capacity. The attacks identified were carried out professionally using unique and sophisticated malware, making them difficult to detect. The data stolen with this malware indicates a motive for the espionage. Given the choice of target and the sophisticated set up of these attacks, it is likely that the Russians authorities are involved in these attacks. The Russian digital intelligence activities pose a realistic threat to the Netherlands. Iran The cyber activities on the part of the Iranian government are targeted primarily at digital control and intelligence gathering from their own citizens. The Iranian government has domestic internet traffic under virtually full control, with the prime focus being on opponents to the regime. AIVD research has revealed that in recent years Iran has focused more heavily on disruptive cyber activities targeted at countries abroad. One example that can probably be attributed to Iran are the attacks using Mahdi malware in mid-2012. This virus was spread through e-mails with infected attachments. Despite the fact that the attachments gave a virus warning by anti-virus software, a few hundred people worldwide still opened the file. The Mahdi malware appears to have a dual aim: to spy on individuals, companies and organisations in Iran itself and outside of Iran (in particular Israel). Given the small number of infections in the Netherlands it is unlikely that the Netherlands was a specific target of this malware. Considering the choice of target, the Iranian government is probably involved in some way in this attack. Furthermore, a high number of defacements and DDoS attacks on websites of domestic and foreign opponents to the Iranian regime originate from Iran and the assessment is that these are carried out with the Iranian’s government’s knowledge. One example of this is a defacement attack at the beginning of 2012 on various Azerbaijani government websites, which also involved abuse of the Dutch IT infrastructure. The hackers placed inflammatory and religiously tinted images and text on the home pages of these websites opposing the alleged close ties between Israel and the current Azerbaijani government. The hackers also called for the start of an ‘Arab Spring’ in Azerbaijan. There are indications that Iranian hackers were involved in carrying out this attack. 60
Detailed section » 2 Cyber espionage » The AIVD and MIVD estimate the current cyber capability from Iran to be moderate but also believe that Iran is now working on further developing its capability. Iran has a young, well educated population, including in technical fields. There are presently no indications that this capability is specifically targeted at the Netherlands. If tensions between Iran and the Netherlands rise, this capability could in theory also be aimed at the Netherlands. For their cyber objectives, Iranian actors abuse digital vulnerabilities in systems and the international infrastructure, including in the Netherlands. Syria Digital intelligence activities from Syria are directed specifically at intimidating Syrian dissidents and disrupting their communication. The AIVD has determined that the Syrian government, among other things, appears to have deployed a group of patriotic hackers to be united in the Syrian Electronic Army (SEA). They primarily carry out digital attacks on the websites and social media sites of dissidents in Syria and abroad, including the Netherlands. The SEA has also carried out similar attacks on the sites of world leaders, celebrities, public authorities, human rights and news organisations who have spoken negatively about the Syrian authorities. Random Dutch websites have also been attacked and pro-Syrian messages have been added. The AIVD and MIVD are investing in cyber security The AIVD and MIVD investigate digital attacks that affect national security, the democratic system of law, furtherance of the international system of law or other weighty interests of state. This also includes digital attacks resulting in social disruption or that harm economic security. The AIVD focuses primarily on digital espionage, sabotage and terrorism. The MIVD focuses primarily on threats of military relevance and developments in the digital domain, such as cyber in relation to armed conflicts, digital attacks against the defence industry and safeguarding the effective deployment of the armed forces. A further important task is to increase the government’s and the vital sectors’ resilience against digital attacks. The AIVD and MIVD are working closely together on the planned joint sigint/cyber unit and exchange knowledge with foreign intelligence and security services. In addition, both services work with the NCSC and the THTC. As well as intimidating dissidents, the Syrian authorities also attempt to spy on dissidents’ activities using relatively simple malware. Such attacks have not yet been seen in the Netherlands. The threat for Syrian dissidents living in the Netherlands is for the moment restricted to digital intimidation (DDoS and defacements). 2.3 Conclusion The biggest cyber espionage threat against Dutch interests at the moment is from actors originating from China, Russia, Iran and to a lesser degree Syria. The current cyber espionage threats which pose a danger to national security are considerable. These cyber threats are expected to increase further in the near future. This expectation is based on a number of developments: »» Society will become more dependent on complex systems and networks that are connected through the internet. This dependency leads to increased vulnerability. »» Many (potential) targets have low resilience against such attacks and with the increasing complexity of IT, this resilience is expected to fall rather than increase. »» Current and future IT developments happen at such a rapid pace that legislation and regulations will lag even further behind. »» As a result of these developments, the ease and success with which unwanted cyber activities can be carried out will increase further. Ease and success are determined in part by the range of a digital, the speed and low cost with which such an attack can be carried out and the increasing opportunity to operate (almost) completely anonymously. « 61
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?