Assessing MH17-Themed Cyber Threats
July 30, 2014 • Matt Kodama
In our webinar today we assessed the aftermath of the MH17 tragedy from a threat intelligence perspective. Together with our guest Rich Barger, Chief Intelligence Officer of Cyber Squared Inc., we expanded on our previous assessment to address MH17-themed cyber threats by blending open source intelligence (OSINT) with network-derived intel – with a particular focus on NetTraveler.
As IT security experts have noted, it is highly predictable that any natural or man-made disaster that captures popular attention will be exploited to create lures. The specific implementation could be phishbait for a malicious email link or attachment, clickbait posted on social media that leads to a malware infection, or even targeted reconnaissance through a watering hole attack. The fundamental "vulnerability" is human nature: we care about the disaster event, so we open the attachment or follow the link.
It was sadly predictable that the MH17 tragedy would be leveraged in this way, just as the MH370 tragedy was before it. The threat intel question for defenders of a particular network is targeting and motivation. A few infected endpoints tied to an ad-serving scam are a nuisance. A spearphishing email that establishes an advanced persistent threat (APT) foothold in your network is an urgent incident, and the two need to be triaged very differently.
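To make the nuisance-versus-incident distinction concrete, here is a small triage script added to this post (it is not code from the webinar, from ThreatConnect, or from Recorded Future). It scores inbound mail metadata on three signals the paragraph above raises: an event-themed lure in the subject, the risk of the attachment type, and whether the recipient is a high-value target. The log format, the sample messages, the keyword list and the recipient roles are all constructed for illustration and are assumptions, not indicators from any real campaign.

```python
import os
import re
from dataclasses import dataclass, field

# Constructed sample mail metadata (not real messages or IOCs). The log
# format is an assumption made for this example.
SAMPLE_MAIL = [
    "from=news@flightupdates.example.invalid to=cfo@victim.example "
    "subject='MH17 black box recordings' attach=MH17_blackbox.doc",
    "from=alerts@retailer.example.invalid to=staff@victim.example "
    "subject='Weekly deals' attach=",
    "from=press@airline.example.invalid to=press@victim.example "
    "subject='MH17 statement' attach=statement.pdf",
    "from=friend@mail.example.invalid to=user@victim.example "
    "subject='crash footage!!' attach=video.scr",
]

# Event-themed terms that a lure built around the tragedy would likely use.
LURE_TERMS = ("mh17", "mh370", "black box", "crash")
# Attachment types commonly carrying droppers versus merely suspicious ones.
HIGH_RISK_EXT = {".exe", ".scr", ".rtf", ".doc", ".xls", ".jar"}
MEDIUM_RISK_EXT = {".pdf", ".zip"}
# Assumed high-value recipients; a real deployment would use the org's own list.
SENSITIVE_RECIPIENTS = ("cfo@", "ceo@", "legal@")

LINE_RE = re.compile(r"from=(\S+) to=(\S+) subject='([^']*)' attach=(\S*)")


@dataclass
class Verdict:
    to: str
    subject: str
    score: int
    reasons: list = field(default_factory=list)

    @property
    def priority(self) -> str:
        # Thresholds are a judgement call; tune them to local false-positive rates.
        if self.score >= 5:
            return "urgent"
        if self.score >= 3:
            return "review"
        return "low"


def score_mail(line: str) -> Verdict:
    """Score one mail log line on lure theme, attachment risk and targeting."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable mail record: {line!r}")
    _sender, to, subject, attach = m.groups()
    score, reasons = 0, []

    subj = subject.lower()
    if any(term in subj for term in LURE_TERMS):
        score += 2
        reasons.append("event-themed subject")

    ext = os.path.splitext(attach.lower())[1] if attach else ""
    if ext in HIGH_RISK_EXT:
        score += 3
        reasons.append(f"high-risk attachment {ext}")
    elif ext in MEDIUM_RISK_EXT:
        score += 1
        reasons.append(f"suspicious attachment {ext}")

    if to.lower().startswith(SENSITIVE_RECIPIENTS):
        score += 2
        reasons.append("sensitive recipient")

    return Verdict(to=to, subject=subject, score=score, reasons=reasons)


def triage(lines) -> list:
    """Return verdicts ordered so the most urgent messages come first."""
    return sorted((score_mail(l) for l in lines), key=lambda v: -v.score)


if __name__ == "__main__":
    for v in triage(SAMPLE_MAIL):
        print(f"{v.priority:7} score={v.score} to={v.to} subject={v.subject!r} "
              f"reasons={', '.join(v.reasons) or 'none'}")
```

Run as written it ranks the "black box" lure sent to the CFO with a .doc attachment first, the .scr "crash footage" second, the press statement as worth a look, and the retailer newsletter as low priority. The point is the ordering, not the exact weights: a themed lure aimed at a sensitive mailbox is where an analyst's time goes first.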
Together with Rich, we looked at the MH17 aftermath from this perspective. We reviewed the relevant threat history and highlighted prior use of the NetTraveler malware family, one to watch carefully for MH17-themed attacks. Rich enriched this discussion with infrastructure and CnC specifics developed using the ThreatConnect® Threat Intelligence Platform.
If you missed our webinar, you can still access the recording and find information about IOCs and CnC through ThreatConnect incident “20140722A: MH17 Black Boxes NetTraveler APT.”