By Oscar Levy
On the 12th of June 2016, an American who affiliated himself with ISIS opened fire at a gay nightclub in Orlando, Florida. The shooting claimed dozens of lives and sent ripples across the US, including in the cyber realm. After recent attacks of this nature, such as the March 2016 Brussels bombings, the November 2015 Paris attacks and the January 2015 Charlie Hebdo attack, cyber activity rose sharply. A similar rise was registered after the Orlando shooting.
In general, cyber activity rises sharply in the days following such an attack. After previous terror attacks, hacking groups opposed to ISIS, such as Anonymous and its affiliates, took direct action against ISIS's digital presence (websites and social media accounts) to voice their protest. Analyzing the cyber threat landscape in the days following the Orlando shooting, we found the following trends and patterns (see the appendix for infographics):
– The most active cyber attackers after the Orlando shooting were financial hackers, political cyber warriors and political activists (hacktivists), in particular Anonymous-affiliated attackers. This was the first consequence; about a week later, retaliation and cyber combat took place between Anonymous and ISIS online affiliates.
– The most targeted industries in North America were IT (including social media defacements of Twitter and Facebook pages), Government, Media and Retail.
– The most used attack methods (TTPs) were malware and social engineering. The most used malware types were ransomware, Trojans and terminal malware. DDoS (denial of service) attacks and defacements were also observed as a direct consequence.
– The most targeted assets during this peak in activity were client data (usernames, passwords, PII, etc.) and the availability of client-facing services.
The first reaction to the shooting came, as in previous similar situations, from hacktivists related to the Anonymous collective, who took action against ISIS. They hijacked high-profile ISIS Twitter accounts in revenge, defaced them and posted pro-gay messages, both to support the gay community that was targeted and to shame ISIS. One possible route to controlling these accounts is credentials obtained from a third-party breach: when a large user-populated service such as LinkedIn is hacked, the dumped data is recycled by other attackers to log in to the victims' other accounts wherever the same password was reused.
Another consequence of such rises in cyber activity is the creation of opportunities for other entities. The excitement and shift in focus created by "mainstream" hacks, high-profile defacements and PII theft make room for the financial hackers mentioned above and for more serious attackers to perform more advanced and focused attacks. In terms of ratios, our analysis showed that political cyber warriors and financial hackers accounted for a significant share of the attacks. However, while the number of attacks conducted by political cyber warriors was very low, their sophistication and impact were far greater than those of the political activists, whose numerous defacements and minor hacks were more frequent but less powerful. The attacks from more potent actors, such as the DNC hack (possibly Russian-backed hackers accessing US administrative records), happened one or two days after the shooting, whereas the cyber propaganda combat between ISIS and Anonymous took about a week to develop, causing a second wave of disruption.
In future similar events (terror attacks, large-scale hate crimes, racial attacks) organizations should be aware of these cyber activity patterns and prepare accordingly. Employees should be warned about social engineering, including phishing and general spam, and security managers should put in place defenses to prevent or quickly mitigate DDoS attacks and defacements. For consumers, when large amounts of credentials are stolen for whatever purpose (including the defacements mentioned above), changing passwords is recommended, particularly any password reused across services.
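The credential-recycling mechanism described above (breach dumps reused to log in to victims' other accounts) and the password-reset advice can both be made concrete with detection logic. The following is an added example written for this page, not code from Cytegic or from the original post: it reads web-application login records and flags any source address that tries many distinct usernames within a short window with a low success rate, the typical fingerprint of a recycled credential list, and returns the accounts that did log in successfully from such a source, since those are the passwords that need resetting. The log format, IP addresses, usernames, time window and thresholds are all constructed assumptions for illustration.

```python
"""Flag credential-stuffing activity in login logs (added illustrative example).

Assumed log format, one event per line:
    <ISO-8601 timestamp> <source IP> <username> <OK|FAIL>
A source that cycles through many different usernames and mostly fails is
treated as replaying a breach dump; a single user retrying one account, or a
shared office NAT where many users succeed, is not flagged.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 198.51.100.7 sprays a
# recycled list; 203.0.113.9 is one user fumbling a password; 192.0.2.44 is a
# shared egress address where everyone logs in fine.
SAMPLE_LOG = """\
2016-06-14T03:10:01 198.51.100.7 alice FAIL
2016-06-14T03:10:02 198.51.100.7 bob FAIL
2016-06-14T03:10:03 198.51.100.7 carol OK
2016-06-14T03:10:04 198.51.100.7 dave FAIL
2016-06-14T03:10:05 198.51.100.7 erin FAIL
2016-06-14T03:10:06 198.51.100.7 frank FAIL
2016-06-14T03:10:07 198.51.100.7 grace OK
2016-06-14T03:10:08 198.51.100.7 heidi FAIL
2016-06-14T03:12:00 203.0.113.9 alice FAIL
2016-06-14T03:12:30 203.0.113.9 alice FAIL
2016-06-14T03:13:00 203.0.113.9 alice OK
2016-06-14T09:00:00 192.0.2.44 bob OK
2016-06-14T09:00:05 192.0.2.44 carol OK
2016-06-14T09:00:10 192.0.2.44 dave OK
2016-06-14T09:00:15 192.0.2.44 erin OK
2016-06-14T09:00:20 192.0.2.44 frank OK
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_ratio=0.3):
    """Return {source_ip: set(accounts that logged in OK from it)} for every
    source that, within any sliding `window`, attempted at least `min_users`
    distinct usernames with a success ratio at or below `max_success_ratio`.
    Thresholds are assumptions; tune them to the service's real traffic."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()                 # events inside the current window
        user_counts = defaultdict(int)  # distinct usernames in the window
        successes = 0
        for ts, _, user, ok in evs:
            win.append((ts, user, ok))
            user_counts[user] += 1
            successes += ok
            # Evict events older than the window, keeping the counters exact.
            while win and ts - win[0][0] > window:
                old_ts, old_user, old_ok = win.popleft()
                user_counts[old_user] -= 1
                if user_counts[old_user] == 0:
                    del user_counts[old_user]
                successes -= old_ok
            # Many distinct accounts + mostly failures = recycled credential list.
            if (len(user_counts) >= min_users
                    and successes / len(win) <= max_success_ratio):
                flagged.setdefault(ip, set()).update(
                    u for _, u, ok in win if ok)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; "
              f"force password reset for {sorted(accounts)}")
```

Only 198.51.100.7 is reported, with carol and grace as the accounts whose reused passwords were accepted. The single-user retry and the all-success shared address are deliberately left alone, which is why the check combines distinct-username count with failure ratio rather than using either alone.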
Intelligence Update (Appendix):
1. Type of attacker
2. Attacked Industries
3. Targeted Assets
4. Attack Methods used during attack Aftermath (13th to 25th of June 2016)
This document was produced using the Cytegic DyTA intelligence platform.
Cytegic DyTA gathers, processes and analyzes hundreds of thousands of intelligence feeds from multiple sources on a monthly basis, to allow a quick and understandable cyber-trend analysis. DyTA enables cyber-intelligence analysts and CISOs to understand and analyze the threat level of each attacker and attack method relevant to their organization, according to their geo-political region, industry sector and corporate assets.
For further information please contact Cytegic at: firstname.lastname@example.org