BBC Unleashes Botnet For 'Investigation'
Beginning on 27 April 2007, a series of cyberattacks targeted the websites of Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of the Bronze Soldier of Tallinn, an elaborate Soviet-era grave marker, as well as war graves in Tallinn.[1][2] Most of the attacks that had any effect on the general public were distributed denial of service attacks, ranging from single individuals using methods such as ping floods to expensive rentals of botnets usually used for spam distribution. Spamming of the comment sections of larger news portals and defacements, including that of the Estonian Reform Party website, also occurred.[3] Research has also shown that large edit conflicts took place on the English-language version of the Bronze Soldier's Wikipedia page.[4]
On 2 May 2007, a criminal investigation was opened into the attacks under a section of the Estonian Penal Code criminalising computer sabotage and interference with the working of a computer network, felonies punishable by imprisonment of up to three years. As a number of attackers turned out to be within the jurisdiction of the Russian Federation, on 10 May 2007 the Estonian Public Prosecutor's Office made a formal investigation assistance request to the Russian Federation's Supreme Procurature under the Mutual Legal Assistance Treaty (MLAT) existing between Estonia and Russia. A Russian State Duma delegation visiting Estonia in early May regarding the situation surrounding the Bronze Soldier of Tallinn had promised that Russia would aid such an investigation in every way available.[13] On 28 June, the Russian Supreme Procurature refused assistance,[13] claiming that the proposed investigative processes were not covered by the applicable MLAT.[14] Piret Seeman, the PR officer of the Estonian Public Prosecutor's Office, criticized this decision, pointing out that all the requested processes are in fact enumerated in the MLAT.[14]
"We don't have directly visible info about sources so we can't confirm or deny that the attacks are coming from the Russian government," Jose Nazario, software and security engineer at Arbor Networks, told internetnews.com.[22] Arbor Networks operated the ATLAS threat analysis network, which, the company claimed, could "see" 80% of Internet traffic. Nazario suspected that different groups operating separate distributed botnets were involved in the attack.
Like most countries, Estonia does not recognise Transnistria, a secessionist region of Moldova. As an unrecognised nation, Transnistria does not belong to Interpol.[27] Accordingly, no Mutual Legal Assistance Treaty applies. If residents of Transnistria were responsible, the investigation may be severely hampered, and even if the investigation succeeds in finding likely suspects, the legal recourse of Estonian authorities may be limited to issuing EU-wide arrest warrants for these suspects. Such an act would be largely symbolic.
Titled A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats, the 51-page report notes the range of threats for which botnets can be created and used, including distributed denial of service (DDoS) attacks, spewing out spam, and spreading malware. It goes on to spell out several themes that underlie the problem and help explain its magnitude:
Based on the various facets of the botnet menace, the report identifies five goals that are intended to help mitigate the risk of attacks unleashed by botnets and to make the internet ecosystem more resilient. The objectives involve determining a clear pathway toward a secure technology marketplace, promoting innovation both in the infrastructure that underlies the digital ecosystem and in the networking industry, promoting cooperation between various stakeholders, and boosting awareness of the threats.
Task Force on Market Integrity and Consumer Fraud
July 12, 2018
The Task Force on Market Integrity and Consumer Fraud was created to provide guidance for the investigation and prosecution of cases involving fraud on the government, the financial markets, and consumers, including cyber-fraud.
Source: White House -actions/executive-order-regarding-establishment-task-force-market-integrity-consumer-fraud/
The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint statement saying their investigation indicated that:
The U.S. Justice Department today criminally charged a Canadian and a Northern Ireland man for allegedly conspiring to build multiple botnets that enslaved hundreds of thousands of routers and other Internet of Things (IoT) devices for use in large-scale distributed denial-of-service (DDoS) attacks. In addition, a defendant in the United States was sentenced to drug treatment and 18 months community confinement for his admitted role in the conspiracy.
The FBI and the DOJ had help in their investigation from many security experts, but this post focuses on one expert whose research into the Dark Web and its various malefactors was especially useful in that case. Allison Nixon is director of security research at Flashpoint, a cyber intelligence firm based in New York City. Nixon spoke with KrebsOnSecurity at length about her perspectives on IoT security and the vital role of law enforcement in this fight.
Bakuei is a researcher with the Trend Micro FTR team. He has been with Trend Micro since 1997, and worked as Japan product technical support team leader and malware analysis team leader of Japan Regional TrendLabs before he joined the Forward-looking Threat Research (FTR) team in 2012. He was seconded to the INTERPOL Global Complex for Innovation (IGCI) in Singapore from October 2014 to September 2017 to work for INTERPOL as a Cyber Researcher under the strategic partnership agreement between INTERPOL and Trend Micro, and was involved in the SIMDA botnet takedown, BEC investigations, a joint research paper on the West African Underground, and more. He returned to the FTR team in October 2017 as a Senior Threat Researcher. He is currently based in Japan, and cybercrime and Industry 4.0/Manufacturing are his current specialized areas of research.
Vladimir Kropotov is a researcher with the Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, Black Hat EU and many others.
We will conduct a hands-on demonstration of our tabletop exercise method, which introduces investigation steps such as checking logs against a network architecture diagram. No prior knowledge or skills are assumed of attendees, though basic knowledge of network and system architecture is desirable.
Disinformation campaigns on the internet have become a real problem. Most of these campaigns, especially the well-organised ones, involve technical mechanisms, including malicious activities such as botnets. CSIRT teams are therefore asked for help and direct involvement. Should your team be involved? Should you agree to that, and if so, what real value could your team bring to resolving the problem? Is that value related to monitoring services, or rather to purely reactive ones?
Jeff helped build and operate one of the world's largest corporate security monitoring infrastructures. Jeff regularly speaks at international FIRST conferences, and occasionally writes for the Cisco Security Blog. He is also the co-author of "Crafting the InfoSec Playbook". Jeff's recent work includes log mining, search optimization, cloud threat research, and security investigations.
DR. ASWAMI ARIFFIN is a digital forensic scientist with vast experience in security assurance, threat intelligence, incident response and digital forensic investigation. Aswami is active in research and one of his papers was accepted for publication in the Advances in Digital Forensics IX. Currently, Aswami is a Senior Vice President of CyberSecurity Responsive Services Division at CyberSecurity Malaysia.
Thomas Mathew is a Senior Security Researcher at Cisco Umbrella (OpenDNS) where he works on implementing pattern recognition algorithms to classify malware and botnets. His interest lies in using time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz and the US Naval Postgraduate School, and a Product and Test Engineer at the hands-free streaming video camera company Looxcie, Inc. He has presented at Black Hat, Defcon, BruCon, FloCon, Kaspersky SAS, Infosecurity Europe, and O'Reilly Security.
Piotr is a member of The Shadowserver Foundation, a non-profit with a mission of making the Internet a more secure environment. He has a strong CSIRT background, having previously worked in incident response at a national level for 14 years in the CERT Polska (CERT.PL) team. He managed the team for nearly 7 years until 2016, building up its various security data gathering and analysis projects as well as managing its anti-malware operations, including numerous botnet disruptions. Piotr currently also serves on the Board of Directors of the Honeynet Project, a well-known and respected non-profit that is committed to the development of honeypot technologies and threat analysis.