Iranian Hackers Hit NASA: Isolated Attack or Act of Cyberwar?

Thursday, May 24, 2012

Plagiarist Paganini


(Translated from the original Italian)

Exactly one week ago a group of Iranian hackers called the "Cyber Warriors Team" claimed to have compromised an SSL certificate issued to the Research and Education Support Services of NASA.

The press release by the Cyber Warriors Team said that the hackers had written an HTTPS protocol scanner to find weaknesses in the NASA website. A NASA spokesman has not denied the hack, declaring that the agency is currently investigating the event.

Why steal a certificate?

Last year I wrote an article on the main reasons behind the theft of digital certificates; let's look again at the principal motivations:

Malware production - Installation of certain types of software requires that the code be digitally signed with a trusted certificate. Stealing the certificate of a trusted vendor reduces the chance that the malicious software will be detected quickly. That is exactly what happened with the Stuxnet virus.

Cyber warfare - Criminals or governments could use stolen certificates to conduct “man-in-the-middle” attacks, tricking users into thinking they were at a legitimate site when in fact their communications were being intercepted and tampered with. That is what occurred in the DigiNotar case, for example: companies like Facebook and Google, and also agencies like the CIA and MI6, were targeted in the Dutch certificate hack.

Economic fraud - Digital signatures provide a guarantee of who created a document, so you can decide whether you trust the person or company who signed the file, and whether you trust the organization that issued the certificate. If a digital certificate is stolen, we suffer a form of identity theft, and we can imagine the implications.

In this specific case, the hackers have alluded to their motivation for the attack in a message published on Pastebin, declaring that the certificate is necessary to perform a man-in-the-middle attack.

"Our main work and we target Is in use.Our target was not Internet sabotage , Our Target was Do "MAN IN THE MIDDLE" attack. (with using Confirmation obtained) and also Clear the track after each connection in the network For Hide and Disclosing my presence in Two-way communication between."

"But the problem still exists And its use isn't Hard For We (CW.T) [ ] <<<< we obtain User information for thousands of NASA researcher With Emails and Accounts of other users.Send For You soon Videos of Man in the middle attack and Stealing relationship ( Addressing security managers at NASA )."


Analyzing the screenshot published by the hackers, it appears that the certificate was utilized on the site of NASA’s Solicitation and Proposal Integrated Review and Evaluation System (NSPIRES).

The hackers successfully exploited the authentication process, obtaining the administrator's credentials.


In the message, it is reported that the hackers have compromised thousands of NASA researchers' accounts, and they have promised to release a video of the operation.

In any case, the group's intent of cyber espionage is clear.

What is interesting to examine is the real origin of the attack - is it an isolated operation conducted by a group of Iranian hackers, or is it a state-sponsored act of cyber warfare?

For the sake of the hypotheses, let's recall the content of the significant report “The Iranian Cyber Threat to the U.S. Homeland”, presented to the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies and Subcommittee on Counterterrorism and Intelligence.

The document analyzes Iran's growing cyber capabilities and shows that the country is expanding its exploitation of cyberspace, which can be attributed to two principal geopolitical drivers:

  • The first is the Iranian regime’s efforts to counter Western influence and prevent the emergence of a “soft revolution” within its borders. That digital barrier has grown exponentially over the past three years, as Iran’s leadership has sought to diminish domestic dissent and curtail the ability of its opponents to organize.
  • The second geopolitical driver of Iran’s interest in cyberspace relates to the expanding conflict with the West over its nuclear ambitions.

The report declares that Teheran considers itself engaged in a cyber war with the West, and in response the Iranian regime is mobilizing by launching an ambitious $1 billion governmental program to boost national cyber capabilities, acquire new technologies, invest in cyber defense, and create an army of cyber experts.

In my opinion the Iranian government is working on several fronts: on one side it is recruiting domestic hackers in the name of religious motivations, and on the other it is acquiring knowledge from mercenary hackers from Eastern Europe and Asia.

It will not be difficult for Iran to build its own cyber arsenal, and these cyber weapons could hit vulnerable Western critical infrastructures. I personally think that this cyber attack is linked to the Iranian government.

It's not the first time NASA has been hacked: at the beginning of the year several attacks revealed that the agency is unprepared for cyber attacks.

The situation is worrying, and we must consider the strategic importance of the intellectual property exposed by these incidents. We have repeatedly stressed the interest of foreign governments in strategic technology solutions in industries such as defense and aerospace.

These sectors contribute, in terms of research and innovation, new technologies that are introduced in later years into the commercial sectors. Being able to steal this information means bridging a gap in technology and research of decades, with disastrous economic consequences for the targets.

NASA Inspector General Paul K. Martin declared that in 2011 the agency was the target of 47 cyber attacks known as advanced persistent threats (APTs), surely conducted by groups of expert hackers with deep knowledge of their target and of the information they wish to steal. This is proof that we are faced with cyber intelligence operations conducted by hostile governments.

Martin admitted:

“the attackers had full functional control over these networks.”

Since the officials' declaration, a number of security experts have claimed that some actions were taken to improve the security of the agency's infrastructure, but events seem to demonstrate that they are not sufficient.

Cross-posted from Security Affairs
