KABUL, Afghanistan - NATO’s newly appointed Secretary General, Anders Fogh Rasmussen, is interviewed at Kabul International Airport North. Image by MSgt Chris Haylett (Photo credit: Wikipedia)
MICHAEL FIELD
Last updated 15:47, September 9 2014
Spark's big internet crash at the weekend was not about naked celebrities but linked to Russia's cyberwar on Ukraine and Western powers' sanctions on Moscow, security sources say.
The attack, which has eased off, was neither about cyber criminals nor nude photos of actress Jennifer Lawrence, but online aggression launched under Moscow's direction at Kiev and its friends.
New Zealand was not the target, sources say, but Ukraine and several big international banks enforcing sanctions were.
The attack coincided with the Nato summit in Wales which had just affirmed "that cyber defence is part of Nato's core task of collective defence".
The National Cyber Security Centre (NCSC) – part of the Wellington-headquartered Government Communications Security Bureau – issued no warnings about the attack.
Like much of the Western world, New Zealand has been drawn unwillingly into the deepening crisis.
A New Zealand Russian has been wounded fighting in the conflict in Ukraine and has flown home to be treated by the New Zealand health services.
Sources say he suffered a gunshot wound to the leg and concussion after a firefight in eastern Ukraine.
A well-placed expert here says the Russians have "actively worked on cyber attacks" and says it was clear New Zealand was now "caught up in the cyberwar which is an integral part of the Russian war against Ukraine".
Russia had the skills to do it and denial of service (DOS) attacks "could be expected to be chasing the new routes ... "
Spark says its internet service is getting back to normal but a spokesman said today it was not sure who the target had been.
"What we know is that the requests were coming from various international locations, being bounced off some Spark customer connections, with the destination domain names being located in Eastern Europe," he said.
The destination domain names involved had country suffixes including .su (the still-active domain for the Soviet Union), .sk (Slovakia) and .cz (Czech Republic). Spark has no clear idea of the source, but a source familiar with part of its operation says tracking destinations and sources may not, in a practical way, point to the source of the attacks.
The modus operandi centred on a false promise of illicit pictures of naked Hollywood stars, including Lawrence.
Several dozen computer users may have clicked on emails, Facebook links and Twitter hashtags promising views of naked stars and, without knowing it, installed malware that turned their computers into devices to launch a DOS attack beyond New Zealand.
Tweets with the hashtag #jenniferlawrence include a shortened link to a video, but users are directed to download a "video converter" that is actually malicious software.
The Financial Times reported last week that dozens of computers in the Ukrainian prime minister's office and at least 10 of Ukraine's embassies abroad had been infected with a virulent cyber espionage weapon linked to Russia.
The Times quoted security experts saying the infections were a result of the spread and penetration of the Snake or Ouroboros malware. It is used by hackers linked to the Russian Government.
The report said the target was Ukraine and quoted a Royal United Services Institute expert, Peter Roberts, who said Snake was spreading.
"If you take a normal virus, its spread and infection is fairly uncontrollable," he told the Financial Times. "The thing about Snake is that it is a far more targeted piece of malware. It is being carefully targeted at security and defence systems of governments and key government partners in a very specific way.
"It has all the hallmarks of being generated by Russian operatives," he added. "There is a very high degree of probability, just short of certainty, that it is Russian."
Snake is installed by emails or the like asking people to install "convertors" for video or shockwave players.
Spark says it does not yet know what malware was installed in New Zealand.
The latest attack has not drawn any warning from NCSC, which says it "provides enhanced services and advice to government agencies and critical infrastructure providers to help them to defend against cyber-borne threat".
Its latest warning was on August 12 over a "spearphishing" attack on civil servants in which an email explains that a fictitious earlier email was sent to the recipient, but that the delivery had failed. The email requests that the recipient follow a hyperlink to view the email.
NCSC has yet to respond to a Fairfax Media request for comment on the Spark attack.
Nato leaders met in Wales last week with its secretary-general, Anders Fogh Rasmussen, declaring that cyber defence was a core task.
It now comes under an article of the Nato charter which states that an attack on one member state will be treated as an attack on all member nations.
"As the Alliance looks to the future, cyber threats and attacks will continue to become more common, sophisticated, and potentially damaging," the Wales Summit Declaration says.
"Cyber attacks can reach a threshold that threatens national and Euro-Atlantic prosperity, security, and stability. Their impact could be as harmful to modern societies as a conventional attack."
A cyber attack last month, similar in style to the one New Zealand witnessed last weekend, resulted in large amounts of sensitive data being lifted from JP Morgan Chase and at least one other bank.
Bloomberg.com reported that the Federal Bureau of Investigation and the National Security Agency were investigating.
Earlier London's Daily Telegraph reported the biggest threats were coming from Evgeniy Bogachev, a hacking mastermind who was thought to be running the most sophisticated cyber crime network the world has ever seen from his home on Russia's Black Sea coast.
- © Fairfax NZ News