CCC News


IT and Cyber Security News Update from

Centre for Research and Prevention of Computer Crimes, India


Courtesy - Sysman Computers Private Limited, Mumbai (

Since June 2005                                         December 12, 2014                                          Issue no 1518

Tenth year of uninterrupted publication

Today’s edition – 


CAUTION : MHA Employees Cautioned Against Use of Social Media

CYBER-ATTACK : Did Mysterious 2008 Turkey Pipeline Blast Open a Cyberwar?

OLD HACK : Powerful, highly stealthy Linux trojan may have infected victims for years

HACKED : Iranian hackers used Visual Basic malware to wipe Vegas casino’s network

IT Term of the day

Quote of the day





CAUTION : MHA Employees Cautioned Against Use of Social Media


10th December 2014


NEW DELHI: All employees in the Home Ministry have been cautioned against the use of social media and directed that no confidential information should be divulged on such platforms.


The Home Ministry told its employees that though they are free to post responses in their personal capacity, it is mandatory that while doing so they must clearly identify themselves and they must not divulge confidential information.


"Their views should not be seen to represent 'official view' unless authorised to do so. For any official work involving transmission of public records, they must use an email identity connected to a server, located in India and for this purpose they must preferably take service of National Informatics Centre," Home Ministry Joint Secretary Kumar Alok said in a circular.


The Ministry said that social media is increasingly being used in government for public engagements for disseminating information, policy making, recruitments, generating awareness, education etc.


"Most of the social media platforms are based outside India and are not governed by Indian laws. It is very important to ensure that Public Records Act 1993 and other applicable laws are complied with and adequate provisions for security are in place in view of current threat scenario in cyber space," the circular said.


Prime Minister Narendra Modi, Home Minister Rajnath Singh and most of the Union ministers are frequent users of social media platforms like Twitter and Facebook.



CYBER-ATTACK : Did Mysterious 2008 Turkey Pipeline Blast Open a Cyberwar?

By Jordan Robertson and Michael Riley

December 10, 2014


The pipeline was outfitted with sensors and cameras to monitor every step of its 1,099 miles from the Caspian Sea to the Mediterranean. The blast that blew it out of commission didn’t trigger a single distress signal.


That was bewildering, as was the cameras’ failure to capture the combustion in eastern Turkey. But investigators shared their findings within a tight circle. The Turkish government publicly blamed a malfunction, Kurdish separatists claimed credit and BP Plc had the line running again in three weeks. The explosion that lit up the night sky over Refahiye, a town known for its honey farms, seemed to be forgotten.


It wasn’t. For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The main weapon at valve station 30 on Aug. 5, 2008, was a keyboard.


The revelation “rewrites the history of cyberwar,” said Derek Reveron, a professor of national security affairs at the U.S. Naval War College in Newport, Rhode Island.


Countries have been laying the groundwork for cyberwar operations for years, and companies have been hit recently with digital broadsides bearing hallmarks of government sponsorship. Sony Corp.’s network was raided by hackers believed to be aligned with North Korea, and sources have said JPMorgan Chase & Co. blamed an August assault on Russian cyberspies. Security researchers just uncovered what they said was a campaign by Iranian hackers that targeted commercial airlines, looking for vulnerabilities that could be used in physical attacks.


Energy Politics


The Refahiye explosion occurred two years before Stuxnet, the computer worm that in 2010 crippled Iran’s nuclear-enrichment program, widely believed to have been deployed by Israel and the U.S. It turns out the Baku-Tbilisi-Ceyhan pipeline hackers were ahead of them. The chief suspect, according to U.S. intelligence officials, is Russia.


The sabotage of the BTC line -- which follows a route through the former Soviet Union that the U.S. mapped out over Russian objections -- marked another chapter in the belligerent energy politics of Eurasia. Days after the explosion, Russian fighter jets dropped bombs near the line in neighboring Georgia. Alexander Dugin, an influential advocate of Russian expansionism and at the time an adviser to the Russian parliament, was quoted in a Turkish newspaper declaring the BTC was “dead.”


Kinetic Effects


The obituary was premature, but the attack proved to U.S. officials that they were right to be concerned about the vulnerability of pipelines that snake for hundreds of thousands of miles across Europe and North America. National Security Agency experts had been warning the lines could be blown up from a distance, without the bother of conventional weapons. The attack was evidence other nations had the technology to wage a new kind of war, three current and former U.S. officials said.


“The timing really is the significance,” said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center, which works with utilities and pipeline companies. “Stuxnet was discovered in 2010 and this was obviously deployed before that. This is another point on the timeline” in the young history of cyberwar.


U.S. intelligence agencies believe the Russian government was behind the Refahiye explosion, according to two of the people briefed on the investigation. The evidence is circumstantial, they said, based on the possible motive and the level of sophistication. The attackers also left behind a tantalizing clue.


Infrared Camera


Although as many as 60 hours of surveillance video were erased by the hackers, a single infrared camera not connected to the same network captured images of two men with laptop computers walking near the pipeline days before the explosion, according to one of the people, who has reviewed the video. The men wore black military-style uniforms without insignias, similar to the garb worn by special forces troops.


“Given Russia’s strategic interest, there will always be the question of whether the country had a hand in it,” said Emily Stromquist, an energy analyst for Eurasia Group, a political risk firm based in Washington.


Nikolay Lyaschenko, a spokesman for the Russian Embassy in Washington, didn’t respond to two e-mails and a phone call.


Eleven companies -- including majority-owner BP, a subsidiary of the State Oil Company of Azerbaijan, Chevron Corp. and Norway’s Statoil ASA (STL) -- built the line, which has carried more than two billion barrels of crude since opening in 2006.


Circumventing Russia


It starts in Azerbaijan, traverses Georgia and then enters Turkey, ending at the port city of Ceyhan. It was routed south to circumvent Russia, a blow to that country’s aims to reassert control over Central Asia, a major pipeline deliberately built outside Russian territory to carry crude from the Caspian.


Traversing strategic, politically unsettled terrain, the line was built to be one of the most secure in the world. The 3-foot 6-inch diameter pipe is buried underground and punctuated by fenced valve stations designed to isolate sections in case of emergency and to contain leaks.


According to investigators, every mile was monitored by sensors. Pressure, oil flow and other critical indicators were fed to a central control room via a wireless monitoring system. In an extra measure, they were also sent by satellite.


The explosion, at around 11 p.m. on a warm summer night, was spectacular. Residents described feeling the heat a half mile away, and patients at a nearby hospital reported hearing a thunderous boom.


First Mystery


Almost immediately, the Kurdistan Workers’ Party, or PKK, an armed separatist group in Turkey, claimed credit. It made sense because of the PKK’s history of bombing pipelines. The Turkish government’s claim of mechanical failure, on the other hand, was widely disputed in media reports. Hilmi Guler, then Turkey’s energy minister, said at the time there was no evidence of sabotage. Neither he nor officials at the Energy Ministry responded to requests for comment.


Huseyin Sagir, a spokesman for Botas International Ltd., the state-run company that operates the pipeline in Turkey, said the line’s computer systems hadn’t been tampered with. “We have never experienced any kind of signal jamming attack or tampering on the communication lines, or computer systems,” Sagir said in an e-mail. He didn’t respond to questions about what caused the explosion. BP spokesman Toby Odone referred questions to Botas.


The BTC was shut down because of what BP referred to in its 2008 annual report simply as a fire.


Malicious Program


The investigators -- from Turkey, the U.K., Azerbaijan and other countries -- went quietly about their business. The first mystery they set out to solve was why the elaborate system in place to detect leaks of oil or a fire didn’t work as planned.


Instead of receiving digital alerts from sensors placed along the line, the control room didn’t learn about the blast until 40 minutes after it happened, from a security worker who saw the flames, according to a person who worked on the probe.


As investigators followed the trail of the failed alarm system, they found the hackers’ point of entry was an unexpected one: the surveillance cameras themselves.


The cameras’ communication software had vulnerabilities the hackers used to gain entry and move deep into the internal network, according to the people briefed on the matter.


Once inside, the attackers found a computer running on a Windows operating system that was in charge of the alarm-management network, and placed a malicious program on it. That gave them the ability to sneak back in whenever they wanted.


Extensive Reconnaissance


The central element of the attack was gaining access to the operational controls to increase the pressure without setting off alarms. Because of the line’s design, the hackers could manipulate the pressure by cracking into small industrial computers at a few valve stations without having to hack the main control room.


The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques. The super-high pressure may have been enough on its own to create the explosion, according to two of the people familiar with the incident. No evidence of a physical bomb was found.


Having performed extensive reconnaissance on the computer network, the infiltrators tampered with the units used to send alerts about malfunctions and leaks back to the control room. The back-up satellite signals failed, which suggested to the investigators that the attackers used sophisticated jamming equipment, according to the people familiar with the probe.


Investigators compared the time-stamp on the infrared image of the two people with laptops to data logs that showed the computer system had been probed by an outsider. It was an exact match, according to the people familiar with the investigation.


‘Terrorism Act’


Years later, BP claimed in documents filed in a legal dispute that it wasn’t able to meet shipping contracts after the blast due to “an act of terrorism.”


The explosion caused more than 30,000 barrels of oil to spill in an area above a water aquifer and cost BP and its partners $5 million a day in transit tariffs during the closure, according to communications between BP and its bankers cited in “The Oil Road,” a book about the pipeline.


Some of the worst damage was felt by the State Oil Fund of the Republic of Azerbaijan, which lost $1 billion in export revenue while the line was shut down, according to Jamala Aliyeva, a spokeswoman for the fund.


A pipeline bombing may fit the profile of the PKK, which specializes in extortion, drug smuggling and assaults on foreign companies, said Didem Akyel Collinsworth, an Istanbul-based analyst for the International Crisis Group. But she said the PKK doesn’t have advanced hacking capabilities. “That’s not their modus operandi,” she said. “It’s always been very physical, very basic insurgency stuff.”


Potential Rivals


U.S. spy agencies probed the BTC blast independently, gathering information from foreign communications intercepts and other sources, according to one of the people familiar with the inquiry. American intelligence officials believe the PKK -- which according to leaked State Department cables has received arms and intelligence from Russia -- may have arranged in advance with the attackers to take credit, the person said.


The U.S. was interested in more than just motive. The Pentagon at the time was assessing the cyber capabilities of potential rivals, as well as weaknesses in its own defenses. Since that attack, both Iran and China have hacked into U.S. pipeline companies and gas utilities, apparently to identify vulnerabilities that could be exploited later.


Critical Services


As tensions over the Ukraine crisis have mounted, Russian cyberspies have been detected planting malware in U.S. systems that deliver critical services like electricity and water, according to John Hultquist, senior manager for cyber espionage threat intelligence at Dallas-based iSight Partners, which first revealed the activity in October.


Russian hackers also targeted sensitive documents related to a NATO summit in September, hitting dozens of computers belonging to the Ukrainian government and others, according to an iSight report.


In the U.S., “it is only a matter of the ‘when,’ not the ‘if,’ that we are going to see something dramatic,” Michael Rogers, director of the NSA and commander of the U.S. Cyber Command, told the House Intelligence Committee on Nov. 20. “I fully expect that during my time as the commander we are going to be tasked to help defend critical infrastructure.”


Three days after the BTC blast, Russia went to war with Georgia, and Georgian Prime Minister Nika Gilauri accused Russia of sending the jets to bomb the BTC near the city of Rustavi. The bombs missed their presumed target, some by only a few feet, and the pipeline remained undamaged. The keyboard was the better weapon.



OLD HACK : Powerful, highly stealthy Linux trojan may have infected victims for years

Backdoor tied to espionage campaign that has targeted governments in 45 countries.

by Dan Goodin

Dec 9 2014


Researchers have uncovered an extremely stealthy trojan for Linux systems that attackers have been using to siphon sensitive data from governments and pharmaceutical companies around the world.


The previously undiscovered malware represents a missing puzzle piece tied to "Turla," a so-called advanced persistent threat (APT) disclosed in August by Kaspersky Lab and Symantec. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries. The unknown attackers—who are probably backed by a nation-state, according to Symantec—were known to have infected several hundred Windows-based computers by exploiting a variety of vulnerabilities, at least two of which were zero-day bugs. The malware was notable for its use of a rootkit that made it extremely hard to detect.


Now researchers from Moscow-based Kaspersky Lab have detected Linux-based malware used in the same campaign. Turla was already ranked as one of the top-tier APTs, in the same league as the recently disclosed Regin for instance. The discovery of the Linux component suggests it is bigger than previously thought and may presage the discovery of still more infected systems.


"The [Turla] operations are being carried out in broader environments than we previously knew," Kaspersky Lab expert Kurt Baumgartner told Ars. "All the other stuff we've seen from Turla has been windows based. This piece of the puzzle shows us that they do not limit themselves."

Magic Numbers


Like its Windows counterparts, the Linux trojan is extremely stealthy. It can't be detected using the common netstat command. To conceal itself, the backdoor sits dormant until attackers send it unusually crafted packets that contain "magic numbers" in their sequence numbers. The malware may have sat unnoticed on at least one victim computer for years, although Kaspersky Lab researchers still have not confirmed that suspicion. The trojan is able to run arbitrary commands even though it requires no elevated system privileges.


"It's a very interesting piece of code," Baumgartner said. "Not only does it run on Linux, but you can't detect it in the usual ways."


Even a regular user with limited privileges can launch it, allowing it to intercept traffic and run commands on infected machines. Capabilities include the ability to communicate with servers under the control of attackers and functions allowing attackers to run commands of their choice and perform remote management.


Even after its discovery, the Linux component remains a mystery. The underlying executable file is written in C and C++ and is statically linked, bundling the library code it depends on so that it runs without relying on the libraries installed on the victim host. The binary is also stripped of symbol information, making it harder for researchers to reverse engineer or analyze. As a result, Baumgartner said the trojan may have capabilities that have not yet been uncovered.


Administrators who want to check for Turla-infected Linux systems can check outgoing traffic for connections to news-bbc.podzone[.]org or, which are the addresses of known command and control channels hardcoded into the Linux trojan. Admins can also build a signature using a tool called YARA that detects the strings "TREX_PID=%u" and "Remote VS is empty !"
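The two checks above, worked through as an added example (this is not Kaspersky's code or a tool from the article): a pure-Python equivalent of the YARA rule built from the two reported strings, the same rule written out in YARA syntax for use with the yara command-line tool, and a scan of DNS query logs for the hardcoded command-and-control hostname. The rule name, the sample binary and the DNS log format are assumptions constructed for the example; the strings and the domain are the ones the article reports. Because the backdoor sniffs for its "magic" packets instead of opening a listening socket, a netstat or ss listing is not a useful check, which is why the article points to string and traffic indicators instead.

```python
"""Added example: host and network checks for the Turla Linux backdoor
indicators reported in the article. Not from Kaspersky Lab or the article."""
import re

# Strings Kaspersky reported as signature material for the Linux trojan.
TURLA_STRINGS = [b"TREX_PID=%u", b"Remote VS is empty !"]

# Equivalent rule in YARA syntax. Rule name and metadata are our assumption;
# the strings are from the article. Save to a file and run: yara rule.yar /path
YARA_RULE = r'''
rule turla_linux_strings
{
    meta:
        description = "Turla Linux backdoor strings reported by Kaspersky Lab"
    strings:
        $s1 = "TREX_PID=%u" ascii
        $s2 = "Remote VS is empty !" ascii
    condition:
        all of them
}
'''

def scan_blob(data: bytes) -> dict:
    """Pure-Python equivalent of the rule above: which strings are present,
    and whether the 'all of them' condition holds."""
    hits = {s.decode(): s in data for s in TURLA_STRINGS}
    return {"hits": hits, "match": all(hits.values())}

def scan_file(path: str) -> dict:
    """Apply scan_blob to a file on disk (read whole; fine for ELF binaries)."""
    with open(path, "rb") as fh:
        return scan_blob(fh.read())

# Constructed stand-in for a stripped binary: an ELF magic, padding, and the
# two NUL-terminated format strings a static link would leave in .rodata.
SAMPLE_BINARY = (b"\x7fELF" + b"\x00" * 12 + b"TREX_PID=%u\x00"
                 + b"\x90" * 8 + b"Remote VS is empty !\x00")

# C2 host from the article, written in live (non-defanged) form for matching.
C2_HOSTS = {"news-bbc.podzone.org"}

# Assumed resolver log format: "<iso-timestamp> client=<ip> query=<qname>".
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)$")

def c2_lookups(lines):
    """Return (client, qname) for every query of a C2 host or a subdomain of it.
    Case and a trailing dot are normalised so an evasive spelling still matches."""
    found = []
    for line in lines:
        m = DNS_LINE_RE.match(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if any(qname == h or qname.endswith("." + h) for h in C2_HOSTS):
            found.append((m["client"], qname))
    return found

# Constructed sample resolver log.
SAMPLE_DNS_LOG = """\
2014-12-09T10:00:01Z client=10.0.0.5 query=www.bbc.co.uk
2014-12-09T10:00:07Z client=10.0.0.12 query=news-bbc.podzone.org
2014-12-09T10:01:33Z client=10.0.0.5 query=NEWS-BBC.PODZONE.ORG.
""".splitlines()

if __name__ == "__main__":
    print(scan_blob(SAMPLE_BINARY))
    for client, qname in c2_lookups(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {client}: {qname}")
```

The string check is only as good as the binary being unpacked on disk; a sample that decrypts its strings at runtime will not match, so the DNS check and the YARA rule are complementary rather than interchangeable.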


Given the power and stealth of the backdoor—not to mention its connection to one of the more sophisticated espionage campaigns discovered to date—it wouldn't be surprising for the discovery to open the door to discoveries of more infections or malware components.


"The research is ongoing," Baumgartner said. "I would assume at some point this is going to bridge into another finding because of the way this backdoor is used."



HACKED : Iranian hackers used Visual Basic malware to wipe Vegas casino’s network

Attack in February aimed at punishing majority owner for “nuke Iran” statements.

by Sean Gallagher

Dec 12 2014


Stop us if this sounds familiar: a company executive does something that makes a foreign government’s leadership upset. A few months later, hackers break into the company’s network through a persistent cyber attack, and plant malware that erases the contents of hard drives, shuts down e-mail servers and phone systems, and brings operations to a screeching halt.


That’s not just what happened to Sony Pictures Entertainment in late November—it’s also what happened to Las Vegas Sands Corp., owners of the Sands, Venetian and Palazzo hotels and casinos in a cyber attack that began last January. The attack and the damage it did were kept quiet by the company until it was reported in a story by Bloomberg Businessweek today.


Attempts to reach Las Vegas Sands Corp. have gone unanswered, and a spokesperson for Dell SecureWorks—which was brought in to clean up the mess afterward and determine its cause—declined to speak about the article as it is the company’s policy not to discuss work done for a customer. But according to Bloomberg’s sources, the Sands attack was undertaken by “hacktivists” who were responding to a speech by Sands majority owner Sheldon Adelson. The billionaire 52-percent owner of the Sands and Israeli media mogul made an October 2013 appearance on a panel at the Manhattan campus of Yeshiva University, where he called for a nuclear attack on Iran to get the country to abandon its own nuclear program.


“What I would do,” he said during the panel, rather than negotiating, “would be to say, ‘Do you see that desert over there? I want to show you something.’ You pick up your cell phone and you call somewhere in Nebraska and you say ‘Ok let it go.’…Then you say, ‘See? The next one is in the middle of Tehran.’” The statement, which circulated on YouTube from smartphone video, reached Iran’s leadership; Supreme Leader Ayatollah Ali Khamenei said in a November speech that the American government should “slap these prating people in the mouth and crush their mouths.”


Apparently inspired by the speech, the attackers started probing Sands’ network, launching an all-out brute force password attack on the company’s virtual private network gateway at its slots casino in Bethlehem, Pennsylvania. Then, on February 1, they breached a Microsoft IIS development and staging server for the casino’s website and used an open tool called mimikatz to obtain usernames and passwords. Eventually, they found the credentials of a senior systems engineer who had visited the Bethlehem site from Las Vegas—which gave them the keys to the corporate castle.
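The first step of the intrusion path described above, a brute-force password attack on the VPN gateway, is the kind of activity that should have been visible in authentication logs weeks before the wiper ran. The following is an added example, not code from the article or from Dell SecureWorks, of the detection logic a practitioner would run over such logs: a sliding-window count of failed logins per source address, plus a separate flag when a source that has just crossed the failure threshold then authenticates successfully, which is the "brute force worked" signal. The log line format, host names, users and addresses are all constructed for the example.

```python
"""Added example: brute-force detection over constructed VPN gateway auth logs.
Not from the article; log format and sample data are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> <gateway> auth OK|FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(lines):
    """Yield parsed events as dicts; silently skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (flagged, compromised).

    flagged:     src -> timestamp at which it first reached `threshold`
                 failures inside `window` (the brute-force alert).
    compromised: (src, user) for every successful login from a source that,
                 at that moment, still has `threshold` failures in the window
                 (the higher-priority 'guess succeeded' alert).
    """
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    flagged = {}
    compromised = []
    for ev in parse(lines):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged[ev["src"]] = ev["ts"]
        elif len(q) >= threshold:                # OK right after a burst
            compromised.append((ev["src"], ev["user"]))
    return flagged, compromised

# Constructed sample: one attacker hammering one account, then succeeding;
# one legitimate user who mistypes twice; one clean login.
SAMPLE_LOG = """\
2014-01-20T02:14:01Z vpn-gw-bethlehem auth OK user=mlee src=198.51.100.4
2014-01-20T02:14:05Z vpn-gw-bethlehem auth FAIL user=jsmith src=203.0.113.7
2014-01-20T02:14:06Z vpn-gw-bethlehem auth FAIL user=jsmith src=203.0.113.7
2014-01-20T02:14:07Z vpn-gw-bethlehem auth FAIL user=jsmith src=203.0.113.7
2014-01-20T02:14:09Z vpn-gw-bethlehem auth FAIL user=rpatel src=198.51.100.9
2014-01-20T02:14:10Z vpn-gw-bethlehem auth FAIL user=jsmith src=203.0.113.7
2014-01-20T02:14:11Z vpn-gw-bethlehem auth FAIL user=jsmith src=203.0.113.7
2014-01-20T02:14:20Z vpn-gw-bethlehem auth FAIL user=rpatel src=198.51.100.9
2014-01-20T02:14:30Z vpn-gw-bethlehem auth OK user=rpatel src=198.51.100.9
2014-01-20T02:15:02Z vpn-gw-bethlehem auth OK user=jsmith src=203.0.113.7
""".splitlines()

if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_LOG)
    for src, when in flagged.items():
        print(f"brute force from {src} detected at {when.isoformat()}")
    for src, user in compromised:
        print(f"ALERT: {src} logged in as {user} after a failure burst")
```

A threshold of five failures in five minutes is an arbitrary starting point; tune it against the gateway's normal failure rate, and treat the "success after a burst" event as the one that warrants an immediate credential reset rather than a ticket.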


“As they rifled through the master network,” Bloomberg’s Ben Elgin and Michael Riley reported, “the attackers readied a malware bomb. Typing from a Sony (SNE) VAIO computer, they compiled a small piece of code, only about 150 lines long, in the Visual Basic programming language.”


The Visual Basic malware written by the attackers (who according to investigators from Dell SecureWorks were likely “hacktivists” based in Iran and not attached to the Iranian government) worked in the same way as the Shamoon attack on Saudi Aramco, the “DarkSeoul” attack on South Korean media companies and banks, and the recent Sony Pictures attack. It overwrote portions of the hard drive of the affected machines, and then rebooted them to complete the job.



IT Term of the day

Disk Drive

A disk drive is a device that reads and/or writes data to a disk. The most common type of disk drive is a hard drive (or "hard disk drive"), but several other types of disk drives exist as well. Some examples include removable storage devices, floppy drives, and optical drives, which read optical media, such as CDs and DVDs.


While there are multiple types of disk drives, they all work in a similar fashion. Each drive operates by spinning a disk and reading data from it using a small component called a drive head. Hard drives and removable disk drives use a magnetic head, while optical drives use a laser. CD and DVD burners include a high-powered laser that can imprint data onto discs.


Since hard drives are now available in such large capacities, there is little need for removable disk drives. Instead of expanding a system's storage capacity with removable media, most people now use external hard drives instead. While CD and DVD drives are still common, they have become less used since software, movies, and music can now often be downloaded from the Internet. Therefore, internal hard drives and external hard drives are the most common types of disk drives used today.



Quote of the day

The major western democracies are moving towards corporatism. Democracy has become a business plan, with a bottom line for every human activity, every dream, every decency, every hope. The main parliamentary parties are now devoted to the same economic policies - socialism for the rich, capitalism for the poor - and the same foreign policy of servility to endless war. This is not democracy. It is to politics what McDonalds is to food.


John Pilger



Note -

  1. As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
  2. If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also need this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
  3. If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
  4. If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
  5. Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.