Image: Melanie Gamarra

More than a week after Iran said it had been the victim of another cyber attack by foreign adversaries, computer security experts around the globe are voicing their skepticism about the country’s claims.

After the Stuxnet incident last year, Iran claims it was recently hit with another cyber attack. The Iranian government said it suspected a virus called “stars” being responsible for the attack, but did not share any information on the malware or the damage it might have caused.

McAfee security strategist Toralv Dirro told Reuters he is unsure of what to believe.

“If it is real or a hoax, it is impossible to tell,” he said. “There is a possibility that they are working with some anti-virus company under a nondisclosure agreement for analysis/remediation, something that is not uncommon.”

Even if the “stars” virus was a genuine foreign attack, it could be created to extract information rather than do physical damage.

“It sounds more like cyber espionage than cyber sabotage,” said Mikko Hypponen, chief research officer at F-Secure. “Cyber espionage happens all the time. Cyber sabotage doesn’t.”

Image: wikileaks.org

A hacker known as the Jester claimed responsibility for the DoS attack that left WikiLeaks.org crippled for hours on Sunday, shortly before the site began posting its largest-to-date release of classified U.S. diplomatic cables, according to CNN.

The cyber vigilante, who describes himself as a “hacktivist for good,” tweeted he took the site down “for attempting to endanger the lives of our troops, ‘other assets’ & foreign relations.”

According to CNN, the Jester has a history of attacking extremist websites. He recently targeted a handful of websites for reasons including “online incitement to cause young Muslims to carry out acts of violent jihad,” “distributing jihadist instructional materials,” and “for the online radicalization of young Muslims in US and Europe.”

F-Secure Chief Research officer Mikko Hyppönen told AFP he believed the Jester was indeed behind the WikiLeaks attack:

“He’s demonstrated previously that he is capable of launching effective denial-of-service attacks, and he’s claimed the responsibility for this one as well,” Hyppönen said in an email. “He has the capability and the motive.”

In 2006, U.K. authorities arrested Matthew Anderson, following an investigation into the hacker group called m00p. Prosecutors said Anderson, who used the aliases of “warpigs” and “aobuluz,” headed the group and handled the malware distribution via spam.

Anderson used his security software company Optom Security as a front for the operation. When police searched his computers, they found wills, medical reports, resumes, photographs, and other sensitive documents copied from infected systems.

Anderson pleaded guilty to one count of causing unauthorized modification to the content of computers.

F-Secure’s Chief Research Officer Mikko Hyppönen commented on the case:

“We here at F-Secure are happy to get some closure on this long case, with which we’ve been working for a number of years. This malware group produced several different malware families over several years. They were created for financial gain.”

Graham Cluley, senior technology consultant at Sophos, told V3.co.uk the malware could have been created by someone with detailed knowledge of Siemens’ computer systems, possibly a current or former employee.

Attending the Virus Bulletin 2010 conference in Vancouver, Cluley said the worm appears to have been written by someone with inside knowledge of how Siemens’ systems work. However, “unless we get access to the computer it was written on, or someone admits writing it, we’ll probably never know,” he said.

F-Secure Chief Research Officer Mikko Hyppönen told V3.co.uk that based on the evidence he had seen, the Stuxnet worm looks like a government attack.

“The obvious conclusion from Stuxnet is that there isn’t any clear motive other than sabotage,” he said. “Crucially, no one has found a way that anyone could make money from this, which makes criminal involvement unlikely. If you look at the level of difficulty and complexity behind Stuxnet, it has to be a government effort.”

The Stuxnet malware was discovered in July of this year, and according to F-Secure, its “kill date” is June 24, 2012.

Some researchers claim the intricacy of Stuxnet indicates the malware could only have been created by a national government agency. Experts believe the malware to be the first of its kind to target critical infrastructure such as power stations, water plants and industrial units. Although the worm was first detected it June, it may have been circulating in 2009.

“The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it,” Symantec’s Liam O’Murchu told BBC .

Some have suggested Stuxnet could have been aimed at disrupting Iran’s delayed Bushehr nuclear power plant or the uranium-enrichment plant at Natanz. However, other experts, including cybersecurity guru Bruce Schneier, said there currently was not enough evidence to conclude what the worm’s intended target was or who had written the malicious code.

The Stuxnet worm targets systems that are traditionally not connected to the Internet for security reasons, infecting Windows machines via USB drives containing malware. After infecting a machine on a firm’s internal network, it seeks out a specific configuration of industrial control software made by Siemens. Once hijacked, the code can reprogram programmable logic control software to give attached industrial machinery new instructions.

“It is rare to see an attack using one zero-day exploit,” Mikko Hypponen, chief research officer at security firm F-Secure, told BBC. “Stuxnet used not one, not two, but four.”

O’Murchu said that his analysis suggested that whoever had created the malware had put plenty of effort into it.

“It is a very big project, it is very well planned, it is very well funded,” he said. “It has an incredible amount of code just to infect those machines.”

Cyber Command chief Gen. Keith B. Alexander confirmed this week that U.S. armed forces are aware of the dangers of Stuxnet, saying early indications showed the worm was “very sophisticated,” Guardian reported.

Basketball star-turned-one-time-rapper Shaquille O’Neal has been accused of hacking the phone of a former employee and lover as well as destroying evidence by throwing a laptop into a lake–all of which the NBA star denies.

Shawn Darling, who worked as a personal computer consultant for O’Neal from 2007 to 2009, claims O’Neal hacked into his voicemail and those of an alleged former lover because he had proof the veteran player had cheated on his wife with several women. Darling sued O’Neal for intentional infliction of emotional distress, racketeering and invasion of privacy.

Security firm F-Secure said O’Neal’s alleged actions cannot be qualified as hacking.

“For us who work with computer security, it’s a bit hard what to make of these allegations,” Chief Research Officer Mikko Hyppönen wrote on the company blog. “Listening to someone else’s voicemail isn’t very hard at all, neither is trying to hide computer evidence by throwing a laptop into a lake. As such, we wouldn’t categorize Mr. O’Neal as a hacker. But I guess we’ll learn more when the case progresses.”

In a motion filed yesterday to dismiss Darling’s lawsuit, O’Neal’s lawyer claims that Darling illegally obtained the supposedly incriminating emails, text messages and voicemails to support his “baseless” lawsuit in an effort to “extort” O’Neal and ruin his reputation, CNN reports.

Habbo Hotel, a virtual world where users meet friends and buy virtual goods, has been targeted several times. In 2007, a Dutch teenager was arrested for allegedly stealing virtual furniture worth thousands of euros on the site, which is said to have more than 100 million registered users. Then, earlier this year, several Habbo Hotel members in Finland contacted the police, reporting their virtual belongings had been stolen.

Mikko Hyppönen, chief research officer at F-Secure, said to BBC this kind of theft is common, and Habbo Hotel is only one of many sites stalked by cyber criminals.

“We see malicious attacks and Trojans stealing accounts for all the games you can imagine, including World of Warcraft, Farmville and so on,” he said.

Before the Internet, drug trafficking, money laundering and smuggling were considered international crimes without borders. Although those problems still exist, the element of Internet crime has been added to the list of growing plagues law enforcement agencies now face, said F-Secure Chief Research Officer Mikko Hyppönen.

“There has been a huge explosion of online crime, which is always international, always across the borders,” he said.

Highlighting some of this year’s biggest arrests of cyber criminals from all over the world, Hyppönen and Sean Sullivan, security adviser at F-Secure’s North American Labs, discussed captures ranging from U.S.-based T.J.Maxx hacker Albert Gonzales to the 70-member-strong Romanian phishing gang to hackers in St. Petersburg, Russia, who hacked online-trading accounts.

Another incident involved a Bank of America employee who installed malware on ATMs to make his withdraws “invisible” and was able to steal more than $200,000 from the hacked machines over a seven-month period before getting caught.

Once a pastime activity, malware became a money-making business controlled by criminals around 2003. However, for a long time the transition of malware from an online annoyance to criminal activity was not reflected by the number of arrests and convictions of the perpetrators. In the rare cases of individuals getting arrested and prosecuted, the sentences were not very strict.

However, as evidenced by the major arrests this year, cyber criminals today are getting a different kind of treatment, where no one is turning a blind eye.

“Online crime is no longer a risk-free business,” Hyppönen said. “Crime is crime after all. It was only a matter of time before law enforcement started catching up and we hope that news of arrests and convictions become commonplace.”

Foreign governments seek information for U.S.-based networks for a variety of reasons, including intelligence gathering and economic espionage, enabling domestic industries to copy U.S. products. This pursuit of intellectual property alongside intelligence information on U.S. government intentions and capabilities significantly undermines U.S. interests on the world stage.

The federal government is not the only target of cyber espionage. Government contractors are a prime target for foreign intelligence services. Earlier this year, The New New Internet reported government contractors were recently victims of an inventive cyber attack.

In this instance, an email invitation to an event was sent out to a variety of government contractors. The email contained a PDF file that appeared to come from the Department of Defense. The document discussed an invitation to an actual event that will take place in March in Las Vegas.

Researcher Mikko Hypponen, of F-Secure, wrote, “While the Aurora attacks against Google and others happened in December 2009, this happened just last week.”

The attack exploits a vulnerability in Adobe Acrobat Reader which was recently patched by Adobe. The exploit was a backdoor, which connected to an IP address in Taiwan.

“Anybody who controls that IP will gain access to the infected computer and the company network,” Hypponen wrote.

This is also not a one-off event. F-Secure, a security provider who found the exploit, also found a more recent one for a different conference, which targeted the Intelligence Community. The email with the corrupted attachment exploits the same vulnerability as the false DoD communication.

The dates of the conference align with a US European Command Intelligence Summit and Technology Expo that will be held in Germany. When compared, the agenda sent in the PDF file matches the actual agenda of the conference.

These attacks appear to be quite similar to those experienced by a number of Indian government agencies which took place in December. The attacks involved a corrupted PDF file that was designed to look like official correspondence. The Indian government claimed that the attacks came from China.

With each of these attacks, it is unclear how many organizations or individuals received the files or opened the attachments. These attacks point to the increasingly sophisticated nature of attacks using social engineering.

Skilled social engineering attacks are generally not defeated by technology, particularly software. Good anti-virus programs can pick up the threat once it has infected the computer. However, for the attack to work successfully, an individual sitting at a computer within an organization needs to open the email and download the attachment.

Proper education that provides consistent reinforcement with clear examples can help to defend a company with much less investment in IT infrastructure