From 2007 to 2015, a cyberwarfare tale on nuclear matters to “prevent” WW III.

In March 2014, Le Monde journalists Martin Untersinger and Jacques Follorou released an article publishing documents from the Communications Security Establishment Canada (CSEC) that accuse France of cyber-attacks between November 2009 and 2010 against Iranian targets, including the Atomic Energy Organization of Iran (AEOI).

In July 2012, two years after the first discovery of Stuxnet, Meghan Kelly wrote for VentureBeat that an Iranian AEOI scientist had sent an SOS e-mail to F-Secure Chief Research Officer Mikko Hypponen, saying the AEOI was under cyber-attack. In his e-mail, the scientist explained that the malware had shut down the AEOI's automation networks at the Natanz and Fordo facilities. As a reminder, Stuxnet is believed to be a joint U.S.-Israeli project, as reported by David Sanger for the New York Times back in June 2012.

Taken together, those events provide additional context on the political alignment between the U.S. and France in the current talks over Iran.

Last week, again, during his polemical intervention, Bibi raised his “concerns” over Iranian nuclear capabilities and urged Congress to “act quickly” because “time is running out”. As Jon Stewart and the Intercept recently reminded us, Bibi made a strangely similar claim in front of Congress 19 years ago. On top of the Israeli concerns over Iranian nuclear capabilities, there is the 2007 Israeli airstrike during the night of 5 September targeting Syria’s Al Kibar nuclear reactor, as covered by Erich Follath and Holger Stark for Der Spiegel in November 2009. This was also one of the first notable cyber-attacks, as initially covered by David Fulghum for Aviation Week in November 2007, and it belongs to the “War on Fear” era. Pierre Razoux, Head of Research at NATO, provided a detailed analysis of the raid, mentioning that the nuclear components supplied by North Korea were among the targets of the airstrike.
An airstrike where the U.S. denied any involvement:

There was no U.S. active engagement other than consulting on potential target vulnerabilities, says a U.S. electronic warfare specialist.

The recent discoveries of BABAR, EVILBUNNY and CASPER are putting the French General Directorate for External Security (DGSE) in the spotlight among nation-state cyber-attackers, due to the allegation from CSEC. Although BABAR (allegedly French malware) and STUXNET (allegedly U.S.-Israeli malware) seem to share the same political goal, the motives behind CASPER, which was discovered in April 2014 on the Syrian Judicial Private Investigation Commission website (jpic.gov.sy), remain unclear.

This amounts to three different alleged main actors who have targeted Iran and Syria on nuclear matters since 2007; the third and most recent potential actor (France) is not so surprising if you remember what the relationship between France and Iran was like in late 2009. On 25 September 2009, David Sanger and William J. Broad wrote an article for the NYT explaining that the U.S. and France were “warning” Iran over “Nuclear Deception”, in which we can read the following:

President Nicolas Sarkozy of France was more blunt, giving Iran two months to meet international demands, and Mr. Brown said, “The international community has no choice today but to draw a line in the sand.”

WMI Query :: “SELECT * FROM AntiVirusProduct”

One of the techniques shared across BABAR, EVILBUNNY and CASPER, as highlighted by Marion Marschalek and Paul Rascagneres, is the ability to retrieve antivirus information using the WMI query “SELECT * FROM AntiVirusProduct”. A very simplistic trick, as you can see in the above screenshot, but one which only appeared publicly during 2008. The first occurrence of the above WMI SQL query is from May 2008, in a blog post by a Microsoft employee, Alejandro Campos Magencio, who provided a proof-of-concept (POC) VB script; a second occurrence appeared a few months later on a French online forum called “Comment Ca Marche” (How Does It Work, a collaborative website like StackOverflow), posted by the user with the nickname cs_omnia and authored by Hanteville Nicolas on 12 September 2008. This time the POC was a C++ implementation, providing enough information on using the Win32 WMI APIs to make it the first publicly usable C++ implementation. If the authors are the French government, as CSEC suggests, this would indicate that they heard of this trick from this French collaborative forum.
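The same query, turned to defensive use: the PowerShell below is an added example (not code from this post, nor from any of the POCs cited above) that inventories the antivirus products registered with Windows Security Center through “SELECT * FROM AntiVirusProduct”, so an administrator can see exactly what the three malware families would have learned from a host. It assumes Windows Vista or later, where the class lives in the root/SecurityCenter2 namespace, and decodes productState with the widely used community heuristic, which is an assumption rather than a documented Microsoft contract.

```powershell
# Added example, not from the original post: enumerate registered antivirus
# products with the same WMI query used by BABAR, EVILBUNNY and CASPER, from an
# inventory/defender perspective.
# Assumptions: Windows Vista or later (Security Center data in root/SecurityCenter2;
# Windows XP used root/SecurityCenter); the productState decoding below is the
# common community heuristic, not a documented Microsoft contract.
function Get-AntiVirusStatus {
    [CmdletBinding()]
    param(
        [string]$Namespace = 'root/SecurityCenter2'
    )

    $query = 'SELECT * FROM AntiVirusProduct'
    Get-CimInstance -Namespace $Namespace -Query $query | ForEach-Object {
        # productState is a DWORD; render it as six hex digits, e.g. 0x061000 -> '061000'.
        $hex = ('{0:X6}' -f [int]$_.productState)

        # Heuristic (assumption): second byte = real-time protection state,
        # third byte = signature freshness ('00' current, '10' out of date).
        $enabled  = $hex.Substring(2, 2) -in @('10', '11')
        $upToDate = $hex.Substring(4, 2) -eq '00'

        [pscustomobject]@{
            Product           = $_.displayName
            ProductState      = '0x' + $hex
            RealTimeEnabled   = $enabled
            SignaturesCurrent = $upToDate
            ExePath           = $_.pathToSignedProductExe
            Timestamp         = $_.timestamp
        }
    }
}

# Usage: warn when no product reports itself as both enabled and current.
$products = Get-AntiVirusStatus
if (-not ($products | Where-Object { $_.RealTimeEnabled -and $_.SignaturesCurrent })) {
    Write-Warning 'No enabled, up-to-date antivirus product is registered with Security Center.'
}
$products | Format-Table -AutoSize
```

Because Security Center only reflects products that register with it, an empty result means “nothing registered”, not necessarily “no protection”; check the vendor agent directly in that case.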

Those recent events demonstrate the alignment between the Five Eyes, Israel and France regarding Iran, Syria and North Korea on nuclear matters, and that is without mentioning the rise of Daesh (ISIS) cells from Syria and Iraq in Europe.

Cyber-attack attribution is known to be difficult and controversial, and there is still a possibility that the CSEC attribution to the French government is erroneous. But as @thegrugq, an operational security expert, would ironically put it:

After extensive research of the most likely suspect, it turns out over 5 million Chinese speak French! There are 1.3Bn Chinese, so 5/1,300 malware samples are expected to be in French – The Grugq

Timeline

Date – Description
1996 – Bibi’s first congressional speech on concerns over the Iranian nuclear plan.
6 Sept 2007 – Israeli airstrike on the Syrian nuclear plant (with nuclear components supplied by North Korea)
12 May 2008 – Microsoft employee Alejandro Campos Magencio posts the trick to retrieve antivirus information using WMI on his Microsoft MSDN blog
12 Sept 2008 – French developer cs_omnia publishes the first public C++ implementation of the WMI “SELECT * FROM AntiVirusProduct” trick, authored by Hanteville Nicolas, on “Comment ca marche”
Sept 2009 – President Nicolas Sarkozy of France is more blunt, giving Iran two months to meet international demands
Nov 2009 – Allegedly French malware BABAR (SNOWBALL) discovered by CSEC.
Nov 2009 – “The Story of ‘Operation Orchard’: How Israel Destroyed Syria’s Al Kibar Nuclear Reactor” published by Der Spiegel
Mid-2010 – Allegedly French malware SNOWMAN (improved version of SNOWBALL) discovered by CSEC
2010-2011 – STUXNET, DUQU and FLAME are all spotted in Iran, mainly targeting Iranian nuclear interests.
2011 – CSEC internally issues the “SNOWGLOBE: From Discovery to Attribution” report
25 Oct 2011 – EVILBUNNY compile time, as highlighted by Marion Marschalek
1 Jun 2012 – An article in The New York Times says that Stuxnet is part of a U.S. and Israeli intelligence operation called “Operation Olympic Games”, started under President George W. Bush and expanded under President Barack Obama.
24 Jul 2012 – An article by Meghan Kelly for VentureBeat reports how the Atomic Energy Organization of Iran e-mailed F-Secure’s chief research officer Mikko Hyppönen to report a new instance of malware.
21 Mar 2014 – Le Monde releases initial partial documents on SNOWGLOBE
7 Apr 2014 – CASPER XML configuration file timestamp
28 Apr 2014 – Vyacheslav Zakorzhevsky (Kaspersky) observes that the website “jpic.gov.sy” is hosting two Flash zero-day exploits
2 Sept 2014 – Syrian Judicial Private Investigation Commission website defaced by anti-Iranian hackers
17 Jan 2015 – Der Spiegel releases the complete documents on SNOWGLOBE in “The Digital Arms Race: NSA Preps America for Future Battle”
18 Feb 2015 – Common patterns between EVILBUNNY and BABAR identified by Paul Rascagneres and Marion Marschalek
5 Mar 2015 – Common patterns identified between BABAR, BUNNY and CASPER

SwishDbgExt goes open-source.

As the world is shaking because North Korea is intimidating American public companies with “the most sophisticated” cyber-attacks ever seen, I figured it would be good timing to support intelligence agencies by open-sourcing my Windows debugging extension designed for digital forensics and incident response.

Also, I am unfortunately lacking the time to support that extension, but I am sure open-sourcing it may result in interesting developments from the community. I apologize in advance: I wrote that extension in 1-2 months, so don’t expect it to be perfectly designed or written :-)

https://github.com/msuiche/SwishDbgExt

Happy Holidays !

Features request for international mobile users

Here is a short list of missing features for international mobile users. Feel free to contact me on @msuiche or over e-mail if there is any feature you think is missing and more necessary than changing the colors of your icons at every release.

1. Smart address book
There is no reason your contact book could not automatically sort your contacts per country using the country code prefix, or per city or region using the prefix that follows the country code.
Moreover, map-based browsing would be more intuitive for users, as in the illustrative screenshot below.
(illustrative screenshot: smart address book, map-based browsing)

It should also timestamp your contacts to provide a better triage mechanism based on time / day / month / year.

2. Smart international keyboard
There is no reason a messaging application could not remember what keyboard layout I use with each contact. If you message different people in multiple languages, your app should at least remember your preferred keyboard layout per contact.

3. The end of the single number identity
There is no reason applications should tie your identity to a single number. Messaging applications (WhatsApp, etc.), food delivery applications and even car booking applications (Uber, etc.) only allow their users one single number. Users should be able to have multiple verified numbers; people who travel usually have one number per country.

U.S. / France cyber-security budget

The Pentagon's five-year (until 2018) cybersecurity plan seeks $23 billion (cf. the 2015 fiscal year budget request).
That is around 1.6 times ($4.6 Bn/year) the annual budget of DARPA ($2.8 Bn/year).

France's five-year (until 2019) cybersecurity plan is EUR 1 billion.
This is around 1.33 times (EUR 200M/year) the budget allocated to last year's call for projects in cyber-security. The budget allocated was supposed to be EUR 150M, but no update has been communicated by officials since the initial press release, and any attempts to obtain more information have been dismissed or ignored.

The U.S. cyber-security budget is 17+ times the French budget.
In addition, the U.S. is developing partnerships at different levels within its own ecosystem, which is something yet to be seen in France, even though the government has claimed it would strengthen its sovereign technology.