Friday, October 28, 2016

Gaming Platforms Attacked, Customer Info Targeted

Cyber hacktivism, threat actor group activity, and online gaming often go hand in hand because many threat actors also play online games. The combination can result in the theft of credit card data and other forms of Personally Identifiable Information (PII) from online gaming accounts. In previous instances, threat actor groups that attacked gaming and entertainment companies were later identified as having launched similarly styled attacks on financial institutions. Knowledge of attacks against gaming and entertainment companies can therefore provide insight into the Tactics, Techniques, and Procedures (TTPs) of attacks that may evolve to target the financial sector directly.

Key Findings:
  • Compromise of a gaming account can result in theft of credit card data and other forms of PII, because many gaming services charge for Downloadable Content (DLC) and some require credit card details to create an account.
  • Malware samples found inside Sony’s U.S. network were reported to share traits with the malware used to target the SWIFT network.
  • The threat actor groups Anonymous, Lizard Squad, LulzSec, and PoodleCorp have all attacked online gaming and entertainment companies as well as financial institutions.
  • Awareness of the threat actor groups attacking gaming and entertainment companies can provide insight into similarly styled attacks that may later be directed at the financial sector.
  • Phantom Squad is one such group: it has attacked gaming and entertainment companies but has not yet attacked financial institutions.


Publication date: 26 October 2016
Handling requirements: Traffic Light Protocol (TLP) AMBER
Attribution/Threat Actors: Criminal
Actor Type: Adversary capabilities have been assessed as Tier I-III*
Companies Targeted: Online gaming and entertainment companies, financial sector

Past Reporting: DOC-3970, 3964, 1858, 2594, 4170, 1412

*Practitioners with between a novice and moderate depth of experience who rely on currently available tools and are also capable of discovering vulnerabilities.

The full attribution report has been published in its entirety in the Red Sky Alliance portal.  For more information please contact the lab directly at 844-4-WAPACK, 603-606-1246, or feedback@wapacklabs.com.

About Wapack Labs

Wapack Labs, located in New Boston, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber.  Wapack Labs’ engineers, researchers and analysts use deep analysis techniques and visualization to design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information.  The intelligence derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

Yevgeniy Nikulin - LinkedIn, Dropbox and Formspring

Wapack Labs has routinely exposed Russian malicious cyber activity. From the alleged Russian rigging of Ukrainian elections, electrical grid shutdowns and telecommunication manipulation to the recent hacking activity of Fancy Bear, Russia has been at the center of numerous cyber-attacks. This activity supports the Russian “Ivanov Doctrine.” The recent arrest in the Czech Republic of Yevgeniy Nikulin, who was indicted for the cyber-attacks on LinkedIn, Formspring and Dropbox, highlights the gravity of Russian cyber activity. These attacks on big data companies have exposed Personally Identifiable Information (PII) and other breached data to unknown factions. This information is being supplied for your situational awareness.

  • The “Ivanov Doctrine-New Generation Warfare” was introduced in Russia approximately 15 years ago.
  • Russian cyber-attack activity has escalated in recent years.
  • Yevgeniy Nikulin was arrested in the Czech Republic for hacking large U.S. data companies.

Publication date: 26 October 2016
Handling requirements: Traffic Light Protocol (TLP) GREEN
Attribution/Threat Actors: Yevgeniy Nikulin
Actor Type: Adversary capabilities have been assessed as Tier IV*
Potential Targets: U.S. corporations (targeting PII)

Past Reporting: Red Sky Alliance: DOC-2183, DOC-2349, DOC-2543, DOC-4287, Msgs #6498 #8612

* State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest. 

The full attribution report has been published in its entirety in the Red Sky Alliance portal.  For more information please contact the lab directly at 844-4-WAPACK, 603-606-1246, or feedback@wapacklabs.com.


Thursday, October 27, 2016

NFC – Friend or Foe


Wapack Labs has previously exposed the hazards of near-field communication (NFC) devices, in our support during the 2016 Summer Olympics in Rio de Janeiro and in other collection and research projects. NFC tags are now being supplied in the United Kingdom (UK) to order pizzas with a tap of a smartphone. The “tattoos,” as they are being marketed, are affixed to objects so that smartphone users can quickly order pizzas and other food products. A tag holds only data that the phone reads and acts on, typically a link, so a tampered tag could, much as compromised USB jump drives have in the past, lead the phone to software that runs in the background and secretly forwards personal identifying and financial information during a food order. This information is being supplied for your situational awareness.

  • Near-field communication devices have been in use for several years with weak security parameters and are currently marketed for the ease and convenience of e-transactions.
  • NFC tags can be tampered with at the production level, much as jump drives have shipped with malware in the past.
  • Heightened NFC cyber security awareness, education and training are needed for future use.
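To make the risk concrete, here is an added example, not code from the Wapack Labs report or from any pizza vendor's app: it decodes the NFC Forum NDEF message a phone reads from such a tag, expands the well-known URI record, and refuses to act on it unless it is an https link to an allowlisted host. The tag bytes, the hostnames (order.example-pizza.test, evil.test) and the allowlist are constructed for illustration.

```python
"""Added example (not from the Wapack Labs report): decode an NFC Forum NDEF
message read from a tag and vet its URI record before the phone acts on it.
Tag bytes, hostnames and the allowlist below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# NFC Forum URI Record Type Definition: the first payload byte selects a prefix
# that the reader prepends to the rest of the payload (subset of the table).
# Codes outside the table are treated as 0x00 (no prefix).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

# Constructed allowlist: the only host the ordering app should ever be sent to.
ALLOWED_HOSTS = {"order.example-pizza.test"}


@dataclass
class NdefRecord:
    tnf: int        # Type Name Format (low 3 bits of the header byte)
    rtype: bytes    # record type, e.g. b"U" for a well-known URI record
    payload: bytes


def parse_ndef(msg: bytes) -> list[NdefRecord]:
    """Parse the records of one NDEF message; raise ValueError on malformed input."""
    pos, records = 0, []

    def take(n: int) -> bytes:           # bounds-checked read so a short or cut
        nonlocal pos                     # tag cannot silently yield a partial record
        if pos + n > len(msg):
            raise ValueError("truncated NDEF message")
        chunk = msg[pos:pos + n]
        pos += n
        return chunk

    while True:
        hdr = take(1)[0]
        mb, me, cf = hdr & 0x80, hdr & 0x40, hdr & 0x20
        sr, il, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07
        if not records and not mb:
            raise ValueError("first record lacks MB flag")
        if cf:
            raise ValueError("chunked records not supported")
        type_len = take(1)[0]
        payload_len = take(1)[0] if sr else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if il else 0
        rtype = take(type_len)
        take(id_len)                     # record ID is not needed here
        records.append(NdefRecord(tnf, rtype, take(payload_len)))
        if me:                           # ME flag closes the message
            return records


def decode_uri(rec: NdefRecord) -> str | None:
    """Expand a well-known URI record ('U') to its full URI; None for other records."""
    if rec.tnf != 0x01 or rec.rtype != b"U":
        return None
    if not rec.payload:
        raise ValueError("empty URI record")
    return URI_PREFIXES.get(rec.payload[0], "") + rec.payload[1:].decode("utf-8")


def check_uri(uri: str) -> tuple[bool, str]:
    """Policy: only https, and only to an exactly allowlisted host."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    host = parts.hostname or ""      # hostname, not netloc: 'good.test@evil.test'
    if host not in ALLOWED_HOSTS:    # resolves to evil.test; suffix lookalikes fail
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


def vet_tag(msg: bytes) -> list[tuple[str, bool, str]]:
    """Return (uri, allowed, reason) for every URI record on the tag."""
    out = []
    for rec in parse_ndef(msg):
        uri = decode_uri(rec)
        if uri is not None:
            ok, why = check_uri(uri)
            out.append((uri, ok, why))
    return out


def build_uri_message(prefix_code: int, rest: str) -> bytes:
    """Encode one short URI record: header 0xD1 = MB|ME|SR with TNF=1 (well-known)."""
    payload = bytes([prefix_code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("short record payload limit exceeded")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


# Constructed tag contents: one genuine tag and three tampered ones.
SAMPLE_TAGS = {
    "genuine": build_uri_message(0x04, "order.example-pizza.test/menu?table=12"),
    "downgraded": build_uri_message(0x03, "order.example-pizza.test/menu?table=12"),
    "lookalike": build_uri_message(0x04, "order.example-pizza.test.evil.test/menu"),
    "userinfo": build_uri_message(0x04, "order.example-pizza.test@evil.test/menu"),
}

if __name__ == "__main__":
    for name, tag in SAMPLE_TAGS.items():
        for uri, ok, why in vet_tag(tag):
            print(f"{name:10} {'ALLOW' if ok else 'BLOCK'}  {uri}  ({why})")
```

The check keys on the parsed hostname rather than the raw netloc, so a tag carrying https://order.example-pizza.test@evil.test/... is refused because the URL actually points at evil.test, and a suffix lookalike such as order.example-pizza.test.evil.test fails the exact-match allowlist. A truncated or chunked message raises ValueError instead of yielding a partial URI the phone might still open.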

Publication date: 25 October 2016
Handling requirements: Traffic Light Protocol (TLP) GREEN
Attribution/Threat Actors: Unknown hackers
Actor Type: Adversary capabilities have been assessed as Tier II*
Potential Targets: Smartphone users using NFC devices

Past Reporting: Red Sky Alliance: DOC-4113, DOC-3718, msg/3507 and blog/2016/09/30/nato-and-europol-cyber-reports-of-interest

*Practitioners with a greater depth of experience, with the ability to develop their own tools from publicly known vulnerabilities.


The full attribution report has been published in its entirety in the Red Sky Alliance portal.  For more information please contact the lab directly at 844-4-WAPACK, 603-606-1246, or feedback@wapacklabs.com.