Former hackers protect NSW's critical infrastructure

Some of the more interesting attacks were conducted over McDonalds' 860 stores that offer free wireless networks, monitored by Earthwave.

“My colleague gets a call from some company who says someone had logged on from our IPs and deleted their entire file server and web server,” Minassian said.

“The attacker had logged on using a VPN back to his office from a [McDonalds] Stanmore store and used a content management system to delete everything. Then he logged on to his Facebook and Twitter.”

Within an hour, Earthwave had the attacker's name and friends list. The unnamed victim, which would normally require legal authority to obtain details of the attacker, had quickly pinned the assault on an IT staffer who was fired days earlier.

“It was hacking 101. He thought he was safe, but we had his logs.”

Another recent investigation saw engineers tracking IT staff within a Federal Government agency who for months had stolen and forwarded sensitive internal emails to hundreds of staff.

The culprits were caught siphoning emails from the agency’s board and chief executive to external Hotmail and Gmail accounts, and sending those messages to hundreds of staff inboxes from there.

“We went in after hours and put in an appliance which captured every packet that went through. We found the IP addresses linked to those emails and they called the police,” Minassian said.

Earthwave also investigates more serious offences, including a large child pornography ring in which some members accessed monitored web sites from McDonalds stores.

The current investigation spans multiple countries and involves law enforcement from the FBI and Interpol.

Malware

Malware writers were increasingly deploying new malware variants against SCADA (Supervisory Control and Data Acquisition) networks, according to a chief engineer within the SOC.

He said those targeted attacks, while generally ineffective, were often a prelude to wider attacks.

“They might feel that SCADA, with all the media hype, is less secure -- which is not necessarily the case -- so they try to target them first.”

But the majority of attacks targeted vulnerabilities that admins had neglected to patch.

In the last month, engineers had spotted an uptick in attacks against Cisco firewalls within the finance sector that targeted vulnerability that was patched years ago. The hole enabled attackers to access the management console on the firewalls.

Copyright © SC Magazine, Australia