Leaders’ Meetings: A Privileged Target for Hackers
Leaders’ meetings are privileged targets for nation-state attackers, who launch large-scale campaigns to gather intelligence on the events as they unfold.
Let’s look at what happened around the recent meetings between President Donald Trump and North Korean leader Kim Jong Un, and between Trump and Russian President Vladimir Putin.
Who are the top attacker countries and which kinds of ports did the hackers target?
Security experts at the F5 security firm published two very interesting reports that provide us information on the attacks that targeted the countries hosting the two meetings, Singapore and Helsinki (Finland).
Before we begin, it is important to highlight that the experts have no data to suggest the attacks against Finland and Singapore were successful.
Trump-Kim Meeting: A Spike in the Number of Attacks on Singapore
Researchers at F5 observed a spike in the number of cyberattacks targeting Singapore during the Trump-Kim summit, which was held in the country from June 11 to June 12.
Singapore is not normally a top attack destination, but that changed during the Trump-Kim meeting.
According to F5, 88% of the attacks observed in this window originated from Russia, a figure that does not surprise intelligence analysts given the importance of the event. F5 and its data partner Loryka also found that 97% of all attacks originating from Russia between June 11 and June 12 targeted Singapore, which suggests that Russian-based infrastructure was concentrated on gathering intelligence on the meeting during this period:
“From June 11 to June 12, 2018, F5 Labs, in concert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore.” reads the analysis published by F5 Labs. “We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel.”
The cyberattacks hit a broad range of computer systems, from VoIP phones to IoT devices.
The attacks began from Brazil and targeted SIP port 5060 on IP phones; SIP signalling is typically transmitted in clear text.
Looking at the timeline of the attacks, we can see an initial wave from Brazil that lasted a couple of hours. Researchers then observed reconnaissance activity originating from the Russian IP address 18.104.22.168, which belongs to ASN 49505, operated by Selectel:
Figure 1 – Attack timeline
Attackers scanned a variety of ports; none of the observed activity was aimed at spreading malware.
“The number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to gain access to or listen in on targets of interest,” continues the analysis.
“Other ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which was used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime to PDoS MikroTik routers.”
Singapore was hit by 40,000 attacks in just 21 hours, starting at 11:00 PM on June 11 through 8:00 PM June 12, local time.
The experts highlighted that only 8% were exploit attacks, while 92% were reconnaissance scans for potential targets. 34% of the attacks originated from Russia. The list of top attackers also includes China, the U.S., France and Italy.
Figure 2 – Top attacker countries
During the summit time frame, Singapore was the top destination of cyberattacks. It received 4.5 times more attacks than countries like the U.S. and Canada.
SIP port 5060 was targeted 25 times more often than Telnet port 23. Attackers were attempting to reach insecure communication systems and VoIP servers, and to compromise IoT devices, in order to spy on communications. Telnet was the number-two target, consistent with attempts to compromise IoT devices that could then be used to gain access to, or listen in on, targets of interest.
Attackers also targeted SQL database port 1433, web traffic ports 81 and 8080, port 7541 (which was used by Mirai and Annie to target ISP-managed routers) and port 8291, which was targeted by the Hajime malware to hit MikroTik routers.
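The port list above (and the Helsinki list later in the article) is the kind of data a defender can turn into a triage rule. The following Python script is an added example, not code from F5 Labs or from the article: it parses a constructed, simplified flow-export format, annotates destination ports with the context the article gives them, separates bare SYN probes from flows that carried data (a stand-in for F5's reconnaissance-versus-exploit split), ranks source ASNs, and flags hourly spikes against a baseline. The log format, the IP addresses and the AS numbers are placeholders invented for the example.

```python
"""Port-probe triage for the kind of telemetry behind the F5 summit reports.

Added example (not F5's or the article's code). The log format, the IPs and
the ASNs below are constructed placeholders; the port annotations come from
the ports the article lists for Singapore and Helsinki.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Ports named in the two F5 reports and what the article says about them.
PORT_CONTEXT = {
    5060: "SIP (VoIP signalling, clear text)",
    23: "Telnet (IoT device access)",
    22: "SSH (remote admin; brute-forced with vendor-default creds)",
    445: "SMB",
    1433: "MSSQL",
    80: "HTTP",
    81: "HTTP alternate",
    8080: "HTTP alternate",
    8090: "HTTP alternate (webcams)",
    3306: "MySQL",
    3389: "RDP",
    7541: "ISP-managed routers (Mirai, Annie)",
    8291: "MikroTik Winbox (Hajime)",
}
BOTNET_PORTS = {7541, 8291}


class Flow(NamedTuple):
    ts: int        # epoch seconds
    src_ip: str
    src_asn: str
    dst_ip: str
    dst_port: int
    flags: str     # TCP flags seen, e.g. "S" or "PA"
    payload: int   # application bytes carried


# Constructed flow-export format used by this example:
# "<epoch> <src_ip> <src_asn> <dst_ip> <dst_port> <tcp_flags> <payload_bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src_ip>[\d.]+)\s+(?P<src_asn>AS\d+)\s+(?P<dst_ip>[\d.]+)"
    r"\s+(?P<dst_port>\d+)\s+(?P<flags>[A-Z]+)\s+(?P<payload>\d+)$"
)

# Constructed sample: a short wave from one ASN, a wider sweep from a second
# ASN that also carries one data-bearing probe, and a single SSH attempt.
SAMPLE_LOG = """\
1528740000 203.0.113.10 AS64500 198.51.100.7 5060 S 0
1528740003 203.0.113.10 AS64500 198.51.100.8 5060 S 0
1528740005 203.0.113.11 AS64500 198.51.100.9 5060 S 0
1528747200 192.0.2.25 AS64501 198.51.100.7 5060 S 0
1528747201 192.0.2.25 AS64501 198.51.100.7 23 S 0
1528747202 192.0.2.25 AS64501 198.51.100.7 1433 S 0
1528747203 192.0.2.25 AS64501 198.51.100.7 8080 S 0
1528747204 192.0.2.25 AS64501 198.51.100.7 7541 S 0
1528747205 192.0.2.25 AS64501 198.51.100.7 8291 S 0
1528747260 192.0.2.25 AS64501 198.51.100.7 23 PA 312
1528747300 192.0.2.26 AS64501 198.51.100.8 5060 S 0
1528747301 192.0.2.26 AS64501 198.51.100.8 81 S 0
1528750800 198.18.0.5 AS64502 198.51.100.7 22 PA 96
"""


def parse_flow(line: str) -> Optional[Flow]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip anything that is not in the export format
    d = m.groupdict()
    return Flow(int(d["ts"]), d["src_ip"], d["src_asn"], d["dst_ip"],
                int(d["dst_port"]), d["flags"], int(d["payload"]))


def load_flows(lines):
    return [f for f in map(parse_flow, lines) if f is not None]


def classify(flow: Flow) -> str:
    """Heuristic mirroring F5's recon/exploit split: a bare SYN with no data
    is reconnaissance; a flow that completed and carried payload is counted
    as an exploit or login attempt. A real pipeline would take this verdict
    from the IDS rather than from flags alone."""
    return "recon" if flow.flags == "S" and flow.payload == 0 else "exploit"


def triage(lines):
    flows = load_flows(lines)
    total = len(flows)
    ports = Counter(f.dst_port for f in flows)
    asns = Counter(f.src_asn for f in flows)
    kinds = Counter(classify(f) for f in flows)
    return {
        "total": total,
        "recon_share": kinds["recon"] / total if total else 0.0,
        "top_ports": [(p, n, PORT_CONTEXT.get(p, "not in the F5 lists"))
                      for p, n in ports.most_common()],
        "top_asns": asns.most_common(),
        "botnet_ports_seen": sorted(p for p in ports if p in BOTNET_PORTS),
    }


def spike_hours(flows, baseline_per_hour: float, factor: float = 4.5):
    """Hour buckets whose probe count is at least `factor` times the baseline.
    The default 4.5 is only an illustrative value borrowed from the article's
    Singapore-versus-US/Canada ratio; derive a real baseline from history."""
    per_hour = Counter(f.ts // 3600 for f in flows)
    return sorted(h for h, n in per_hour.items() if n >= baseline_per_hour * factor)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print(f"{report['total']} probes, {report['recon_share']:.0%} reconnaissance")
    for port, n, ctx in report["top_ports"]:
        print(f"  port {port:<5} {n:>3}  {ctx}")
    print("top source ASNs:", report["top_asns"])
    print("botnet-associated ports seen:", report["botnet_ports_seen"])
    print("spike hours:", spike_hours(load_flows(SAMPLE_LOG.splitlines()), 1.0))
```

Running it prints a per-port table with the article's annotations, the ASN ranking and the hours that exceed the baseline. In production the flags/payload heuristic should be replaced with an IDS verdict and the baseline should come from the preceding weeks of traffic, not a constant; the value of the exercise is that ports 7541 and 8291 showing up together is a recognisable botnet-scanner signature before any exploit is seen.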
“We do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin,” F5 Labs concludes.
Trump-Putin: Finland is the Top Attacked Country
A few weeks later, F5 experts monitored cyberattacks that had hit Finland in the days prior to the Trump-Putin meeting in Helsinki on July 16.
The experts compared these results with the data collected during the Trump-Kim meeting, when most of the cyberattacks originated in Russia. This time a large number of cyberattacks hit Finland, a country that is not usually a major target. Unlike the Trump-Kim meeting, the largest share of attacks this time originated from China rather than Russia.
“On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker,” reports F5.
Figure 3 – Cyber attacks against Finland
Researchers observed many similarities between the attacks against the two host countries. Attackers targeted the same ports, including SIP port 5060, typically used by VoIP systems (#3 in the Finland attacks, #1 in the Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#9 in Finland, #2 in Singapore, matching F5's note above that Telnet was the second most attacked port there).
The following table reports the most-targeted ports in the attacks against Singapore and Finland.
In the Finland data the most-targeted port was SSH port 22, which is commonly used for remote administration of Internet of Things (IoT) devices. The attacks were aimed at devices still configured with vendor-default credentials, which attackers brute-forced.
The second most-targeted port was the SMB port 445.
“The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks,” continues F5.
Experts noticed that some ports targeted by the attacks during the Trump-Putin meeting were not hit during the Singapore summit; for example, the HTTP port 80, MySQL port 3306, the alternate web server port 8090 (often used for webcams) and RDP port 3389.
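F5's observation that the Finland traffic was mostly brute-force against vendor-default SSH credentials maps directly onto sshd log monitoring. The script below is an added example, not code from F5 or the article, and runs over a few constructed auth.log lines: it counts failed logins per source in a sliding window, notes which attempted usernames are common vendor defaults, and raises the severity when a success follows a burst of failures (a single failure before a success, as a real user mistyping a password would produce, is deliberately not treated as a compromise). The hostnames, IP addresses and the list of default usernames are assumptions made for the example.

```python
"""Brute-force and default-credential detection over sshd log lines.

Added example; the log lines, hosts and addresses below are constructed and
DEFAULT_USERS is an assumed list, not data from the F5 reports.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Standard sshd password-auth lines as written to syslog/auth.log.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Usernames that ship as vendor defaults on many routers and IoT devices
# (assumed list for this example; extend it from your own asset inventory).
DEFAULT_USERS = {"admin", "root", "user", "pi", "ubnt", "support", "guest"}

# Constructed sample: one fast default-credential spray that succeeds, one
# legitimate user who mistypes once, and one slow scanner that stays under
# the per-window threshold. Lines are deliberately not in time order.
SAMPLE_AUTH_LOG = """\
Jul 14 02:11:07 edge-router sshd[1201]: Failed password for invalid user admin from 192.0.2.25 port 41022 ssh2
Jul 14 02:11:09 edge-router sshd[1201]: Failed password for invalid user admin from 192.0.2.25 port 41022 ssh2
Jul 14 02:11:12 edge-router sshd[1204]: Failed password for root from 192.0.2.25 port 41030 ssh2
Jul 14 02:11:15 edge-router sshd[1204]: Failed password for root from 192.0.2.25 port 41030 ssh2
Jul 14 02:11:40 edge-router sshd[1207]: Failed password for invalid user ubnt from 192.0.2.25 port 41044 ssh2
Jul 14 02:12:02 edge-router sshd[1209]: Failed password for invalid user support from 192.0.2.25 port 41051 ssh2
Jul 14 02:14:30 edge-router sshd[1215]: Accepted password for admin from 192.0.2.25 port 41060 ssh2
Jul 14 03:00:10 edge-router sshd[1302]: Failed password for alice from 198.51.100.40 port 50211 ssh2
Jul 14 03:00:12 edge-router sshd[1302]: Accepted password for alice from 198.51.100.40 port 50211 ssh2
Jul 14 03:00:00 edge-router sshd[1401]: Failed password for invalid user pi from 203.0.113.77 port 60001 ssh2
Jul 14 03:04:00 edge-router sshd[1402]: Failed password for invalid user pi from 203.0.113.77 port 60002 ssh2
Jul 14 03:08:00 edge-router sshd[1403]: Failed password for invalid user pi from 203.0.113.77 port 60003 ssh2
Jul 14 03:20:00 edge-router sshd[1404]: Failed password for invalid user pi from 203.0.113.77 port 60004 ssh2
Jul 14 03:28:00 edge-router sshd[1405]: Failed password for invalid user pi from 203.0.113.77 port 60005 ssh2
"""


def parse_auth(line: str, year: int = 2018) -> Optional[dict]:
    """Parse one sshd password-auth line. Syslog timestamps carry no year,
    so the caller supplies it."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def peak_in_window(times, window: timedelta) -> int:
    """Largest number of events (sorted timestamps) inside any span of
    length `window`."""
    peak, start = 0, 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def detect_bruteforce(lines, window=timedelta(minutes=10), threshold=5,
                      success_min_fails=3):
    events = sorted((e for e in map(parse_auth, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        peak = peak_in_window([e["ts"] for e in fails], window)
        # A success is only a compromise indicator when it follows a burst of
        # failures from the same source; one typo before a login is normal.
        compromised = []
        for e in evs:
            if e["result"] != "Accepted":
                continue
            prior = sum(1 for f in fails if e["ts"] - window <= f["ts"] < e["ts"])
            if prior >= success_min_fails:
                compromised.append((e["user"], e["ts"].isoformat()))
        if peak >= threshold or compromised:
            alerts.append({
                "src": src,
                "failures": len(fails),
                "peak_in_window": peak,
                "default_users": sorted({e["user"] for e in fails
                                         if e["user"] in DEFAULT_USERS}),
                "compromised": compromised,
                "severity": "high" if compromised else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

With the defaults the slow scanner from 203.0.113.77 never exceeds five failures in any ten-minute window and produces no alert, which is exactly the gap a low-and-slow attacker exploits; lowering the threshold or widening the window catches it at the cost of more noise from legitimate users. Pair the detection with the fixes F5 recommends (no default credentials, administration reachable only from a management network), since a detector that fires after the "Accepted password for admin" line has already lost the device.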
Which Were the Other Top Targeting Countries During the Helsinki Meeting?
The top targeting countries were:
- China (29%)
- United States (14%)
- France (9%)
- Italy (8%)
- Russia (7%)
China is typically the top country attacking Finland, followed by the US, but Russia fell from its usual #3 position to #5 during the attack spike. The F5 report noted that Italy and Germany each jumped several slots, rising to #4 and #7 during the Trump-Putin traffic spike.
F5 Labs also provided data on two attacking networks that are not consistently among the top threat actor networks, which suggests that threat actors were routing attacks through compromised systems in third-party networks.
According to F5, ChinaNet was the top attacking network during the attack spike.
“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 concludes.
Figure 4 – Top Attacking Networks
Most of the attacks monitored by F5 targeted IoT devices. For this reason, it is crucial to improve their level of security.
Experts published the following recommendations for the protection of the systems:
- Protect remote administration to any device on your network with a firewall or VPN or restrict it to a specified management network. Never allow open communication to the entire Internet
- For home IoT, leverage network address translation (NAT) if you can’t install a home firewall (note that home firewalls have also been targeted by thingbots)
- Always change vendor-default administration credentials
- Stay up to date with any security patches released by the manufacturer