Analyzing Major Cyber Security Attacks in Turkey

March 29, 2016 | Views: 3404


Abstract

This report aims to shed light on the major cyber security attacks that have hit Turkey’s infrastructure. It is based on analyzing the vulnerabilities that opened the gateway for those attacks and on how such attacks could recur in the future if the appropriate security measures are not implemented.

The objective of this paper is to reach a consistent vision to prevent future cyber incidents from happening by studying and analyzing the main reasons that led to the success of these attacks.

 

The Purpose of This Personal Report

This report analyzes the recent attacks that hit Turkey from a technical point of view, studies the technical means that were used, and examines the root technical cause of each. In addition, this document lays down and offers some security patches to avoid these kinds of attacks in the future.

 

The Urgent Need for Cyber Security Management

From non-technical users up to governmental corporations, ignorance of and negligence in following good security practice will not only have devastating effects; it will also damage rankings and reputations. Banks, online shops, telecom companies and every party that stores customer data must strive to fortify their networks and infrastructures against eavesdroppers and ensure that no data can be decrypted by malicious attackers from the outside.

Security and privacy are not a choice, especially when it comes to a country’s reputation and internal peace. State-sponsored hackers are more active than before; they are armed with the latest technologies and practices to disrupt and demolish the frameworks of other countries.

 

Cyber Security Attacks on Turkey

The Defacement of Turkish Foreign Ministry Website

In July 2012, the website of the Ministry of Foreign Affairs was hacked and defaced, allegedly by a group called RedHack Team. The attack leaked photos showing the brotherly ties between the Turkish President, the Libyan President and the Syrian President, Bashar Al-Assad. The attackers also leaked the identity cards that the Ministry of Foreign Affairs had granted to foreign diplomats.

The Impact on Turkey’s infrastructure

  • Disruption of availability by defacing the main website
  • Violating the confidentiality of sensitive documents that had been leaked to the public

Source of attacks
Examining the web server logs or the syslog server will give more details about the origin of the attack. The attacker’s IP address: 212.174.190.146

What was the main attacker’s motive?
As the RedHack team is known in Turkey for opposing Turkish government policies, it is evident that their motive for the attack was purely political.

The following vulnerabilities were the root cause of that attack

  • Directory Browsing
  • Directory Traversal
  • Weak passwords configured
  • No access control or access permissions applied to sensitive docs

 

The Offensive Attack on Turkish Banks and Financial Corporations

In December 2015, Turkish financial websites started to suffer persistent attacks that led to immediate disruption of the credit card system that handles customers’ online transactions. İş Bank, Garanti, Ziraat Bank, TEB and others were among the victims.

“The attacks are serious, but the target is not Turk Telekom. Instead, banks and public institutions are under heavy attack. A majority of Turkish institutions use Turk Telekom as the service provider, therefore, we are the ones doing the defense against these attacks,” said Mr. Onur Oz, a spokesman for Turk Telekom, the Turkish service provider.

The Impact on Turkey’s infrastructure
Such attacks were able to disrupt daily banking operations, rendering thousands of online transactions useless. In addition, 40,000 Turkish root domains ending in “.tr” were defaced. NIC.tr’s five name servers, ns1.nic.tr through ns5.nic.tr, were completely down under a 40 gigabit-per-second DDoS attack.

Source of the attacks
It was believed that the main source was outside Turkey: once foreign IP addresses were blocked from accessing Turkish websites, the main financial and governmental websites were restored to normal operation. A close look at the technical logs of the victims’ servers may reveal the specific source of this attack.

What was the main motive for the attackers?
Anonymous published this video: https://youtu.be/ZgUxt7fLEyg. They claimed that Turkey is supporting ISIS with oil and guns to fight in Syria in Turkey’s interest.

A view on the technical vulnerabilities
DDoS attacks do not generally rely on vulnerabilities in web applications or operating systems. They rely on misconfigurations in firewalls and intrusion prevention systems.

Most DDoS attacks succeed in environments that have no security policies applied on the firewalls and IPSs to prevent and filter malicious traffic. The absence of a load balancer further increases the likelihood of such an attack succeeding.

 

The Turkish National Police
In 2016, a massive attack hit the Turkish National Police, known as “Emniyet,” and led to 20 GB of sensitive Turkish citizens’ data being dumped on an external server for download. The leaked data included national ID (“TC”) numbers, addresses and other private data.

The impact on Turkey’s infrastructure
Although this attack did not affect any normal daily procedures, it was a potentially massive hit because it targeted the National Police and leaked millions of citizens’ data.

Source of the attack
It is estimated that the source was able to access internal and private systems inside the Turkish National Police and handed the data over to someone named “TheCthulhu,” who uploaded it to an external server under the address https://t.co/ABiURM0rq2

“TheCthulhu” is a prominent security expert who participates in running Tor bridges and has a similar record of leaking governmental records, according to content on his Twitter account.

What was the main motive for the attackers?
Political, according to “TheCthulhu,” the attacker himself.

A view on the technical vulnerabilities

  • Apparently, poor practice of separation of duties
  • Poor role-based access control
  • Weak security awareness

 

Most Prominent Malware that hit Turkey

According to the Microsoft Security Center, the malware encounter rate in Turkey is far greater than that of any other country in the world, including the other countries in the top 10 for malware infections.

 

According to Microsoft

The Kilm Trojan has infected some 235,000 machines, 92 percent of which are in Turkey. The Murkados worm has nearly 170,000 infections; 97 percent are inside Turkey. The Truado Trojan boasts roughly 138,000 infections; 87 percent are in Turkey. The Preflayer Trojan is present on 97,000 machines, 92 percent of which are located in Turkey. The Reksner Trojan is present on just under 47,000 machines, 97 percent of which are inside Turkey.

 

Suggested Remediation and Patches

  • Defense in depth must be applied at every node in governmental organizations, which means that using only firewalls is not enough
  • Intrusion Prevention Systems should be placed to intercept all traffic before it enters the internal network, in concert with packet filtering
  • Identity Service Engines should be implemented to filter out all foreign connections from unauthorized users, and to scan every personal computer and mobile device before it is authorized as a legitimate device on the network
  • Using load balancers is critical for protection against DDoS, along with proper configuration of the IPS
  • The OWASP Top 10 vulnerabilities should be a thing of the past; every breach resulting from one of them indicates naive security knowledge. Applying user input sanitizers to prevent Directory Traversal must be compulsory
  • Role-based access control and separation of duties are essential to keep clandestine files and docs in authorized hands
  • Isolating secret applications from the outside network is preferable, even at the cost of productivity
  • Routine security awareness programs must be part of the overall information security program, according to the COBIT and ISO 27001 frameworks
  • Following clear termination procedures for departing employees: changing the old credentials and revoking any privileges from their accounts
  • Applying physical access control in sensitive areas that contain computer resources and secret files. Use of retina scans is preferable
  • Dedicating a separate, full cyber security faculty in universities
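As an added example that is not part of the original report, the Directory Traversal root cause named for the Foreign Ministry defacement is shown beside the "input sanitizer" remedy recommended above, in Python. The document root and the request paths are constructed for illustration and are not taken from the incident.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the example; not a path from the original report.
DOC_ROOT = "/var/www/ministry/public"


def vulnerable_resolve(user_path: str) -> str:
    """The weak pattern: the request path is glued onto the document root.
    Enough '../' segments walk straight out of DOC_ROOT."""
    return os.path.normpath(os.path.join(DOC_ROOT, user_path))


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened version: decode, normalise, reject escapes, then confirm
    containment on the resolved path. Returns the absolute path to serve, or
    None when the request must be refused (the caller answers 403/404 and logs it)."""
    # Decode twice so %2e%2e and double-encoded %252e%252e both become '..'.
    decoded = unquote(unquote(user_path))
    # NUL bytes truncate paths in C-based file APIs; never pass them on.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators and collapse '.', '..' and '//' segments.
    rel = posixpath.normpath(decoded.replace("\\", "/"))
    # After normalisation, a leading '/' or any surviving '..' means an attempt
    # to leave the document root: refuse rather than silently re-root.
    if rel.startswith("/") or rel == ".." or rel.startswith("../"):
        return None
    # realpath() follows symlinks, so a link inside DOC_ROOT that points
    # outside it is caught by the containment check below.
    root = os.path.realpath(DOC_ROOT)
    real = os.path.realpath(os.path.join(DOC_ROOT, rel))
    if os.path.commonpath([root, real]) != root:
        return None
    return real
```

Directory Browsing, the other root cause listed, is a server setting (index listings) rather than an input problem and is disabled in the web server configuration, not in code.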

 

Conclusion
This report summarizes the cyber attacks that occurred in Turkey in Spring 2016. We looked at their associated weaknesses from a technical and scientific perspective.


References
[1] Microsoft Security Center. “Microsoft Security Intelligence Report.” https://www.microsoft.com/security/sir/default.aspx
[2] ISACA. “Information Security Manager Study Manual.”

3 Comments
  1. Thanks for sharing ideas with us. Okay

  2. Well done, brother.
    I hope the attacks you mentioned will not happen.

  3. Interesting
