
Analyzing Major Cyber Security Attacks in Turkey


By: Motasem

March 29, 2016

Abstract

This report aims to shed light on the major cyber security attacks that have hit Turkey's infrastructure. It is based on an analysis of the vulnerabilities that opened the gateway for those attacks and of how such attacks could happen again in the future if the appropriate security measures are not implemented. The objective of this paper is to reach a consistent vision for preventing future cyber incidents by studying and analyzing the main reasons that led to the success of these attacks.

The Purpose of This Personal Report

This report analyzes the recent attacks that hit Turkey from a technical point of view, studies the technical methods used, and examines the root technical cause of each. In addition, it sets out some security patches to avoid these kinds of attacks in the future.

The Urgent Need for Cyber Security Management

From non-technical users all the way to governmental corporations, ignorance of and negligence toward good security practice will not only have devastating effects; it will also damage rankings and reputations. Banks, online shops, telecom companies and every party that stores customer data must strive to fortify their networks and infrastructure against eavesdroppers and ensure that their data cannot be decrypted by malicious attackers from the outside.

Security and privacy are not a choice, especially when it comes to a country's reputation and internal peace. State-sponsored hackers are more active than before; they are armed with the latest technologies and practices to disrupt and demolish the structures of other countries.

Cyber Security Attacks on Turkey

The Defacement of the Turkish Foreign Ministry Website

In July 2012, the website of the Ministry of Foreign Affairs was hacked and defaced, allegedly by a group called RedHack Team.
The attack leaked brotherhood photos of the Turkish President, the Libyan President and Syrian President Bashar Al-Assad. The attacker also leaked the identity cards that the Ministry of Foreign Affairs had granted to foreign diplomats.

The Impact on Turkey's Infrastructure
  • Disruption of availability by defacing the main website
  • Violation of the confidentiality of sensitive documents, which were leaked to the public
Source of the Attack

Examining the web server logs or the syslog server will give more details about the origin of the attack. The attacker's IP address: 212.174.190.146

What Was the Main Attacker's Motive?

As the RedHack team is known in Turkey for opposing Turkish Government policies, it is manifest that their stimulus for the attack was purely political.

The following vulnerabilities are the root cause of that attack:
  • Directory Browsing
  • Directory Traversal
  • Weak passwords configured
  • No access control or access permissions applied to sensitive docs
The Offensive Attack on Turkish Banks and Financial Corporations

In December 2015, Turkish financial websites started to suffer from persistent attacks that led to immediate disruption of the credit card system that handles customers' online transactions. İş Bank, Garanti, Ziraat Bank, TEB and others were among the victims.

"The attacks are serious, but the target is not Turk Telekom. Instead, banks and public institutions are under heavy attack. A majority of Turkish institutions use Turk Telekom as the service provider, therefore, we are the ones doing the defense against these attacks," said Mr. Onur Oz, a spokesman for Turk Telekom, the Turkish service provider.

The Impact on Turkey's Infrastructure

Such attacks were able to disrupt daily banking operations, rendering thousands of online transactions useless. Also, 40,000 root Turkish domains ending with ".tr" were defaced. NIC.tr's five name servers, ns1.nic.tr through ns5.nic.tr, were completely down under a 40 Gigabits per second DDoS attack.

Source of the Attacks

It was believed that the main source was outside Turkey. Once foreign IP addresses were blocked from accessing Turkish websites, the main financial and governmental websites recovered to normal operation. An intensive review of the technical logs of the victims' servers may reveal the specific source of this attack.

What Was the Main Motive for the Attackers?

Anonymous published this video: https://youtu.be/ZgUxt7fLEyg. They claimed that Turkey is supporting ISIS with oil and guns to fight in Syria for Turkey's interest.

A View on the Technical Vulnerabilities

Basically, DDoS attacks do not rely on vulnerabilities in web applications or operating systems. They rely on misconfigurations in firewalls and intrusion prevention systems. Most DDoS attacks succeed in environments where no security policies are applied in the firewalls and IPSs to prevent and filter malicious traffic. Also, the absence of a load balancer adds to the probability of such an attack succeeding.

The Turkish National Police

In 2016, a massive attack on the Turkish National Police, known as "Emniyet", led to 20 GB of sensitive Turkish citizens' data being dumped to an external server for download. The leaked data included ID numbers, "TC" addresses and other private data.

The Impact on Turkey's Infrastructure

Although this attack did not affect any normal daily procedures, it was a potentially massive hit because it targeted THE NATIONAL POLICE and leaked millions of citizens' data.

Source of the Attack

It is estimated that the source was able to access internal and private systems inside the Turkish National Police and handed the data over to someone named "TheCthulhu," who uploaded it to an external server at the address https://t.co/ABiURM0rq2. "TheCthulhu" is a prominent security expert who participates in Tor bridges and has a similar record of leaking governmental records, according to content on his Twitter account.

What Was the Main Motive for the Attackers?

Political, according to "TheCthulhu", the attacker himself.

A View on the Technical Vulnerabilities
  • Apparently, a poor practice of separation of duties
  • Poor role-based access control
  • Weak security awareness
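The "Source of the attack" passages above point at the web server logs as the first place to look, and the banking section adds that a flood shows up there too. The following is an added example, not part of the original report, of the triage a defender would run over such a log: it parses constructed Apache/nginx combined-format lines (the 203.0.113.x and 198.51.100.x addresses are documentation placeholders, not addresses from these incidents), ranks client addresses, flags directory-traversal probes and directory-listing hits, and flags any source whose request rate in a single second looks like a flood. The `SENSITIVE_DIRS` prefixes and the 20-requests-per-second threshold are assumptions for the example.

```python
"""Access-log triage: who generated the traffic, which requests probe for
directory traversal or directory listings, and which sources look like a flood.
Added example with constructed log lines; not taken from any real server."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory prefixes treated as sensitive for the directory-browsing check.
# Assumption for this example; a real site would list its own document folders.
SENSITIVE_DIRS = ("/docs/", "/uploads/")

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges used as placeholders, not addresses from the incidents in the report.
NORMAL_LINES = """\
203.0.113.7 - - [10/Jul/2012:14:02:01 +0300] "GET /docs/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2012:14:02:03 +0300] "GET /docs/../../etc/passwd HTTP/1.1" 403 220 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2012:14:02:05 +0300] "GET /download?file=..%2f..%2fweb.config HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jul/2012:14:02:07 +0300] "GET /index.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jul/2012:14:02:09 +0300] "GET /news/ HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
"""
# Forty requests from one address within a single second: a crude stand-in for flood traffic.
FLOOD_LINES = "".join(
    '198.51.100.9 - - [10/Jul/2012:14:03:00 +0300] "GET / HTTP/1.1" 503 0 "-" "-"\n'
    for _ in range(40)
)
SAMPLE_LOG = NORMAL_LINES + FLOOD_LINES


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def top_sources(entries, n=3):
    """Most active client addresses: the first thing to pull when asking where traffic came from."""
    return Counter(e["ip"] for e in entries).most_common(n)


def is_traversal(path):
    """True if any segment of the path or query is '..' after percent-decoding
    (applied twice to catch double encoding) and normalising backslashes."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


def traversal_attempts(entries):
    """Requests carrying a traversal segment, with the status the server returned (a 200 means it worked)."""
    return [(e["ip"], e["path"], e["status"]) for e in entries if is_traversal(e["path"])]


def listing_hits(entries):
    """Successful GETs of a sensitive directory URL itself, the signature of directory browsing being enabled."""
    return [(e["ip"], e["path"]) for e in entries
            if e["status"] == 200 and e["path"].endswith("/") and e["path"].startswith(SENSITIVE_DIRS)]


def flood_sources(entries, per_second=20):
    """Addresses whose peak request count in any one-second bucket reaches the threshold."""
    buckets = Counter((e["ip"], e["time"]) for e in entries)   # timestamps have second resolution
    peak = defaultdict(int)
    for (ip, _), n in buckets.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n >= per_second}


def triage(text):
    """Run every check over one log text and return the findings as a dict."""
    entries = parse_log(text)
    return {
        "requests": len(entries),
        "top_sources": top_sources(entries),
        "traversal": traversal_attempts(entries),
        "listings": listing_hits(entries),
        "floods": flood_sources(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the flood source tops the ranking with 40 requests in one second, the two traversal requests come from the same address (and one of them returned 200, the one to chase first), and the 200 on `/docs/` is the directory-listing symptom. A single-second bucket is deliberately crude; in practice you would compare against the host's baseline rate rather than a fixed number.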
Most Prominent Malware That Hit Turkey

According to the Microsoft Security Center, the malware encounter rate in Turkey is far greater than that of any other country in the world (let alone the other countries among the top 10 for malware infections). According to Microsoft:

  • The Kilm Trojan has infected some 235,000 machines, 92 percent of which are in Turkey.
  • The Murkados worm has nearly 170,000 infections; 97 percent are inside Turkey.
  • The Truado Trojan boasts roughly 138,000 infections; 87 percent are in Turkey.
  • The Preflayer Trojan is present on 97,000 machines, 92 percent of which are located in Turkey.
  • The Reksner Trojan is present on just fewer than 47,000 machines, 97 percent of which are inside Turkey.

Suggested Remediation and Patches
  • Defense in depth must be applied at every node in the governmental organization, which means using only firewalls is not enough
  • Intrusion Prevention Systems should be placed to intercept all traffic before it enters the internal network in concert with packet filtering
  • Identity Services Engines should be implemented to filter out all connections from unauthorized users, in addition to scanning every personal computer and mobile device before it is authorized as a legitimate device on the network
  • Using load balancers is critical when it comes to protection from DDoS, along with proper configuration of the IPS
  • The OWASP Top 10 should be a thing of the past, and every breach resulting from an OWASP Top 10 weakness indicates a naive level of security knowledge. Applying user input sanitizers to prevent Directory Traversal must be compulsory
  • Role-based access control and separation of duties are essential to keep clandestine files and docs in authorized hands
  • Isolating and secluding secret applications from the outside network is preferable, even at the cost of productivity
  • Routine Security Awareness Programs must be part of the overall Information Security Program, according to COBIT and ISO 27001 frameworks
  • Following clear termination procedures for departing employees by changing the old credentials and pulling any privileges from their accounts
  • Applying physical access control in sensitive areas that contain computer resources and secret files. Use of retina scans is preferable
  • Dedicating a separated and full cyber security faculty in Universities
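The remediation list calls input sanitization against Directory Traversal compulsory, and traversal is also listed as a root cause of the ministry defacement. The following added example, not code from the original report or from any of the affected sites, shows what that looks like in a file-download handler: the defective pattern that concatenates the request path onto the document root, beside a hardened handler that rejects traversal segments and then confirms the canonicalised target still lies under the root. The document root, its files and the function names are constructed for the example; it assumes the web layer has already percent-decoded the path exactly once.

```python
"""Directory traversal: a vulnerable download handler beside a hardened one.
Added example; the document root and its files are constructed in a temporary directory."""
import os
import shutil
import tempfile
from pathlib import Path


def make_site_root():
    """Build a throwaway document root holding one public file, plus one file
    one level above it that must never be reachable through the handler."""
    base = Path(tempfile.mkdtemp(prefix="site-"))
    public = base / "public"
    (public / "docs").mkdir(parents=True)
    (public / "docs" / "brochure.txt").write_text("public brochure")
    (base / "secret.txt").write_text("restricted document")   # outside the root
    return public


def read_file_vulnerable(root, user_path):
    """The defective pattern: the request path is glued onto the root unchecked,
    so '../secret.txt' (or an absolute path) walks out of the document root."""
    with open(os.path.join(str(root), user_path)) as fh:
        return fh.read()


def read_file_hardened(root, user_path):
    """Refuse traversal segments and NUL bytes before touching the filesystem,
    then canonicalise and confirm the resolved target still lies under the root.
    Assumes the web layer has already percent-decoded user_path exactly once."""
    if "\x00" in user_path:
        raise PermissionError("NUL byte in path")
    if any(seg == ".." for seg in user_path.replace("\\", "/").split("/")):
        raise PermissionError("traversal segment rejected")
    root = Path(root).resolve()
    target = (root / user_path).resolve()      # resolve() also follows symlinks
    if target != root and root not in target.parents:
        raise PermissionError("path escapes document root")
    if not target.is_file():
        raise FileNotFoundError(user_path)
    return target.read_text()


def hardened_blocks(root, user_path):
    """True when the hardened handler refuses the path."""
    try:
        read_file_hardened(root, user_path)
    except PermissionError:
        return True
    return False


def run_demo():
    """Exercise both handlers on a benign path, a relative traversal and an absolute path."""
    root = make_site_root()
    try:
        return {
            "benign_vulnerable": read_file_vulnerable(root, "docs/brochure.txt"),
            "benign_hardened": read_file_hardened(root, "docs/brochure.txt"),
            "escape_vulnerable": read_file_vulnerable(root, "../secret.txt"),
            "escape_hardened_blocked": hardened_blocks(root, "../secret.txt"),
            "absolute_hardened_blocked": hardened_blocks(root, str(root.parent / "secret.txt")),
        }
    finally:
        shutil.rmtree(root.parent)   # remove the whole temporary tree


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The segment check alone is not enough, which is why the hardened handler also compares the resolved path against the resolved root: an absolute path contains no `..` yet still escapes when joined naively, and a symlink inside the root can point outside it. Checking the canonical form covers both cases.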
Conclusion

This report summarizes the cyber attacks that occurred in Turkey in Spring 2016. We looked at their associated weaknesses from a technical and scientific perspective.
References

[1] Microsoft Security Center. "Microsoft Security Intelligence Report". https://www.microsoft.com/security/sir/default.aspx
[2] ISACA. "Information Security Manager Study Manual".