Chemical attack Syria

Chemical attack in Syria provokes increased international tensions

Target: Government/Defense/Multiple Sectors


Attack Vector: Phishing Campaign/Vulnerability Exploits

Threat Actor: APT28 / APT29

Summary: On Saturday 7th April 2018, the White Helmets organization claimed that a chemical weapon attack had been

carried out against civilians in the Islamist rebel held town of Douma in Eastern Ghouta located just outside the Syrian capital Damascus. Unconfirmed reports suggest that at least 40 civilians were killed in the alleged attack with hundreds more affected. The incident has resulted in international condemnation against President Assad and his Russian ally President Putin. At the time of reporting, retaliatory airstrikes have been carried out against the Syrian T4 airbase near the city of Homs which have reportedly killed 14 people including Iranian personnel. Russia have claimed that two Israeli Air Force F15’s were responsible for firing eight guided missiles at the base during the attack and also stated that five of the missiles were shot down by air defense systems.

These latest incidents have markedly increased already strained international tensions, following the attempted murder of Sergei Skripal and his daughter Yulia on 4th March 2018 in Salisbury. The situation also mirrors the April 2017 chemical attacks in Syria, which provoked a number of retaliatory cruise missile strikes by the United States. This in turn led to the pro Russian actors The ShadowBrokers dumping a large number of NSA hacking tools into the public domain. This included the ETERNALBLUE malware, which led directly to the highly damaging WannaCry and NotPetya ransomware outbreaks.

Risk assessment summary: Given the current dynamic geo political climate, it continues to be assessed that a 2b HIGH threat of state sponsored activity exists to a broad spectrum of sectors although government and defense organizations remain

the most likely targets. The parallels between April 2017 and April 2018 are worrying and it should be expected that any nation which

participates in punitive military action against Syria will become a target for retaliatory cyber-attacks. Although harvesting and weaponisation of data continues to be the most likely current threat, if military conflict escalates in the region, it should be expected that critical infrastructure may also be targeted for disruptive attacks, especially those organizations which provide telecommunication services to the government or military sectors, however, the energy, health and finance sectors would also prove attractive targets to APT actors.

The Cisco vulnerability situation serves to illustrate that APT groups continue to be active in seeking to exploit any system flaws and is reminiscent of the way that ETERNALBLUE was used by North Korean actors to leverage the SMB vulnerability in order enable their WannaCry ransomware campaign, as did malicious Russian actors with their subsequent NotPetya outbreak. Given the direct correlation between military action in Syria in 2017 and these major cyber incidents, it should be anticipated that a similar situation may develop over the short to medium term in 2018 and it is strongly advised that all software patches and updates are applied.

System administrators should also anticipate cyber-attacks if the United States joins Israel in carrying out air strikes and move onto heightened awareness if military action reaches this point. Previous threat assessments regarding the Skripal situation remain valid and monitoring of the geo-political threat will continue in order to identify further actionable intelligence.