Security Research

What to Expect from #OpPetrol

SR-FI_Team ‎05-18-2013 08:53 AM - edited ‎05-22-2013 06:45 AM

Given that the #OpPetrol has made the news, we felt that we should provide our view of the operation.

Background

#OpPetrol is a new hacktivist campaign targeting several countries (the US, Canada, England, Israel, Saudi Arabia, China, Italy, France, Germany, Kuwait and Qatar) and the petroleum industry.

#OpPetrol was announced on May 10, 2013 via this pastebin - http://pastebin.com/8KWUwJdy

It was restated on May 11, 2013 via this pastebin - http://pastebin.com/0Yr6kyWA

According to the announcement, the operation will “engage” on June 20, 2013. As we know from past events, actors may be compromising sites now only to release the results as part of the operation. Potential targets may have already seen activity that could later be associated with this announcement.

We have seen support for this operation from the following notable actors:

  SaudiAnonymous
  Anon Ghost

The list of actors is fluid and will most likely change throughout the event.

Social activity spiked on the day of the announcement and declined sharply afterward, as the chart below showed:

[Chart: social activity around the #OpPetrol announcement; image not reproduced]

What to Expect?

Given the trends so far, we anticipate that this operation will mirror #OpUSA. We do not anticipate #OpPetrol to be a large success. However, targets should still prepare for the worst as these campaigns could be used as cover for serious threats. Our recommendations from OpUSA Lessons Learned are applicable to this event:

Mitigation guidance provided by the government:

  1. Compromised hosts should be wiped and restored to a known good image. Users and administrators should be vigilant about applying the latest patches and anti-virus updates. An infected host endangers the availability, confidentiality, and integrity of data on networks.
  2. Data Execution Prevention (DEP) should be enabled wherever possible (to help prevent buffer overflow exploits).
  3. Defend against compromised CA and web site certificates.
  4. Have layers of defense to mitigate phishing and drive-by downloads.
  5. Make sure strong authentication has been enforced wherever possible and limit remote access.
  6. Harden your infrastructure. For instance: remove unused network interfaces, keep gear patched, ensure strong authentication, limit management access to internal devices, etc.
  7. Be prepared to minimize the effect of SQLi and XSS attacks.
  8. Verify that firewall rules are tuned and that unused rules are removed for both IPv6 and IPv4 networks.

In addition to the federal recommendations, we recommend the following (high-level summary):

  1. Make sure to use a CDN for your external web presence. CDNs help mitigate DDoS threats substantially.
  2. Be prepared ahead of time. Work with your upstream Internet provider to ensure they can redirect and scrub DDoS-related traffic, or be prepared to redirect traffic to a company such as Prolexic.
  3. Ensure that all DDoS features are tuned and enabled across all security and infrastructure devices (firewalls, routers, IPS, gateways, etc.). Each of these has a part in defending against an attack, and each has specific strengths.
  4. Be prepared to identify and block zero-day threats.
  5. Using your visibility solutions, vigilantly monitor for exfiltration and anomalous behavior. Expect that someone will penetrate your perimeter.
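
Item 7 of the government guidance and items 3 and 5 of our list both come down to watching the web tier for injection probes and request floods. The script below is an added example written for this post; it is not HPE tooling or code from the original article. It parses constructed access-log lines in the common "combined" format, URL-decodes each request, flags requests carrying typical SQLi/XSS indicators, and reports source addresses whose request rate in any single second exceeds a threshold. The pattern lists and the 100-requests-per-second threshold are illustrative assumptions, not tuned signatures.

```python
"""Triage a web-server access log for the two threat types the post calls
out: injection probes (SQLi/XSS) and request floods (DDoS).

Added example, not part of the original post. The log lines below are
constructed; the pattern lists and threshold are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample log lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2013:08:53:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2013:08:53:02 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2013:08:53:03 +0000] "GET /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 120 "-" "Mozilla/5.0"
198.51.100.23 - - [18/May/2013:08:53:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "curl/7.29"
192.0.2.10 - - [18/May/2013:08:53:05 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""
# Constructed flood: 120 requests from one address within a single second.
SAMPLE_LOG += "".join(
    f'198.51.100.99 - - [18/May/2013:08:54:00 +0000] "GET /?{i} HTTP/1.1" 200 10 "-" "-"\n'
    for i in range(120)
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators applied to the URL-decoded request path plus query string.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'?\d", re.I),                     # ' OR '1'='1 tautologies
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),        # UNION ... SELECT
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),  # stacked statements
]
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),   # script tag injection
    re.compile(r"\bon\w+\s*=", re.I),    # inline event handlers (onerror=, onload=)
    re.compile(r"javascript\s*:", re.I), # javascript: URLs
]


def parse_line(line):
    """Return (ip, timestamp, decoded_path, status), or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, unquote_plus(m.group("path")), int(m.group("status"))


def classify_request(decoded_path):
    """Label a URL-decoded request as 'sqli', 'xss', or None when no indicator fires."""
    if any(p.search(decoded_path) for p in SQLI_PATTERNS):
        return "sqli"
    if any(p.search(decoded_path) for p in XSS_PATTERNS):
        return "xss"
    return None


def triage(log_text, flood_threshold=100):
    """Return (injection hits per source IP, sorted list of IPs that exceeded
    flood_threshold requests within any single second)."""
    injection_hits = defaultdict(Counter)
    per_second = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ip, ts, path, _status = parsed
        label = classify_request(path)
        if label:
            injection_hits[ip][label] += 1
        per_second[(ip, ts.replace(microsecond=0))] += 1
    flood_sources = sorted({ip for (ip, _), n in per_second.items() if n >= flood_threshold})
    return dict(injection_hits), flood_sources


if __name__ == "__main__":
    hits, floods = triage(SAMPLE_LOG)
    for ip, counts in hits.items():
        print(f"{ip}: {dict(counts)}")
    print("flood sources:", floods)
```

Matching on the decoded path rather than the raw line is what keeps the percent-encoded probes visible; the per-second bucketing is deliberately coarse, and in practice the threshold is set from a baseline of normal traffic and the hits are fed into a SIEM or blocklist workflow rather than read by hand.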
