
Page 1: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

2018 Annual Cybersecurity Report

This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered by NTT Secure Platform Laboratories.

NTT Secure Platform Laboratories


Preface

This report summarizes cybersecurity trends during fiscal year 2017* along with our related activities at NTT Secure Platform Laboratories.

* Fiscal year 2017 was the one-year period starting on April 1, 2017, and ending on March 31, 2018.

The environment surrounding cybersecurity is changing each day and there are plenty of tasks that must be tackled. NTT Secure Platform Laboratories is engaged in research and development from a variety of perspectives. We are striving to reduce risk and to make cyberspace a safer place by continually creating technologies and intelligence. We hope this report will make readers more aware of current cyber-threat trends and that it will also serve as a useful reference for them to improve the security and safety of any systems or services they maintain or provide.

May 2018
NTT Secure Platform Laboratories
Kazuhiko Ohkubo, Vice President

Table of Contents

Preface ... 03
1 The State of Cybersecurity (Executive Summary) ... 06
2 Worldwide Cybersecurity Cases ... 08
  2-1 Summary Report of Cases ... 09
  2-2 Summary of Security Topics ... 13
    ❶ Trends of Governments of Various Countries ... 13
    ❷ Major Vulnerabilities ... 24
    ❸ Cyberattacks ... 33
    ❹ Other Issues ... 46
3 NTT-CERT and NTT Group Activities ... 54
  3-1 CONCERT - Center of NTT-CERT ... 55
  3-2 State of Inquiries and Responses ... 56
  3-3 Examples of Incidents Handled ... 57
    ❶ Public Monitoring in FY2017 ... 57
    ❷ Infection Spread of the WannaCry Ransomware ... 58
    ❸ Attacks on Supply Chains that use IoT ... 60
    ❹ An MS Office File Attached to a Suspicious Mail Message Was Opened ... 62
    ❺ Credential Information Leak ... 64
    ❻ Coinhive ... 65
  3-4 NTT-CERT Activities in Other Organizations ... 67
  3-5 Trends in Vulnerability Information ... 70
  3-6 NTT Group Activities ... 75
    ❶ Cybersecurity Countermeasure Cooperation in the NTT Group ... 75
    ❷ Cybersecurity Exercises in the Chubu Area ... 77
    ❸ Evaluation of Security Products ... 80
4 Cybersecurity Topics and Technological Trends in FY 2017 ... 81
  4-1 Understanding “Anonymously Processed Information” in Japanese Act and Guidelines on the Protection of Personal Information ... 82
  4-2 Trends in Cyberattacks on Cryptocurrencies ... 87
  4-3 Examples of Cryptocurrency Attack Method ... 89
  4-4 Cyberattacks Related to the Pyeongchang Winter Olympics ... 92
  4-5 Verification of Olympic Destroyer ... 94
  4-6 Meltdown and Spectre ... 96
  4-7 Summary of Self-propagating Ransomware Prevalent in 2017 (provided by NTTDATA-CERT) ... 99
  4-8 Hardware and the Future Concept for its Needed Security Measures ... 103
Trademarks ... 108

Note: This report contains information and cites URLs applicable to fiscal year 2017. In some cases, content or link information might have changed or been deleted.


Security Research Activities

The NTT Secure Platform Laboratories provide technical support for strengthening security throughout the NTT Group by leveraging security research and expertise with the help of NTT-CERT, the NTT Group’s Computer Security Incident Response Team (CSIRT).

Introduction to NTT-CERT

NTT-CERT was established in 2004 as the NTT Group’s CSIRT. It promptly gathers security information for planning preventive measures and for minimizing the impact of incidents throughout the entire NTT Group.

Summary of NTT-CERT Activities

(Diagram, reproduced as text.) NTT-CERT supports the companies in the NTT Group at each phase, from prevention and precautionary measures through detection and incident response to impact reduction. Its CSIRT responsibilities are information sharing, analysis / investigation, training (etc.), open consultation, and response and support. Services provided to the group: security information sharing, vulnerability information sharing, incident handling, vulnerability handling, security education and training, and security consulting (etc.). Information sources: security vendors; NTT Group internal information systems; NTT Group public network services / infrastructure; NTT Group business network services / solutions; domestic and international research institutions; FIRST, NCA, and other external institutions; and open source security information, intelligence gathering, and SNS rumor investigations (nicter, etc.).

Support for the NTT Group at Each Phase (ordinary support and precautionary / emergency support, following NTT-CERT’s sample group support policies):
・Collection and sharing of vulnerabilities and other information: information for verifying vulnerabilities; information on undisclosed vulnerabilities
・Attack detection: incident reporting; data leak detection
・Incident response when damage is incurred: incident response and support; case study sharing
・Security SE; security education

Companies in the NTT Group carry out risk management and the prevention and minimization of damages; NTT-CERT provides specialized response support and prompt communication of information to the right people in the right places. Security operations rest on the accumulation and application of expertise, and on early detection of vulnerabilities and attacks along with the collection and analysis of related information.

Summary of Security Research Activities

Field Support (for the group companies’ security operations):
・Technical support related to implementation procedures and building facilities for inspections in the group companies' environments
・Technical support related to introducing log analysis methods and blacklists as well as handling the results of security diagnoses conducted on the group companies
・On-site technical support when applying technological solutions and determining what to analyze

R&D Missions: From prevention to detection and incident response, the NTT companies are supported and technology is established to consistently strengthen security operations. Research areas: (1) Detection and Protection Technologies; (2) Cryptographic Protocols; (3) Visualization and Auditing; OSINT (Open Source Intelligence). Research outputs flow into security product evaluations, the establishment of operational processes and procedures, and technical development; field activities (security diagnosis, blacklisting, forensics, malware analysis) return feedback to research.

Security Diagnosis
NTT-CERT periodically scans and analyzes the web sites of companies in the group for tampering, vulnerabilities, and any gaps in their defenses; if a problem is found, the appropriate steps are taken to address it.

Establishing Operational Processes and Procedures
Keeping a close eye on trends in guidelines planned by the government and commercial sector, NTT-CERT drafts procedural manuals and carries out technical inspections to ensure compliance within the group.

Providing Blacklists
NTT-CERT rolls out blacklists built in research labs (i.e. updates to existing blacklists, such as the ones provided by antivirus vendors) to companies in the group and thus contributes to blocking attacks.

Security Information Analysis
NTT-CERT collects and comprehensively analyzes security-related information available on the Internet and unpublished information from security vendors and shares the latest updates.

Applying Forensic Analysis to Malware
While responding to a security incident, NTT-CERT establishes methods for analyzing deeper problems that are difficult for a company to discover (e.g. in malicious programs as well as in access points and system logs) and at the same time continuously maintains and improves security following technological changes.

Evaluating Security Products
Evaluations of the features, performance and vulnerabilities of new products and technologies, plus reports on the measures needed to utilize them properly.


1 The State of Cybersecurity (Executive Summary)

In Chapter 1, we will describe the security trends of fiscal year 2017 while providing a summary of the information in this report.

Financial profit-motivated cybersecurity incidents continued to take place in fiscal year 2017. They included continued attacks against SWIFT (Society for Worldwide Interbank Financial Telecommunication), large-scale ransomware attacks, attacks targeting cryptocurrencies, and growing damage due to CEO fraud emails. Vulnerabilities have been found not only in applications and in middleware as in the past, but also across the entire range of ICT devices like CPUs and Wi-Fi devices. Attacks against IoT devices have increased, including attacks by Mirai variants. International events affected by cyberattacks included the 2018 Olympic & Paralympic Games. Full-scale targeted attacks against the PyeongChang Olympics Organizing Committee actualized the damage of such attacks.

Furthermore, there were many cyberattack incidents related to competition and disputes between countries. In addition, national governments were suspected of orchestrating phishing attacks and various cyberattacks. Activities in cyberspace had a great impact on the international situation in fiscal 2017.

Questions about the role of Internet services in society were also raised in fiscal 2017. Major topics of discussion included the abolition of net neutrality in the U.S., tightening of information regulations in China and Russia, and Facebook’s misuse of personal information.

In Japan, fiscal 2017 was a year in which more serious and varied cyberattacks occurred with more frequency than in the previous year.

(1) Ransomware caused more damage in Japan.

(2) Numerous phishing email attacks occurred in Japan.

(3) Exploitation of Struts2 and WebLogic vulnerabilities resulted in frequent web server compromises and data breaches.

(4) Various incidents involving cryptocurrencies were reported (illegal access of exchanges, theft of cryptocurrencies, opportunistic attacks with cryptocurrencies, counterfeit cryptocurrencies, etc.).

(5) Vulnerabilities in IoT devices and attacks considered to exploit the flaws were reported.

(6) Cybercrime suspects are becoming younger, and youths are involved in spreading malware and creating phishing websites.

For the NTT Group, reports about malware infection in a Group company and warnings against broadcast email attacks were issued. In addition, warnings were also given about suspicious email as NTT announced the migration to IP telephony. Each Group company also prepared systems and expanded IoT services for the Tokyo 2020 Olympic and Paralympic Games.

In Chapter 2, we will organize and analyze trends based on articles, reports, and other information related to security incidents.

In Chapter 3, we will report on the activities of NTT-CERT and the NTT Group’s effort at CSIRT cooperation.

In Chapter 4, we will report the topics and technology trends related to cybersecurity in fiscal year 2017. We will include a technical explanation of the handling of anonymously processed information as set forth in the Amended Act on the Protection of Personal Information and reports on attacks on cryptocurrencies, ransomware with worm functions, attacks against the Organizing Committee for the 2018 PyeongChang Olympic and Paralympic Winter Games, and analysis of the Meltdown/Spectre CPU vulnerabilities released in January 2018. We will also report on hardware-based vulnerabilities that are expected to gain greater attention in the future.


2 Worldwide Cybersecurity Cases

In Chapter 2, we first summarize security incidents that occurred in fiscal year 2017. We then report on the results of analyzing incidents that became noteworthy topics of discussion.

2-1 Summary Report of Cases

First Quarter (April – June 2017)

Apr. 1: The first round of certification of Registered Information Security Specialists (RISS) took place. There were 4,172 individuals who passed the exam to be qualified as RISS.
May 13: Ransomware “WannaCry,” which uses a worm function to spread infection, attacked users on a worldwide scale. Japan was among the countries affected.
May 26: The Japanese Civil Code was revised for the first time in 120 years. Rules concerning general terms and conditions were clarified.
May 30: The Amended Act on the Protection of Personal Information went into full effect.
Jun. 29: Attacks by destructive malware “NotPetya,” which mimics the behavior of ransomware, were reported.

Second Quarter (July – September 2017)

Jul. 12: ICANN announced a plan to roll over (change) the Root Zone KSK (Key Signing Key). (Postponement of the rollover was announced on September 28 due to lack of readiness by resolvers. On February 1, 2018, ICANN announced that the rollover would be re-scheduled to take place on October 11, 2018.)
Aug. 1: Bitcoin was split into two currencies. Temporary suspensions of Bitcoin exchanges occurred.
Aug. 25: Due to U.S. Google’s border gateway protocol (BGP) advertisement containing incorrect information, telecommunication infrastructure, including Japanese ISPs like OCN, was thrown into substantial disarray.
Sep. 8: A data breach of U.S. consumer credit reporting agency Equifax exposed a massive amount of individuals’ personal information. It was discovered later that an Equifax executive carried out insider trading before the incident was announced.
Sep. 13: The U.S. government banned the use of Kaspersky Lab products due to suspicion of the company’s association with the Russian government.
Sep. 22: Many DDoS attacks targeting online finance took place. Attackers sent emails demanding money in exchange for stopping the attacks.

Third Quarter (October – December 2017)

Oct. 3: The Ministry of Internal Affairs and Communications (MIC) released “IoT Security Guidelines.” Afterwards, a host of other guidelines were released.
Oct. 16: The WPA2 vulnerability KRACK (Key Reinstallation Attacks) was reported. (Afterwards, investigation of WPA3 began.)
Oct. 31: An employee of a security company providing a P2P survey service was arrested on suspicion of storing a virus. (Afterwards, the charges were dropped by Kyoto prosecutors on March 30.)
Nov. 16: The Ministry of Economy, Trade and Industry (METI) revised its Cybersecurity Management Guidelines.
Nov. 30: The National Police Agency (NPA) released a report on the misuse of cryptocurrencies.
Dec. 1: The National Tax Agency issued its conclusion that income from sales of cryptocurrencies is to be treated as other income.
Dec. 4: A high school student in Nagano Prefecture was arrested on charges of unauthorized access.
Dec. 20: JAL lost 380 million yen due to a business email scam.

Fourth Quarter (January – March 2018)

Jan. 4: Spectre/Meltdown was reported. Afterwards, many similar CPU flaws were reported.
Jan. 26: Coincheck suffered a large-scale theft of cryptocurrencies due to unauthorized access. As a result, regulations on cryptocurrency exchanges were tightened and an industry organization was established.
Feb. 9: A full-fledged targeted attack occurred during the opening ceremony of the PyeongChang 2018 Olympic Winter Games.
Mar. 1: A 1.3 Tb/s DDoS attack using vulnerable settings in memcached took place. The following week, a 1.7 Tb/s DDoS attack occurred.
Mar. 19: A company contracted by Japan Pension Service subcontracted its work to China in violation of contractual terms. Furthermore, as a result of a mistake in processing, about 60,000 pension payments were not made.
Mar. 20: Facebook provided unauthorized personal data to a British analytics company. The use of the data in the U.S. presidential election was suspected.

Page 9: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

2-1 Summary Report of Cases

The first round of certification of Registered Information Security Specialists (RISS) took place. There were 4,172 individuals who passed the exam to be qualified as RISS.Ransomware “WannaCry,” which uses a worm function to spread infection, attacked users on a worldwide scale. Japan was among the countries affected.The Japanese Civil Code was revised for the first time in 120 years. Rules concerning general terms and condi-tions were clarified. The Amended Act on the Protection of Personal Information went into full effect.Attacks by destructive malware “NotPetya,” which mimics the behavior of ransomware, were reported.

Apr. 1

May. 13

May. 26

May. 30Jun. 29

Second Quarter (July – September 2017)

・Jul. 12: ICANN announced a plan to roll over (change) the Root Zone KSK (Key Signing Key). (Postponement of the rollover was announced on September 28 due to lack of readiness by resolvers. On February 1, 2018, ICANN announced that the rollover would be rescheduled to take place on October 11, 2018.)
・Aug. 1: Bitcoin was split into two currencies. Temporary suspensions of Bitcoin exchanges occurred.
・Aug. 25: Due to a border gateway protocol (BGP) advertisement by Google (U.S.) containing incorrect information, telecommunication infrastructure, including Japanese ISPs like OCN, was thrown into substantial disarray.
・Sep. 8: A data breach at U.S. consumer credit reporting agency Equifax exposed a massive amount of individuals’ personal information. It was discovered later that an Equifax executive carried out insider trading before the incident was announced.
・Sep. 13: The U.S. government banned the use of Kaspersky Lab products due to suspicion of the company’s association with the Russian government.
・Sep. 22: Many DDoS attacks targeting online finance took place. Attackers sent emails demanding money in exchange for stopping the attacks.

Third Quarter (October – December 2017)

・Oct. 3: The Ministry of Internal Affairs and Communications (MIC) released “IoT Security Guidelines.” Afterwards, a host of other guidelines were released.
・Oct. 16: The WPA2 vulnerability KRACKs (Key Reinstallation Attacks) was reported. (Afterwards, investigation of WPA3 began.)
・Oct. 31: An employee of a security company providing a P2P survey service was arrested on suspicion of storing a virus. (Afterwards, the charges were dropped by Kyoto prosecutors on March 30.)
・Nov. 16: The Ministry of Economy, Trade and Industry (METI) revised its Cybersecurity Management Guidelines.
・Nov. 30: The National Police Agency (NPA) released a report on the misuse of cryptocurrencies.
・Dec. 1: The National Tax Agency issued its conclusion that income from sales of cryptocurrencies is to be treated as other income.
・Dec. 4: A high school student in Nagano Prefecture was arrested on charges of unauthorized access.
・Dec. 20: JAL lost 380 million yen due to a business email scam.

Fourth Quarter (January – March 2018)

・Jan. 4: Spectre/Meltdown were reported. Afterwards, many similar CPU flaws were reported.
・Jan. 26: Coincheck suffered a large-scale theft of cryptocurrencies due to unauthorized access. As a result, regulations on cryptocurrency exchanges were tightened and an industry organization was established.
・Feb. 9: A full-fledged targeted attack occurred during the opening ceremony of the PyeongChang 2018 Olympic Winter Games.
・Mar. 1: A 1.3 Tb/s DDoS attack using vulnerable settings in memcached took place. The following week, a 1.7 Tb/s DDoS attack occurred.
・Mar. 19: A company contracted by Japan Pension Service subcontracted its work to China in violation of contractual terms. Furthermore, as a result of a mistake in processing, about 60,000 pension payments were not made.
・Mar. 20: Facebook provided unauthorized personal data to a British analytics company. The use of the data in the U.S. presidential election was suspected.


2 Worldwide Cybersecurity Cases

2-1 Summary Report of Cases

2017 Timeline of Cybersecurity Incidents (provided by NTTDATA-CERT)

Time axis: January 2017 to December 2017.

Legend: relationship between events; series of events. Rows: In Japan / Global. Markers: Vulnerabilities, Threats, Attacks and incidents. Lanes (for both Japan and Global): Events, Vulnerabilities, Ransomware, Email, Attacks against government agencies, Attacks against financial institutions, Attacks against companies, Security of IoT devices, Others, Cryptocurrencies.

Timeline entries (dated entries carry their date; undated entries are listed as they appear in the figure):

・Increase in prices of cryptocurrencies
・Jan. 16: US-CERT released security advisory for SMBv1.
・A hotel was hit by ransomware, which locked guests in their rooms.
・Election-related friction between U.S. and Russia; confrontation on cyberattacks
・Apr. 10: MS Office vulnerabilities (CVE-2017-0199)
・Malware infection of InterContinental Hotels point-of-sale systems
・Hacking of Twitter accounts
・WordPress website defacement
・Struts2 web server compromise
・BBC, McDonald's
・First hacking of Youbit
・Feb. 1: WordPress vulnerability
・Feb. 24: Successful SHA-1 collision attack
・Mar. 14: MS17-010 released
・Mar. 7: Struts2 vulnerability
・Mar. 8: CIA hacking and malware-based intelligence activities posted on WikiLeaks
・May 30: Amended Act on the Protection of Personal Information went into effect.
・Ransomware targeting mobile devices on the rise.
・Ransomware Cerber found to evade machine learning
・May 12: Spread of WannaCry
・Jun. 21: WannaCry hit Honda plant and halted operations temporarily.
・Jun. 27: Spread of Petya variant
・Business email compromise attacks
・Damage to multiple companies like Google and Facebook
・Email broadcast attack by embedding Microsoft Word macro in PDF file
・Locky
・Mirai variant; spread of Brickerbot; Persirai appeared
・Apr. 17: Malware Mirai and Hajime spread.
・Mining of cryptocurrencies; malware targeting cryptocurrencies became prevalent.
・Jaff; Trickbot
・Circulation of suspicious emails purporting to be from Microsoft
・Circulation of suspicious emails purporting to be from Amazon
・Italy
・Malware infection of InterContinental Hotels point-of-sale systems (again)
・DDoS and threats against financial institutions
・Spread of Ursnif
・Jan. 23: Cyberattack mounted against Saudi Arabia; third wave of “Shamoon2” cyberattack.
・South Korea
・Mongolia
・Disney
・Attacks related to international politics; presidential election in France
・Qatar government-related
・Attack on German ruling party think tanks
・Apr. 3: Kaspersky Lab suggests relationship between North Korea and Lazarus Group
・Attacks targeting financial institutions in Poland laid in wait on the Web.
・Chongryon cyberattacks
・Mar. 23: Operation to destroy cybercrime group by police agencies including Japan’s NPA; participation in OpAvalanche
・OpKillingBay DDoS attack targeted multiple sites in Japan (also occurred from January to March 2018)
・Growing IoT malware activity
・Banking malware: warning about DreamBot
・Warning issued
・Targeted attack: menuPass; cyber threats
・Occurrence of targeted attacks
・Vulnerability in Struts2 (CVE-2017-9791)
・Sep. 12: Bluetooth vulnerability “BlueBorne”
・Hijacking of Chrome extensions
・Sep. 7: Equifax data breach
・Copyfish hijacked; Web Developer hijacked
・Vulnerability in Struts2 (CVE-2017-9805, CVE-2017-12611)
・Vulnerability in Microsoft Office Equation Editor (CVE-2017-11882)
・Vulnerabilities in Flash (CVE-2017-11292)
・Vulnerability in RSA library (CVE-2017-15361)
・Oct. 15: Vulnerability in WPA2 (KRACKs)
・Jul. 25: Adobe announced end of life of Flash Player, scheduled at end of 2020.
・Oct. 3: MIC released “IoT Security Guidelines.”
・EMOTET updated with dictionary-attack capability
・Trickbot with expanded capabilities
・Cryptomix-variant Azer
・Locky variants
・Infection at Toshiba Memory
・Oct. 24: Outbreak of Bad Rabbit ransomware
・Smartphone-locking Lokibot
・Spider
・LockCrypt spreads by brute-force attacks against RDP
・Fake URL in email body
・Widespread email attacks using Dynamic Data Exchange (DDE); Locky widespread email attack
・Spread of IoTroop
・Cecile, Babytown, Tokyo Gas, Toho Gas
・Mirai variant; Mirai variant
・Unauthorized access of EirGrid
・Svpeng keylogger
・Attacks by The Dark Overlord hacker group
・Diversification of ransomware
・Attacks against critical infrastructure
・Attacks on energy sector by Dragonfly group
・Attacks targeting government agencies
・Malware Triton; DDoS against Sweden’s transportation system
・List attacks targeting point-of-sale systems
・Dinos, Cecile
・Password list attacks
・IoT botnets
・New functions added to banking malware
・Trickbot with expanded capabilities
・Hacking of banks, fraudulent money transfer through SWIFT
・Occurrences of targeted attacks
・Attack on financial institutions in Turkey by Cobalt hacking group
・Cyber threats against Money Partners, Zaif, bitFlyer, etc.
・NetSarang
・Dec. 19: Youbit bankrupted after second hacking.
・Etherparty hacked; IOC hacked
・NiceHash was hacked.
・Sep. 18: CCleaner infected by malware
・Bithumb was hacked.
・Coindash ICO was hacked.
・Supply chain attack: infiltration by software; cyber threats
・DreamBot, Trickbot, Cerber
・Attacks to steal cryptocurrencies
・Malvertising distributed MineCrunch; Coinhive injection
・Boom in cryptocurrency mining
・Verizon, City of Chicago, Time Warner Cable; continual attacks are still occurring.
・Data breach occurred due to mistakes in AWS S3 configuration.
・JCB, Rakuten Card, Apple
・Dec. 20: JAL victimized by business email scam.
・May 24: Samba vulnerabilities (CVE-2017-7494)


Major NTT Group Security-related Incidents and Activities in Fiscal Year 2017

・ Incidents in fiscal year 2017 included reports of malware infections in an NTT Group company and vulnerabilities found in network devices sold by the NTT Group.
・ Continuing from the previous fiscal year, NTT Group websites and service users were the targets of many phishing website attacks and attack emails. NTT Group companies issued warnings to inform users.
・ In response to the development of new ICT such as IoT, the cloud, and fintech, NTT Group companies proposed a variety of security services. In addition, they announced the preparation of security systems for the Tokyo 2020 Olympic and Paralympic Games.

2-2 Summary of Security Topics

In this section, we will analyze the following four themes, which cover important topics from 2017.

1. Trends of Governments of Various Countries
2. Major Vulnerabilities
3. Cyberattacks
4. Other Issues

❶ Trends of Governments of Various Countries

Summary

We introduce here major actions by governments in 2017.

● Abolition of net neutrality
● Cyberspace as the new battlefield after land, sea, air, and space
● Intelligence activity trends in countries
● China tightens regulations
● Investigation of cryptocurrencies and regulations in various countries

Abolition of Net Neutrality

Abolition of net neutrality: Broadband changes from public service to venue for marketing

・After U.S. President Trump assumed office (on January 20, 2017), the stance of the U.S. government on the role of the Internet in society shifted considerably due to Trump’s appointment of Ajit Pai as chairman of the FCC (on January 23, 2017).
・After Pai assumed chairmanship, major changes in policy were advanced. They included repeal of net neutrality regulations established by the Obama administration and a plan to move jurisdiction of the Internet from the FCC*1 (Federal Communications Commission) to the FTC*2 (Federal Trade Commission).

(1) FCC changed its view on zero rating
(2) Rules imposed on U.S. ISPs were repealed
(3) FCC approved the abolition of net neutrality regulations

(1) FCC changed its view on zero rating.

●Under the Obama and Trump administrations, the U.S. FCC had different opinions on mobile carriers’ zero rating services.
・Zero rating means not counting certain data as usage.
・In the U.S., several mobile carriers apply zero rating to their own video streaming services.

Comparison of the two administrations’ positions on zero rating:

・Obama administration (announcement: FCC survey report issued on January 11, 2017)
  Similarities: There are benefits to mobile carrier subscribers.
  Differences: There is the possibility of harm to competition for subscribers of other video streaming services and to competition with those companies.
・Trump administration (announcement: statement by the FCC chairman on February 3, 2017)
  Similarities: Popular with mobile carrier subscribers (especially low-income subscribers).
  Differences: Going forward, the FCC will not focus on zero rating regulations, but instead push for broadband expansion and provision of innovative services.

(2) Rules imposed on U.S. ISPs were repealed

●Rules prohibiting U.S. ISPs like Verizon from selling information such as browser history without the consent of consumers were considered unfair and repealed.
・On October 27, 2016, the FCC under the Obama administration imposed rules on ISPs to protect privacy.
・ISPs were required to obtain user permission when using user information such as browser history and location information for advertising and marketing.
・On March 1, 2017, the FCC issued a temporary stay of this requirement.
・Ajit Pai, chairman of the FCC under the Trump administration, stated that because tech companies like Google, which gather more customer data for online advertising than ISPs do, were exempt from the rules, the rules were unfair.
・On April 3, 2017, the president signed the bill repealing the rules.
・According to The Hacker News, because the repeal of the rules was voted upon by the Senate based on the Congressional Review Act, going forward the FCC could not establish similar regulations.

Photo: Ajit Pai. Source URL: http://thehackernews.com/2017/03/fcc-ajit-pai-net-neutrality.html

*1 FCC: Federal Communications Commission
*2 FTC: Federal Trade Commission


(3) FCC approved the abolition of net neutrality regulations

●On December 14, 2017, the FCC approved the abolition of net neutrality regulations. As part of the repeal, the FCC announced plans to transfer jurisdiction of ISPs to the FTC.
・On November 22, 2017, the draft order “Proposal to Restore Internet Freedom” to repeal net neutrality regulations was approved by a vote of 3 to 2.
・Net neutrality is the principle that all data on the Internet should be treated equally. Under the Obama administration, ISPs were prohibited from restricting or giving preferential treatment to certain network traffic.
・FCC Chairman Pai in the Trump administration sought to repeal these regulations.
・Changes as a result of repeal of net neutrality regulations:
  ・Broadband returns from its classification as “telecommunications” to “information service.”
  ・ISPs can block or restrict certain traffic and give preferential treatment to certain data for a fee. However, ISPs are required to disclose such information.
  ・The jurisdiction of ISPs is transferred over to the FTC to audit whether ISPs are accurately disclosing information.

Cyberspace as New Battlefield After Land, Sea, Air, and Space

Cyberspace is being considered by many authorities as the next battlefield after traditional land, sea, air, and space.

・The impact of cyberattacks on countries is becoming greater. More countries and organizations are considering cyberspace as a battlefield.
・There are now military exercises that actively incorporate cyberspace as an element.
・Plans to build military sites for the main purpose of conducting cyberspace operations have also been revealed.

(1) Cyber as major element of military exercises
(2) Political actions by Russia and Europe
(3) EU and NATO formulate cyberattack response guidelines

(1) Cyber as major element of military exercises

●“Cyber” was a major keyword raised during large-scale military exercises held by the United States European Command (EUCOM) and the British navy.
・The U.S. Defense Information Systems Agency (DISA)’s European team “DISA Europe” participated in EUCOM’s large-scale military exercise held in early February 2017. It was responsible for communications in a variety of theaters.
  ・For the training scenario, communications and cyberspace strategies were important elements.
  ・As a cybersecurity service provider, DISA Europe carried out cyber defense strategies.
  ・Team members participated in the exercise around the clock by being assigned to EUCOM’s strategy command room.
  ・DISA’s ability to support EUCOM was confirmed.
・The UK’s Royal Navy added AI and cyberwarfare as elements of its large-scale military exercise in March.
  ・It was announced that AI and cyberattacks would be used during “Information Warrior 17,” a large-scale two-week military exercise held at the end of March.
  ・The purpose of the exercise was to give the navy a sound ability to respond to challenges resulting from warfare in a new era.
  ・The exercise focused on warfare on the sea and shore during the information age.
  ・Battleships, submarines, and naval personnel were tested as to whether they could respond effectively to cyber incidents that co-occur with a physical crisis.
  ・The exercise envisioned AI, robots, automation, quantum computing, etc. as uncertain elements in the future and provided training to respond to them.
  ・Not just defensive but also offensive measures were included.
  ・Improvement in strategy responding to threats was sought by actively using AI technologies.
  ・Weaponization of cyber technologies was also included in considerations.

(2) Political actions by Russia and Europe

●As reports emerged that European countries were hit by cyberattacks seen as originating from Russia, NATO and EU countries formed a central research center to defend against cyber threats.
・Fancy Bear (also known as APT28, Pawn Storm, and other names), a hacker group considered to be connected with the Russian government, has been attacking European governments.

Activities of Fancy Bear (country, time period, activity):

・Denmark, 2015 and 2016: Unauthorized access of Danish Defense Ministry email and accounts (revealed by Denmark’s defense minister on April 23, 2017).
・Germany, March and April 2017: Two think tanks connected with Germany’s ruling coalition parties were subject to phishing attacks (Trend Micro survey).
・France, April 2017: At least four domains with addresses very similar to en-marche.fr, the official website of presidential candidate Emmanuel Macron’s party En Marche, were created (Trend Micro survey).

(3) EU and NATO formulate cyberattack response guidelines

●The EU and NATO clarified their stance on cyberattacks against member countries, including sanctions and defense applied to all member countries.
・NATO and EU countries establish a central research center to defend against hybrid threats.
  ・Hybrid threats: threats that combine political, diplomatic, economic, cyber, and/or disinformation elements with military force.
  ・The center established will defend against hybrid threats from Russia (dissemination of propaganda and fake news).
  ・On April 11, 2017, the U.S., UK, and EU and NATO countries*1 signed a memorandum of understanding (MOU) concerning the establishment of the center.
  ・The center will be established in Helsinki in Finland, which borders Russia.
  ・The center will have a budget of 1.5 million euros. Half will be paid by Finland.
  ・Ten network specialists from participating countries will be assigned within the year.
  ・EU and NATO will cooperate and actively participate.
・On June 19, 2017, the European Council released a draft of “CYBER DIPLOMACY TOOLBOX,” a common EU framework for diplomacy when cyberattacks hit EU member countries.
  ・The framework permits full use of measures within the “Common Foreign and Security Policy.”*2
  ・The purpose of the framework is to prevent wars, mitigate threats, and stabilize international relations.
・On June 28, 2017, the NATO Secretary General stated that a cyberattack on a member country could trigger “NATO Article 5” in the same manner as a land, air, or sea attack.
  ・The cyberattack would be considered an attack on all member countries, and the attacked country would receive joint support, including the use of military force.

Figure: EU and NATO member countries (created on mapchart.net, https://mapchart.net/).

*1 Finland, France, Germany, Latvia, Lithuania, Poland, Sweden, U.S., and UK. Several other countries are expected to join in the near future.
*2 CFSP: Common Foreign and Security Policy

Page 15: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

(1) Cyber as major element of military exercises●“Cyber” was a major keyword raised during large-scale military exercises

held by the United States European Command (EUCOM) and the British navy.・The U.S. Defense Information Systems Agency (DISA)’s European team “DISA

Europe” participated in EUCOM’s large-scale military exercise held in early Febru-ary 2017. It was responsible for communications in a variety of theaters.・For the training scenario, communications and cyberspace strategies were

important elements.・As a cybersecurity service provider, DISA Europe carried out cyber defense

strategies.・Team members participated in the exercise around the clock by being

assigned to EUCOM’s strategy command room.・DISA’s ability to support EUCOM was confirmed.

・The UK’s Royal Navy added AI and cyberwarfare as elements of its large-scale military exercise in March.・It was announced that AI and cyberattacks would be used during “Information

Warrior 17,” a large-scale two-week military exercise held at the end of March.・The purpose of the exercise was to give the navy sound ability to respond to

challenges resulting from warfare in a new era.・The exercise focused on warfare on the sea and shore during the

information age.・Battleships, submarines, and naval personnel were tested as to whether

they could respond effectively to cyber incidents that co-occur with a physical crisis.

・The exercise envisioned AI, robots, automation, quantum computing, etc. as uncertain elements in the future and provided training to respond to them.

・Not just defensive but also offensive measures were included.・Improvement in strategy responding to threats was sought by actively

using AI technologies.・Weaponization of cyber technologies was also included in consider-

ations.

(3) FCC approved the abolition of net neutrality regulations

●On December 14, 2017, the FCC approved the abolition of net neutrality regulations. As part of the repeal, the FCC announced plans to transfer jurisdiction of ISPs to the FTC.

Cyberspace as New Battlefield After Land, Sea, Air, and Space

Cyberspace is being considered by many authorities as the next battlefield after traditional land, sea, air, and space.

・The impact of cyberattacks on countries is becoming greater. More countries and organizations are considering cyber-space as a battlefield.

・There are now military exercises that actively incorporate cyberspace as an element.・Plans to build military sites for the main purpose of conducting cyberspace operations have also been revealed.

(1) Cyber as major element of military exercises(2) Political actions by Russia and Europe(3) EU and NATO formulate cyberattack response guidelines

・On November 22, 2017, the draft order “Proposal to Restore Internet Freedom” to repeal net neutrality regulations was approved by a vote of 3 to 2.・Net neutrality is the principle that all data on the Internet treat should be

treated equally. Under the Obama administration, ISPs were prohibited from restricting or giving preferential treatment to certain network traffic.

・FCC Chairman Pai in the Trump administration sought to repeal these regulations.・Changes as a result of repeal of net neutrality regulations

・Broadband returns from its classification as “telecommunications” to “infor-mation service.”

・ISPs can block or restrict certain traffic and give preferential treatment to certain data for a fee. However, ISPs are required to disclose such information.

・The jurisdiction of ISPs is transferred over to the FTC to audit whether ISPs are accurately disclosing information.

Figures: DISA Europe seal (http://www.disa.mil/~/media/Images/DISA/Services/Logo/logo_europe_seal.gif?w=205&h=220&as=1); Information Warrior 17 logo (http://www.royalnavy.mod.uk/-/media/royal-navy-responsive/images/operations/information-warrior/blocks/info-warrior-logo-med-block.jpg?h=490&la=en-GB&w=490&hash=C84A5B81D8A1570BEE4401B6585E815780446036); FTC logo (https://www.ftc.gov/about-ftc/office-inspector-general)

(2) Political actions by Russia and Europe

●As reports emerged that European countries were hit by cyberattacks seen as originating from Russia, NATO and EU countries formed a central research center to defend against cyber threats.

・Fancy Bear (also known as APT28, Pawn Storm, and other names), a hacker group considered to be connected with the Russian government, has been attacking European governments.

(3) EU and NATO formulate cyberattack response guidelines

●The EU and NATO clarified their stance on cyberattacks against member countries, including sanctions and defense applied to all member countries.

・NATO and EU countries establish a central research center to defend against hybrid threats.
  ・Hybrid threats: threats that combine political, diplomatic, economic, cyber, and/or disinformation elements with military force.
  ・The center established will defend against hybrid threats from Russia (dissemination of propaganda and fake news).
  ・On April 11, 2017, the U.S., UK, and EU and NATO countries*1 signed a memorandum of understanding (MOU) concerning the establishment of the center.
  ・The center will be established in Helsinki, Finland, which borders Russia.
  ・The center will have a budget of 1.5 million euros. Half will be paid by Finland.
  ・Ten network specialists from participating countries will be assigned within the year.
  ・The EU and NATO will cooperate and actively participate.
・On June 19, 2017, the European Council released a draft of “CYBER DIPLOMACY TOOLBOX,” a common EU framework for diplomacy when cyberattacks hit EU member countries.
  ・The framework permits full use of measures within the “Common Foreign and Security Policy.”*2
  ・The purpose of the framework is to prevent wars, mitigate threats, and stabilize international relations.
・On June 28, 2017, the NATO Secretary General stated that a cyberattack on a member country could trigger “NATO Article 5” in the same manner as a land, air, or sea attack.
  ・The cyberattack would be considered an attack on all member countries, and the attacked country would receive joint support, including the use of military force.

Activities of Fancy Bear

Time period         Country   Activities of Fancy Bear
2015, 2016          Denmark   Unauthorized access of Danish Defense Ministry email and accounts (revealed by Denmark’s defense minister on April 23, 2017)
March, April 2017   Germany   Two think tanks connected with Germany’s ruling coalition parties were subject to phishing attacks (Trend Micro survey)
April 2017          France    At least four domains with addresses very similar to en-marche.fr, the official website of presidential candidate Emmanuel Macron’s party En Marche, were created (Trend Micro survey)

*1 Finland, France, Germany, Latvia, Lithuania, Poland, Sweden, U.S., and UK. Several other countries are expected to join in the near future.

*2 CFSP: Common Foreign and Security Policy

Figure: EU and NATO member countries (map created on mapchart.net, https://mapchart.net/)


2016 summer      The interior ministers of Germany and France requested revision of laws to require messaging apps to install “encryption backdoors” to allow the police to access encrypted data.
March 26, 2017   As a result of the London terrorist incident on March 22, the UK home secretary stated that encrypted messaging services should be compelled to provide the police with access to information.
March 27, 2017   Similarly, German and French interior ministers stated that Internet service providers and providers of VoIP services (including messaging services) should also be required to provide data.

Intelligence Activity Trends in Countries

Besides investigating the role of intelligence activities by foreign countries, countries are preparing specific measures against intervention by foreign governments in their own elections.

・There are both actions supporting and opposing intelligence activities within a country.
・Russia was suspected of interfering with the U.S. presidential election held in November 2016 through cyberattacks. As a result, other countries have prepared various measures against cyberattacks on their own elections.

(1) NSA to share intercepted raw data with intelligence agencies
(2) The European Commission seeks to give greater access to encrypted data
(3) The Dutch legislature has drafted a bill to expand interception of communication
(4) Storage of metadata of international phone calls prohibited in Germany
(5) Warning on cyberattacks on elections
(6) Dutch election votes counted by hand
(7) NSA document of investigation of Russian interference in U.S. presidential election leaked
(8) The U.S. government prohibited the use of Kaspersky Lab products
(9) The U.S. Senate voted to ban Kaspersky products
(10) Kaspersky Lab released the results of its internal investigation

(1) NSA to share intercepted raw data with intelligence agencies

●On January 3, 2017, the U.S. Department of Justice (DOJ) set rules permitting the sharing of intelligence data intercepted by the U.S. National Security Agency (NSA) with 16 other intelligence agencies.

NSA emblem URL: https://www.nsa.gov/about/cryptologic-heritage/center-cryptologic-history/insignia/assets/img/nsa-insignia-sm.png

・On the basis of Executive Order 12333, the NSA has been conducting SIGINT (signals intelligence) activities domestically and abroad, such as intercepting the communications of foreign persons. The new rules make it possible to share the raw data obtained with 16 other intelligence agencies, including the CIA and military intelligence branches.
・Intercepted data include
  ・Satellite communications
  ・Communications through switching equipment in foreign countries (telephone calls, email)
  ・Communications between foreign countries through domestic switching equipment
・General personal information of U.S. citizens obtained through intelligence activities targeting foreign countries can be used for domestic investigations without consideration of privacy. Human rights organizations have expressed concern about this point.
・In the past, the parts of such information impinging on the privacy of U.S. citizens were removed before being shared with other intelligence agencies.

(2) The European Commission seeks to give greater access to encrypted data

●It was reported that on March 28, 2017, the European Commission planned to submit a draft framework in June for requesting operators to release encrypted data held by messaging applications.

・An increase in requests for data access in EU countries led to the announcement of this plan.
・EU Justice Commissioner Věra Jourová said she would propose several options for providing access to encrypted messages, in order to improve the current situation, which relies on the voluntary cooperation of companies, and to ease law enforcement agencies’ demands for information from messaging app companies.
・Examples of options: enacting legislation to compel the provision of data; signing an agreement between a company and a law enforcement agency to provide data.

(3) The Dutch legislature has drafted a bill to expand interception of communication

●On July 12, 2017, the Dutch Senate passed an information security bill that broadens the scope of communications interception and network surveillance by Dutch intelligence agencies.

The Dutch Senate Chamber URL: https://en.wikipedia.org/wiki/Senate_(Netherlands)

・The information security bill was also called the “tapping law.” It received much criticism from human rights organizations. However, it is expected to be signed into law by the king after passing in the Senate.
・The new law would give Dutch intelligence agencies greater surveillance rights.
  ・Not only terrorist suspects and suspects of major crimes but also associates under investigation could be monitored and subject to communications interception.
  ・Sharing of intelligence with other agencies such as the NSA and GCHQ would be permitted.
  ・ISPs can be asked to retain data for three years.
・Minister of the Interior Ronald Plasterk stated that a new law was needed to protect the country and its high-tech industries from terrorists and cyberattacks.
・The Dutch human rights organization Bits of Freedom warned that intelligence agencies could eavesdrop on massive amounts of network traffic without a clear justification and without restrictions.

(4) Storing metadata of international phone calls prohibited in Germany

●Germany’s Federal Court of Justice ruled on December 14, 2017, that the Federal Intelligence Service (BND) could not store the metadata of international phone calls for intelligence purposes.

Germany’s Federal Court of Justice URL: https://upload.wikimedia.org/wikipedia/commons/thumb/b/be/Federal_Administrative_Court_Leipzig_at_night_2_%28aka%29.jpg/330px-Federal_Administrative_Court_Leipzig_at_night_2_%28aka%29.jpg

・Since 2002, the BND had been using VERAS (Verkehrs-Analyse-System, or Traffic Analysis System) to gather, store, and use international phone call metadata for intelligence purposes.
・In June 2015, Reporters Without Borders (RSF) filed a lawsuit arguing that the BND had no legal basis for storing detailed communication records of international phone calls.
・The Federal Court of Justice ruled that telephone call metadata fell under Article 10 of Germany’s constitution, which states that the privacy of correspondence, posts and telecommunications is “inviolable.” It ruled that the BND’s “collection, storage, and use” of phone call metadata required “restrictions” to Article 10 pursuant to a law. However, at the current point in time, such a law was absent.
・Article 10 of Germany’s Basic Law (constitution) [Privacy of correspondence, posts and telecommunications]
  (1) The privacy of correspondence, posts and telecommunications shall be inviolable.
  (2) Restrictions*1 may be ordered only pursuant to a law.

*1 Confidentiality is recognized as inviolable under Article 10 (1), and legal intervention is required in order to restrict it.

(5) Warning on cyberattacks on elections

●The U.S. investigation concluded that Russia used cyberattacks to interfere with the U.S. presidential election. A sense of caution was heightened during France’s presidential election.

ODNI report URL: https://www.dni.gov/files/documents/ICA_2017_01.pdf

・On January 6, 2017, the U.S. Office of the Director of National Intelligence (ODNI) issued a report evaluating Russian activities involving the U.S. election.
  ・ODNI concluded that Russian President Putin ordered Russian intelligence to influence the U.S. election so that Trump would become the U.S. president.
  ・The CIA and FBI regarded this assessment with a high level of confidence. The NSA (National Security Agency) regarded it with mid-level confidence.
  ・The report stated its belief that Russia’s military intelligence agency was involved in the disclosure of Hillary Clinton’s emails to WikiLeaks.
  ・Russian intelligence agencies had gained access to several state and local election systems.
  ・The U.S. Department of Homeland Security (DHS) concluded that these breaches had no impact on future elections.


・On January 6, 2017 (the same day as the release of the ODNI report), U.S. DHS Secretary Jeh Johnson stated that election infrastructure was a critical infrastructure subsector.
  ・Although the processes of managing and implementing elections by states and municipalities would not change, election infrastructure would become a priority for the cybersecurity protection provided by the DHS.
・On January 8, 2017, French Minister of Defence Jean-Yves Le Drian expressed concern over the French presidential election*2 in an interview published in Le Journal du Dimanche.
  ・In 2016, the French Defence Ministry received about 24,000 external cyberattacks.
  ・It could not be confirmed at present that the French presidential election was targeted by a destabilization operation.
  ・However, because such an operation took place in the U.S., it cannot be ruled out that such an operation would bring turmoil to the French election.

French Defence Minister Le Drian URL: http://www.bbc.com/news/world-europe-38546415

*2 The French presidential election was held from April to May 2017.

(6) Dutch election votes counted by hand

●Instead of using vote-counting software, which is vulnerable to hacking, the Dutch government decided to count the votes of the parliamentary election held on March 15, 2017, by hand.

Vote-counting by hand URL: http://www.dw.com/en/dutch-to-hand-count-ballots-in-march-vote-due-to-hacking-fears/a-37375137

・Vulnerabilities in the vote-counting software “OSV,” which were pointed out by experts on January 30, 2017, brought widespread concern about the results of elections (The Register, February 2).
  ・Parts of the vote-counting system use Windows XP, SHA-1, and insecure USB memory sticks to transfer voting data, etc.
・On February 1, 2017, Interior Minister Ronald Plasterk decided that votes would be counted by hand.
  ・He stated, “The cabinet cannot exclude the possibility that state actors might gain advantage from influencing political decision-making and public opinion in the Netherlands and might use means to try and achieve such influence.”
・Citing the example of the U.S., the NATO deputy secretary-general said that electronic vote-counting should be reconsidered due to the risk to the credibility of the results.

(7) NSA document of investigation of Russian interference in U.S. presidential election leaked

●An NSA document with the highest security classification, investigating cyberattacks carried out by the GRU*3 against election-related organizations ahead of the U.S. presidential election, was leaked.

Portion of leaked document URL: https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/

・The Intercept published the anonymously provided document on June 5, 2017.
・The document was dated May 5, 2017, and detailed the results of an investigation of how the GRU carried out cyberattacks on the 2016 U.S. presidential election.
  ・In August 2016, a cyberattack was carried out against the voting system software vendor VR Systems.
  ・Due to this attack, 122 email addresses of election officials in charge of voter registration were obtained. Phishing emails were sent to them days before the election.
・No conclusions were reached on the impact of this interference on voting results.
・On June 6, 2017, the Russian government denied the reported allegations.

*3 Russian military intelligence agency

(8) The U.S. government prohibited the use of Kaspersky Lab products

●The U.S. Senate Committee on Armed Services expressed concern over the relationship between Kaspersky and the Russian government. The following fiscal year, use of the company’s security products in the Defense Department was banned.

Draft of the National Defense Authorization Act URL: https://www.armed-services.senate.gov/imo/media/doc/FY18%20NDAA%20Summary6.pdf

・The draft of the 2018 National Defense Authorization Act included an item prohibiting the use of Kaspersky products in the Defense Department.
・The concern was based on the fact that Kaspersky Lab CEO Eugene Kaspersky received training in the past from the KGB and served in the Soviet military intelligence branch.
  ・Kaspersky himself has not talked about his involvement during the Soviet era, and to date has been repeatedly suspected of association with the Russian government.
・It is reported that the FBI has brought in Kaspersky employees in various U.S. locations for voluntary questioning.
・To clear suspicions of espionage on behalf of the Russian government, Kaspersky Lab has offered to reveal the source code of its security products.
  ・Kaspersky said he was prepared to testify before the U.S. Congress.

(9) The U.S. Senate voted to ban Kaspersky products

●On September 18, 2017, the U.S. passed the bill that included banning the use of Kaspersky Lab products in federal agencies.

・The U.S. government is concerned about Kaspersky Lab’s alleged ties with the Russian government, and is asking consumers not to use its products.
・Meanwhile, it was reported on September 20 that Kaspersky is providing cybersecurity tools to the Brazilian Armed Forces.
・Kaspersky Lab states that “it does not have unethical ties or affiliations with any government.”

U.S.’s handling of Kaspersky Lab products

September 8, 2017    Major U.S. electronics retailer Best Buy confirmed that it would stop selling Kaspersky Lab products.
September 13, 2017   The U.S. DHS announced that it has asked federal agencies to remove Kaspersky products within 90 days.
September 18, 2017   The U.S. Senate passed a revised bill of the annual National Defense Authorization Act, which included banning the use of Kaspersky products by the federal government.

(10) Kaspersky Lab released the results of its internal investigation

●Kaspersky Lab released the results of its internal investigation concerning the leak of NSA confidential information. It stated the possibility that the affected PC was already infected with multiple pieces of malware and had been infiltrated by an unknown attacker.

Announcement by Kaspersky Lab URL: https://securelist.com/investigation-report-for-the-september-2014-equation-malware-detection-incident-in-the-us/83210/

・On November 16, 2017, Kaspersky Lab released “Investigation Report for the September 2014 Equation malware detection incident in the US.”
  ・On October 5 of the same year, the Wall Street Journal reported that confidential NSA data was leaked to Russia through Kaspersky products. The company then carried out its own investigation.
・Main findings of the report
  ・As reported by the Wall Street Journal, compressed files containing Equation malware were detected on an NSA contractor’s home PC, the source of the information leak. In accordance with the workings of the product, those files were sent to the company’s servers (from September 11 to November 17, 2014).
  ・Because the detected compressed files contained both the source code of the malware and confidential materials, the CEO directed the deletion of the files.
  ・After the detection of the malware, the NSA contractor installed a pirated version of Microsoft Office 2013, which included a pirated software activation tool. Kaspersky believes that its products were deactivated when this tool was run.
  ・For a two-month period from September to November 2014, 121 instances of malware infection, including the backdoor Mokes,*4 were found. Kaspersky thus reached the conclusion that it was highly possible that the PC had been infiltrated by an unknown attacker.
・Meanwhile, on November 28, 2017, Nextgov reported that DHS had completed phase 2 of its operation to remove Kaspersky products from federal agencies.
  ・Phase 1: Confirm whether or not Kaspersky products were installed.
  ・Phase 2: Establish a plan to remove and replace Kaspersky products.
  ・Phase 3 (final stage): Remove Kaspersky products (deadline: December 19, 2017).

Report by Nextgov URL: http://www.nextgov.com/cybersecurity/2017/11/government-has-completed-phase-two-kaspersky-ban/142836/

*4 AKA “Smoke Bot” and “Smoke Loader.” A Trojan created by Russian hackers in 2011 and sold in Russian underground forums.

2-2 Summary of Security Topics − ❶ Trends of Governments of Various Countries

18

Worldw

ide Cybersecurity C

ases

2

Page 19: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

*2 The French presidential election was held from April to May 2017.

*3 Russian military intelligence agency

French Defence Minister Le DrianURL:

(6) Dutch election votes counted by hand

Vote-counting by handURL:

・Vulnerabilities in vote-counting software “OSV,” which were pointed out by experts on January 30, 2017, brought widespread concern about the results of elections (The Register, February 2).・Parts of the vote-counting system use Windows XP, SHA-1, and unsecure

USB memory sticks to transfer voting data, etc.・On February 1, 2017, Interior Minister Ronald Plasterk decided that votes

would be counted by hand.・He stated, “The cabinet cannot exclude the possibility that state actors

might gain advantage from influencing political decision-making and public opinion in the Netherlands and might use means to try and achieve such influence.”

・Raising the example of the U.S, the NATO deputy secretary-general said that electronic vote-counting should be reconsidered due to the risk to the credibili-ty of the results.

(7) NSA document of investigation of Russian interference in U.S. presidential election leaked

Portion of leaked documentURL: https://theintercept.com/2017/06/05/

top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/

●A NSA document with the highest security classification investigat-ing cyberattacks carried out by the GRU*3 against election-related organizations ahead of the U.S. presidential election was leaked.

・The Intercept published the anonymously provided document on June 5, 2017.・The document was dated May 5, 2017, and detailed the results of an investi-

gation of how the GRU carried out cyberattacks on the 2016 U.S. presiden-tial election.・In August 2016, a cyberattack was carried out against voting system

software vendor VR Systems.・Due to this attack, 122 email addresses of election officials in charge of

voter registration were obtained. Phishing attack emails were sent to them days before the election.

・No conclusions were reached on the impact of this interference of voting results.

・On June 6, 2017, the Russian government denied the reported allegations.

・On January 6, 2017 (the same day as the release of the ODNI report), U.S. DHS Secretary Jeh Johnson stated that election infrastructure was a critical infrastructure subsector.・Although the processes of managing and implementing elections by states

and municipalities would not change, election infrastructure would become a priority for cybersecurity protection provided by the DHS.

・On January 8, 2017, French Minister of Defence Jean-Yves Le Drian expressed concern over the French presidential election*2 in an interview published in Le Journal du Dimanche.・In 2016, the French Defence Ministry received about 24,000 external

cyberattacks. ・It could not be confirmed at present that the French presidential election

was targeted by a destabilization operation.・However, because such an operation took place in the U.S. it cannot be

denied that it brought turmoil to the French election.

(8) The U.S. government prohibited the use of Kaspersky Lab products

Draft of the National Defense Authorization Act (URL: https://www.armed-services.senate.gov/imo/media/doc/FY18%20NDAA%20Summary6.pdf)

●The U.S. Senate Committee on Armed Services expressed concern over the relationship between Kaspersky and the Russian government. For the following fiscal year, use of the company’s security products in the Defense Department was banned.

・The draft of the 2018 National Defense Authorization Act included an item prohibiting the use of Kaspersky products in the Defense Department.
・The concern was based on the fact that Kaspersky Lab CEO Eugene Kaspersky received training in the past from the KGB and served in the Soviet military intelligence branch.
・Kaspersky himself has not talked about his involvement during the Soviet era, and to date has been repeatedly suspected of association with the Russian government.
・It is reported that the FBI has brought in Kaspersky employees in various U.S. locations for voluntary questioning.
・To clear suspicions of espionage on behalf of the Russian government, Kaspersky Lab has offered to reveal the source code of its security products.
・Kaspersky said he was prepared to testify before the U.S. Congress.

●Instead of using vote-counting software, which is vulnerable to hacking, the Dutch government decided to count the votes of the parliamentary election held on March 15, 2017, by hand.

http://www.dw.com/en/dutch-to-hand-count-ballots-in-march-vote-due-to-hacking-fears/a-37375137
http://www.bbc.com/news/world-europe-38546415

(9) The U.S. Senate voted to ban Kaspersky products

●On September 18, 2017, the U.S. passed the bill that included banning the use of Kaspersky Lab products in federal agencies.

・The U.S. government is concerned about Kaspersky Lab’s alleged ties with the Russian government, and is asking consumers not to use its products.
・Meanwhile, it was reported on September 20 that Kaspersky is providing cybersecurity tools to the Brazilian Armed Forces.
・Kaspersky Lab states that “it does not have unethical ties or affiliations with any government.”

U.S. handling of Kaspersky Lab products
・September 8, 2017: Major U.S. electronics retailer Best Buy confirmed that it would stop selling Kaspersky Lab products.
・September 13, 2017: The U.S. DHS announced that it has asked federal agencies to remove Kaspersky products within 90 days.
・September 18, 2017: The U.S. Senate passed a revised bill of the annual National Defense Authorization Act, which included banning the use of Kaspersky products by the federal government.

(10) Kaspersky Lab released the results of its internal investigation

Announcement by Kaspersky Lab (URL: https://securelist.com/investigation-report-for-the-september-2014-equation-malware-detection-incident-in-the-us/83210/)

●Kaspersky Lab released the results of its internal investigation concerning the leak of NSA confidential information. It stated the possibility that the affected PC was already infected by multiple malware and infiltrated by an unknown attacker.

・On November 16, 2017, Kaspersky Lab released “Investigation Report for the September 2014 Equation malware detection incident in the US.”
・On October 5 of the same year, the Wall Street Journal had reported that confidential NSA data was leaked to Russia through Kaspersky products. The company then carried out its own investigation.
・Main findings of the report:
・As reported by the Wall Street Journal, compressed files containing Equation malware were detected on an NSA contractor’s home PC, the source of the information leak. In accordance with the workings of the product, those files were sent to the company’s servers (from September 11 to November 17, 2014).
・Because the detected compressed files contained both the source code of the malware and confidential materials, the CEO directed the deletion of the files.
・After the detection of the malware, the NSA contractor installed a pirated version of Microsoft Office 2013, which included a pirated software activation tool. Kaspersky believes that its products were deactivated when this tool was run.
・For a two-month period from September to November 2014, 121 instances of malware infection, including the backdoor Mokes,*4 were found. Kaspersky thus concluded that it was highly possible that the PC had been infiltrated by an unknown attacker.
・Meanwhile, on November 28, 2017, Nextgov reported that DHS had completed phase 2 of its operation to remove Kaspersky products from federal agencies.
・Phase 1: Confirm whether or not Kaspersky products were installed.
・Phase 2: Establish a plan to remove and replace Kaspersky products.
・Phase 3 (final stage): Remove Kaspersky products (deadline: December 19, 2017).

Report by Nextgov (URL: http://www.nextgov.com/cybersecurity/2017/11/government-has-completed-phase-two-kaspersky-ban/142836/)

*4 AKA “Smoke Bot” and “Smoke Loader.” Trojan created by Russian hackers in 2011 and sold in Russian underground forums.

2-2 Summary of Security Topics − ❶ Trends of Governments of Various Countries


China Tightens Regulations

In 2017, the Chinese government tightened a variety of telecommunications regulations.

・Transferring data outside the country became strictly regulated.
・Regulation of information on the Internet began, and online posters are required to use their real names.

(1) Regulations on provision of VPN in China
(2) Audit bill on moving data out of China
(3) Tightening of regulations on information on the Internet in China
(4) Law requires real names when posting online in China
(5) Responses to the Cybersecurity Law of the People’s Republic of China

(1) Regulations on provision of VPN in China

Image of Great Firewall (URL: https://www.vpnanswers.com/bypass-great-firewall-hide-openvpn-in-china-2015/)

●VPN providers in China are required to gain authorization from the Chinese government.

・The Chinese government introduced the new regulations on January 22, 2017.
・Providers of VPNs that circumvent the Great Firewall must be authorized by the government.
・The new regulation applies to ISPs, cloud service providers, and VPN resellers.
・The stated purpose is to promote sound and orderly social growth.
・Businesses must apply to local governments for authorization.
・China.org.cn reported that users of companies such as Astrill*1 could not use their VPN on Chinese soil.

Public website of regulations (URL: http://www.cac.gov.cn/2017-05/02/c_1120902760.htm)

(2) Audit bill on moving data out of China

●A new audit bill on the moving of data out of China by companies was announced.

・Reuters reported that the CAC*2 announced an audit bill on April 11, 2017.
・Companies that move data out of China are subject to annual security audits.
・Condition: when a company seeks to move out data that exceed 1,000 GB or contain information on more than 500,000 users.
・Targets of review: security measures of applicable companies and the data moved out.
・In cases where there is concern that moving data out of China (economic data, technical data, academic data) affects security or is contrary to the public good, it is prohibited.
・To move data out of the country, the company is required to get users’ consent.
・Public comments were accepted until May 11, 2017.

CAC logo (URL: http://www.cac.gov.cn/english/cyber.htm)

(3) Tightening of regulations on information on the Internet in China

●The CAC ordered the partial suspension of five major news media websites based on regulations related to Internet news services announced on May 2, 2017.

・In China, new regulations on Internet news services were announced on May 2, 2017.
・The regulations distinguish between news gathering/creation organizations and news organizations that provide news and services.
・Organizations that gather information and create news must obtain a national license.
・On May 9, 2017, the Chinese media reported that five major news media websites in the country were ordered by the CAC to suspend their streaming news services on the basis of the above regulations.
・The reason was that they created news on their own and reported those contents.

(4) Law requires real names when posting online in China

Public announcement by CAC (URL: http://www.cac.gov.cn/2017-08/25/c_1121541921.htm)

●“The Diplomat” reported that the CAC enacted a law requiring real names when posting online.

・The CAC announced the new law on August 25, 2017.
・The new law applies to Internet companies and service providers.
・Online posters are required to verify their identity.
・The contents posted by users are strictly managed.
・The stated purpose of the new law is to promote the sound and orderly growth of online communities.
・Enforcement of the law began on October 1, 2017.
・The CAC also clarified its policy of censoring posted contents.
・Examples: content that harms the honor and interests of the country, content that promotes ethnic discrimination, content that harms national unity, etc.
・“The Diplomat” reported that the policy was broad and vague.

(5) Responses to the Cybersecurity Law of the People’s Republic of China

CNITSEC and MSS (URL: https://www.recordedfuture.com/china-cybersecurity-law/)

●The U.S. expressed opposition to the Cybersecurity Law of the People’s Republic of China, enacted in June 2017.

・The law requires companies operating in China to provide source code to the government for review, and to store data of Chinese users within the country.
・Recorded Future pointed out that CNITSEC*3, which has the authority to review source code, is an MSS*4 agency. The company raised the suspicion that the threat group APT3 is associated with the MSS, and observed that vulnerabilities found during the review process might not be disclosed but instead used for the threat group’s activities.
・Arguing that the Chinese Cybersecurity Law hinders the business activities of global companies providing cross-border services, the U.S. called for debate at the World Trade Organization (WTO) to request that China refrain from implementing the law.

*1 Other affected companies included StrongVPN and Golden Frog.
*2 CAC: Cyberspace Administration of China
*3 CNITSEC: China National Information Technology Security Evaluation Center
*4 MSS: Ministry of State Security (intelligence and security agency of China)

Investigation of Cryptocurrencies and Regulations in Various Countries

As cryptocurrencies become more and more popular, countries have begun efforts to prevent their misuse, such as for money laundering.

・Due to their involvement in money laundering, several cryptocurrency exchanges were shut down.
・Countries have begun actions to regulate ICOs (initial coin offerings).

(1) Arrest of cryptocurrency exchange co-founder
(2) U.S., Russian, Chinese, South Korean cryptocurrency regulations
(3) European cryptocurrency regulations

(1) Arrest of cryptocurrency exchange co-founder

The amount of damage rose sharply in 2016. (URL: https://www.blackhat.com/docs/us-17/wednesday/us-17-Invernizzi-Tracking-Ransomware-End-To-End.pdf)

●Alexander Vinnik (age 38), a co-founder of cryptocurrency exchange “BTC-e,” was arrested. This exchange was used to launder a vast amount of money.

・It was reported on July 27, 2017, that Alexander Vinnik had been arrested.
・Vinnik was one of the founders of cryptocurrency exchange “BTC-e.”
・The U.S. filed 21 counts of money laundering against him.
・He allegedly operated an unauthorized financial service that laundered about 4 billion U.S. dollars.
・The charges also included receiving money stolen from Bitcoin exchange “Mt Gox.”
・At “Black Hat USA 2017,” Google released its survey on ransomware.
・The use of Bitcoin is favored by criminals: transactions are irreversible, and it is easy to convert Bitcoin to cash.
・The survey found 154,227 instances of ransomware from 34 variants.
・Of these, 95% used “BTC-e” to cash out.


(2) U.S., Russian, Chinese, South Korean cryptocurrency regulations

IRS building (URL: https://themerkle.com/us-government-files-a-stern-response-to-ongoing-irs-coinbase-case/)

●As cryptocurrencies move into general society, countries have begun controlling them.

・The U.S. IRS*1 issued a summons for disclosure of information to cryptocurrency exchange Coinbase as part of its investigation of tax evasion.
・In November 2016, it issued a summons seeking information about users from 2013 to 2015.
・Bitcoin users opposing this filed a class action lawsuit.
・On September 1, 2017, a U.S. court ruled that the IRS summons had a legitimate purpose. The U.S. government demanded that Coinbase disclose the information.
・Russia is considering the possibility of restricting cryptocurrency users.
・Deputy Finance Minister of Russia Alexey Moiseev announced a plan to restrict the purchase of cryptocurrencies to qualified investors (The Merkle).
・The Russian government is planning education about cryptocurrencies to improve financial literacy (Russian News Agency TASS).
・The BBC and other media reported on September 4, 2017, that the Chinese government had announced the banning of ICOs*2 in the entire country.
・The People’s Bank of China said that the ban was enacted due to fear of disruption to financial order, as many ICOs are carried out for speculative purposes.
・In July 2017, the U.S. Securities and Exchange Commission (SEC) also suggested the need to monitor ICOs.
・The BBC reported on September 19, 2017, that the Chinese government had decided to temporarily shut down all Bitcoin exchanges in the country.
・Exchanges had to submit plans for ceasing operations by September 20.
・A website set up by China’s central bank explained that cryptocurrencies were being “used as tools to commit crimes, such as money laundering, dealing drugs, smuggling, and illegal collection of money.”
・The Chinese government plans to relax regulations on cryptocurrency transactions after establishing monitoring methods such as a licensing system and a system to prevent money laundering.
・On September 29, 2017, Reuters and other media outlets reported that the South Korean government had banned all raising of money through cryptocurrencies.
・The South Korean Financial Services Commission (FSC) stated the need to strictly monitor and manage cryptocurrency transactions, and that all ICOs are to be banned.
・It stated that it was studying methods to authenticate users during cryptocurrency transactions to ensure transaction transparency and protect consumers. It was also studying measures to strengthen the reporting of fraudulent transactions.
・Reuters reported that the JP Morgan CEO said Bitcoin “is a fraud.”
・He said that cryptocurrency was a bubble and “worse than tulip bulbs.” He said he would “fire in a second” employees who traded Bitcoin. “It's against our rules and they are stupid.”
・As a result of the comments, the appraised value of Bitcoin fell 10%.

Webpage for viewing quotes of cryptocurrencies (URL: https://coinmarketcap.com/all/views/all/)
JPMorgan CEO James Dimon (URL: https://commons.wikimedia.org/wiki/File:The_Global_Financial_Context_James_Dimon.jpg)

(3) European cryptocurrency regulations

●As part of efforts to shut down money laundering and the flow of funds to terrorist organizations, the UK and EU considered regulations that required the identification of cryptocurrency users.

・The Telegraph reported that the UK economic secretary to the Treasury is studying regulations to identify the users of cryptocurrencies.
・The purpose is to shut down money laundering and the flow of funds to terrorists.
・The Treasury has also requested technical assistance regarding money laundering to elucidate the risks of cryptocurrencies.
・On December 15, 2017, the European Parliament's Committee on Economic and Monetary Affairs (ECON) announced the “Revision of the Fourth Anti-Money-Laundering Directive.” The directive includes the requirement for EU member states to identify customers of cryptocurrency exchanges and wallet services.
・The purpose is to prevent the use of cryptocurrencies in criminal and terrorist activities.
・According to news service Reuters, the French finance minister told local media “LCI” that regulation of Bitcoin would be on the agenda at the G20 scheduled to be held in April 2018.

Announcement by ECON (URL: http://ec.europa.eu/newsroom/just/document.cfm?action=display&doc_id=48935)

*1 IRS: Internal Revenue Service (revenue service of the U.S. federal government)
*2 ICO: Initial Coin Offering (means of raising capital using cryptocurrency)

Summary of Cases: Trends of Governments of Various Countries

・After U.S. President Trump assumed office, he appointed Ajit Pai as FCC chairman. The U.S. government’s stance toward the role of the Internet underwent a major shift. The move toward the abolition of net neutrality began. The view of broadband as a public service changed to broadband as a marketing venue.
・Cyberspace is being considered by many authorities as the next battlefield after traditional land, sea, air, and space.
・Besides investigating the role of intelligence activities by foreign countries, countries are preparing specific measures against intervention by foreign governments in their own elections.
・In 2017, the Chinese government tightened a variety of telecommunications regulations. Moving data outside the country is prohibited. In addition, information on the Internet is being tightly regulated, and users posting comments are now required to use their real names.
・As cryptocurrencies become more and more popular, countries have begun efforts to prevent their misuse, such as money laundering. Cryptocurrency exchanges were shut down and ICOs were banned by governments.


❷ Major Vulnerabilities

Summary

Vulnerabilities in IoT Devices

Many IoT-related vulnerabilities have been reported. These include vulnerabilities in libraries for IoT communication and in inter-device communication standards. The ROCA vulnerability in particular had a major effect on the national ID cards used in Estonia, requiring a government response.

(1) “Devil’s Ivy” vulnerability, which affected many IoT devices
(2) DoS vulnerability in the CAN standard
(3) Vulnerabilities in serial-to-Ethernet converters
(4) ROCA
(5) Estonian electronic ID card incident
(6) Vulnerability in Broadcom Wi-Fi chips
(7) Flaw in the “Atom C2000” chip

(1) “Devil’s Ivy” vulnerability, which affected many IoT devices
● The vulnerability “Devil’s Ivy” was discovered. This flaw in the “gSOAP” library used by IoT devices such as surveillance cameras makes remote code execution possible.
・Researchers at the IoT security company Senrio discovered the vulnerability (CVE-2017-9765) in the open source “gSOAP” library and named it “Devil’s Ivy.” The vulnerability leads to a stack overflow.
・gSOAP is a library that enables Internet communication in a variety of devices.
・The vulnerability was discovered while examining Axis Communications dome cameras; on those cameras it made it possible to access the video feed remotely and to deny the owner access to the video feed.
・Several tens of millions of products were at risk, including software products and connected devices that use gSOAP.
・Genivia, which provides gSOAP, released a patch on June 21, 2017.

Axis M3004 camera, which was found to be vulnerable.
URL: http://blog.senr.io/devilsivy.html

*1 CAN: Controller Area Network

(2) DoS vulnerability in the CAN standard
● Joint research by the Polytechnic University of Milan, Linklayer Labs, and Trend Micro revealed that the CAN*1 standard has a DoS vulnerability.
・The CAN standard is set forth in ISO 11898. It is a standard for message communication between devices on a controller area network (CAN), which connects the systems inside an automobile.
・When a message is recognized as corrupted, equipment connected to the CAN sends an error message that causes the corrupted message to be discarded and re-sent.
・When a particular device sends a great number of error messages, it is cut off from the CAN.
・The attacker attaches an attack device to the CAN. The attack device corrupts the messages of the device the attacker wishes to cut off from the CAN. This makes it possible to incapacitate the targeted device.
・Physical access to the vehicle is assumed to be necessary. However, because the vulnerability lies in the standard’s handling of error messages, the problem is difficult to deal with.

Attack device connected inside a car.
URL: https://documents.trendmicro.com/assets/A-Vulnerability-in-Modern-Automotive-Standards-and-How-We-Exploited-It.pdf
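The cut-off described above is a consequence of the fault-confinement rules in ISO 11898-1: each error frame raised against a node's transmission adds 8 to its transmit error counter, each acknowledged frame subtracts 1, and above 255 the node takes itself off the bus. The following added example (not code from the NTT report or from the cited research) models those counters and adds a simple bus monitor, constructed here, that alarms when one identifier attracts an abnormal number of error frames in a short window, which is the observable a defender can watch for on a vehicle or test bench.

```python
"""Fault-confinement counters of a CAN node, per ISO 11898-1, plus a
constructed error-frame monitor. Added example, not the report's code."""
from collections import deque

ERROR_PASSIVE_LIMIT = 127   # TEC above this: node becomes error-passive
BUS_OFF_LIMIT = 255         # TEC above this: node disconnects itself (bus-off)


class CanNode:
    """Transmit-side fault-confinement state of a single CAN node."""

    def __init__(self):
        self.tec = 0  # transmit error counter

    def transmit_error(self):
        """An error frame was detected while this node was transmitting."""
        self.tec += 8

    def transmit_ok(self):
        """The frame was acknowledged; the counter decays by one."""
        if self.tec > 0:
            self.tec -= 1

    def state(self):
        if self.tec > BUS_OFF_LIMIT:
            return "bus-off"
        if self.tec > ERROR_PASSIVE_LIMIT:
            return "error-passive"
        return "error-active"


def errors_to_bus_off(start_tec=0):
    """Consecutive transmit errors needed to drive a node from start_tec to bus-off."""
    node = CanNode()
    node.tec = start_tec
    count = 0
    while node.state() != "bus-off":
        node.transmit_error()
        count += 1
    return count


class ErrorStormMonitor:
    """Flags a CAN identifier whose frames attract an abnormal number of error
    frames inside a sliding time window (constructed detection logic)."""

    def __init__(self, window_s=1.0, threshold=8):
        self.window_s = window_s
        self.threshold = threshold
        self.events = {}  # can_id -> deque of timestamps (seconds)

    def observe_error_frame(self, can_id, ts):
        """Record an error frame seen for can_id at time ts.
        Returns True once the count within the window reaches the threshold."""
        q = self.events.setdefault(can_id, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold


if __name__ == "__main__":
    print("errors from a clean counter to bus-off:", errors_to_bus_off())  # 32
    mon = ErrorStormMonitor()
    for i in range(8):
        if mon.observe_error_frame(0x123, i * 0.1):
            print("alarm: error storm against identifier 0x123")
```

With a healthy node, a single error costs eight successful frames to recover, so a counter that only ever rises is itself a signal; the monitor threshold of 8 errors per second is a constructed value that a deployment would tune to the bus's normal error rate.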

We will introduce the particularly prominent vulnerabilities discovered in 2017.

● Vulnerabilities in IoT devices
● Vulnerabilities in critical infrastructure
● Vulnerabilities in cloud services
● Leak of vulnerabilities by the Shadow Brokers
● Other major vulnerabilities

*2 ROCA: Return of Coppersmith's Attack

(3) Vulnerabilities in serial-to-Ethernet converters
● Vulnerabilities were found in serial-to-Ethernet converters made by Moxa and Lantronix that are used in industrial control systems.
・Three vulnerabilities were found in the Moxa “NPort” serial-to-Ethernet converter and reported on November 17, 2017.
  ・Affected models: NPort 5110, 5130, and 5150, which carry out serial-to-Ethernet conversion.
  ・A firmware update has already been provided.
  ・Vulnerabilities: packet injection, data breach, resource depletion
  ・Attackers could crash a targeted device remotely.
  ・Affected devices confirmed online: 1,350 units (at the time of the news report)
  ・An attack on power facilities in Ukraine had targeted devices with the same function.
・A vulnerability in the Lantronix serial-to-Ethernet converter “UDS” was reported on December 1, 2017.
  ・Affected devices leak their Telnet passwords.
  ・The network device search engine Shodan found 6,464 converters with this vulnerability.
  ・A firmware update has already been provided.

NPort
URL: https://www.moxa.com/product/NPort_5100A.htm

(4) ROCA
● A vulnerability was discovered in which RSA key pairs are improperly generated by the encryption library provided by Infineon Technologies.
・The vulnerability in Infineon Technologies’ on-chip RSA library (CVE-2017-15361) was named ROCA.*2
・It was discovered by a joint research team that included Masaryk University.
・The private key could be determined from a public key generated by the vulnerable RSA library.
・The researchers were able to recover 1024-bit and 2048-bit RSA private keys.
・The problem lies in the library’s key generation method and does not jeopardize RSA encryption itself.
・Extent of impact and state of response
  ・Microsoft, Google, HP, Lenovo, and Fujitsu had already issued fixes by the time the vulnerability was disclosed.
  ・Security software company McAfee stated that although Android apps may be affected, there is little effect on Windows, Linux, OS X, and iOS.
  ・The Register news website reported that some ID card products from Gemalto, specifically “IDPrime .NET” access cards, were affected by the vulnerability.
  ・National ID cards issued by the Estonian government were also affected.
  ・The government is replacing the cards’ encryption certificates with new certificates.

Affected services
URL: https://crocs.fi.muni.cz/public/papers/rsa_ccs17

Advisory from Infineon
URL: https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160

2-2 Summary of Security Topics − ❷ Major Vulnerabilities


(5) Estonian electronic ID card incident
● A vulnerability was discovered in the electronic ID cards issued to Estonian citizens and residents. As a result, the ID cards were updated and about 760,000 cards were blocked.
・On September 5, 2017, it was reported that electronic ID cards issued by Estonia’s RIA*3 had a vulnerability.
  ・The vulnerability exists in ID cards issued after October 2014. It affected about 750,000 people.
  ・Experts said that it would cost about 60 billion euros to crack all the private keys.
  ・Estonia restricted access to the national ID card public key database.
・ArsTechnica reported on October 16, 2017, that the vulnerability in the Estonian electronic ID cards was ROCA.
  ・On his blog, cryptography researcher Daniel J. Bernstein asserted that the private keys could be cracked at 1/1000th of the cost stated by the Estonian government.
・On October 26, 2017, the Estonian government began offering security updates for electronic ID cards and certificates.
  ・The targets were electronic ID cards issued from October 16, 2014, to October 25, 2017.
  ・The update could be performed online through the electronic ID cards’ utility software.
・On November 3, 2017, the Estonian government halted the use of about 760,000 electronic ID cards considered to be vulnerable. It called on cardholders to exchange their cards for new electronic ID cards.
  ・Although no instances of electronic identity theft had yet been found, the sense of threat increased because the extent of the ROCA vulnerability’s effects was wider than initially expected.
  ・New electronic ID cards could be obtained at police service points.

*3 Agency regulating information systems in Estonia
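What made the Estonian response possible is that ROCA-affected keys can be recognized from the public key alone, so an issuer can inventory which certificates need replacing. The following added example (not code from the NTT report, from Infineon or from the Masaryk University team, although it applies the public-key test the researchers described) implements that fingerprint check. Primes produced by the affected library have the form p = k·M + (65537^a mod M), where M is the product of the small primes up to 167 (larger key sizes use a larger M that is still a multiple of this one), so N = p·q reduced modulo each small prime always lands in the subgroup generated by 65537; an ordinary modulus does so only with negligible probability. The ROCA-structured demo key built at the bottom is constructed for illustration and is not a real Infineon key.

```python
"""ROCA public-key fingerprint check. Added example, not the report's code."""

# Odd primes up to 167: every M used by the affected library is divisible by them.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _subgroup(g, r):
    """Elements of Z_r^* generated by g (r prime, g not divisible by r)."""
    members, x = set(), 1
    while True:
        x = x * g % r
        members.add(x)
        if x == 1:
            return members


FINGERPRINT = {r: _subgroup(65537, r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True when n mod r lies in <65537> for every small prime r, i.e. the
    modulus shows the structure of the vulnerable key generator."""
    return all(n % r in FINGERPRINT[r] for r in SMALL_PRIMES)


# --- Constructed demo key with the vulnerable structure (not a real device key) ---
M = 2
for _r in SMALL_PRIMES:
    M *= _r  # 2*3*5*...*167, the M the library uses for 512-bit keys


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate for a demonstration."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_structured_prime(a, k_start):
    """First prime p = k*M + 65537^a mod M with k >= k_start (demo construction)."""
    base = pow(65537, a, M)
    k = k_start
    while not is_probable_prime(k * M + base):
        k += 1
    return k * M + base


def demo():
    """Fingerprint a constructed ROCA-style modulus and an ordinary one."""
    p = roca_structured_prime(12345, 2 ** 36)   # roughly 256 bits each
    q = roca_structured_prime(67890, 2 ** 36)
    ordinary = (2 ** 127 - 1) * (2 ** 89 - 1)   # two Mersenne primes, no structure
    return {"constructed_roca_key": has_roca_fingerprint(p * q),
            "ordinary_key": has_roca_fingerprint(ordinary)}


if __name__ == "__main__":
    print(demo())  # {'constructed_roca_key': True, 'ordinary_key': False}
```

A positive result says only that the key was produced by the weak generator; recovering the private key is a separate, expensive factorization, which is why the public-key test is the right tool for inventory and revocation rather than proof of compromise.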

(6) Vulnerability in Broadcom Wi-Fi chips
● A vulnerability called “BroadPwn” (CVE-2017-9417) was discovered in Broadcom Wi-Fi chips. A great number of devices were considered to be affected by this flaw.
・The vulnerability in Broadcom Wi-Fi chips was reported on July 27, 2017.
  ・Affected products: Broadcom BCM43xx series
  ・Affected devices: Android and iOS devices, etc.
  ・Vulnerability: remote code execution possible. CVSS v3 score of 9.8
  ・State of response: Google and Apple have provided patches.
・This vulnerability was discovered by researchers at Exodus Intelligence. They presented the results of their experiments at “Black Hat USA 2017,” held in July 2017.
  ・Attackers can take over a Wi-Fi-enabled device without user interaction.
  ・Several hundred SSIDs were collected in a crowded urban area over about an hour and surveyed.
  ・The result was that about 70% were using Broadcom Wi-Fi chips.
● A vulnerability (CVE-2017-11120) in Broadcom Wi-Fi chips was disclosed. The BroadPwn flaw had been discovered earlier in the company’s Wi-Fi chips.
・Google announced the vulnerability in Wi-Fi chips on September 26, 2017.
  ・Affected products: Broadcom Wi-Fi chip series “BCM4355C0”
  ・CVSS v3 base score: 9.8 critical (maximum score 10)
  ・A crafted reporter frame could cause a buffer overflow.
  ・When a device is connected to the attacker’s Wi-Fi network, a backdoor could be inserted into the device without requiring any action from the user.
  ・The vulnerability exists in both iOS and Android devices. It is fixed in iOS 11. Google has also provided a patch for Android devices.
・In July 2017, the vulnerability “BroadPwn” was discovered in the Broadcom Wi-Fi chip series BCM43xx. That flaw also allowed remote code execution by an attacker without requiring any action on the part of the user.

Broadcom logo
URL: https://jp.broadcom.com/company/about-us/

Broadcom Wi-Fi chip (example)
URL: https://www.amazon.co.uk/Broadcom-BCM4318-MiniPCI-Gateway-Fujitsu-Siemens/dp/B003HJBI5C

FAQ web page on the vulnerability in electronic ID cards
URL: https://www.id.ee/index.php?id=38066

Message from the Estonian government about blocking electronic certificates
URL: https://www.valitsus.ee/en/news/estonia-will-block-certificates-760-000-id-cards-evening-3-november

(7) Flaw in the “Atom C2000” chip
● The flaw in the “Atom C2000” could affect the products of several companies.
・Intel updated its documentation on the “Atom C2000” chip in January 2017.
  ・It reported that systems with the chip could fail to start up or stop working.
・In the first week of February 2017, Cisco announced that its products had a defect in their clock component.
  ・After about 18 months of operation, products may stop working or fail to start up.
  ・The affected products included ISR routers, Nexus switches, and ASA appliances.
・According to The Register, the phenomena described by both companies shared similarities. Several Dell products also used the same chip.
  ・Although Intel did not reveal a list of products using the Atom C2000 chip, the company told The Register it would fix the problem in the next shipment of the product.

(1) Fear of attacks against unprotected MQTT servers
● MQTT (Message Queuing Telemetry Transport) servers are widely used in IoT devices and industrial control systems, such as monitoring equipment and meters in power plants. In many cases they are left in an unprotected state.

Atom chip
URL: http://www.intel.co.jp/content/www/jp/ja/processors/atom/atom-c-processor.html

Lucas Lundgren
URL: https://www.rsaconference.com/events/us17/agenda/sessions/6671-lightweight-protocol-serious-equipment-critical

Vulnerabilities in Critical Infrastructure

It was observed that systems responsible for critical infrastructure, which were not designed with an Internet connection in mind, had insufficient security measures when they were connected to the Internet.

(1) Fear of attacks against unprotected MQTT servers
(2) Large-scale power outage due to vulnerabilities in solar power generation systems
(3) Current state of security in ship systems
(4) Vulnerabilities in the programmable logic controller (PLC) PFC200 series

(2) Large-scale power outage due to vulnerabilities in solar power generation systems
● A security researcher discovered numerous vulnerabilities in solar power generation equipment that makes up a large share of the market. He publicized an attack scenario and pointed out the risk of a large-scale power outage across a country.

・From a port scan, Lucas Lundgren of IOActive discovered 87,000 MQTT servers that were unencrypted or not password-protected.
・MQTT is a simple, bandwidth-efficient, lightweight messaging protocol for realizing an M2M (machine-to-machine) environment. It is used in servers that mediate between devices connected on a network.
・Applications of MQTT include prison surveillance systems, meter sensors in nuclear power plants, public transportation systems, and remote control of medical devices such as pacemakers and insulin pumps.
・Attackers can not only view unprotected messages on an MQTT server, they can also rewrite them to open or close prison doors, rewrite control system settings, etc.
・Lundgren pointed out that MQTT itself is not weak. The problem is using it without encryption or password protection.
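Lundgren's point is that the exposure is a deployment choice, and the choice is visible on the wire: an MQTT 3.1.1 CONNECT packet carries flags that say whether the client presented a username and password, and the TCP port (1883 plaintext, 8883 over TLS) says whether those credentials travelled encrypted. The following added example (not code from the NTT report or from Lundgren's research) parses a CONNECT packet as laid out in the MQTT 3.1.1 specification and produces the findings a network monitor or broker audit would raise; the two packets it builds are constructed for the demo, and `build_connect` exists only to produce them.

```python
"""Audit an MQTT 3.1.1 CONNECT packet for missing or exposed authentication.
Added example, not the report's code."""
import struct

CONNECT = 0x10  # packet type 1 in the high nibble of the fixed header byte


def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' field (1 to 4 bytes)."""
    value, mult = 0, 1
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")


def _field(buf, pos):
    """Read a field prefixed by a 2-byte big-endian length; returns bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_connect(packet):
    """Return the fields of a CONNECT packet as a dict (raises on malformed input)."""
    if packet[0] & 0xF0 != CONNECT:
        raise ValueError("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    if len(packet) - pos != length:
        raise ValueError("remaining length does not match packet size")
    name, pos = _field(packet, pos)
    if name != b"MQTT":
        raise ValueError("unexpected protocol name %r" % name)
    level, flags = packet[pos], packet[pos + 1]
    (keepalive,) = struct.unpack_from(">H", packet, pos + 2)
    pos += 4
    client_id, pos = _field(packet, pos)
    if flags & 0x04:                      # will flag: skip will topic and message
        _topic, pos = _field(packet, pos)
        _msg, pos = _field(packet, pos)
    username = password = None
    if flags & 0x80:                      # username flag
        username, pos = _field(packet, pos)
        username = username.decode("utf-8")
    if flags & 0x40:                      # password flag (binary data per spec)
        password, pos = _field(packet, pos)
    return {"level": level, "keepalive": keepalive,
            "client_id": client_id.decode("utf-8"),
            "username": username, "password": password}


def audit_connect(packet, dst_port):
    """Findings for one CONNECT observed towards dst_port; [] means nothing to flag."""
    c = parse_connect(packet)
    findings = []
    if c["username"] is None:
        findings.append("anonymous CONNECT (no username/password)")
    if dst_port != 8883:
        findings.append("plaintext transport on port %d" % dst_port)
        if c["password"] is not None:
            findings.append("password sent in the clear")
    return findings


def build_connect(client_id, username=None, password=None):
    """Encode a small CONNECT packet; used here only to construct demo input."""
    def s(text):
        b = text.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    flags = 0x02  # clean session
    payload = s(client_id)
    if username is not None:
        flags |= 0x80
        payload += s(username)
    if password is not None:
        flags |= 0x40
        payload += s(password)
    body = s("MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    return bytes([CONNECT, len(body)]) + body   # body < 128 bytes: one length byte


if __name__ == "__main__":
    print(audit_connect(build_connect("sensor-17"), 1883))
    print(audit_connect(build_connect("sensor-17", "meter", "s3cret"), 8883))
```

The same check, pointed at a broker's own configuration instead of its traffic, asks whether anonymous connections are allowed and whether a listener without TLS is exposed beyond the local network; either answer being "yes" reproduces the condition Lundgren found 87,000 times.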

・Dutch security researcher Willem Westerhof disclosed an attack scenario he called the “Horus Scenario,” which exploits vulnerabilities in solar power generation equipment.
  ・By attacking solar power generation facilities to cause massive fluctuations in energy output, the balance between supply and demand that supports the power grid could collapse, causing a power outage.
  ・In Europe, power grids are interconnected between countries so that energy can be lent, so there is a risk that a power outage in one area could spread across the entire continent.
・Westerhof discovered 21 vulnerabilities in solar power generation equipment from major industry manufacturer SMA Solar Technology of Germany.
  ・CVE numbers were assigned to 14 flaws. Of these, eight are critical.
  ・Because authentication is weak, power inverters could be hijacked.
  ・Carrying out a large number of attacks simultaneously to massively change the power output would overwhelm the power grid’s safeguards, resulting in a power outage.

Horus Scenario
URL: https://horusscenario.com/wp-content/uploads/2017/07/p2000x1200_sunsky2_logo-768x461.jpg


(3) Current state of security in ship systems
● Researchers at Pen Test Partners revealed that systems used on ships are connected to the Internet without security precautions.

Container ship
URL: http://www.zdnet.com/article/bad-passwords-and-weak-security-are-making-ships-an-easy-target-for-hackers/

Invite screen
URL: https://community.box.com/t5/コラボレーションと共有/コラボレータの招待-詳しい説明/ta-p/858

*1 ECDIS: Electronic Chart Display and Information System

Vulnerabilities in Cloud Services

Vulnerabilities in major cloud services were discovered. These flaws allowed a large number of customer information records to be leaked.

(1) Documents on Box.com could be searched on the Web
(2) Data leak found in Cloudflare service

・In the past, a ship’s navigation system, ECDIS*1, load management systems, etc. were connected only to the ship’s local network. These days, this local network is connected to the Internet. However, security measures have not caught up.
・Satellite communications terminals (security measures that should be prioritized because of their connection to the Internet)
  ・The default password is simple, and authentication does not use TLS.
  ・Information on the terminals could be found using “Shodan,” which searches equipment connected to the Internet by IP address.
・Threat of weak control systems
  ・By altering information such as the weight and position of freight, the ship could be destabilized, leading to an accident.
  ・Contraband could be smuggled by altering container information.

(1) Documents on Box.com could be searched on the Web
● Confidential documents could be breached on Box.com storage for corporate users.
・Box.com vulnerability discovered
  ・On January 3, 2017, Kaspersky Lab reported the flaw. Box.com had already repaired the problem.
  ・“Invite URLs” to collaborative Box.com accounts were turning up in Web search results.
  ・By using such a URL, anyone could access the collaborative document.
  ・With the default privileges, an attacker could view, edit, upload, etc.
・Affected documents
  ・More than 10,000 documents from companies including the following were exposed.
    ・Dell
    ・Discovery Communication
    ・Illumina

(4) Vulnerabilities in the programmable logic controller (PLC) PFC200 series
● It was revealed that the PFC200 series of programmable logic controllers, used in the automated control of farm equipment, had a vulnerability that allowed malicious remote control.

Affected products
URL: https://eshop.wago.com/JPBC/0_5StartPage.jsp

・Security company SEC Consult announced that 17 models from WAGO’s PFC200 series had a vulnerability that gave attackers administrative privileges without authentication. Attackers could gain remote control and change tasks, operate on files, etc.
  ・Devices using CODESYS Runtime versions 2.3 and 2.4 were affected by this vulnerability.
  ・Malicious use is possible by sending an attack packet to the port used by the CODESYS Runtime (default setting: port 2455).
  ・Attackers could create a DoS condition by exploiting this vulnerability and deleting the entire task list.
  ・SEC Consult observed that by corrupting the PLC’s memory, arbitrary remote code execution is possible.
  ・WAGO released a repair patch in January 2018.

(2) Data leak found in Cloudflare service
●A vulnerability was found in the HTML parser used in functions provided by Cloudflare. This flaw caused a data leak.
・On February 19, 2017, Google Project Zero revealed that, as a result of this vulnerability in Cloudflare services, a memory leak occurred on Cloudflare’s reverse proxy servers.
・Memory contents that had not been initialized on the reverse proxy server were displayed on customers’ websites.
・Information unrelated to the website serving the leaked data was also displayed.
・Leaked information included session tokens and passwords.
・This vulnerability was named “Cloudbleed.”
・Cloudflare commented on this flaw on its blog on February 23, 2017, and March 1, 2017.
・It explained that the cause of the vulnerability was the newly installed HTML parser.
・The vulnerability was triggered by websites that used a particular HTML tag incorrectly.
・The vulnerability existed in the processing that isolates content stored in memory, which led to a buffer overflow.
・Data leaks occurred with 0.00003% of HTTP requests.
・Google Project Zero notified Cloudflare of the vulnerability on February 18, 2017.
・After the notification, Cloudflare repaired the flaw within an hour.
・Cloudflare reported that it had not discovered any evidence that leaked information was used maliciously.
・It was confirmed that customers’ SSL private keys were not leaked.

Cloud-based reverse proxy URL: https://dzone.com/articles/what-cloudbleed-means-for-you-and-your-customers

*1 NSA: National Security Agency

Leak of Vulnerabilities by the Shadow Brokers

Continuing from 2016, the Shadow Brokers leaked information that it claimed to have stolen from the Equation Group, which was suspected of having ties with the NSA.*1 In response, vendors released patches that repaired the leaked vulnerabilities. Patches for some end-of-life products were also provided. The Shadow Brokers then announced a for-fee service providing the remaining stolen information to members.

Debate took place over how vulnerabilities known to the government should be disclosed or stockpiled, as government-held vulnerabilities were diverted into malware such as WannaCry and NotPetya, which caused great damage.

(1) Leak of vulnerabilities used by the NSA
(2) Shadow Brokers uses membership system for providing information
(3) U.S. bill for process of disclosing vulnerabilities

Example of data leak URL: https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/

2-2 Summary of Security Topics − ❷ Major Vulnerabilities


*1 ECDIS: Electronic Chart Display and Information System

(3) Current state of security in ship systems
●Researchers at Pen Test Partners revealed that systems used on ships are connected to the Internet without security precautions.

Container ship URL: http://www.zdnet.com/article/bad-passwords-and-weak-security-are-making-ships-an-easy-target-for-hackers/

Invite screen URL: https://community.box.com/t5/コラボレーションと共有/コラボレータの招待-詳しい説明/ta-p/858

Vulnerabilities in Cloud Services

Vulnerabilities were discovered in major cloud services. These flaws allowed large numbers of customer records to be leaked.

(1) Documents on Box.com could be searched on the Web
(2) Data leak found in Cloudflare service

・In the past, a ship’s navigation system, ECDIS*1, load management systems, etc. were connected only to the ship’s local network. These days, this local network is connected to the Internet. However, security measures have not caught up.
・Satellite communications terminals (security measures should be prioritized here because of the connection to the Internet)
  ・The default password is simple, and authentication does not use TLS.
  ・Information on the terminals could be found using “Shodan,” which searches for equipment connected to the Internet by IP address.
・Threats from weak control systems
  ・By altering information such as the weight and position of freight, the ship could be destabilized, leading to an accident.
  ・Contraband could be smuggled by altering container information.

(1) Documents on Box.com could be searched on the Web
●Confidential documents could be exposed from Box.com storage for corporate users.
・Box.com vulnerability discovered
  ・On January 3, 2017, Kaspersky Lab reported the flaw. Box.com had already repaired the problem.
  ・“Invite URLs” to collaborative Box.com accounts were picked up by Web search engines.
  ・By using such a URL, anyone could access the collaborative document.
  ・With default privileges, an attacker could view, edit, upload, etc.
・Affected documents
  ・More than 10,000 documents from companies including the following were exposed: Dell, Discovery Communications, Illumina.

(4) Vulnerabilities in programmable logic controller (PLC) PFC200 series
●It was revealed that the PFC200 series of programmable logic controllers, used in automated control of farm equipment, had a vulnerability that allowed malicious remote control.


(1) Leak of vulnerabilities used by the NSA
●The Shadow Brokers leaked hacking tools and zero-day vulnerabilities used by the U.S. NSA. In response, some security vendors released updates for those vulnerabilities.
・The Shadow Brokers leaked hacking tools and documents that it claimed were stolen from the servers of the Equation Group, which was suspected of having ties with the NSA.
・From August 2016, the Shadow Brokers began selling the leaks.
・The leaks revealed vulnerabilities in Cisco, Fortinet, and Juniper products and that the NSA had attacked countries such as China, South Korea, and Japan.
・On April 4 and 14, 2017, the Shadow Brokers leaked new information on vulnerabilities and attack tools.
・The leak on April 4 released files previously offered for sale by the Shadow Brokers. Their contents were studied by researchers.
  ・The vulnerabilities included a Solaris remote code execution zero-day exploit (EBBISLAND).
  ・Notes on how to access Mobilink’s GSM network.
  ・In addition, attack tools for exploiting known vulnerabilities.
・On April 14, 2017, a new set of files was leaked. Researchers examined their contents.
  ・Several exploits, including those targeting zero-day vulnerabilities, were revealed.
  ・The table below shows some remote code execution exploits and the dates of their patches.
・There were many files that suggested attacks by the NSA.
  ・Internal information of EastNets, the largest SWIFT service bureau in the Middle East.
  ・An attack script similar to the one used by the Stuxnet worm.

(2) Shadow Brokers uses membership system for providing information
●The Shadow Brokers, who leaked U.S. NSA hacking tools, announced that starting from June 2017 it would operate a service providing information on vulnerabilities to members for a fee.
・It called the service “The Shadow Brokers Data Dump of the Month,” and asked for monthly fees for the information provided.
・Examples of the information to be provided included browser/router/smartphone exploits and tools, information on new vulnerabilities in OSes including Windows 10, leaked data from SWIFT and banks, and data on nuclear facilities and missile designs.
・The membership fee for the first delivery in June 2017 was 100 ZEC*1 in the cryptocurrency Zcash.
・Fees were to be remitted to a designated address between June 1 and 30, 2017.
・After payment was confirmed, a confirmation email would be sent to the email address given in the memo field when the remittance was made.
・From July 1 to 17, 2017, the leaked information for the June portion would be sent to members in its entirety.

*1 100 ZEC: About 2.6 million yen (as of June 1, 2017)

Sales price URL: http://securityaffairs.co/wordpress/54432/hacking/shadow-brokers-direct-sale.html

Announcement by Shadow Brokers URL: https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-monthly-dump-service-june-2017

Codename of exploit   Vulnerable product (area)   Patch release date
ETERNALROMANCE        Windows (SMB)               March 14
ETERNALSYNERGY        Windows (SMB)               March 14
ETERNALBLUE           Windows (SMB)               March 14
ETERNALCHAMPION       Windows (SMB)               March 14
EBBISLAND             Solaris (RPC XDR)           April 19
EMPHASISMINE          Lotus Domino (IMAP)         April 20

Name           Type      BTC
everything               1,000.0
auction_file   unknown   10.0
bscatflap      unknown   10.0
charms         implant   100.0
common         unknown   10.0
curses         implant   100.0
dampcrowd      unknown   10.0
dewdrop        implant   100.0
dubmoat        trojan    10.0
earlyshovel    exploit   10.0
ebb            exploit   10.0

(3) U.S. bill for process of disclosing vulnerabilities
●Bipartisan lawmakers in the U.S. House of Representatives and Senate submitted a bill (May 17, 2017) that would require transparency and accountability in the government’s decision to disclose a vulnerability or stockpile it.
・PATCH Act: Protecting our Ability To Counter Hacking Act
・The bill sets forth the process for disclosing information when a government agency discovers an unknown vulnerability in a product, system, service, or application.
・The bill would establish a “Vulnerability Equities Review Board.” Like other similar committees, its members would be the chiefs of government intelligence agencies. However, the chair would be the head of the DHS instead of the NSA.
・The review board would determine whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared. It would also establish the policy and process for this decision-making.
・The bill also prescribes the risks, benefits, and other effects concerning the disclosure of a vulnerability that should be taken into account in decision-making.
・With this bill, the lawmakers seek to ensure transparency in the process of disclosing vulnerabilities while also ensuring that the tools the government needs to maintain national security are preserved.

(1) SHAttered
●The crafting of two PDF files with colliding hash values, the first successful collision attack*1 on SHA-1, was announced (CWI Amsterdam, Google, February 23, 2017).
・SHA-1 (Secure Hash Algorithm 1) was standardized by the U.S. National Institute of Standards and Technology (NIST) in 1995.
・It is used to confirm the integrity of digital signatures and files.
・In 2005, it was pointed out that an attack was theoretically possible, and deprecation of the standard by 2011 was recommended.
・SHAttered: the first attack that successfully collided SHA-1
  ・The data of JPEG files embedded in the PDF header was modified to make the hash values collide.
  ・Given a shared prefix and suffix, two slightly different pairs of message blocks were found.
  ・A brute-force attack would require 12,000,000 GPU-years of computation, whereas the SHAttered attack could be carried out with 110 GPU-years.
・Effects of the SHA-1 collision
  ・Breakdown of an Apache Subversion (SVN) repository due to a WebKit test
    ・Code to test for SHA-1 hash collisions was added to the repository, resulting in a crash (WebKit developer, February 23, 2017).
    ・The code used was the released code for testing the two PDF files.
    ・On February 24, 2017, Apache released workaround code that tests for SHA-1 collisions. The code executes before SVN commit operations. Apache announced that repairs would be made in the future.
  ・This breakdown did not occur on Git (Bleeping Computer, February 26, 2017).
    ・Linus Torvalds stated on February 26, 2017 that the SHA-1 collision does not have much effect on Git.
      ・The hash is used as a content identifier rather than as a signature, so trust does not depend on the hash.
      ・Compared with a preimage attack,*2 a collision attack is difficult.
      ・Unlike a PDF file, source code is highly transparent, so crafted code is easy to detect.
      ・Two workaround patches have already been released, and migration to SHA-3 is being studied.
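The following Python model is an added illustration (not from the report, CWI or Google) of the two points above: the identical-prefix structure of the SHAttered collision, and why a repository that keys file contents on the colliding hash misbehaves. The toy Merkle–Damgård hash, its 32-bit state, the `find_collision` search and the `HashKeyedStore` class are constructed stand-ins; the birthday search here is generic, so it does not reproduce the cryptanalytic shortcut that gave SHAttered its speed-up.

```python
import hashlib

# Toy Merkle-Damgard hash (constructed for this example, not SHA-1).
# A 32-bit chaining state keeps the birthday search at roughly 2**16 trials;
# SHA-1's 160-bit state would need about 2**80 for the same generic search,
# which is the "brute force" cost that SHAttered improved on.
STATE_BYTES = 4
BLOCK = 8
IV = b"\x00" * STATE_BYTES


def compress(state: bytes, block: bytes) -> bytes:
    """Stand-in compression function: SHA-256(state || block) cut to the state size."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def absorb(state: bytes, data: bytes) -> bytes:
    """Chain the compression function over whole blocks of data."""
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def pad(msg: bytes) -> bytes:
    """MD strengthening as in SHA-1: zero-fill to a block boundary, append the length."""
    return msg + b"\x00" * (-len(msg) % BLOCK) + len(msg).to_bytes(BLOCK, "big")


def toy_md(msg: bytes) -> bytes:
    return absorb(IV, pad(msg))


def find_collision(prefix: bytes):
    """Identical-prefix collision: return (m1, m2, trials) with m1 != m2 such that
    the chaining value after prefix||m1 equals the one after prefix||m2.
    Counter-based, so the result is deterministic for a given prefix."""
    assert len(prefix) % BLOCK == 0, "prefix must be whole blocks, as in SHAttered"
    start = absorb(IV, prefix)
    seen = {}
    for i in range(1 << 24):
        block = i.to_bytes(BLOCK, "big")
        out = compress(start, block)
        if out in seen:
            return seen[out], block, i + 1
        seen[out] = block
    raise RuntimeError("no collision within the trial budget")


class HashKeyedStore:
    """Content-addressed store that deduplicates by digest, the way a repository
    that keys file contents on SHA-1 does (constructed model)."""

    def __init__(self, digest):
        self.digest = digest
        self.blobs = {}

    def put(self, data: bytes) -> bytes:
        key = self.digest(data)
        # A second file with the same digest is silently treated as a duplicate.
        self.blobs.setdefault(key, data)
        return key

    def get(self, key: bytes) -> bytes:
        return self.blobs[key]


def dedup_corrupts(store: HashKeyedStore, first: bytes, second: bytes) -> bool:
    """True if, after storing both files, asking for `second` hands back other bytes."""
    store.put(first)
    return store.get(store.put(second)) != second


def demo():
    prefix = b"%PDF-1.3"           # 8 bytes: one whole block of shared header
    m1, m2, trials = find_collision(prefix)
    suffix = b"identical trailing content"
    doc1, doc2 = prefix + m1 + suffix, prefix + m2 + suffix
    # Same chaining value after the colliding blocks, so any shared suffix keeps the collision.
    weak_collides = toy_md(doc1) == toy_md(doc2)
    weak_store_broken = dedup_corrupts(HashKeyedStore(toy_md), doc1, doc2)
    strong_store_ok = not dedup_corrupts(
        HashKeyedStore(lambda d: hashlib.sha256(d).digest()), doc1, doc2)
    return m1 != m2, trials, weak_collides, weak_store_broken, strong_store_ok


if __name__ == "__main__":
    print(demo())
```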

NSA URL: https://s3.reutersmedia.net/resources/r/?m=02&d=20170517&t=2&i=1185150484&w=780&fh=&fw=&ll=&pl=&sq=&r=LYNXNPED4G1U5

Two released PDF files with colliding SHA-1 hash values. URL: https://shattered.it

Message block collision URL: https://shattered.it

*1 Attack that searches for different messages with the same hash value.
*2 Attack that searches for messages with a specific hash value or messages with identical hash values.

Other Major Vulnerabilities

Other much-discussed vulnerabilities in fiscal year 2017 included the successful SHA-1 collision attack (SHAttered) and the interception of WPA2-encrypted data (KRACK).

(1) SHAttered
(2) KRACK: attack on Wi-Fi standard


(2) KRACK: attack on Wi-Fi standard
●An attack method called KRACK, which makes it possible to intercept communication protected by the wireless communication security standard WPA2 (Wi-Fi Protected Access 2), was discovered.
・Researchers at the Catholic University of Leuven reported at ACM CCS 2017 that a data breach vulnerability existed in the Wi-Fi communication standard WPA2.
・The vulnerability exists in WPA2’s protocol for authenticating devices.
・When the 4-way handshake takes place between the device and the access point, an attacker can decrypt the content of WPA2 communication by relaying handshake messages.
・The attacker can intercept communication that does not use other encryption (HTTPS, IP-VPN, SSH, etc.).
・Many products that implement WPA2, including Android, Linux, Windows, Apple, and Cisco products, are affected.
・The vulnerability can be fixed with software updates for each product.
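As an added illustration (not from the report or the KU Leuven researchers) of why a relayed handshake message matters, the Python model below plays the key-installation step of the 4-way handshake on a vulnerable and on a patched client: when message 3 is delivered a second time, the vulnerable client reinstalls the same key and resets its packet nonce, so two frames share a keystream and one known frame reveals the other. The SHA-256 keystream, the `Supplicant` class and the sample frames are constructed stand-ins for AES-CCMP and the real 802.11 state machine; the "already installed, ignore the retransmission" check is an assumed model of the general form of the client-side fix.

```python
import hashlib


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Deterministic keystream from (key, packet nonce). Constructed stand-in for
    AES-CCMP, which is also a counter mode: same key and nonce -> same keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big")
                              + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal client-side view of the 4-way handshake: only the step that matters
    here, installing the pairwise key (PTK) on receipt of message 3."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0          # CCMP packet number; must never repeat under one key
        self.installed = False

    def receive_msg3(self, ptk: bytes) -> None:
        # The standard installs the key here. A retransmitted message 3 (the AP
        # resends it if message 4 does not arrive) reaches this code as well.
        if self.patched and self.installed and ptk == self.ptk:
            return              # key already installed: ignore the retransmission
        self.ptk = ptk
        self.nonce = 0          # vulnerable: packet nonce restarts under the same key
        self.installed = True

    def send(self, plaintext: bytes):
        assert self.installed
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))


def replay_scenario(patched: bool):
    """Returns (nonce_reused, plaintext_recoverable) for one re-delivered message 3."""
    ptk = hashlib.sha256(b"constructed PTK for this example").digest()
    client = Supplicant(patched)
    client.receive_msg3(ptk)
    frame1 = b"GET /mail/inbox HTTP/1.1 Host: example.test"   # constructed, predictable frame
    n1, c1 = client.send(frame1)
    client.receive_msg3(ptk)                                   # message 3 delivered again
    frame2 = b"Cookie: session=constructed-value-1"            # constructed secret frame
    n2, c2 = client.send(frame2)
    # A passive observer who can guess frame1 recovers frame2 exactly when both
    # frames were encrypted under the same keystream: c1 ^ c2 ^ frame1 == frame2.
    recovered = xor(xor(c1, c2), frame1)
    return n1 == n2, recovered == frame2[:len(recovered)]


if __name__ == "__main__":
    print("vulnerable client:", replay_scenario(patched=False))   # (True, True)
    print("patched client:   ", replay_scenario(patched=True))    # (False, False)
```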

Example of attack between Wi-Fi access point and device URL: https://distrinet.cs.kuleuven.be/news/2017/CSS17-RealWorldImpactAward.jsp

Summary of Cases: Major Vulnerabilities

・Continuing from last year, many cases of cyberattacks and vulnerabilities related to IoT devices have been observed. It is recommended that when introducing IoT devices, companies calculate the risk and confirm that it is within an acceptable range.

・Like IoT devices, ships and infrastructure such as plants, which in the past were not connected to the Internet, are now subject to risk. It is recommended that systems be robustly managed so that what is connected to the Internet, and where the risks lie, is understood.

・Several vulnerabilities in cloud services that cause data leaks have been reported. There are risks in using a service shared by many organizations and individual users and in passing information through the Internet. It is recommended that companies use such services only after establishing policies and calculating the risk.

・Much damage has been done to the private sector by cyber weapons believed to have been used by the U.S. government and leaked by the Shadow Brokers. Patches to fix the vulnerabilities have already been provided. However, damage continued to be reported in 2018. Patch management and constant updating of products are required.

・There have been many reports of threats to security mechanisms in use today, as shown by the successful SHA-1 collision attack and the interception of WPA2 communication. Because a reliable response is needed when such news appears, constant alertness is necessary.

❸ Cyberattacks

Summary

Cyberattacks occurred in 2017 as well. Of those, a number of characteristic attacks are described here.

● Ransomware
● Illicit cryptocurrency mining
● Thefts of cryptocurrencies
● State-sponsored attacks
● Attacks against critical infrastructure

Ransomware

Fiscal year 2017 was a year in which ransomware attacks gained significant attention. Attacks that made malicious use of tools leaked by the Shadow Brokers broke out. In May 2017, the ransomware WannaCry spread widely, followed in June by NotPetya. Both epidemics caused great damage. In October 2017, Bad Rabbit erupted, causing damage to victims in Russia and Ukraine.

Meanwhile, there have also been many cases of attacks on systems open to the outside. The attacks deleted data and demanded ransom for its restoration. Other ransom attacks used targeted supply chain attacks in the manner of previous malware and demanded ransom in exchange for restoring sensitive information.

(1) WannaCry
(2) Spread of NotPetya
(3) Damage by ransomware Bad Rabbit
(4) Attacks against systems accessible with external connections

(1) WannaCry
●Using tools leaked by the Shadow Brokers, the ransomware “WannaCry” exploited a vulnerability in the Server Message Block (SMB) protocol and encrypted data. It spread around the world and caused significant damage.
・A large-scale attack by WannaCry began on May 12, 2017. It was reported that by May 13, 200,000 PCs in at least 150 countries had been infected.
・Kryptos Logic estimated the number of infected PCs to be several million.
・Trend Micro stated that WannaCry was the ransomware that had victimized the most users to date.
・On May 19, 2017, Costin Raiu of Kaspersky Lab stated that according to public data, the majority of infected PCs ran Windows 7.
・After a PC was infected, the attackers demanded a Bitcoin ransom equivalent to 300 to 600 USD.
・Features of WannaCry
  ・The malware scans for SMB (port 445/TCP) and uses EternalBlue to exploit a vulnerability in SMB, spreading like a worm.
  ・The targeted SMB flaw had been fixed by an update (MS17-010) distributed by Microsoft on March 14, 2017.
  ・EternalBlue is an exploit tool said to have been stolen from the NSA. It was leaked by the Shadow Brokers on April 14, 2017.
  ・The malware has a kill switch that suspends its activity after it succeeds in accessing a particular domain.
    ・While analyzing a sample of WannaCry, a researcher discovered that it tried to access a domain that did not exist on the Web.
    ・To measure the extent of the infection, the researcher registered the domain. After WannaCry successfully accessed the domain, it halted its activities.
    ・Theories about the purpose of this function include that the malware’s creators wanted a way to avoid analysis in a sandbox, or a way to stop it spreading if an unexpected incident occurred.
・WannaCry’s infection vector
  ・According to Malwarebytes’ analysis, the infection vector of WannaCry was not a spam campaign but SMB ports exposed to the Internet.
・Who were the attackers?
  ・Several reports state that a portion of WannaCry’s code is similar to malware used by the Lazarus group.
  ・Symantec states that based on the techniques and infrastructure used, the likelihood of the Lazarus group’s involvement is extremely high.
  ・According to Group-IB, the Lazarus group is an organization within North Korea’s intelligence agency. It is said to be affiliated with the North Korean cyberwarfare agency Bureau 121.
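A detection-side illustration, added here and not part of the report: the scan-and-spread behaviour described above (one host reaching many distinct neighbours on 445/TCP within seconds) stands out in network flow logs, and the Python below flags such hosts over a constructed sample. The record format, the threshold and window, and the addresses are assumptions chosen for the example, not values from WannaCry or any product.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Set


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp src dst dport proto' record (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto)


def smb_fanout_sources(flows: List[Flow], threshold: int = 20,
                       window: timedelta = timedelta(seconds=60)) -> Set[str]:
    """Sources that reached at least `threshold` distinct hosts on 445/TCP inside
    some sliding window of length `window`. Normal clients talk to a few file
    servers; a worm probing for SMB touches many neighbours in seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 445:
            by_src[f.src].append(f)
    flagged = set()
    for src, events in by_src.items():
        events.sort(key=lambda f: f.ts)
        active = Counter()      # distinct destinations currently inside the window
        left = 0
        for f in events:
            active[f.dst] += 1
            while events[left].ts < f.ts - window:      # drop events that aged out
                old = events[left].dst
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            if len(active) >= threshold:
                flagged.add(src)
                break
    return flagged


def constructed_flows() -> List[Flow]:
    """Sample records, all constructed: one host sweeping its /24 on 445 within
    30 seconds, and one normal client using a single file server and a web site."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.0.{100 + i} 445 tcp")
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 10.0.0.2 445 tcp")
    lines.append(f"{base.isoformat()} 10.0.0.9 198.51.100.7 443 tcp")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    print(smb_fanout_sources(constructed_flows()))   # {'10.0.0.5'}
```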

2-2 Summary of Security Topics

32

Worldw

ide Cybersecurity C

ases

2

Page 33: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

(2) KRACK: attack on Wi-Fi standard● An attack method called KRACK that makes it possible to intercept communication from wireless com-

munication security standard WPA2 (Wi-Fi Protected Access 2) was discovered.・Researchers at Catholic University of Leuven reported at ACM CCS 2017 that a data breach vulnerability existed in

Wi-Fi communication standard WPA2.・The vulnerability exist in the WPA2’s protocol for authenticating devices.・When a 4-way handshake takes place between the device and the access point, the attacker can decode the

content of WPA2 communication by relaying messages.・The attacker can intercept communication that does not use other encryption methods (HTTPS, IP-VPN, SSH, etc.)・Many products that implement WPA2, including products from Android, Linux, Windows, Apple, and Cisco, are

affected.・It is possible to fix the vulnerability with software updates for each product.

Example of attack between Wi-Fi access point and deviceURL: https://distrinet.cs.kuleuven.be/news/2017/CSS17-RealWorldImpactAward.jsp

Summary of Cases: Major Vulnerabilities

・Continuing from last year, many cases of cyberattacks and vulnerabilities related to IoT devices have been observed. It is recommended that when seeking to introduce IoT devices, companies should calculate risk and confirm that it is within acceptable range.

・Like IoT devices, ships and infrastructure like plants which in the past had not been connected to the Internet are subject to risk. It is recommended that systems be robustly managed so what are connected to the Internet and where risks can be found are understood.

・Several vulnerabilities in cloud services that cause data leaks have been reported. There are risks when using a service shared by many organizations and individual users and in mediating information through the Internet. It is recommend-ed that companies use such services after establishing policies and calculating the risk.

・Much damage has been dealt to the private sector due to cyber weapons seen as used by the U.S. government, as leaked by the Shadow Brokers. Patches to fix the vulnerabilities have already been provided. However, damages continued to be reported in 2018. Patch management and constantly updating products are required.

・There have been many reports of threats to security mechanisms being used today, as shown by the success of the SHA-1 collision attack and interception of WPA2 communication. Because a reliable response is needed when such news appears, it is necessary to maintain constant alert.

Summary

Cyberattacks occurred in 2017 as well. Of those, a number of characteristic attacks are described here.

● Ransomware● Illicit cryptocurrency mining● Thefts of cryptocurrencies● State-sponsored attacks● Attacks against critical infrastructure

❸ Cyberattacks

Ransomware

Fiscal year 2017 was a year in which ransomware attacks gained significant attention. Attacks that made malicious use of tools leaked by the Shadow Brokers broke out: in May 2017, the ransomware WannaCry spread widely, followed in June by NotPetya. Both epidemics caused great damage. In October 2017, Bad Rabbit erupted, causing damage to victims in Russia and Ukraine. Meanwhile, there have also been many cases of attacks on systems open to the outside, in which the attackers deleted data and demanded ransom for its restoration. Other ransom attacks used targeted supply chain attacks in the manner of previous malware and demanded ransom in exchange for restoring sensitive information.

(1) WannaCry
(2) Spread of NotPetya
(3) Damage by ransomware Bad Rabbit
(4) Attacks against systems accessible with external connections

(1) WannaCry● Using tools leaked by the Shadow Brokers, the ransomware “WannaCry” exploited a vulnerability in the

Server Message Block (SMB) transport protocol and encrypted data. It spread around the world and caused significant damage.

・A large-scale attack by WannaCry began on May 12, 2017. It was reported that by May 13, 200,000 PCs in at least 150 countries had been infected.・Kryptos Logic estimated the number of infected PCs to be several million.・Trend Micro stated that WannaCry was the ransomware that had victimized the most users to date.・On May 19, 2017, Costin Raiu of Kaspersky Lab stated that according to public data, the majority of infected PCs

used Windows 7.・After a PC was infected, the attackers demanded Bitcoin ransom equivalent to 300 to 600 USD.

・Features of WannaCry・The malware scans SMB (port 445/TCP) and uses EternalBlue to exploit a vulnerability in SMB and spread like a worm.

・The targeted SMB flaw was fixed by an update patch (MS17-010) distributed by Microsoft on March 14, 2017.・EternalBlue is an exploit tool said to be stolen from the NSA. It was leaked by the Shadow Brokers on April

14, 2017.・The malware comes with a kill switch that suspends its functions after accessing a particular domain.

・As a researcher analyzed a sample of WannaCry, he discovered that it sought to access a domain that did not exist on the Web.

・To confirm the extent of infection, the researcher registered the domain. After WannaCry successful accessed the domain, it halted its activities.

・Theories about the purpose of this function include the desire by the malware’s creators to give the ability to avoid analysis in a sandbox and to give it a function to prevent spreading if an unexpected incident occurs.

・WannaCry’s infection vector・According to Malwarebytes’ analysis, the infector vector of WannaCry was not a spam campaign but an SMB port

exposed to the Internet.・Who were the attackers?

・Several reports state that a portion of WannaCry’s code is similar to malware used by the Lazarus group.・Symantec states that based on the techniques and infrastructure used, the possibility of the Lazarus

group’s involvement is extremely high.・According to Group-IB, the Lazarus group is an organization within North Korea’s intelligence agency. It is

said to be affiliated with North Korean cyberwarfare agency Bureau 121.

2-2 Summary of Security Topics
33
Annual Cybersecurity Report

Page 34: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

(2) Spread of NotPetya
● On June 27, 2017, destructive wiper malware “NotPetya” hit European countries, mainly Ukraine.
・Damage
  ・In Ukraine: attacks on government agencies, financial institutions, banks, energy companies, etc.
  ・Outside Ukraine: attacks on oil exporter Rosneft (Russia), pharmaceutical company Merck (U.S.), maritime transport company A.P. Moller-Maersk (Denmark), and international courier delivery service TNT Express (Netherlands)
  ・Microsoft estimated that as of June 27, 2017, there were infections in 65 countries and more than 12,500 PCs were hit.
・Initial infection
  ・The infection spread through the automatic update function of Ukraine-based M.E.Doc’s accounting software.
  ・Prior to June 27, attackers gained access to the company’s network and the source code of the accounting software. On June 27, an update file for the software containing the malware was distributed.
  ・The infection completed without user interaction.
・Behavior of the malware
  ・After the infection, the malware attempted a secondary infection. At the same time, it overwrote the master boot record of the infected PC. After rebooting, the master file table was encrypted and a message demanding 300 USD in Bitcoin was displayed.
  ・The secondary infection spread through the local network of the compromised organization. It exploited the same vulnerability as the one exploited by EternalBlue, DoublePulsar, and EternalRomance, tools leaked by the Shadow Brokers.
・Initially, it was thought that the creator of the malware was the same as Petya’s creator.
  ・The infection techniques, language of the threat message, and decompiled code were similar.
  ・As researchers continued their analysis, it became clear that NotPetya was created by a different perpetrator.
    ・The malware was not merely a newly compiled version of Petya.
    ・In a tweet on June 28, 2017, the creator of Petya denied involvement.
    ・Afterwards, he also released the Petya decryption key.
・Although it behaved like ransomware, NotPetya’s purpose was destruction.
  ・Several security vendors pointed out that the decryption key was useless.
  ・The initial infection focused on Ukraine as the target.
・Announcement by Ukrainian intelligence agency SBU (Security Service of Ukraine)
  ・SBU revealed on June 29, 2017, that it was working together with the U.S. FBI, the UK National Crime Agency (NCA), and EU Europol to investigate the attack.
  ・On July 1, 2017, SBU said that the investigation had found that the attackers were the same group that attacked Ukraine’s financial systems, transport agencies, and energy facilities in December 2016, and that it had proof that Russia’s military intelligence agency was involved.
  ・Russia denied the allegations.
・Will Dormann of CERT/CC said that the problem was the lack of security measures in software update systems.
  ・HTTPS and digital signatures are necessary for update programs.
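The recommendation above (HTTPS and digital signatures for update programs) is exactly the control that the M.E.Doc update channel lacked. The following Go program is an added example written for this page, not code from NTT or from M.E.Doc; it shows the client-side check an update mechanism should perform: the vendor signs a manifest (version plus the SHA-256 of the payload) with an ed25519 key, and the client, which holds only the pinned public key, rejects any payload whose digest or signature does not verify. The names Manifest, SignUpdate and VerifyUpdate, the manifest layout and the sample payload are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update package (layout assumed for this
// example). The vendor signs it in the release pipeline; the client ships with the
// vendor's public key and verifies every update against it before installing.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the payload bytes
	Signature []byte // ed25519 signature over signedBytes(Version, SHA256)
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned key")
	ErrDigestMismatch = errors.New("payload digest does not match the signed manifest")
)

// signedBytes fixes the exact bytes that are signed, so version and digest are bound together.
func signedBytes(version, digest string) []byte {
	return []byte(version + "\n" + digest + "\n")
}

// SignUpdate (hypothetical name) is the release-pipeline side: hash the payload and sign
// version+digest with the vendor's private key, which never needs to be on the update server.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	digest := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256: digest, Signature: ed25519.Sign(priv, signedBytes(version, digest))}
}

// VerifyUpdate (hypothetical name) is the client side. The signature is checked first, so a
// compromised update server cannot simply publish a fresh digest for a swapped payload.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair; pub is what the client pins
	if err != nil {
		panic(err)
	}
	genuine := []byte("accounting-software update 1.2.3 (constructed sample payload)")
	m := SignUpdate(priv, "1.2.3", genuine)
	fmt.Println("genuine payload:", VerifyUpdate(pub, m, genuine))

	// Update server compromised: the payload is swapped but the manifest is left as is.
	tampered := append(append([]byte(nil), genuine...), " + extra bytes"...)
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, tampered))

	// The attacker also re-signs the manifest, but with a key the client does not trust.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("re-signed with untrusted key:", VerifyUpdate(pub, SignUpdate(attackerPriv, "1.2.4", tampered), tampered))
}
```

HTTPS protects the download in transit, but it does not help when the update server itself is the compromised party, as it was in this case; the pinned signing key does, as long as the private key stays in the release pipeline and is never placed on the server that distributes updates.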

Data released by Costin Raiu. URL: https://twitter.com/craiu/status/865562842149392384

Website of M.E.Doc. URL: https://www.medoc.ua/uk

Public-facing open SMB ports (as of June 12, 2017). URL: https://www.shodan.io/search?query=port%3A445+%22SMB+Version%3A+1%22+OS%3AWindows

NotPetya’s threat message. URL: https://securelist.com/schroedingers-petya/78870/

Comment from SBU explaining Russia’s involvement. URL: https://ssu.gov.ua/en/news/1/category/2/view/3660

(3) Damage by ransomware Bad Rabbit
● A new ransomware called “Bad Rabbit” spread mainly in Russia and Ukraine, causing damage in multiple cases.
・On October 24, 2017, damage by ransomware Bad Rabbit, which spread mostly in Russia and Ukraine, was reported.
  ・Damage in Russia: Some servers of the Interfax news agency became unavailable.
  ・Damage in Ukraine: Some boarding procedures at Odessa International Airport had to be performed manually. The payment system of the Kiev subway was also affected.
・ESET and Kaspersky Lab released investigative reports on Bad Rabbit.
  ・The malware encrypted files and demanded 0.05 Bitcoins (about 286 USD*1) in ransom for decryption.
  ・Kaspersky Lab observed that the source code was similar to that of the ransomware NotPetya.*2
  ・The infection vector was as follows, according to ESET and Kaspersky Lab:
    ・Website compromises: Websites in Russia and several other countries were compromised. A Flash Player update downloader rigged with Bad Rabbit was displayed.
      ・Popular websites in Russia and Ukraine were compromised.
      ・In Japan, the website of construction materials manufacturer Aica Kogyo was also compromised.
    ・The malware spreads from infected computers to the local network (two modes of operation are implemented).
      ・It uses the password extraction tool Mimikatz to steal passwords, and logs in illicitly to other computers on the local network.
      ・Using the attack tool EternalRomance,*3 it exploits the SMB vulnerability in surrounding computers if the vulnerability exists.

Webpage for paying ransom. URL: https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

*1 Rate as of October 25, 2017.
*2 A large-scale infection that occurred in Ukraine and other countries in June 2017.
*3 The tool was revealed in April 2017. The discloser claimed that it was developed and used by the U.S. NSA.

(4) Attacks against systems accessible with external connections
● Several reports described attacks on systems open to external connections. The attackers demanded ransom.
・On December 27, 2016, security engineer Victor Gevers reported that attackers were overwriting the contents of MongoDB databases accessible with external connections. The attackers then demanded ransom for recovery.
  ・Attacks were observed from December 26, 2016.
  ・The attacks were carried out by a perpetrator named Harak1r1.
  ・More than 1,800 servers were observed to have been attacked on January 2, 2017.
  ・The ransom was 0.2 Bitcoins.
  ・From January 4, 2017, several attacker groups participated.
  ・On January 9, 2017, the number of compromised servers reached more than 28,000.
  ・A threat actor group called Kraken also sold a MongoDB attack tool.
・The directories of ElasticSearch servers accessible with external connections were overwritten. Attackers demanded ransom to restore the servers.
  ・On January 12, 2017, a user named Xudong You reported a ransom attack against ElasticSearch on the Elastic community forum.
  ・The ransom was 0.2 Bitcoins, the same as the ransom demanded in the MongoDB attack.
  ・On January 12, 2017, Shodan creator John Matherly reported on Twitter that about 35,000 ElasticSearch servers were exposed to the Internet.
  ・On January 18, 2017, security engineer Niall Merrigan reported on Twitter that about 4,600 ElasticSearch servers had been compromised.

Bad Rabbit downloader appearing on a compromised website. URL: https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

Screen showing ransom demand. URL: https://twitter.com/0xDUDE/status/813865069218037760

Post by Xudong You. URL: https://discuss.elastic.co/t/ransom-attack-on-elasticsearch-cluster/71310


(1) Cryptocurrency mining malware “Adylkuzz”
● Cryptocurrency mining malware “Adylkuzz” was discovered. This program scans SMB on a massive scale and, like WannaCry, uses EternalBlue to spread infection.
・To investigate WannaCry, enterprise security company Proofpoint exposed a machine vulnerable to EternalBlue attacks. The machine was infected by Adylkuzz.
・The malware uses EternalBlue to exploit a vulnerability in SMB, downloads and runs Adylkuzz, and mines the cryptocurrency Monero.
・When Adylkuzz is executed, the malware blocks the SMB port to prevent infection by other malware.
・The amount of Monero sent from Adylkuzz (the amount of currency mined) increased from April 24, 2017, and plunged on May 11.
  ・The attacks very likely began before April 24.
  ・The attackers switched to a new mining user address to prevent too many Monero coins from being paid to a single address.

(2) Cryptocurrency mining on users’ PCs
● Cryptocurrency mining using users’ PC resources was carried out by installing a mining tool on unsuspecting users’ local PCs or by embedding JavaScript on servers.
・Spread of malware mining cryptocurrencies (cryptominers)
  ・The number of cryptocurrency miners detected was 205,000 in 2013. By August 2017, the number had jumped to 1.65 million (Kaspersky Lab study).
  ・Infections by cryptominers mainly use social engineering to install adware. Other methods include using EternalBlue to exploit vulnerabilities.
  ・Infected PCs form a botnet to mine Monero or Zcash.
  ・Whereas ransomware targeted mainly Europe and the U.S., cryptominer botnets were mainly detected in Asia (Malwarebytes survey, 2016).
    ・Number of ransomware attacks: 49.26% occurred in Europe, 32.51% in North America, and 9.84% in Asia.
    ・Number of cryptominer botnets detected: 61.15% in Asia, 14.97% in Europe, 12.49% in North America.

・On January 18, 2017, security blog Threat Geek reported that attackers had overwritten the directory information of Hadoop Distributed File System (HDFS) installations accessible from the outside world and demanded ransom for their restoration.
  ・The attacks were observed during the week of January 9, 2017.
  ・Threat Geek reported that about 8,000 – 10,000 HDFS installations were exposed.
  ・It found that scans of port 50070, used by HDFS, spiked before the attacks.
  ・Cases of attacks where perpetrators deleted information without demanding ransom for recovery were also confirmed.
    ・All information was deleted. Only a directory called “NODATA4U_SECUREYOURSHIT” was left behind.
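Two observations in this section lend themselves to a detection: the scanning of port 50070 that spiked before the HDFS installations were wiped, and the way WannaCry and NotPetya spread inside a network by contacting many neighbours on port 445. The following Go program is an added example written for this page, not code from NTT, Threat Geek or any vendor cited here. It parses a small constructed connection log (the record format, the addresses and the names ParseLog, ScanSpikeDays and WormFanOut are all assumptions for the example) and flags (a) days on which the number of distinct external sources probing a port jumps relative to the preceding days and (b) internal hosts that fan out to many internal neighbours on SMB. Internal addresses are taken to be the RFC 1918 ranges, via net.IP.IsPrivate (Go 1.17 or later).

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

type Conn struct {
	Day      string // YYYY-MM-DD, taken from the timestamp
	Src, Dst net.IP
	DPort    string
}

// sampleLog is constructed sample data, not a real capture: "timestamp src dst dport"
// records with external probes of port 50070 (HDFS) and internal fan-out on 445 (SMB).
const sampleLog = `
2017-01-03T02:11:00Z 198.51.100.1 203.0.113.10 50070
2017-01-05T00:01:00Z 198.51.100.3 203.0.113.10 50070
2017-01-05T00:01:02Z 198.51.100.4 203.0.113.10 50070
2017-01-05T00:01:05Z 198.51.100.5 203.0.113.10 50070
2017-01-05T00:01:07Z 198.51.100.6 203.0.113.10 50070
2017-05-12T10:00:01Z 10.0.0.7 10.0.0.11 445
2017-05-12T10:00:01Z 10.0.0.7 10.0.0.12 445
2017-05-12T10:00:02Z 10.0.0.7 10.0.0.13 445
2017-05-12T10:05:00Z 10.0.0.8 10.0.0.20 445
`

// ParseLog parses the sampleLog format; blank and malformed lines are skipped.
func ParseLog(text string) []Conn {
	var out []Conn
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) >= 4 && len(f[0]) >= 10 {
			if src, dst := net.ParseIP(f[1]), net.ParseIP(f[2]); src != nil && dst != nil {
				out = append(out, Conn{Day: f[0][:10], Src: src, Dst: dst, DPort: f[3]})
			}
		}
	}
	return out
}

// groupDistinct builds key -> set of val over the records that pass keep.
func groupDistinct(conns []Conn, keep func(Conn) bool, key, val func(Conn) string) map[string]map[string]bool {
	g := map[string]map[string]bool{}
	for _, c := range conns {
		if !keep(c) {
			continue
		}
		if g[key(c)] == nil {
			g[key(c)] = map[string]bool{}
		}
		g[key(c)][val(c)] = true
	}
	return g
}

// ScanSpikeDays flags days on which the number of distinct external sources hitting dport exceeded factor times the mean of the preceding days.
func ScanSpikeDays(conns []Conn, dport string, factor float64) []string {
	perDay := groupDistinct(conns,
		func(c Conn) bool { return c.DPort == dport && !c.Src.IsPrivate() },
		func(c Conn) string { return c.Day }, func(c Conn) string { return c.Src.String() })
	var days, spikes []string
	for d := range perDay {
		days = append(days, d)
	}
	sort.Strings(days)
	total := 0
	for i, d := range days {
		if n := len(perDay[d]); i > 0 && float64(n) > factor*float64(total)/float64(i) {
			spikes = append(spikes, d)
		}
		total += len(perDay[d])
	}
	return spikes
}

// WormFanOut lists internal sources that reached at least threshold distinct internal hosts on dport, the lateral fan-out of an SMB worm such as WannaCry or NotPetya.
func WormFanOut(conns []Conn, dport string, threshold int) []string {
	fan := groupDistinct(conns,
		func(c Conn) bool { return c.DPort == dport && c.Src.IsPrivate() && c.Dst.IsPrivate() },
		func(c Conn) string { return c.Src.String() }, func(c Conn) string { return c.Dst.String() })
	var hits []string
	for src, dsts := range fan {
		if len(dsts) >= threshold {
			hits = append(hits, src)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	conns := ParseLog(sampleLog)
	fmt.Println("port 50070 scan spike days:", ScanSpikeDays(conns, "50070", 3))
	fmt.Println("SMB fan-out sources:", WormFanOut(conns, "445", 3))
}
```

The spike check only says that probing of a port rose sharply, which is the warning sign Threat Geek saw before the wipes; whether the service should be reachable from outside at all is the question the MongoDB, ElasticSearch and HDFS cases answer. The fan-out check is useful as a network-side signal for a host that has just started behaving like a worm, independent of whether the endpoint has the MS17-010 patch.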

Traffic to port 50070 around January 5, 2017. URL: http://www.threatgeek.com/2017/01/open-hadoop-installs-wiped-worldwide.htm

Change in amount of money sent over time. URL: https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

Number of cryptominer detections. URL: https://securelist.com/miners-on-the-rise/81706/

Illicit Cryptocurrency Mining

In the second half of 2017, many cases of illicit mining of cryptocurrencies were discovered. These included the malicious use of the cryptocurrency mining platform “Coinhive” by installing its mining script in websites, which resulted in users’ PC resources being used for cryptocurrency mining without their knowledge. Users are still being hit by this technique.

(1) Cryptocurrency mining malware “Adylkuzz”
(2) Cryptocurrency mining on users’ PCs
(3) Cryptocurrency mining script “Coinhive”

[Chart: number of cryptominer detections per year, 2011–2017 (vertical axis from 0 to 2,000,000)]

・Cryptocurrency mining on the PCs of website visitors
  ・Malvertising led users to servers embedded with cryptocurrency mining JavaScript (report by ESET).
    ・Victims were mainly in Russia and Ukraine. JavaScript embedded in a website ran a cryptocurrency mining program in the users’ browsers while the users viewed webpages.
    ・There is no need to infect the user’s PC with malware or exploit a vulnerability.
    ・The reported JavaScript code was a modification of MineCrunch. It can mine Monero, Feathercoin, and Litecoin.
  ・Attacks that embed mining tools in corporate networks by combining attacks against CMS servers such as WordPress and Joomla with steganography* increased (report by IBM X-Force).
    ・The manufacturing and financial sectors have become frequent targets. The entertainment industry is also being targeted.
・“Coinhive,” a platform that incorporates a mining script into websites
  ・It was discovered that Coinhive had been embedded in some pages of Sweden’s BitTorrent search site “The Pirate Bay” and was mining Monero (report by TorrentFreak).
    ・According to The Pirate Bay’s operators, they were testing the mining script as a way to procure operating funds so they could remove all Web advertising from the site.
  ・It was reported on September 21, 2017, that Coinhive was embedded in the Chrome extension “SafeBrowse” (The Merkle).
    ・“SafeBrowse” users noticed a sudden spike in CPU usage. They discovered that SafeBrowse was mining Monero without their consent.
  ・On September 22, 2017, Sucuri reported that attackers had maliciously injected Coinhive (Sucuri blog).
    ・Websites hacked by attackers were embedded with Coinhive. The PC resources of visitors to the websites were illicitly used for profit.

(3) Cryptocurrency mining script “Coinhive”
● Many reports investigating the operations of “Coinhive” have appeared. “Coinhive” is a service that mines the cryptocurrency Monero by running JavaScript in the browsers of visitors to certain websites.
・“WhoRunsCoinhive.com,” a project investigating the current state of Coinhive
  ・This project publishes a list exposing websites running Coinhive. It seeks to build a database of all websites running cryptocurrency mining scripts.
  ・As of December 15, 2017, of the 999,998 websites investigated, 1,233 sites were running cryptocurrency mining scripts and 549 Coinhive IDs were being used.
・Malwarebytes’ report (November 7, 2017)
  ・The countries in which cryptocurrency mining scripts were most frequently found were the U.S. (32% of all cases), Spain (14.1%), France (12%), Italy (9.3%), and Canada (8.7%).
  ・Malwarebytes products have been blocking the Coinhive API and related proxies an average of 8 million times a day, which is about 248 million blocks in a single month.
・On his blog “gwillem’s lab,” security researcher Willem de Groot reported that Coinhive was embedded in 2,496 e-commerce sites (November 7, 2017).
  ・Of the 2,496 sites, 85% were linked to two Coinhive IDs. The remaining 15% were linked to unique Coinhive IDs. The tag added to these remaining 15% of sites was consistently the site’s name. De Groot thus surmised that the embedding of Coinhive in the 2,496 sites was carried out by just three individuals or groups.
・Security researcher Troy Mursch discovered that Coinhive was embedded in one of the JavaScript scripts used by the live chat widget “LiveHelpNow” (November 23, 2017).
  ・According to the source code search website “PublicWWW,” about 1,500 online shops and business websites use LiveHelpNow.
・Malwarebytes observed that new cryptocurrency mining methods are continuing to emerge. One technique continues the mining process even after the user has seemingly closed the browser windows (November 29, 2017).
  ・At first glance, it seems all windows have been closed. However, Coinhive is still running in a small window hidden behind the clock on the Windows taskbar.
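Most of the cases above (the Pirate Bay pages, the SafeBrowse extension, the sites catalogued by WhoRunsCoinhive.com and by de Groot, the LiveHelpNow widget, the window parked behind the taskbar) come down to three things visible in a page's HTML: loading the Coinhive library, instantiating a miner with a site key, and opening a hidden window that keeps mining. The following Go program is an added example written for this page, not code from NTT, Malwarebytes or WhoRunsCoinhive.com; it scans page HTML for those three indicators, the way a crawler or a build-time check over a site's own templates would. The script host and the CoinHive.Anonymous(...) constructor follow the public Coinhive API as it was documented at the time; the site-key format, the off-screen coordinate threshold, the function names and the two sample pages are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Finding is one indicator of an in-browser mining script found in a page.
type Finding struct {
	Kind   string // "miner-script", "site-key" or "popunder"
	Detail string
}

var (
	// <script src=...> loading a library from coinhive.com, the service named in the report.
	// An operator would extend the host alternation with other mining services they track.
	minerScript = regexp.MustCompile(`(?i)<script[^>]*\bsrc=["']?(?:https?:)?//([^/"'\s>]*coinhive\.com)[^"'\s>]*`)
	// Inline instantiation of the Coinhive miner with its site key (the "Coinhive ID" that the
	// report uses to tie many infected sites to one operator). Key charset/length are assumed.
	siteKey = regexp.MustCompile(`(?i)\bCoinHive\.(?:Anonymous|User)\(\s*["']([A-Za-z0-9]{16,})["']`)
	// window.open(...) call; its feature string is inspected for off-screen coordinates below.
	popunder = regexp.MustCompile(`(?i)window\.open\(([^)]*)\)`)
	coord    = regexp.MustCompile(`(?i)\b(top|left)=(-?\d+)`)
)

// ScanHTML returns the mining indicators present in one page's HTML, in document order per kind.
func ScanHTML(html string) []Finding {
	var out []Finding
	for _, m := range minerScript.FindAllStringSubmatch(html, -1) {
		out = append(out, Finding{"miner-script", m[1]})
	}
	for _, m := range siteKey.FindAllStringSubmatch(html, -1) {
		out = append(out, Finding{"site-key", m[1]})
	}
	// A pop-under parked off-screen keeps mining after the visible tab is closed: flag any
	// window.open whose top/left is negative or far beyond a normal viewport (threshold assumed).
	for _, m := range popunder.FindAllStringSubmatch(html, -1) {
		for _, c := range coord.FindAllStringSubmatch(m[1], -1) {
			if v, err := strconv.Atoi(c[2]); err == nil && (v < 0 || v >= 1000) {
				out = append(out, Finding{"popunder", c[1] + "=" + c[2]})
				break
			}
		}
	}
	return out
}

// HasMiner is the yes/no form a crawler or a template check would use.
func HasMiner(html string) bool { return len(ScanHTML(html)) > 0 }

// Constructed sample pages, not captured from any real site.
const cleanPage = `<html><head><script src="https://cdn.example/jquery.min.js"></script>
</head><body><p>Read about Coinhive in the news.</p>
<script>window.open("/help", "help", "width=600,height=400,top=100,left=100");</script></body></html>`

const infectedPage = `<html><body><script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLESITEKEY0000000000');
  miner.start();
  window.open("/m.html", "m", "width=100,height=100,top=2000,left=2000");
</script></body></html>`

func main() {
	fmt.Println("clean page findings:", ScanHTML(cleanPage))
	for _, f := range ScanHTML(infectedPage) {
		fmt.Printf("%-12s %s\n", f.Kind, f.Detail)
	}
}
```

A site owner can use the same three indicators both to detect and to prevent: the scan shows which template or third-party widget introduced the script (the LiveHelpNow case is why third-party scripts belong in scope), and a Content-Security-Policy script-src allowlist stops the browser from loading a mining library from an unexpected host in the first place.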

Logo of cryptocurrency Monero. URL: https://getmonero.org/press-kit/

* A technique to conceal data in other types of data.

Coinhive. URL: https://coinhive.com/

WhoRunsCoinhive.com. URL: http://whorunscoinhive.com

2-2 Summary of Security Topics − ❸ Cyberattacks

36

Worldw

ide Cybersecurity C

ases

2

Page 37: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

(1) Cryptocurrency mining malware “Adylkuzz”●Cryptocurrency mining malware “Adylkuzz” was discovered. This program scans SMB on a massive

scale and like WannaCry uses EternalBlue to spread infection.・To investigate WannaCry, enterprise security company Proofpoint exposed a

machine vulnerable to EternalBlue attacks. The machine was infected by Adylkuzz.・The malware uses EternalBlue to exploit a vulnerability in SMB, down-

loads and runs Adylkuzz, and mines cryptocurrency Monero.・When Adylkuzz is executed, the malware blocks the SMB port to

prevent infection by other malware.・The amount of Monero sent from Adylkuzz (the amount of currency mined)

increased from April 24, 2017, and plunged on May 11.・The attacks very likely began before April 24. ・The attackers switched to a new mining user address to prevent too

many Monero coins paid to a single address.

(2) Cryptocurrency mining on users’ PCs●Cryptocurrency mining by using users’ PC resources was carried out by installing mining tool on unsus-

pecting users’ local PCs or embedding JavaScript on servers.・Spread of malware mining cryptocurrencies (cryptominers)

・The number of cryptocurrency miners detected was 205,000 in 2013. By August 2017, the number had jumped to 1.65 million (Kaspersky Lab study).・Infections by cryptominers mainly use social engineering to install

adware. Other methods include using EternalBlue to exploit vulnerabilities.

・Infected PCs form a botnet to mine Monero or Zcash.・Whereas ransomware targeted mainly Europe and the U.S., cryptominer

botnets were mainly detected in Asia (Malwarebytes survey, 2016).・Number of ransomware attacks:

49.26% occurred in Europe, 32.51% in North America, and 9.84% in Asia.

・Number of cryptominer botnets detected:61.15% in Asia, 14.97% in Europe, 12.49% in North America

・On January 18, 2017, security blog Threat Geek reported that attackers had overwritten the directory information of Hadoop Distributed File System (HDFS) installations accessible from the outside world and demanded ransom for their restoration.・The attacks were observed during the week of January 9, 2017.

・Threat Geek reported that about 8,000 – 10,000 HDFS installa-tions were exposed.

・It found that scans of port 50070 used by HDFS spiked before the attacks.

・Cases of attacks where perpetrators deleted information without demanding ransom for recovery were also confirmed.・All information was deleted. Only a directory called “NODA-

TA4U_SECUREYOURSHIT” was left behind.

Traffic to port 50070 around January 5, 2017.URL: http://www.threatgeek.com/2017/01/open-hadoop

-installs-wiped-worldwide.htm

Change in amount of money sent over timeURL: https://www.proofpoint.com/us/threat-insight/post

/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

Number of cryptominer detectionsURL: https://securelist.com/miners-on-the-rise/81706/

Illicit Cryptocurrency Mining

In the second half of 2017, many cases of illicit mining of cryptocurrencies were discovered. Included was the malicious use of cryptocurrency mining platform “Coinhive” by installing its mining script in websites. This resulted in users’ PC resources being used for cryptocurrency mining without notice. Users are still being hit by this exploit.

(1) Cryptocurrency mining malware “Adylkuzz”(2) Cryptocurrency mining on users’ PCs(3) Cryptocurrency mining script “Coinhive”

2000000

1800000

1600000

1400000

1200000

1000000

800000

600000

400000

200000

02011 2012 2013 2014 2015 2016 2017

・Cryptocurrency mining on PCs of website visitors・Malvertising led users to servers embedded with cryptocurrency mining JavaScript (report by ESET).

・Victims were mainly in Russia and Ukraine. JavaScript embedded in a website ran a cryptocurrency mining program on the users’ browsers while the users viewed webpages.

・There is no need to infect the user’s PC with malware or exploit a vulnerability.・The reported JavaScript code was a modification of MineCrunch. It can mine Monero, Feathercoin, and

Litecoin.・Attacks that embed mining tools in corporate networks by combining attacks against CMS servers such as Word-

Press and Joomla and steganography* increased. (Report by IBM X-Force)・The manufacturing and financial sectors have become frequent targets. The entertainment industry is also

being targeted. ・“Coinhive,” a platform that incorporates a mining script into websites

・It was discovered that Coinhive had been embedded in some pages of Sweden’s BitTorrent search site “The Pirate Bay and was mining Monero (report by TorrentFreak). ・According to The Pirate Bay’s operators, they were testing the mining script as a way to procure operating

funds so they could remove all Web advertising from the site.・It was reported on September 21, 2017, that Coinhive was embedded in Chrome extension “SafeBrowse” (The

Merkle).・“SafeBrowse” users noticed a sudden spike in CPU usage. They discovered that SafeBrowse was mining

Monero without their consent.

・On September 22, 2017, Sucuri reported that attackers maliciously injected Coinhive (Sucuri blog).
・Websites hacked by attackers were embedded with Coinhive. The PC resources of visitors to the websites were illicitly used to gain profit.

(3) Cryptocurrency mining script “Coinhive”
●Many reports investigating the operations of “Coinhive” have appeared. “Coinhive” is a service that mines the cryptocurrency Monero by running JavaScript in the browsers of visitors to certain websites.

・“WhoRunsCoinhive.com,” a project investigating the current state of Coinhive
・This project publishes a list exposing websites running Coinhive. It seeks to build a database of all websites running cryptocurrency mining scripts.
・As of December 15, 2017, of the 999,998 websites investigated, 1,233 sites were running cryptocurrency mining scripts and 549 Coinhive IDs were being used.

・Malwarebytes’ report (November 7, 2017)
・The countries in which cryptocurrency mining scripts were most frequently found were the U.S. (32% of all cases), Spain (14.1%), France (12%), Italy (9.3%), and Canada (8.7%).
・Malwarebytes products have been blocking the Coinhive API and related proxies an average of 8 million times a day, which is about 248 million blocks in a single month.

・On his blog “gwillem’s lab,” security researcher Willem de Groot reported that Coinhive was embedded in 2,496 e-commerce sites (November 7, 2017).
・Of the 2,496 sites, 85% were linked to two CoinHive IDs. The remaining 15% were linked to unique CoinHive IDs. The tag added to these remaining 15% of sites was consistently the site’s name. De Groot thus surmised that the embedding of Coinhive in the 2,496 sites was carried out by just three individuals or groups.

・Security researcher Troy Mursch discovered that Coinhive was embedded in one of the JavaScript scripts used by the live chat widget “LiveHelpNow” (November 23, 2017).
・According to the source code search website “PublicWWW,” about 1,500 online shops and business websites use LiveHelpNow.

・Malwarebytes observed that new cryptocurrency mining methods are continuing to emerge. One technique continues the mining process even after the user has seemingly closed browser windows (November 29, 2017).
・At first glance, it seems all windows have been closed. However, Coinhive is still running in a small window hidden behind the clock on the Windows taskbar.

Logo of cryptocurrency Monero
URL: https://getmonero.org/press-kit/

* A technique to conceal data in other types of data.

Coinhive
URL: https://coinhive.com/

WhoRunsCoinhive.com
URL: http://whorunscoinhive.com
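The WhoRunsCoinhive.com database and de Groot’s attribution both rest on one observation: a page that loads the Coinhive library also passes a site key that credits a specific Coinhive account, so sites sharing a key were most likely injected by the same actor. The following Python scanner is an added example, not code from the NTT report, WhoRunsCoinhive.com, or de Groot’s blog. It assumes the public Coinhive JavaScript API of 2017 (a library loaded from coinhive.com or coin-hive.com and a `CoinHive.Anonymous("<site key>")` or `CoinHive.User("<site key>", ...)` constructor); the sample pages, hostnames, and site keys are constructed for the example.

```python
"""Detect browser cryptomining script inclusions in HTML and cluster sites
by the mining site key they credit.

Added example; not from the NTT report. The script hosts and the
CoinHive.Anonymous()/CoinHive.User() constructor form are assumptions
about the 2017 Coinhive JavaScript API; sample pages are constructed.
"""
import re
from collections import defaultdict

# Hosts assumed to serve the Coinhive miner library in 2017.
MINER_SCRIPT_HOSTS = ("coinhive.com", "coin-hive.com")

# new CoinHive.Anonymous("SITEKEY", {...}) or CoinHive.User("SITEKEY", ...)
SITE_KEY_RE = re.compile(
    r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{20,})['\"]",
    re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]+src\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def scan_page(html):
    """Return the miner script URLs and site keys found in one HTML page."""
    script_urls = [
        src for src in SCRIPT_SRC_RE.findall(html)
        if any(host in src.lower() for host in MINER_SCRIPT_HOSTS)
    ]
    site_keys = sorted(set(SITE_KEY_RE.findall(html)))
    return {"miner_scripts": script_urls, "site_keys": site_keys,
            "mining": bool(script_urls or site_keys)}


def cluster_by_site_key(pages):
    """pages: {site_name: html}. Returns {site_key: sorted list of sites}.

    Sites sharing one site key credit the same Coinhive account, which is
    the signal behind the 'a few actors behind most injections' estimate.
    """
    clusters = defaultdict(set)
    for site, html in pages.items():
        for key in scan_page(html)["site_keys"]:
            clusters[key].add(site)
    return {k: sorted(v) for k, v in clusters.items()}


# Constructed sample pages (not real sites, not real keys).
SAMPLE_PAGES = {
    "shop-a.example": (
        '<html><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m=new CoinHive.Anonymous('AAAAexampleSiteKey000000001');"
        "m.start();</script></html>"),
    "shop-b.example": (
        '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        '<script>new CoinHive.Anonymous("AAAAexampleSiteKey000000001",'
        "{throttle:0.5}).start();</script>"),
    "blog-c.example": (
        '<script src="//coin-hive.com/lib/coinhive.min.js"></script>'
        "<script>new CoinHive.User('BBBBexampleSiteKey000000002', 'blog-c')"
        ".start();</script>"),
    "clean-d.example": "<html><body><p>No miner here.</p></body></html>",
}

if __name__ == "__main__":
    for site, html in SAMPLE_PAGES.items():
        print(site, scan_page(html))
    for key, sites in cluster_by_site_key(SAMPLE_PAGES).items():
        print(key, "->", sites)
```

Run over a crawl of your own properties, the cluster output is what a site owner needs: a key shared by several of your sites that you did not register is an injection, and the key itself is the identifier to report to the mining service for takedown.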

2-2 Summary of Security Topics − ❸ Cyberattacks
37
Annual Cybersecurity Report


Thefts of Cryptocurrencies

Similar to the increase in illicit cryptocurrency mining, there have also been numerous attacks that sought to steal cryptocurrencies. These attacks targeted cryptocurrency exchanges and general users. An increase in attacks targeting cryptocurrencies has been observed. Besides thefts of Ether by hacking ICOs,*1 attacks included targeting cryptocurrency-related service providers and wallet users and thefts of cryptocurrencies from systems and users through a variety of techniques. In South Korea, a cryptocurrency exchange filed for bankruptcy after its cryptocurrency was stolen.

(1) Attacks targeting cryptocurrency Ether
(2) Cryptocurrency-related attacks
(3) South Korean cryptocurrency exchange Youbit filed for bankruptcy

(1) Attacks targeting cryptocurrency Ether
●Several cases of cyberattacks to steal the cryptocurrency Ether were reported in July 2017. Attackers targeted exchanges, vulnerabilities in client software, and funding events.

・Open source project “Ethereum,” which provides a distributed computing environment
・By using blockchain technology, a variety of applications, including cryptocurrency exchanges, can be run on a distributed computing environment.
・Applications are run by mining the cryptocurrency Ether and using it for payment.

・Local papers reported that South Korean cryptocurrency exchange Bithumb suffered a data breach.
・Bithumb is the world’s largest Ether exchange and the 4th largest Bitcoin exchange.
・Bithumb discovered that in June 2017, information about 30,000 of its customers had been leaked.
・In July of the same year, local newspapers reported that the attackers behind this breach stole cryptocurrencies equivalent to 1 million USD.

・A vulnerability was discovered in “Parity Wallet,” an open source Ether client. It was reported that 32 million USD in Ether had been stolen from at least three wallets.
・On July 19, 2017, a repair patch for this vulnerability was released.
・The theft of Ether had been occurring since July 18, a day before the public disclosure.

・Two cases of Ether theft by hacking ICOs were reported.
・An ICO is a crowdfunding event that raises funds by issuing a unique cryptocurrency (tokens) on a platform like Ethereum.
・On July 17, 2017, attackers hijacked an ICO held by CoinDash and stole 7 million USD in Ether.
・The website of the company was altered, and users were routed to a different payment address.
・On July 23, 2017, Veritaseum was hacked. Thieves stole 8.4 million USD in tokens used for an ICO.

(2) Cryptocurrency-related attacks
●There have been increased reports of a variety of attacks against providers and users of cryptocurrency-related services and illicit mining attacks against general systems and users.

・Attacks against cryptocurrency-related services reported in December 2017
・On December 6, 2017, it was reported that Bitcoin wallets were stolen from “NiceHash,” a website for buying and selling computational resources.
・Although the amount of damage was not publicly disclosed, it is believed that 60 million USD was stolen.
・On December 20, 2017, the DNS server of cryptocurrency exchange “EtherDelta” was hijacked. Users were redirected to a malicious website.

・Attacks targeting cryptocurrency users reported in the same month
・On December 9, 2017, Fortinet discovered a phishing email masquerading as an ad for the cryptocurrency exchange software Gunbot.
・Orcus RAT, which has DDoS attack functions, was attached.

・Attacks targeting general systems reported in December 2017
・On December 15, 2017, F5 Networks reported a campaign called Zealot that infected servers with the “mule” malware, which mines the cryptocurrency Monero.
・The campaign exploited vulnerabilities in Apache Struts and DotNetNuke CMS.
・On December 15, 2017, it was reported that illicit cryptocurrency mining software was detected in the systems of Russian oil pipeline company Transneft.

・Attacks targeting general users reported in the same month
・On December 2, researchers reported injection of illicit mining code by Wi-Fi at a Starbucks.
・The Coinhive cryptominer was injected.
・On December 21, 2017, Trend Micro reported the spread of the cryptominer Digmine through the desktop browser version of Facebook Messenger.
・Chrome’s extension function was exploited.

(3) South Korean cryptocurrency exchange Youbit filed for bankruptcy
●South Korean cryptocurrency exchange Youbit, which was hit by hackers who stole its cryptocurrencies, shut down and filed for bankruptcy.

・It was reported on December 19, 2017, that South Korean cryptocurrency exchange Youbit shut down and filed for bankruptcy.
・Youbit had been hit twice by hackers and lost a substantial amount of its total assets.
・First attack (April 2017): About 4,000 Bitcoins were stolen.
・Second attack (December 19, 2017): About 17% of total assets were stolen.
・South Korean local newspapers reported that KISA*2 announced that the first hacking attack was carried out by North Korean government-affiliated hackers.
・It was announced that KISA and South Korean police had already begun investigation of the second hacking incident.

*1 ICO: Initial Coin Offering (new offering of a cryptocurrency)
*2 South Korean government agency responsible for Internet security

Ethereum logo
URL: http://ethdocs.org/en/latest/

Report of hacked Parity Wallet accounts
URL: https://twitter.com/maraoz/status/887755889897295872

Cryptocurrency phishing sites revealed by CheckPhish
URL: https://checkphish.ai/blockchain-phishing

Illicit cryptocurrency mining discovered on Wi-Fi
URL: https://twitter.com/imnoah/status/936948776119537665

Youbit’s public webpage
URL: https://www.youbit.co.kr/

38



State-Sponsored Attacks

Security companies have reported activities by cybercriminal groups considered to be state-sponsored. The hacking of financial institutions in Poland, a fraudulent money transfer at a bank in Taiwan, and a business email compromise scam against a county council in Ireland were considered to involve the Lazarus group, which is believed to be tied to the North Korean government. In addition, the APT17 group, considered to be sponsored by China, carried out the APT attack that injected a backdoor into the CCleaner software. Cobalt Gypsy, considered to be backed by Iran, conducted cyberattacks using a fictitious female persona on SNS. APT28, considered to be backed by Russia, carried out attacks exploiting a vulnerability in Microsoft Office Dynamic Data Exchange (DDE). Attacks targeting Japan included MenuPass (a.k.a. APT10), considered to originate from China, and BRONZE BUTLER (a.k.a. Tick and REDBALDKNIGHT), which targeted Japanese researchers and the country’s manufacturing sector.

(1) Hacking of Polish financial institutions
(2) Financially-motivated attacks by North Korea
(3) Backdoor in Avast CCleaner
(4) Cyberattacks using a fictitious female persona on SNS
(5) Attack by APT28 exploiting DDE vulnerability
(6) “menuPass,” an attack campaign targeting Japan
(7) Cyberespionage by APT10 through MSPs
(8) BRONZE BUTLER, threat group targeting Japan
(9) Targeted attacks by BRONZE BUTLER group

(1) Hacking of Polish financial institutions
●As part of a worldwide attack, malware infected several banks in Poland.

・The website of the Polish Financial Supervision Authority (KNF) was infected with malware. This was the start of the epidemic in the country (BadCyber, February 3, 2017).
・KNF’s website was injected with malicious JavaScript code.
・Specific banks that visited the website were targeted. Malware was found in the systems of several Polish banks.
・Data was sent from the banks’ computers to external servers.
・Key servers inside the banking infrastructure were compromised.

・Analysis by Symantec
・Similar attacks began in October 2016 and spanned 31 countries.
・Particular companies were being targeted with watering hole attacks.
・It is possible that the attacks were connected to the Lazarus hacker group.

(2) Financially-motivated attacks by North Korea
●There is a possibility that a fraudulent transfer at Taiwan’s Far Eastern International Bank and a business email compromise scam against the Meath County Council in Ireland were sponsored by North Korea.

・On October 4, 2017, malware was planted in the local network of the Far Eastern International Bank, and 60 million USD was fraudulently transferred.
・On October 6, members of the criminal group were arrested in Sri Lanka. Almost all of the stolen money was recovered.
・In a blog post concerning this case, BAE Systems observed that the malware and the vector used were similar to those employed by the Lazarus threat group, which is suspected of having ties to the North Korean government.

・According to the Irish Independent, a business email compromise scam against the Meath County Council in October 2016 is believed by authorities to be sponsored by North Korea.
・Because there are many multinational companies with bases in Ireland, companies in the country are subject to attacks on an almost daily basis.

(3) Backdoor in Avast CCleaner
●A backdoor was planted in “CCleaner,” a software product developed by Piriform, a company purchased by Avast. It is seen as an advanced persistent threat (APT) attack that sought out its targets.

・On September 18, 2017, Avast announced that a backdoor had been planted in its system cleaner software “CCleaner.”
・The affected product was version 5.33.6162 Windows 32-bit and the cloud version.
・CCleaner developer Piriform’s system may have been infiltrated on July 3, 2017.*1
・At the time of the announcement, CCleaner users numbered about 730,000.
・From September 20 to 25, 2017, Avast released the detailed results of its investigation.
・In actuality, malware was sent through a backdoor to 40 computers.
・This is seen as an APT attack that targeted specific tech and telecommunications companies.
・The malware was similar to malware created by China’s APT group APT17.

(4) Cyberattacks using a fictitious female persona on SNS
●Dell SecureWorks reported the occurrence of cyberattacks that used a fictitious female persona. It observed that attackers with connections to the Iranian government carried out the attacks.

・A fictitious female persona named “Mia Ash” had accounts on SNS services like Facebook and Instagram. Her profile said she was a female in her 20s, living in London, and working as a photographer and model.
・Her profile and photos were a mishmash of materials from several real users.
・At the latest, attackers had been updating Mia Ash’s SNS profile since April 2016.
・The persona made connections with several hundred users on SNS. Of these, about 30 persons belonging to the technology and energy sectors in countries like Saudi Arabia and Israel were targeted.
・In February 2017, employees in targeted organizations were sent a crafted Excel file for injecting the remote control tool PupyRAT. (The infection failed.)
・Dell SecureWorks argues that Cobalt Blue, a threat group associated with the Iranian government, created the Mia Ash accounts to carry out cyberattacks.

(5) Attack by APT28 exploiting DDE vulnerability
●McAfee revealed that the attack group APT28 had been conducting targeted attacks exploiting a vulnerability in Microsoft Office’s Dynamic Data Exchange function.

・For the attack, crafted Word files were attached to emails.
・The Word file’s name referenced the recent terrorist attack in New York.
・When the Word file is opened, the attack exploits a vulnerability in DDE. It executes a PowerShell script to download malware called Seduploader.
・The attack technique of infecting with a backdoor after gathering system information matches APT28’s modus operandi.
・Seduploader gathers host system information.
・If the gathered information is of interest to the attackers, they follow up with an infection of the backdoor X-Agent or Sedreco.
・On December 13, 2017, Microsoft released a patch fixing this DDE vulnerability.

*1 Avast purchased Piriform on July 18, 2017.

KNF logo
URL: https://www.knf.gov.pl/en/index.html

Red Star OS logo
URL: https://en.wikipedia.org/wiki/Red_Star_OS

List of targeted domains (partial)
URL: https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incidentl

Mia Ash’s account on LinkedIn (currently closed)
URL: https://www.secureworks.com/research/the-curious-case-of-mia-ash

Avast logo
URL: https://blog.avast.com/jp/%E6%96%B0%E3%81%97%E3%81%84%E3%82%A2%E3%83%90%E3%82%B9%E3%83%88-%E3%83%96%E3%83%A9%E3%83%B3%E3%83%89

Announcement by McAfee
URL: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/
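The DDE technique described in (5) lives in a Word field code, so a mail gateway or endpoint scanner can flag such attachments without opening them in Office. The following Python scanner is an added example, not code from the NTT report or from McAfee’s write-up. It relies on the .docx package layout (a zip archive with field codes in `w:instrText` runs or `w:fldSimple` instr attributes of WordprocessingML parts) and handles the case where a field instruction is split across several runs; the sample documents are constructed in memory and their field text is a placeholder, not an actual payload.

```python
"""Flag Word documents whose field codes invoke DDE / DDEAUTO.

Added example, not from the NTT report or McAfee. A .docx is a zip
archive; field codes appear in word/*.xml parts as <w:instrText> runs
(complex fields) or as the w:instr attribute of <w:fldSimple>. The
sample documents are constructed; their field text is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# Package parts that may carry field codes (headers and footers included).
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def field_codes(xml_bytes):
    """Yield the field code strings of one WordprocessingML part.

    A complex field may split its instruction across many <w:instrText>
    runs (a common evasion), so runs between a begin and an end fldChar
    are concatenated before matching.
    """
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    depth, buf = 0, []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end":
                depth -= 1
                if depth == 0 and buf:
                    yield "".join(buf)
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    if buf:  # unterminated field: still report what was collected
        yield "".join(buf)


def find_dde_fields(docx_bytes):
    """Return [(part name, whitespace-normalised field code)] for DDE fields."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            for code in field_codes(zf.read(name)):
                code = " ".join(code.split())
                if DDE_RE.search(code):
                    hits.append((name, code))
    return hits


def make_docx(body_xml):
    """Build a minimal .docx (only the parts the scanner needs) in memory."""
    document_xml = ('<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
                    % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a benign DATE field, a DDEAUTO field whose
# instruction is split across three runs, and a simple DDE field.
CLEAN_DOC = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DATE \\@ "yyyy-MM-dd" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
SPLIT_DDE_DOC = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DD</w:instrText></w:r>'
    '<w:r><w:instrText>EAUTO placeholder-</w:instrText></w:r>'
    '<w:r><w:instrText>command "placeholder-args"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
SIMPLE_DDE_DOC = make_docx(
    '<w:p><w:fldSimple w:instr=" DDE placeholder-server placeholder-topic "/></w:p>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("split", SPLIT_DDE_DOC),
                       ("simple", SIMPLE_DDE_DOC)):
        print(label, find_dde_fields(doc))
```

The concatenation step matters more than the regex: a scanner that matches each `w:instrText` run on its own misses the split field, which is exactly the variant that appeared after the first DDE campaigns were signatured. Pair the check with the registry hardening Microsoft shipped for the December 2017 fix so that a missed document still cannot auto-launch DDE.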

40



(6) “menuPass,” an attack campaign targeting Japan
●According to Palo Alto Networks, an attack campaign called “menuPass” was carried out from September to November 2016. Its targets included Japanese researchers.

・menuPass was an attack campaign reported by FireEye in 2013. It is considered to be linked to the Chinese government.
・The targets at the time were defense contractors in the U.S. and other countries. The range of targets gradually expanded.

・Outline of the September to November 2016 attack campaign targeting Japan
・The targets were academic researchers, pharmaceutical companies, and a U.S.-based subsidiary of a manufacturing company.
・The attack method was a spear phishing attack using spoofed email addresses from the Sasakawa Peace Foundation and the White House.
・The malware used were PlugX, Poison Ivy, and ChChes.
・ChChes was a malware unique to this campaign.
・According to JPCERT, ChChes can run shell commands and download/upload files by installing modules.

(7) Cyberespionage by APT10 through MSPs
●APT10 (MenuPass Group) carried out new espionage activities by using service providers as the foothold. It infiltrated the providers’ customer organizations and stole information.

・APT10 is considered to be a Chinese cyberespionage group. It has been active since 2009.
・It targets the construction, space, and telecommunications industries and government agencies in the U.S., Europe, and Japan to steal information for the purpose of Chinese national security.
・New activities by APT10 carried out from 2016 to 2017 were reported in April 2017.
・Joint investigation by the UK NCSC,*2 PwC and BAE Systems
・“Operation Cloud Hopper,” an attack campaign that used managed service providers (MSPs) as the foothold to infiltrate targeted companies, became more active from mid-2016.
・FireEye report
・The company detected attacks targeting the manufacturing sector in India, Japan, and northern Europe, the mining sector in South America, and multiple IT service providers around the world.
・In the case of MSPs, the attack campaign exploited this supply chain to steal information because MSPs hold great amounts of customer data and operate VPNs connecting the networks of customer companies.

(1) Attackers infiltrated MSPs and deployed malware that enables remote control.
(2) Choosing MSP customers to be targeted, attackers broke into their MSP accounts.
(3) Customer data was compressed and transferred to the MSP.
(4) Customer data was exfiltrated from the MSP to APT10.

(8) BRONZE BUTLER, threat group targeting Japan
●The threat group BRONZE BUTLER has been stealing intellectual property and other sensitive information about Japan’s critical infrastructure, heavy industry, and manufacturing sector over a long period of time.

・SecureWorks’s Counter Threat Unit presented detailed activities of BRONZE BUTLER on its blog on October 12, 2017.
・BRONZE BUTLER (a.k.a. Tick) is considered to be based in China.
・Its activities targeting Japan have been observed since at least 2012.
・It infiltrates with spear phishing attacks that exploit a Flash vulnerability and zero-day attacks against software such as SKYSEA Client View, an asset management software with a high market share in Japan.
・After information is stolen, the threat group removes traces of its activity, and regularly infiltrates and steals information.
・The group has the ability to develop its own malware, and uses encrypted communication to avoid detection.

(9) Targeted attacks by BRONZE BUTLER group
●Trend Micro released a report investigating targeted attacks by the REDBALDKNIGHT threat group, which uses the “Daserf” backdoor.

・“REDBALDKNIGHT” (a.k.a. “BRONZE BUTLER” and “Tick”) is a threat group that chiefly targets Japan.
・Its existence was first confirmed in 2016. It resumed its activities in 2011.
・The decoy documents were created with the “Ichitaro” word processor and written in fluent Japanese.
・The infection methods were diverse. They included targeted emails, watering hole attacks, and attacks exploiting a vulnerability in a popular asset management software.
・“Daserf” 1.72 and later versions used steganographic techniques.
・Configuration files and hacking tools were embedded in image files. The malicious code infiltrates when the image is retrieved and bypasses firewalls.

*2 NCSC: National Cyber Security Centre

Cyberespionage campaign “Operation Cloud Hopper”
URL: http://baesystemsai.blogspot.jp/2017/04/apt10-operation-cloud-hopper_3.html

Changes in malware used by BRONZE BUTLER
URL: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
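Image files that carry a hidden configuration or tool, as described for Daserf 1.72 and later, often do not survive a structural check: the payload is appended after the image’s end marker or stuffed into an oversized metadata chunk, because rewriting pixel data is more work. The following Python scanner is an added example, not code from the NTT report or from Trend Micro’s analysis, and the report does not say which embedding method Daserf used, so the checks here are the generic ones a defender can run on every PNG that crosses a proxy without decoding pixels: trailing bytes after the IEND chunk, chunks whose CRC does not match, and ancillary chunks above a size limit. The PNG chunk layout (4-byte length, 4-byte type, data, CRC-32 over type and data) is the published format; the sample images and the size threshold are constructed for the example.

```python
"""Check PNG files for data hidden outside the image structure.

Added example, not from the NTT report or Trend Micro. Covers the
generic cases: bytes appended after IEND, CRC mismatches (hand-built or
tampered chunks), and oversized ancillary chunks. Samples are constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
ANCILLARY_LIMIT = 4096  # bytes; assumption: larger text/metadata chunks deserve a look


def inspect_png(data):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["not a PNG (bad signature)"]
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings.append("truncated chunk %r" % ctype)
            return findings
        expected = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        if crc_field != expected:
            findings.append("CRC mismatch in chunk %r" % ctype)
        if ctype not in CRITICAL and length > ANCILLARY_LIMIT:
            findings.append("oversized ancillary chunk %r (%d bytes)" % (ctype, length))
        pos += 12 + length
        if ctype == b"IEND":
            trailing = len(data) - pos
            if trailing:
                findings.append("%d bytes of trailing data after IEND" % trailing)
            return findings
    findings.append("no IEND chunk")
    return findings


def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(extra_chunks=()):
    """Build a valid 1x1 greyscale PNG, optionally with extra chunks before IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed samples.
CLEAN_PNG = make_png()
APPENDED_PNG = CLEAN_PNG + b"placeholder-config-blob" * 4
BIG_TEXT_PNG = make_png([(b"tEXt", b"Comment\x00" + b"A" * 8192)])
_bad = bytearray(CLEAN_PNG)
_bad[-1] ^= 0xFF  # corrupt the last CRC byte of IEND
BAD_CRC_PNG = bytes(_bad)

if __name__ == "__main__":
    for name, png in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG),
                      ("big text", BIG_TEXT_PNG), ("bad crc", BAD_CRC_PNG)):
        print(name, inspect_png(png))
```

A payload hidden in the pixel data itself (true steganography) passes these checks, which is why the report’s point about the image being retrieved through the firewall still stands: the structural scan catches the cheap variants, and egress filtering of the retrieving process is the complementary control.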

(1) Increase in attacks against industrial control systems (ICS)
●According to data from IBM Managed Security Services (MSS), attacks against industrial control systems (ICS) increased by more than 110% from 2015 to 2016.
・The main driver of the increase was brute-force attacks against SCADA*2 systems.
・Once such an attack succeeds, the connected SCADA equipment can be controlled remotely.
・The U.S. was both the most frequent source country of ICS attackers and the country most frequently targeted.
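A brute-force campaign against SCADA logins shows up in authentication logs as a burst of failures from one source, sometimes followed by a success. The Python below is an added example, not IBM’s or the report’s code; it implements that detection as a sliding window over constructed sample log lines. The log format, field names, host names, addresses and thresholds are assumptions to adapt to whatever actually records logins in front of the control network (HMI audit log, jump host, VPN, or firewall denies on TCP/502).

```python
"""Flag brute-force login bursts against SCADA/HMI hosts in authentication logs.

Added example; it is not from the IBM MSS article or the NTT report. The log
format, the sample lines and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-like, UTC). 203.0.113.7 and 192.0.2.10 are
# documentation addresses, not real sources.
SAMPLE_LOG = """\
2017-01-14T02:00:01Z hmi-01 auth: FAILED user=admin src=203.0.113.7
2017-01-14T02:00:03Z hmi-01 auth: FAILED user=root src=203.0.113.7
2017-01-14T02:00:04Z hmi-01 auth: FAILED user=operator src=203.0.113.7
2017-01-14T02:00:06Z hmi-01 auth: FAILED user=plc src=203.0.113.7
2017-01-14T02:00:07Z hmi-01 auth: FAILED user=scada src=203.0.113.7
2017-01-14T02:00:09Z hmi-01 auth: OK user=scada src=203.0.113.7
2017-01-14T02:15:00Z hmi-01 auth: FAILED user=operator src=192.0.2.10
2017-01-14T03:30:00Z hmi-01 auth: FAILED user=operator src=192.0.2.10
2017-01-14T03:30:20Z hmi-01 auth: OK user=operator src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Return one alert per (src, host) reaching `threshold` failures within `window_s` seconds.

    A success from the same source after the burst is recorded as
    `success_after`; escalate those first, because the guessing worked and
    the SCADA host is now reachable by the attacker.
    """
    recent = defaultdict(deque)   # (src, host) -> timestamps of failures inside the window
    tried = defaultdict(set)      # (src, host) -> usernames attempted
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["host"])
        if rec["result"] == "FAILED":
            q = recent[key]
            q.append(rec["ts"])
            tried[key].add(rec["user"])
            while (rec["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()   # slide the window forward
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {
                    "src": rec["src"], "host": rec["host"],
                    "first_failure": q[0], "failures": 0,
                    "users": set(), "success_after": False,
                })
                alert["failures"] = max(alert["failures"], len(q))
                alert["users"] = set(tried[key])
        elif key in alerts:
            alerts[key]["success_after"] = True   # login succeeded after the burst
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The window, not a raw count, is what separates a scanner from an operator who mistypes a password a few times a day, and the list of usernames tried is useful context: a single account hammered repeatedly looks like password guessing, many accounts in seconds looks like a default-credential sweep.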

Example of decoy document
URL: https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/

Number of attacks against ICS
URL: https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/

Threat process

*1 ICS: Industrial Control Systems (control systems and associated instrumentation used for industrial process control)

*2 SCADA: Supervisory Control And Data Acquisition (A type of industrial control system. It monitors systems and controls processes with microcomputers.)

Attacks against Critical Infrastructure

Cyberattacks were committed against the critical infrastructure, including industrial control systems, of numerous countries around the world. Targeted ICS*1 were infected with malware. There was also a case of a cyberattack on a transportation system in which the attackers demanded money.

(1) Increase in attacks against industrial control systems (ICS)
(2) Cyberattack against a U.S. nuclear power plant
(3) Cyberattacks targeting the UK energy sector
(4) Cyberattacks against industrial control systems
(5) Cyberattack against the U.S. Sacramento public transportation agency
(6) Malware that shut down industrial control systems

2-2 Summary of Security Topics − ❸ Cyberattacks

42

2 Worldwide Cybersecurity Cases


*2 NCSC: National Cyber Security Centre

(6) “menuPass,” an attack campaign targeting Japan
●According to Palo Alto Networks, an attack campaign called “menuPass” was carried out from September to November 2016. Its targets included Japanese researchers.
・menuPass was first reported by FireEye in 2013. It is considered to be linked to the Chinese government.
・The targets at that time were defense contractors in the U.S. and other countries; the range of targets has gradually expanded since.
・Outline of the September to November 2016 campaign targeting Japan:
・The targets were academic researchers, pharmaceutical companies, and a U.S.-based subsidiary of a manufacturing company.
・The attack method was spear phishing using spoofed sender addresses at the Sasakawa Peace Foundation and the White House.
・The malware used were PlugX, Poison Ivy, and ChChes.
・ChChes was unique to this campaign.
・According to JPCERT/CC, ChChes can run shell commands and download/upload files by loading additional modules.

(8) BRONZE BUTLER, a threat group targeting Japan
●The threat group BRONZE BUTLER has for years been stealing intellectual property and other sensitive information from Japan’s critical infrastructure, heavy industry, and manufacturing sector.

(7) Cyberespionage by APT10 through MSPs
●APT10 (the menuPass group) carried out new espionage activity using service providers as a foothold: it infiltrated the providers’ customer organizations and stole information.
・APT10 is considered to be a Chinese cyberespionage group. It has been active since 2009.
・It targets the construction, aerospace, and telecommunications industries and government agencies in the U.S., Europe, and Japan, stealing information that serves Chinese national-security interests.
・New APT10 activity carried out from 2016 to 2017 was reported in April 2017.
・Joint investigation by the UK NCSC,*2 PwC and BAE Systems
・“Operation Cloud Hopper,” a campaign that used managed service providers (MSPs) as a foothold to infiltrate targeted companies, became more active from mid-2016.
・FireEye report
・The company detected attacks targeting the manufacturing sector in India, Japan, and northern Europe, the mining sector in South America, and multiple IT service providers around the world.
・In the MSP cases, the campaign exploited the supply chain: MSPs hold large amounts of customer data and operate VPNs connecting them to their customers’ networks, so compromising one MSP gives access to many customers at once.



(2) Cyberattack against a U.S. nuclear power plant
●The U.S. DHS and FBI issued an urgent joint report concerning cyberattacks targeting the networks of U.S. companies that operate nuclear power plants.
・On July 6, 2017, the New York Times reported the contents of the report, which it had obtained.
・One of the companies attacked was Wolf Creek Nuclear Operating Corporation, which operates and maintains a nuclear plant in the state of Kansas.
・In the report, the FBI and DHS stated that they believe an “advanced persistent threat” actor was responsible.
・The report stated that the attackers sent Wolf Creek engineers emails containing fake résumés with malicious attachments, which infected their computers with malware.
・Authorities said the attackers’ techniques resembled those of “Energetic Bear,” a group based in Russia.
・At Wolf Creek, the plant control systems are isolated from the corporate network, and the company stated that the attack therefore had no operational effect.

Wolf Creek nuclear power plant
URL: http://www.kansastravel.org/wolfcreek.htm

(3) Cyberattacks targeting the UK energy sector
●The UK National Cyber Security Centre (NCSC), part of the UK intelligence agency GCHQ, issued a warning about cyberattacks against the country’s energy sector, saying the attacks may be part of a worldwide campaign.
・On July 18, 2017, Motherboard reported on the warning, which it had obtained.
・According to the document, attackers are targeting the UK’s energy sector.
・The NCSC fears that some industrial control system (ICS) engineering and services organizations have already been compromised.
・The compromised organizations are part of the supply chain for UK critical national infrastructure.
・The warning came at about the same time as similar attacks were being reported in other countries.
・The Times reported in June 2017 that, according to anonymous sources, Russian military hackers had attacked Irish energy companies.
・The FBI issued a warning in late June about cyberattacks targeting energy and nuclear companies in the U.S.
・An NCSC spokesperson stated that energy sectors around the world are being targeted and that the government is aware of the report concerning the attacks.

Example of ICS
URL: https://www.trendmicro.com/jp/iot-security/special/20116

(4) Cyberattacks against industrial control systems
●Kaspersky Lab issued a report on cyber threats against industrial control systems (ICS) in the first half of 2017 and called for security measures for ICS.
・The report is titled “Threat Landscape for Industrial Automation Systems in H1 2017.”
・It is divided into two parts. The first comments comprehensively on the major cyber threats of the first half of 2017; the second provides threat statistics gathered from users of Kaspersky Lab’s security products.
・Threats discussed in the report include the CrashOverride (Industroyer) malware, which targets electric power systems; attacks on security systems; business email compromise (BEC) attacks against industrial companies; the leaks of classified CIA and NSA material; and the WannaCry and Petya ransomware attacks.
・In the first half of 2017, attacks were detected on 37.6% of the ICS computers protected by Kaspersky Lab products. Manufacturing and engineering were the most frequently hit sectors, followed by education.
・ICS computers were attacked most frequently in Vietnam, Algeria, and Morocco. The least affected countries were, in order, Ireland, Denmark, the Netherlands, the U.S., and Switzerland.

Kaspersky’s report
URL: https://ics-cert.kaspersky.com/wp-content/uploads/sites/6/2017/10/KL-ICS-CERT-H1-2017-report-en.pdf

*3 SIS: Safety Instrumented System(Hardware and software systems designed for the purpose of preventing escalation in the event of a plant incident.)

(5) Cyberattack against the U.S. Sacramento public transportation agency
●The Sacramento Regional Transit District (SacRT) in the U.S. was hit by a cyberattack accompanied by a ransom demand. SacRT did not respond to the demand and restored its systems from backups.
・SacRT, which operates buses and light rail in Sacramento, California, was attacked from November 18 to 19, 2017.
・The agency’s website was defaced and some programs on its servers were deleted.
・In a Facebook message on November 19, the attackers threatened further attacks if SacRT did not pay them one Bitcoin (about 8,000 USD as of November 20, 2017).
・SacRT did not respond to the demand. It investigated the damage and the attackers’ intrusion method and dealt with the problem.
・SacRT found that about 30% of its files had been deleted but found no indication that data had been taken out of its systems.
・To limit the damage, SacRT temporarily took its website and e-payment system offline, then restored its systems from backup files.
・The attack had no effect on bus and light rail operations.

SacRT bus
URL: https://www.helpnetsecurity.com/2017/11/21/sacramento-regional-transit-hack/

(6) Malware that shut down industrial control systems
●Malware called TRITON caused an industrial control system (ICS) shutdown by tampering with safety instrumented system (SIS*3) controllers.
・FireEye reported that TRITON was used to reprogram the logic of SIS controllers. Some controllers detected the tampering (a validation check between redundant processing units failed), entered a failed-safe state, and shut down the industrial process.
・If an SIS does not function correctly, physical damage may result. FireEye therefore believes that the purpose of TRITON was to prepare an attack capable of causing physical damage.
・Dragos released its analysis of the TRITON attack observed at one of its customers (Dragos tracks the malware as TRISIS).
・According to that analysis, causing physical damage requires detailed understanding of the industrial process managed by the targeted SIS. The likelihood that physical damage results is therefore low.

Scenario of attack against SIS
URL: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Summary of Cases: Cyberattacks

・Malicious use of the tools leaked by the Shadow Brokers increased sharply. These attacks infect victims with ransomware that demands money from companies and individual users in exchange for restoring their encrypted files.
・Many cases of damage from illicit cryptocurrency mining occurred. These operations install mining tools on victims’ machines or embed mining scripts in websites.
・As cryptocurrencies grow in popularity, numerous attacks target cryptocurrency exchanges and individual users in order to steal cryptocurrency.
・Attacks believed to be state-sponsored included attacks using fictitious personas on social networking services (SNS) and attacks that inserted backdoors into legitimate products.
・Attacks against industrial control systems (ICS) are increasing, and warnings about attacks on critical infrastructure were issued.

44



❹ Other Issues

The main other issues of fiscal 2017, listed below, are described in this section.

●Vault 7
●Incidents due to configuration mistakes by companies or contractors
●Risk of infringing children’s privacy
●Eroded trust in digital certificates
●New threats

Vault 7

A series of documents believed to be internal U.S. CIA (Central Intelligence Agency) material, given the name “Vault 7,” was published on WikiLeaks. The leak revealed vulnerabilities that had not yet been fixed, and affected vendors scrambled to respond. Publication of a further set of leaked material, called Vault 8, began afterwards.

(1) Vault 7, a series of leaked CIA internal documents
(2) Vault 8

(1) Vault 7, a series of leaked CIA internal documents
●WikiLeaks began publishing a series of documents it called Vault 7, which it claims had been stored on a high-security network inside the CIA.
・On March 7, 2017, WikiLeaks began publishing the leaked information.
・The documents describe exploits, malware, and hacking operations.
・WikiLeaks claimed it obtained the information from a former U.S. government hacker or contractor.
・The CIA did not comment on the authenticity of the information.
・Further material continued to be published after April 2017.
・Vendors responded to the vulnerabilities revealed in the leaked information.
・The documents released as of the end of March 2017 were as follows:

Publication date | Document batch name | Summary of disclosed information
March 7, 2017 | Year Zero | 8,761 documents were released. Their contents included hacking activities against mobile devices, smart TVs, OSes, network equipment, automotive software, and security products.
March 23, 2017 | Dark Matter | Twenty-three documents were published on implanting malware in Mac computers and iPhones in a way that persists even after the OS is reinstalled.

・Leaks after the end of March 2017 were as follows:

Publication date | Leak name | Summary
March 31, 2017 | Marble Framework | Source code of an obfuscation tool
April 7, 2017 | Grasshopper | User guide of an attack-code generation tool
April 14, 2017 | Hive | RAT user guide, etc.
April 21, 2017 | Weeping Angel | User guide of malware targeting Samsung TVs
April 28, 2017 | Scribbles | Source code of a tool that inserts trackers into PDF files

・Vendor responses to the vulnerabilities revealed in Year Zero and Dark Matter:

Document batch name | Affected products | Vendor | Effect of vulnerabilities
Year Zero | Security products | Kaspersky Lab | Product end-of-life
Year Zero | Security products | Bitdefender | Previously repaired
Year Zero | Security products | Comodo | Previously repaired
Year Zero | Security products | ESET | Previously repaired
Year Zero | Security products | F-Secure | No effect
Year Zero | Security products | PandaLabs | No effect
Year Zero | Security products | Microsoft | None*
Year Zero | Security products | Trend Micro | None
Year Zero | Network products | Cisco | Repair patch provided
Year Zero | Automotive software | QNX | No effect
Year Zero | Smart TV | Samsung | None
Dark Matter | PC / communication devices | Apple | Previously repaired

* Details of effects and responses are unclear.

* NGA: National Geospatial-Intelligence Agency (U.S. agency that collects geospatial intelligence)

(2) Vault 8
●Having disclosed information about CIA hacking tools under the name “Vault 7,” WikiLeaks went on to publish the source code of those tools as “Vault 8.”
・On November 9, 2017, WikiLeaks began publishing, as Vault 8, the source code of tools disclosed in Vault 7.
・The first release was Hive, a back-end system for covert communication between CIA servers and CIA malware.
・Hive runs on commercial virtual private servers and authenticates the implants that connect to it before relaying their traffic.
・According to WikiLeaks, Vault 8 does not include zero-day exploits or other code that could be reused in other malware.
・WikiLeaks said it published the source code to help journalists and forensic analysts understand the malware.

Vault 8 publication page
URL: https://wikileaks.org/vault8/

NGA logo
URL: https://www.nga.mil/MediaRoom/Press%20Kit/Pages/default.aspx

GitHub repository made public by Tata
URL: https://coulls.blogspot.jp/2017/06/how-do-you-fix-mobile-banking-in-canada.html

Incidents Due to Configuration Mistakes by Companies or Contractors

Many incidents occurred in which information leaked from government officials and contractors. Information leaks also occurred frequently because of configuration mistakes on cloud services, as exemplified by Amazon Web Services’ S3.

(1) Incidents caused by contractors
(2) Frequent occurrence of information leaks due to mistakes

(1) Incidents caused by contractors
●Multiple cases of information leaks or damage to systems caused by contractors were reported.
・A contractor was arrested on June 3, 2017, for allegedly leaking a highly classified U.S. NSA document to The Intercept.
・The leaked document was a report about Russian meddling in the U.S. presidential election through hacking.
・The leaker was identified from barely visible yellow microdots printed on the leaked document, which encode the printer’s serial number and the date and time of printing.
・It was reported that U.S. classified data handled by Booz Allen Hamilton (BAH), a contractor of the U.S. NGA,* could be accessed publicly.
・On May 22, 2017, data with the highest classification level was found to be publicly accessible without a password.
・Cybersecurity analyst Chris Vickery, who discovered the exposure, reported it to BAH the same month but received no response. The next day he reported it to the NGA, and the data became inaccessible almost immediately.
・It was reported that employees of the Indian contractor Tata Consultancy Services stored source code and development documents belonging to client financial institutions in a public GitHub repository.
・Material from development work contracted by financial institutions became publicly accessible.
・The documents related to work for Canadian, U.S., and Japanese financial institutions.
・The documents have since been deleted.
・On May 27, 2017, an employee of the contractor CBRE Global Workplace Solutions accidentally shut off power to British Airways’ computer systems, causing large-scale flight cancellations by the airline.
・About 75,000 passengers were affected by this mistake.
・The contractor may be billed more than 100 million British pounds (about 128 million USD) in compensation.
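The BAH exposure and the broader S3 problem this section mentions share one root cause: a bucket policy or ACL that grants read access to everyone. The Python below is an added example, not code from the report or from any of the parties named above; it audits already-exported policy and ACL documents offline and shows the weak configuration beside a corrected one. The bucket name, role ARN and account ID 123456789012 are placeholders.

```python
"""Audit exported S3 bucket policies and ACLs for public exposure.

Added example; it is not code from the NTT report or from any incident it
cites. It works offline on documents already fetched from AWS. The weak and
corrected configurations are constructed; bucket name, role ARN and account
ID are placeholders.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}; anything else names specific identities."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy_json: str) -> list:
    """Return findings for Allow statements that grant read access to everyone."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        broad = actions & READ_ACTIONS or any(a.endswith("*") for a in actions)
        if not broad:
            continue
        note = ""
        if st.get("Condition"):
            # A Condition (e.g. aws:SourceVpce) may narrow this; review it rather than assume.
            note = " [conditional: verify the Condition actually restricts access]"
        findings.append("statement %d (%s): public principal allowed %s%s"
                        % (i, st.get("Sid", "no Sid"), sorted(actions), note))
    return findings


def audit_acl(acl: dict) -> list:
    """Return findings for ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append("ACL grants %s to %s" % (grant.get("Permission"), PUBLIC_GRANTEES[uri]))
    return findings


def audit_bucket(policy_json: str, acl: dict) -> list:
    return audit_policy(policy_json) + audit_acl(acl)


# Weak configuration (constructed): the pattern behind "open bucket" leaks.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
WEAK_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}

# Corrected configuration (constructed): one named role may read objects; no group grants.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleReadOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})
FIXED_ACL = {"Grants": [{
    "Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
    "Permission": "FULL_CONTROL",
}]}


if __name__ == "__main__":
    print("weak :", audit_bucket(WEAK_POLICY, WEAK_ACL))
    print("fixed:", audit_bucket(FIXED_POLICY, FIXED_ACL))
```

In practice the inputs come from boto3’s get_bucket_policy (its Policy field is the JSON string this code parses) and get_bucket_acl. A finding should be followed not only by tightening the one bucket but by enabling S3 Block Public Access at the account level, so that the next mistaken policy or ACL cannot reopen a bucket the way these incidents did.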

2-2 Summary of Security Topics − ❹ Other Issues

46

Page 47: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

* Details of effects and responses are unclear.

Vault 7

Given the name “Vault 7,” a series of documents considered to be internal U.S. CIA (Central Intelligence Agency) informa-tion was published on WikiLeaks. This leak revealed yet unfixed vulnerabilities, leading companies to scramble to respond. Afterwards, publishing of additional leaked documents called Vault 8 began.

(1) Vault 7, a series of leaked CIA internal documents(2) Vault 8

(1) Vault 7, a series of leaked CIA internal documents●WikiLeaks began publishing documents called the Vault 7 series. It claims they had been stored on the

high-security network of an organization inside the CIA.・On March 7, 2017, WikiLeaks began publishing the leaked information.

・Documents about exploits, malware, and hacking activities were released.・WikiLeaks claimed it obtained the information from a former U.S. government hacker or contractor.・CIA did not comment on the authenticity of the information. ・New information continued to be published after April 2017.・As of the end of March 2017, the documents released were as follows:

・Vendors responded to the vulnerabilities revealed in the leaked information.

・Leaks after the end of March 2017 are as follows:

Publication dateDocument batch name Summary of disclosed information

March 7, 2017Year Zero

Dark Matter March 23, 2017

8,761 documents were released. Their contents included hacking activities against mobile devices, Smart TV, OSes, network equipment, automotive software, and security products.

Twenty-three documents on activities embedding undeletable malware in Mac computers and iPhones were published.

Publication dateLeak name SummarySource code of obfuscation toolUser guide of attack code generation toolRAT user guide, etc.User guide of malware against Samsung TVSource code of tool that inserts trackers into PDF files

March 31, 2017April 7, 2017April 14, 2017April 21, 2017April 28, 2017

Marble FrameworkGrasshopperHiveWeeping AngelScribbles

Vendors Effect of vulnerabilitiesAffected productsProduct end-of-lifePreviously repairedPreviously repairedPreviously repairedNo effectNo effectNone*

NoneRepair patch providedNo effectNonePreviously repaired

Network productsAutomotive softwareSmart TVPC / communication devices

Kaspersky LabBitdefenderComodoESETF-SecurePandaLabsMicrosoftTrend MicroCiscoQNXSamsungAppleDark Matter

Year Zero

Security products

Document batch name

Summary

The main other issues for 2017 listed below are described.

❹ Other Issues

●Vault 7●Incidents due to configuration mistakes by companies or contractors●Risk of infringing children’s privacy●Eroded Trust in Digital Certificates●New threats

* NGA: National Geospatial-Intelligence Agency (U.S. agency that collects geospatial intelligence)

(2) Vault 8
●WikiLeaks disclosed information about hacking tools created by the CIA under the name “Vault 7.” It revealed the source code of those tools as “Vault 8” documents.
・On November 9, 2017, WikiLeaks began publishing the source code of tools disclosed in Vault 7 as Vault 8.
・Hive, a tool for establishing confidential communication between CIA servers and CIA malware, was revealed.
・It resides on commercial virtual servers and authenticates accessed targets.
・Vault 8 did not include source code of zero-day vulnerabilities that can be applied to other malware.
・WikiLeaks said it published the source code to help journalists and forensic analysts understand malware technologies.

Vault 8 publication page
URL: https://wikileaks.org/vault8/

NGA logo
URL: https://www.nga.mil/MediaRoom/Press%20Kit/Pages/default.aspx

GitHub repository made public by Tata
URL: https://coulls.blogspot.jp/2017/06/how-do-you-fix-mobile-banking-in-canada.html

Incidents Due to Configuration Mistakes by Companies or Contractors

Many incidents such as information leaks by government officials and contractors occurred. Information leaks also occurred frequently due to configuration mistakes on cloud services, as exemplified by Amazon Web Services’ S3.

(1) Incidents caused by contractors
(2) Frequent occurrence of information leaks due to mistakes

(1) Incidents caused by contractors
●Multiple cases of information leaks or damage to systems caused by contractors were reported.
・A contractor was arrested on June 3, 2017, for allegedly leaking a highly classified U.S. NSA document to The Intercept.
・The leaked document was a report about Russian meddling in the U.S. presidential election through hacking.
・The identity of the leaker was deduced from barely visible yellow microdots printed on the leaked document. The dots revealed the printer model and the date and time of printing.
・It was reported that U.S. classified data handled by Booz Allen Hamilton (BAH), a contractor of the U.S. NGA,* could be publicly accessed.
・On May 22, 2017, information with the highest classification rating became publicly accessible without a password.
・Cybersecurity analyst Chris Vickery, the discoverer of this problem, reported the problem to BAH in the same month. He did not get a response. The next day, he reported the problem to NGA. The document became inaccessible almost immediately.
・It was reported that employees of Indian contractor Tata Consultancy Services stored the source code and development documents of client financial institutions on a public GitHub repository.
・Information related to development work contracted by financial institutions became publicly accessible.
・The documents were related to work for Canadian, U.S., and Japanese financial institutions.
・The documents have already been deleted.
・An employee of contractor CBRE Global Workplace Solutions accidentally shut off power to British Airways’ computer systems, causing large-scale flight cancellations by the airline on May 27, 2017.
・About 75,000 passengers were affected by this mistake.
・The contractor may be billed more than 100 million British pounds (128 million USD) for compensation.

2-2 Summary of Security Topics − ❹ Other Issues


Warning of leak from the cloud
URL: https://www.pexels.com/search/clouds/

Screen image when setting Amazon S3 bucket (storage space) access policy to “Public.”
URL: https://mackeepersecurity.com/post/protect-your-s3-bucket-in-a-right-way

(2) Frequent occurrence of information leaks due to mistakes
●There have been many cases where sensitive information belonging to an organization could be accessed by a wider circle of users than the information owner intended, due to configuration mistakes made when storing the information on the Internet.
●Improper access configuration was the cause of all of the incidents in which sensitive company information could be publicly accessed on the cloud storage service Amazon S3.
・Cases reported in July 2017
・The majority of cases occurred due to security mistakes made when configuring storage services. In each case, the mistake was made by the organization itself or by its contractor, and access by a wider circle of users than intended was discovered.
・Swedish Transport Agency data, including sensitive information, could be accessed from inside and outside the country.
・Data management contractor employees could access all data and logs on the cloud from outside the country (from Turkey).
・The cause of the problem was that the security clearance of contractors required by law was not carried out when IBM was selected as the data management contractor in 2015.
・The then-director general of the transport agency was fined 70,000 kronor for carelessness in handling sensitive information. She was fired in January 2017.
・Observations of experts
・Network administrators tend to neglect rules for configuring service access control policies.
・Basic steps to ensure correct settings for data and services are lacking.
・When administrative tasks are contracted to a third party, too much time tends to pass between the discovery of the access problem and its fix.
・Kromtech Security Center presented the following as the cause of sensitive information exposure, and suggested the following preventive measures.
・Cause: As agile development practices such as DevOps become popular, developers avoid the time it takes to properly configure security settings. As a result, Amazon S3’s access control is easily left set to “Public.”
・Preventive measures: Use the following for-fee services provided by Amazon:
・Trusted Advisor (checks security configuration)
・AWS Config (allows the user to easily apply the appropriate security configuration)
・On September 25, 2017, Bleeping Computer posted the results of a survey by Skyhigh Networks. About 7% of all Amazon S3 buckets were inappropriately configured, which allowed an indeterminately large number of users to access data.

Cases reported in July 2017

Affected organization | Contractor | Storage service | Accessible to | Cause
Verizon | NICE Systems | Amazon S3 | AWS registered users | Configuration mistake by contractor
Dow Jones | None | Amazon S3 | AWS registered users | Configuration mistake
Gizmodo, etc. | None | Google Group | General public | Configuration mistake
British Government | 3rd party (unclear) | Contractor’s system | General public | Configuration mistake by contractor
Swedish Transport Agency | IBM | IBM Cloud | Contractors inside and outside the country | Neglect in checking when selecting contractor

Date of disclosure | Affected organization | Amazon S3 user | Main contents of leaked information | Cause
September 1, 2017 | Time Warner Cable | IT service company BroadSoft (contractor) | About 4 million customers’ name, address, and home gateway device information | Amazon S3 access control set to “Public”
September 2, 2017 | TigerSwan | Recruitment company TalentPen (contractor) | About 9,400 job seekers’ (mainly U.S. military veterans) name, address, work experience, and “top secret” clearance for access to U.S. government classified information | Amazon S3 access control set to “Public”
September 19, 2017 | Viacom | Viacom | Administrator passwords for company systems, information about the system architecture of company servers, keys for authenticating AWS administrators | Amazon S3 access control set to “Public”
September 20, 2017 | Verizon Wireless | Verizon Wireless engineer (stored information on Amazon S3 for private use) | Information about authentication and design of company systems | Amazon S3 access control set to “Public”
September 21, 2017 | SVR Tracking | SVR Tracking | About 540,000 customers’ email address, password (SHA-1 hashed), Vehicle Identification Number, and IMEI of onboard GPS device | Amazon S3 access control set to “Public”
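The distinction the tables draw between “AWS registered users” (the AuthenticatedUsers group, i.e. any AWS account) and “General public” (the AllUsers group or a policy open to everyone) can be checked offline from a bucket’s ACL and policy. The following is an added example in Python, not code from the report; the AWS group URIs are the real ones, but the bucket names, owner id and policies are constructed.

```python
"""Classify how widely an S3 bucket is exposed from its ACL and bucket policy.

Added example, not from the NTT report.  A grant to the AllUsers group, or
an Allow statement whose Principal is "*", means "General public"; a grant
to the AuthenticatedUsers group means "AWS registered users".  The input
shapes follow the GetBucketAcl / GetBucketPolicy responses; the sample
buckets below are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PRIVATE = "Private"
AWS_USERS = "AWS registered users"
PUBLIC = "General public"
_RANK = {PRIVATE: 0, AWS_USERS: 1, PUBLIC: 2}


def acl_exposure(acl):
    """Widest audience granted by the ACL's group grants (owner grants are ignored)."""
    widest = PRIVATE
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            return PUBLIC
        if grantee.get("URI") == AUTH_USERS:
            widest = AWS_USERS
    return widest


def _anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_exposure(policy_json):
    """PUBLIC if any Allow statement has an anonymous principal and no Condition.

    Any Condition is treated as a restriction here; a human still has to read
    it, since a broad aws:SourceIp range is effectively public.
    """
    if not policy_json:
        return PRIVATE
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if _anonymous_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            return PUBLIC
    return PRIVATE


def bucket_exposure(acl, policy_json=None):
    """Combine ACL and policy: whichever grants the wider audience wins."""
    a, p = acl_exposure(acl), policy_exposure(policy_json)
    return a if _RANK[a] >= _RANK[p] else p


OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}

# Constructed sample buckets shaped after the cases in the tables above.
SAMPLES = {
    # Contractor granted READ to AuthenticatedUsers: every AWS account can list it.
    "contractor-export": {
        "acl": {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]},
        "policy": None},
    # Access control set to "Public" through a bucket policy open to anyone.
    "customer-backups": {
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::customer-backups/*"}]})},
    # Anonymous principal but limited by a Condition: not flagged as open here.
    "vpc-only": {
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        "policy": json.dumps({"Statement": {
            "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::vpc-only/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-constructed"}}}})},
    # Owner only.
    "internal-logs": {
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        "policy": None},
}


def audit(samples=SAMPLES):
    """Return {bucket: exposure} for the given ACL/policy pairs."""
    return {name: bucket_exposure(b["acl"], b["policy"]) for name, b in samples.items()}


if __name__ == "__main__":
    for name, exposure in audit().items():
        print(f"{name:20s} {exposure}")
```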

*1 “Education technology” – term for ICT services that provide educational materials or support learning.

EFF’s report on EdTech “Spying on Students”
URL: https://www.eff.org/wp/school-issued-devices-and-student-privacy

Risk of Infringing Children’s Privacy

Excessive collection of information by EdTech-related services, Internet service terms and conditions that are difficult for children to understand, and excessive disclosure of personal information have become issues.

(1) Spying on students by EdTech services
(2) Making terms and conditions easy to understand for children

Eroded Trust in Digital Certificates

Due to mis-issuance of digital certificates and insufficient response to the resulting problems, trust in Symantec and StartCom certificates eroded. Google Chrome and other browsers took action to distrust those certificates.

(1) Distrust of Symantec certificates
(2) Withdrawal from certificate authority business

(1) Spying on students by EdTech services
●EdTech services*1 used by K-12 students in the U.S. are collecting student data beyond what is necessary. Some states have begun to regulate the use of such data in advertising.
・On April 13, 2017, the U.S. Electronic Frontier Foundation (EFF) released a report surveying the privacy policies of EdTech services used in schools.
・The EFF surveyed 152 services in use and found that many of them collect far more information, including students’ personal information, than is necessary.
・It found that the services were lacking in encryption, data retention, and data sharing policies.
・The report found that teachers placed too much trust in the services’ policies. It also found that parents were aware of neither the services used nor the data collected.
・Regulations have not kept up with changes in technology, and U.S. federal laws are not able to protect student data.
・Some states, like California and Colorado, now prohibit the use of student data for targeted advertising.

*2 The Growing Up Digital Taskforce

Simplified terms and conditions
URL: http://www.childrenscommissioner.gov.uk/sites/default/files/publications/Growing%20Up%20Digital%20Taskforce%20Report%20January%202017_0.pdf

(2) Making terms and conditions easy to understand for children
●A report found that because children use the Internet without understanding online services’ terms and conditions, they unknowingly and frequently provide personal information.
・A report released by a task force*2 of the UK Children’s Commissioner for England on January 4, 2017, contained the following comments:
・The Internet is not designed for children, who are heavy users.
・The task force recommended that social media companies use language that is easier to understand in their terms and conditions.
・The task force tested teenagers’ understanding of Instagram’s terms and conditions. It found that no teenager completely understood them.
・When the terms and conditions were simplified and condensed, they became easily understood.
・One of the teenagers who finished reading Instagram’s terms and conditions said, “I’m deleting Instagram because it’s weird.”



*1 EV allows the Chrome browser to show owner information of the website next to the padlock icon in the address bar.

EV-certified web address
URL: https://www.theregister.co.uk/2017/03/24/google_slaps_symantec_for_sloppy_certs_slow_show_of_snafus/

Response by DigiCert Executive Vice President Jeremy Rowley
URL: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/5qazX5vWaWU

Statement by StartCom
URL: https://www.startcomca.com/index/News/newDetail?date=20171116

(1) Distrust of Symantec certificates
●Google proposed distrusting certificates issued by Symantec on Chrome.
・On March 24, 2017, Google’s Chrome team criticized Symantec certificates and discussed measures for Chrome in its development forum.
・Google criticized Symantec for not having proper procedures to prevent mis-issuing certificates.
・Over the past several years, Symantec had mis-issued at least 30,000 certificates.
・2,458 certificates were issued for domains that were never registered.
・Google proposed the following measures for handling Symantec certificates on Chrome.
・The accepted validity period of Symantec-issued certificates would be reduced with each Chrome version. Finally, Chrome 64 would only accept certificates issued within the previous nine months.
・The Extended Validation*1 status of Symantec-issued certificates would be voided.

(2) Withdrawal from certificate authority business
●Several certificate authorities faced doubts about their validation process for issuing certificates. As a result, trust in their certificates and in their business as a whole eroded. Subsequently, some companies terminated their certificate authority business.
・Certificate authority DigiCert purchased Symantec’s certificate authority business. Mozilla expressed concern about this move.
・DigiCert Executive Vice President Jeremy Rowley stated the following on November 1, 2017:
・Symantec’s certificate authority infrastructure will not be used for TLS certificate validation and issuance.
・DigiCert staff will be trained on issuing TLS certificates.
・Mozilla and Google expressed concern that Symantec and its partner companies did not carry out sufficient validation when issuing TLS certificates.
・On October 31, 2017, Mozilla issued a statement expressing concern that after DigiCert’s purchase of Symantec, issuance of certificates would still continue with Symantec’s infrastructure and personnel, resulting in a recurrence of the problem.
・Chinese certificate authority “StartCom” announced that it would stop issuing new certificates by the end of December 2017 and end its business in 2020.
・StartCom’s schedule until termination of business is as follows:
・December 31, 2017: End issuance of new certificates
・January 1, 2018: Provide only validation of already issued certificates
・January 1, 2020: Revoke all issued certificates
・StartCom stated that it could not recover from the distrust of the company and of the new company “WoSign.”
・In September 2016, Mozilla began to distrust newly issued certificates from WoSign and StartCom because WoSign had issued improper certificates for GitHub.
・In 2017, Google and Apple also took action to distrust certificates from WoSign and StartCom.

*1 A technique for building an application by combining a number of small services

Websites using SR scripts (partial list)
URL: https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

Example of microservice architecture
URL: https://medium.com/netflix-techblog/starting-the-avalanche-640e69b14a06

New Threats

(1) Spread of combosquatting
(2) Session replay
(3) DDoS attack against microservice architectures
(4) Online alteration of voter information
(5) Services for disseminating disinformation online

(1) Spread of combosquatting
●Combosquatting attacks have been growing annually. These attacks phish users by connecting several words into a domain name. Current security measures are seen as unable to cope.
・Georgia Institute of Technology researchers reported the results of a large-scale empirical study of combosquatting at the 2017 ACM Conference on Computer and Communications Security (CCS).
・The researchers collected and examined more than 468 billion DNS records requested by users over six years from 2011.
・They discovered 2.7 million combosquatting domains masquerading as 268 legitimate domains.
・The number of combosquatting domains has increased annually. Combosquatting domains are now 100 times more prevalent than typosquatting domains.
・About 60% of combosquatting domains have been operating for more than three years.

(2) Session replay
●Visitors to websites that capture “session replay” (SR) face the risk of exposing sensitive information.
・SR is a method of recording the actions of visitors to a website for the purpose of collecting marketing information.
・Site visitors’ actions such as key input and mouse movements are collected.
・On November 15, 2017, U.S. Princeton University released its study of the current state of SR.
・It studied seven SR vendors (including Yandex, FullStory, and Hotjar).
・SR was used in 482 of the top 50,000 sites ranked by Alexa.
・Observed threats:
・Recorded data are sent to external servers.
・Recorded data include sensitive information.
・Rendered site contents are also collected.
・When data is collected, https communication is used. However, when delivering playbacks, http communication is used.

Comparison of squatting types

Squatting type | Domain name
Original | youtube[.]com
Typosquatting | youtubee[.]com
Homophone-based | yewtube[.]com
Bitsquatting | youtubg[.]com
Homophone-based | Y0UTUBE[.]com
Combosquatting | youtube-login[.]com
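The rows of the comparison table can be told apart mechanically, which is how a defender triages lookalike domains seen in DNS logs or certificate transparency feeds. The following is an added example in Python, not code from the report or from the Georgia Tech study; it separates bitsquatting, character-lookalikes (the Y0UTUBE row), combosquatting and near edits, while a homophone such as yewtube only lands in the edit-distance bucket, since telling it apart would need a pronunciation dictionary. The brand, the glyph table and the candidate list are constructed.

```python
"""Classify a candidate domain against a protected brand label.

Added example, not from the NTT report or the Georgia Tech study.  The
categories follow the comparison table above: bitsquatting (one flipped
bit in one character), homoglyph (lookalike characters such as "0" for
"o"), combosquatting (the brand kept whole and joined to extra words) and
typosquatting (a character or two away).  [.] is the report's defanging;
brand, glyph table and sample candidates are constructed.
"""

# Lookalike substitutions; multi-character entries go first so that "vv"
# is folded to "w" before the single characters are handled.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registered_label(domain):
    """Second-level label of a (possibly defanged) domain: 'youtube' for 'www.youtube[.]com'."""
    parts = domain.replace("[.]", ".").lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_bitsquat(label, brand):
    """Same length, exactly one position differs, and that difference is a single bit."""
    if len(label) != len(brand):
        return False
    diffs = [ord(x) ^ ord(y) for x, y in zip(label, brand) if x != y]
    return len(diffs) == 1 and (diffs[0] & (diffs[0] - 1)) == 0


def fold_glyphs(label):
    """Replace lookalike characters by the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def is_combosquat(label, brand):
    """Brand appears whole, plus at least three extra characters (words or digits)."""
    if brand not in label:
        return False
    rest = label.replace(brand, "", 1).replace("-", "")
    return len(rest) >= 3


def classify(domain, brand="youtube"):
    """One of: original, bitsquatting, homoglyph, combosquatting, typosquatting, unrelated."""
    label = registered_label(domain)
    if label == brand:
        return "original"
    if is_bitsquat(label, brand):
        return "bitsquatting"
    if fold_glyphs(label) == brand:
        return "homoglyph"
    if is_combosquat(label, brand):
        return "combosquatting"
    if edit_distance(label, brand) <= 2:
        return "typosquatting"
    return "unrelated"


# Constructed candidates, including the examples from the table above.
CANDIDATES = ["youtube[.]com", "youtubee[.]com", "yewtube[.]com", "youtubg[.]com",
              "Y0UTUBE[.]com", "youtube-login[.]com", "secure-youtube-signin[.]net",
              "example[.]org"]


def scan(domains=CANDIDATES, brand="youtube"):
    """Map each candidate to its squatting category.

    The brand's own domains (e.g. regional or product sites that legitimately
    contain the brand) should be removed with an allowlist before alerting.
    """
    return {d: classify(d, brand) for d in domains}


if __name__ == "__main__":
    for domain, kind in scan().items():
        print(f"{domain:30s} {kind}")
```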

(3) DDoS attack against microservice architectures
●Netflix revealed an effective DDoS attack technique against applications. The attack exploits the nature of microservice architectures.*1
・At DEF CON 25, Netflix presented a technique for applying a DDoS attack to microservice-architected Web applications.
・In a microservice architecture, a single request to a gateway API amplifies into several thousand microservice requests at the middle tier and backend tier.
・By identifying API calls with a high load that request a great number of microservices and attacking with these API calls, it is possible to overwhelm the middle tier and deny all services that depend on that tier.
・As a case study, Netflix conducted two different attacks over two five-minute periods. The attacks resulted in an 80% API gateway error rate.
・Because the amount of API request amplification is not visible at the edge tier’s web application firewall (WAF), detecting an attack is difficult.
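The detection gap described above comes from where the measurement is taken: the edge WAF counts one request per client call, while the fan-out is only visible where the gateway's downstream calls are recorded. The following added example in Python (not from the report or from Netflix's talk) joins a gateway access log with a middle-tier call log to compute per-endpoint amplification and per-client downstream load; both log formats and all sample lines are constructed.

```python
"""Measure request amplification per gateway endpoint from call records.

Added example, not from the NTT report or Netflix's DEF CON 25 talk.  The
gateway log (request id, client IP, endpoint) is what the edge sees; the
middle-tier log (request id, downstream service, number of calls made to
it for that request) is what the amplification can be read from.  Both
formats and the sample lines are constructed.
"""
from collections import defaultdict

GATEWAY_LOG = """\
r1 203.0.113.10 /api/home
r2 203.0.113.10 /api/home
r3 198.51.100.7 /api/search
r4 203.0.113.10 /api/home
r5 198.51.100.9 /api/account
"""

MIDDLE_LOG = """\
r1 profile 1
r1 recommendations 4
r1 artwork 1
r2 profile 1
r2 recommendations 6
r2 artwork 1
r3 index 2
r4 profile 1
r4 recommendations 5
r4 artwork 1
r5 profile 1
"""


def parse_gateway(text):
    """{request_id: (client_ip, endpoint)} from the gateway log."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            req, ip, endpoint = line.split()
            out[req] = (ip, endpoint)
    return out


def parse_middle(text):
    """{request_id: total downstream calls} from the middle-tier log."""
    calls = defaultdict(int)
    for line in text.splitlines():
        if line.strip():
            req, _service, n = line.split()
            calls[req] += int(n)
    return calls


def amplification(gateway_text=GATEWAY_LOG, middle_text=MIDDLE_LOG):
    """Per endpoint: requests seen at the edge, mean/max fan-out, total downstream calls."""
    calls = parse_middle(middle_text)
    per_endpoint = defaultdict(list)
    for req, (_ip, endpoint) in parse_gateway(gateway_text).items():
        per_endpoint[endpoint].append(calls.get(req, 0))
    return {
        endpoint: {
            "requests": len(fanouts),
            "mean_fanout": sum(fanouts) / len(fanouts),
            "max_fanout": max(fanouts),
            "downstream_calls": sum(fanouts),
        }
        for endpoint, fanouts in per_endpoint.items()
    }


def high_fanout_endpoints(stats, threshold=5.0):
    """Endpoints whose mean fan-out reaches the threshold, heaviest first.

    These are the calls worth a per-client budget expressed in downstream
    work rather than in request count, which is all the edge WAF can see.
    """
    hits = [e for e, s in stats.items() if s["mean_fanout"] >= threshold]
    return sorted(hits, key=lambda e: stats[e]["downstream_calls"], reverse=True)


def downstream_per_client(gateway_text=GATEWAY_LOG, middle_text=MIDDLE_LOG):
    """{client_ip: total downstream calls}: a client's load is not its request count."""
    calls = parse_middle(middle_text)
    load = defaultdict(int)
    for req, (ip, _endpoint) in parse_gateway(gateway_text).items():
        load[ip] += calls.get(req, 0)
    return dict(load)


if __name__ == "__main__":
    stats = amplification()
    for endpoint, s in stats.items():
        print(f"{endpoint:14s} requests={s['requests']} mean_fanout={s['mean_fanout']:.1f}")
    print("high fan-out:", high_fanout_endpoints(stats))
    print("per client:", downstream_per_client())
```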


2-2 Summary of Security Topics − ❹ Other Issues

50

Worldw

ide Cybersecurity C

ases

2

Page 51: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

*1 EV allows the Chrome browser to show owner information of the website next to the padlock icon in the address bar.

EV-certified web addressURL: https://www.theregister.co.uk/2017/03/24/google_slaps_symantec_for_sloppy_

certs_slow_show_of_snafus/

Response by DigiCert Executive Vice President Jeremy RowleyURL: https://groups.google.com/forum/#!topic/mozilla.

dev.security.policy/5qazX5vWaWU

Statement by StartComURL: https://www.startcomca.com/index/News/newDetail?date=

20171116

(1) Distrust of Symantec certificates●Google proposed distrusting certificates issued by Symantec on Chrome.・On March 24, 2017, Google’s Chrome team criticized Symantec certificates and discussed measures for Chrome in its

development forum.・Google criticized Symantec for not having proper procedures to prevent mis-issuing certificates.

・Over the past several years, Symantec had mis-issued at least 30,000 certificates.・2,458 certificates were issued for domains that were never registered.

・Google proposed the following measures for handling Symantec certificates on Chrome.・The validity period of Symantec-issued certificates would be reduced for each Chrome version. Finally,

Chrome 64 would only accept certificates issued within the previous nine months.・The Extended Validation*1 status of Symantec-issued certificates would be voided.

(2) Withdrawal from certificate authority business●Several certificate authorities faced doubts about their validation process for issuing certificates. As a

result, trust in their certificates and in their business as a whole eroded. Subsequently, some companies terminated their certificate authority business.

・Certificate authority DigiCert purchased Symantec’s certificate authority business. Mozilla expressed concern about this move.・DigiCert Executive Vice President Jeremy Rowley expressed the following on November 1, 2017:

・Symantec’s certificate authority infrastructure will not be used for TLS certificate validation and issuing.・DigiCert staff will be trained on issuing TLS certificates.

・Mozilla and Google expressed concern that Symantec and its partner companies did not carry out sufficient validation when issuing TLS certificates.

・On October 31, 2017, Mozilla issued a statement expressing concern that after DigiCert’s purchase of Symantec, issuance of certificates would still continue with Symantec’s infrastructure and personnel, resulting in the recur-rence of the problem.

・Chinese certificate authority “StartCom” announced that it would stop issuing new certificates by the end of December 2017, and end its business in 2020.・Startcom’s schedule until termination of business is as follows:

・December 31, 2017: End issuance of new certificates・January 1, 2018: Provide only validation of already issued certificates・January 1, 2020: Revoke all issued certificates

・StartCom stated that it could not recover from the distrust of its company and new company “WoSign.”・In September 2016, Mozilla began to distrust newly issued certificates from WoSign and StartCom because

WoSign issued improper certificates for GitHub. ・In 2017, Google and Apple also took action to distrust certificates from WoSign and StartCom.

*1 A technique for building an application by combining a number of small services

Websites using SR scripts (partial list) URL: https://webtransparency.cs.princeton.edu/

no_boundaries/session_replay_sites.html

Example of microservice architectureURL: https://medium.com/netflix-techblog/starting-the-avalanche-

640e69b14a06

New Threats

(1) Spread of combosquatting(2) Session replay(3) DDoS attack against microservice architectures(4) Online alternation of voter information(5) Services for disseminating disinformation online

(1) Spread of combosquatting●Combosquatting attacks have been growing annually. These attacks phish users by connecting several

words into a domain name. Current security measures are seen as unable to cope.・Georgia Institute of Technology researchers reported the results of a

large-scale empirical study of combosquatting at the 2017 ACM Conference on Computer and Communications Security (CCS)・The researchers collected and examined more than 468 billion

DNS records requested by users through six years from 2011.・They discovered 2.7 million combosquatting domains masquer-

ading as 268 legitimate domains.・The number of combosquatting domains has increased annually.

Combosquatting domains are now 100 times more prevalent than typosquatting domains.

・About 60% of combosquatting domains have been operating for more than three years.

(2) Session replay●Visitors to websites that capture “session replay” (SR) face the risk of exposing sensitive information.・SR is a method of collecting the actions of visitors to a website for the

purpose of collecting marketing information.・Site visitors’ actions such as key input and mouse movements are

collected.・On November 15, 2017, U.S. Princeton University released its study of the

current state of SR.・It studied seven SR vendors (including Yandex, FullStory, and Hotjar).・SR was used in 482 of the top 50,000 sites ranked by Alexa.・Observed threats:

・Recorded data are sent to external servers.・Recorded data include sensitive information.・Rendered site contents are also collected.・When data is collected, https communication is used. Howev-

er, when delivering playbacks, http communication is used.

Squatting typeDomain name

Original TyposquattingHomophone-basedBitsquattingHomophone-basedCombosquatting

youtube[.]comyoutubee[.]comyewtube[.]comyoutubg[.]comY0UTUBE[.]comyoutube-login.com

(3) DDoS attack against microservice architectures
●Netflix revealed an effective DDoS attack technique against applications. The attack exploits the nature of microservice architectures.*1
・At DEF CON 25, Netflix presented a technique for applying DDoS attacks against microservice-architected Web applications.
・In a microservice architecture, a single request to a gateway API amplifies into several thousand microservice requests at the middle tier and backend tier.
・By identifying API calls with a high load that request a great number of microservices and attacking with these API calls, it is possible to overwhelm the middle tier and deny all services that depend on that tier.
・As a case study, Netflix conducted two different attacks over two five-minute periods. The attacks resulted in an 80% API gateway error rate.
・Because the amount of API request amplification is not visible at the edge tier’s web application firewall (WAF), detecting an attack is difficult.
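The last bullet is the defender's problem: a per-request limiter at the edge cannot tell a cheap call from one that fans out into thousands of backend requests. The following is an added example, not code from the NTT report or from Netflix's presentation, showing a gateway limiter that charges each request its downstream fan-out instead of counting requests, so the budget is expressed in backend calls per second. The endpoint paths, the fan-out figures in `FANOUT` and the budgets are assumed values.

```python
# Added example (not from the NTT report or Netflix): a gateway limiter that
# spends its budget in downstream microservice calls rather than requests.
# FANOUT values, endpoint names and budgets are assumed for illustration.
from collections import defaultdict

# Assumed fan-out table: middle-tier/backend calls triggered per gateway request.
FANOUT = {"/v1/home": 1200, "/v1/search": 350, "/v1/ping": 1}
DEFAULT_FANOUT = 50  # assumed cost for an endpoint missing from the table


def amplification(path):
    """Downstream microservice calls caused by one request to `path`."""
    return FANOUT.get(path, DEFAULT_FANOUT)


class TokenBucket:
    """Token bucket whose tokens are spent in units of `cost`."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.tokens = float(capacity)
        self.last = 0.0

    def take(self, cost, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class GatewayLimiter:
    """Per-client limiter. weighted=False counts requests, which is all an
    edge WAF sees; weighted=True charges each request its fan-out, so the
    budget is a number of downstream calls per second."""

    def __init__(self, budget_per_sec, weighted):
        self.weighted = weighted
        self.buckets = defaultdict(lambda: TokenBucket(budget_per_sec, budget_per_sec))

    def allow(self, client, path, now=0.0):
        cost = amplification(path) if self.weighted else 1
        return self.buckets[client].take(cost, now)


def replay(limiter, client, path, count, now=0.0):
    """Fire `count` requests at one instant; return
    (requests admitted, downstream calls those requests generate)."""
    admitted = sum(1 for _ in range(count) if limiter.allow(client, path, now))
    return admitted, admitted * amplification(path)


if __name__ == "__main__":
    # 100 requests/s looks harmless at the edge but fans out to 120,000 calls.
    print(replay(GatewayLimiter(100, weighted=False), "c1", "/v1/home", 100))
    # A 20,000 downstream-calls/s budget admits only 16 of the same requests.
    print(replay(GatewayLimiter(20000, weighted=True), "c1", "/v1/home", 100))
```

The fan-out table is the piece the edge normally lacks; in practice it would be derived from tracing data per endpoint and refreshed as services change, and the same weights can drive alerting (downstream calls admitted per client per minute) rather than only enforcement.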

Comparison of squatting types (caption of the squatting-type table above)

2-2 Summary of Security Topics − ❹ Other Issues


(4) Online alteration of voter information
●A research study revealed the cost of attacks that use personal information to alter voter registration and the effect of such an attack on elections. Personal information was obtained from the dark web and data brokers.*2
・On September 6, 2017, researchers at Harvard University described the practicality of attacks that alter voter registration in U.S. states by impersonating the voters online.
・In 35 states and Washington, D.C., voter registration could be changed online.
・To change voter information, the information needed to confirm the voter’s identity differs depending on the state. Many states use a combination of name, date of birth, address, social security number, and driver’s license number.
・This personal information can be obtained from government agencies (election offices), data brokers, and markets on the dark web for free or for a fee.
・It is possible to invalidate voting by deleting voter registration or changing voters’ addresses, and to cast absentee votes by impersonating voters.
・The researchers calculated the time and cost needed to write programs to defeat CAPTCHA in voter registration websites and alter voter information in each state.
・The researchers assumed changing just 1% of voter registrations nationwide could have a big impact on election results.
・They calculated that the total cost of changing 1% of voter registrations in the 35 states and Washington, D.C., ranged from $10,081 to $24,926 depending on the data sources used (government agencies / data brokers / dark web).
・The cost of changing 1% of voter registrations in a single state ranged from just 1 USD in Alaska to 1,020 USD in Illinois.
・To prevent alteration of voter registration, the researchers recommend the following measures:
  ・When a voter registration record is changed, have it reviewed by a public agency.
  ・Log visitors to voter registration sites. Prevent the same user from changing multiple voter registrations.
  ・Maintain change histories on the voter registration website. If fraudulent operations are detected, return the voter registration to its original version.

*2 Companies that collect and sell consumer information. Also called list brokers.

States that allow users to change their voter registration online (indicated by yellow color). URL: https://techscience.org/a/2017090601/
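The three recommended measures map directly onto a small piece of server-side logic. The following is an added example, not code from the NTT report or from the Harvard study: a registration change ledger that records the visitor with every change, refuses a visitor that tries to alter a second registration, and keeps an append-only history so that changes later judged fraudulent by an agency review can be reverted. The voter ids, record fields, visitor identifier and the one-registration-per-visitor policy are all constructed assumptions.

```python
# Added example (not from the NTT report or the Harvard study): a toy
# voter-registration change ledger implementing the three recommendations
# above. Records, ids and the per-visitor policy are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass

MAX_REGISTRATIONS_PER_VISITOR = 1  # assumed policy: one visitor, one record


@dataclass(frozen=True)
class Change:
    seq: int
    visitor: str      # logged per change, e.g. session id plus client address
    voter_id: str
    before: dict
    after: dict


class RegistrationLedger:
    def __init__(self, records):
        self.records = {vid: dict(r) for vid, r in records.items()}
        self.history = []                 # append-only change history
        self.touched = defaultdict(set)   # visitor -> voter ids it changed
        self.reverted = set()             # seq numbers already undone

    def change(self, visitor, voter_id, updates):
        """Apply an online change. Returns False when the voter is unknown or
        the visitor has already changed a different registration."""
        if voter_id not in self.records:
            return False
        others = self.touched[visitor] - {voter_id}
        if len(others) >= MAX_REGISTRATIONS_PER_VISITOR:
            return False
        before = dict(self.records[voter_id])
        self.records[voter_id].update(updates)
        self.history.append(Change(len(self.history), visitor, voter_id,
                                   before, dict(self.records[voter_id])))
        self.touched[visitor].add(voter_id)
        return True

    def changes_by(self, visitor):
        return [c for c in self.history if c.visitor == visitor]

    def revert(self, visitor):
        """Undo every change by `visitor`, newest first, appending the
        reversal to the history; this is the 'return to original version'
        step after an agency review flags the operations as fraudulent."""
        undone = 0
        for c in reversed(self.changes_by(visitor)):
            if c.seq in self.reverted:
                continue
            self.records[c.voter_id] = dict(c.before)
            self.history.append(Change(len(self.history), "agency-review",
                                       c.voter_id, dict(c.after), dict(c.before)))
            self.reverted.add(c.seq)
            undone += 1
        return undone


def demo():
    """Constructed walk-through: one visitor changes a record, is refused a
    second one, and is later reverted by review. Returns the final records."""
    ledger = RegistrationLedger({
        "V-001": {"address": "1 Main St", "status": "active"},
        "V-002": {"address": "9 Elm St", "status": "active"},
    })
    ledger.change("sess-abc", "V-001", {"address": "55 Other Rd"})
    ledger.change("sess-abc", "V-002", {"status": "deleted"})   # refused
    ledger.revert("sess-abc")
    return ledger.records


if __name__ == "__main__":
    print(demo())
```

The ledger keeps the reversal itself as a history entry rather than deleting anything, so the audit trail shows both the fraudulent change and who undid it.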

(5) Services for disseminating disinformation online
●As information manipulators disseminate fake news online and post using fake SNS accounts, a business model for information manipulation is emerging on the black market.
・Twitter accounts belonging to a Russian “troll factory” were discovered.
  ・As investigations of Russian intervention in the U.S. presidential election proceeded, on November 1, 2017, the U.S. House Intelligence Committee released a list of 2,752 closed fake Twitter accounts believed to be used by an online troll factory in Saint Petersburg.
  ・The accounts were used to spread fake news and extremist views. Many posts were taken up by the media as the “voice of netizens” and affected election campaigns.
  ・Included was the account of “Jenna Abrams,” an alt-right female persona who had 70,000 followers.
  ・In addition, the fake Twitter accounts included those that masqueraded as local media accounts, accounts purporting to belong to officials of the Trump and Clinton campaigns and the Republican and Democratic Parties, and accounts of personas of human rights activists calling out racial discrimination.
・Growth of services spreading disinformation on the dark web
  ・On November 16, 2017, Digital Shadows released a report on the establishment of a business model on the black market for disinformation services.
  ・The report separates a disinformation campaign, such as manipulating the exchange rate of cryptocurrencies and inflating or deflating a product price, into three stages.
    ・Creation: Disinformation content is created by 1) creating fake content that looks like content produced by a news site or company website, or 2) compromising a real website or SNS account.
    ・Publication: The disinformation service publishes the created disinformation online. Disinformation services also provide tools for managing bots, which post in great volume.
    ・Circulation: Disinformation content is spread by retweeting it on Twitter, “Liking” it on Facebook, posting reviews about it, and buying online ads to promote it.

Online voter registration website. URL: https://spectrum.ieee.org/tech-talk/telecom/security/new-report-suggests-its-surprisingly-easy-to-tamper-with-online-voter-registration-rolls
Released list of fake accounts. URL: https://democrats-intelligence.house.gov/uploadedfiles/exhibit_b.pdf
Disinformation campaign. URL: https://www.digitalshadows.com/blog-and-research/fake-news-is-more-than-a-political-battlecry/

Summary of Cases: Other Issues
・Many vendors scrambled to address vulnerabilities revealed by the Vault 7 leaks.
・Data breaches due to configuration mistakes on services like AWS drew attention. Cases of heavy damage to companies due to incidents caused by contractors were reported.
・Technologies and services used by children drew concern for excessively collecting personal information.
・Digital certificates, which support trust in ICT technologies, themselves lost trust.
・Threats against new forms of services and threats against elections became major issues.


3 NTT-CERT and NTT Group Activities
Chapter 3 reports on NTT-CERT activities in fiscal year 2017, focusing on responses to security incidents and countermeasure cases. The activities in other organizations and the collection and analysis of vulnerability data are also reported.

3-1 CONCERT - Center of NTT-CERT
・CONCERT is a new NTT-CERT activity center established in February 2018 to increase the efficiency of incident response and improve data collection and analysis. CONCERT aims to achieve those goals by bringing various teams that are based in different buildings together in a single location, thus strengthening inter-team cooperation. The name ‘CONCERT’ refers to cooperative attitude and cooperative ability and is derived from such concepts.
・CONCERT occupies about 1,000 m² of area and has rooms designed specifically for the characteristics of the teams. There is a tight security policy that includes controlled entry and surveillance cameras, etc.

(Photos: CONCERT entrance; Inside CONCERT; Special-purpose room 1; Visitors room; Special-purpose room 2)


3-2 State of Inquiries and Responses

(Figure: monthly numbers of inquiries and responses handled by NTT-CERT in fiscal year 2017, April through March, stacked by category: ■ Security alerts ■ Handling of pre-publication vulnerabilities ■ Incident handling ■ Technical inquiries ■ Investigation, data gathering. Vertical axis 0 to 100 cases per month; the individual bar values are not recoverable from this copy.)

3-3 Examples of Incidents Handled
❶ Public Monitoring in FY2017

Summary
NTT-CERT does daily public monitoring for information on cyberattacks on NTT Group companies and information related to harmful rumors. Particularly for dates on which major historical events occurred and for events that attract major international attention (world summits and Olympics, etc.), the system is strengthened and public monitoring is performed. The cases for which NTT-CERT put such a special monitoring system in place in fiscal year 2017 are listed in the table below.*
* Excludes cases of individually-requested public monitoring

Public monitoring by NTT-CERT in fiscal year 2017
Time                  Event
June 2017             NTT Ordinary General Meeting of Shareholders
August 2017           August 15, War Memorial Day
September 2017        September 18, date of the Manchurian Incident
November 2017         U.S. President Donald Trump’s visit to Japan
December 2017         December 13, date of the Nanjing Incident
February 2018         February 22, Takeshima Day
February-March 2018   Pyeongchang Winter Olympics and Winter Paralympic Games
March 2018            March 1st Movement

Results of Public Monitoring in FY2017
The results of special public monitoring performed by NTT-CERT in fiscal year 2017 confirmed no information (advance notice) of attacks targeting NTT Group companies, etc. There was also no confirmation of damaging information, etc. appearing in Japan. Concerning the Manchurian Incident anniversary on September 18 in particular, NTT-CERT confirmed many cases of information warning of attack and actual damaging incidents such as website defacement in the period from 2012 to 2014, but the cases decreased beginning in fiscal year 2015 and no apparent incidents of attack or damage were confirmed. The same was true for fiscal year 2017. Political and historical acts such as the Japanese Prime Minister’s visit to the Yasukuni shrine are provocative to neighboring countries and cyberattacks tend to increase correspondingly, but there have been few acts related to the deterioration in relationships with nearby countries in recent years, so we believe there are also few cyberattacks.

[Reference] Main events associated with the Manchurian incident in the past
Main events concerning public monitoring for the September 18 Manchurian Incident handled by NTT-CERT in the past
Fiscal year   Events
2012          A target list of over 100 government, financial, infrastructure and educational organizations was posted by the Chinese Hongke Union hacktivist group and on the Baidu bulletin board service, etc. Although NTT was on the list, the NTT Group was fortunately not affected. NTT-CERT confirmed 20 incidents of defaced websites affecting other organizations.
2013          On the morning of September 18, numerous reports of website defacing affecting many websites in Japan were posted on the defacing report site ‘zone-h’, on ‘hack-cn’, and on the site of the 1937cn hacker group. The reports continued through the next day, September 19. About 30 of the total of 90 reported cases were confirmed by NTT-CERT.
2014          As in fiscal year 2013, about 130 reports of defacing affecting Japanese websites were posted on zone-h and other such places on September 18 and 19. The reason is not known, but this year was remarkable for the defacing of sites related to building contractors’ offices.
2015          On September 18, posts purporting attacks on the Japanese Ministry of Defense and the Yasukuni Shrine and calls for DDoS attacks appeared on the Hongke Union site and Baidu. The URL given for Yasukuni Shrine was not the URL for the regular site. Access remained normal for both the MoD and Yasukuni.

[Reference] Past damage cases
(Photos: Target list posted on the Hongke bulletin board (2012); Actual website defacing damage case 1 (2014); Actual website defacing damage case 2 (2014))

●Main topics (timeline from April 2017 to March 2018)
・May: Worldwide spread of WannaCry
・May: OS command injection vulnerability in WordPress
・June – July: Worldwide spread of Petya variants
・July: Vulnerability in the use of the Struts1 plug-in in Apache Struts2
・August: Internet connection failures due to misrouting
・September: Vulnerability in the Apache Struts2 REST plug-in environment
・October: Vulnerability in environments that accept the Tomcat HTTP PUT request
・December: Oracle WebLogic Server vulnerability
・January: Spectre/Meltdown CPU vulnerability
・February – March: Pyeongchang Winter Olympics and Pyeongchang Winter Paralympic Games


❷ Infection Spread of the WannaCry Ransomware

Summary
・The “WannaCry” ransomware* caused damage around the world, beginning on May 12, 2017.
・There was damage in Japan too, and the NTT Group also detected infections by WannaCry (including variants).
NTT-CERT provided incident response support, including examination and log analysis of terminals suspected of infection and provision of information.
* Ransomware: A kind of malware that makes it impossible to use a terminal by encrypting files or locking computer operations and then demanding a “ransom” to restore the terminal to its original state.

What is WannaCry?
・A type of ransomware. The program searches for vulnerable computers by remote access from computers that are directly connected to the Internet or from infected terminals, in order to spread the infection.
・Upon infection, files are encrypted and a screen that presents a demand for ransom is displayed.
・NSA (U.S. National Security Agency) hacking tools called “DoublePulsar” (a backdoor tool) and “EternalBlue” (an exploit tool) were used. The tools had been published by a hacker group called “Shadow Brokers”. EternalBlue used vulnerabilities of Windows SMBv1 (MS17-010 and CVE-2017-0145).
・In Japan, damage to major infrastructure enterprises and manufacturers as well as to the NTT Group was confirmed.
(Photos: The WannaCry ransom demand screen; Files encrypted by WannaCry)

Infection Mechanism
(Figure: WannaCry infection mechanism, showing the Internet, sites damaged, an infected terminal, a carried-in terminal, mssecsvc.exe and the mssecsvc 2.0 service; the numbered steps below refer to the figure.)
(1) An attack is made by EternalBlue exploiting an MS17-010 vulnerability.
(2) The DoublePulsar backdoor is delivered and used to create an mssecsvc.exe file.
(3) mssecsvc.exe creates tasksch.exe (an executable for encryption).
(4) If an attempt to connect to the kill switch fails, operation continues.
(5) To spread the infection, mssecsvc.exe runs the mssecsvc 2.0 service and then restarts itself.
(6) If a search to discover a terminal that can communicate on TCP port 445 succeeds, the discovered machine is infected as described in step 1.
(7) tasksch.exe encrypts each file in the infected terminal and displays a ransom demand on the desktop.

Infection Detection
●Check the communication logs
・DNS query log: Presence of a connection to the kill switch* (some variants do not connect to the kill switch)
・Firewall log: Presence of a suspicious connection to TCP port 445 from the Internet or the company intranet
●Scan and confirm relevant files
・Check for processes and operation of the mssecsvc.exe executable
・Check the event log for the operating status of relevant services
* What is the WannaCry kill switch? This is the condition for halting operation of WannaCry itself. When connection to a domain that has been set is successful, WannaCry stops file encryption and display of the ransom screen.

Countermeasures
●Countermeasures that can be performed on the terminal
・Apply the MS17-010 security patch.
・Disable TCP port 445.
・Update to the most recent pattern file for the anti-virus software.
●Countermeasures that can be implemented in the corporate network environment
・Block suspicious connections to TCP port 445 with the firewall.
・Periodically back up data to equipment that is not always connected to the network.
・Appropriately separate network segments.
●Countermeasures that can be implemented by the corporate organization
・Thorough management and understanding of IT assets
・Management of security updates
・Management of anti-virus products
・Management of carried-in computers and USB devices
・Advance preparation of incident response procedures and in-house escalation
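The two log checks listed under “Check the communication logs” are easy to automate and, taken together, line up with steps (4) to (6) of the infection flow: a host that queries the kill-switch domain and then contacts many intranet peers on TCP port 445 is behaving like the worm. The following is an added example, not code from the NTT report: it runs both checks over constructed DNS and firewall log lines and correlates the results per host. The log line format, the intranet address ranges, the sweep threshold and the kill-switch placeholder domain are all assumptions; the real kill-switch domains are not reproduced here and would come from a threat-intelligence feed.

```python
# Added example (not from the NTT report): the DNS and firewall log checks
# from the detection section, run over constructed sample log lines.
# Log format, intranet ranges, threshold and the placeholder domain are assumed.
import ipaddress
import re
from collections import defaultdict

# PLACEHOLDER: populate with the real kill-switch domains from your intel feed.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Assumed corporate intranet ranges (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SWEEP_THRESHOLD = 10  # assumed: distinct internal peers on 445 that count as a sweep

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<src>[\d.]+) query=(?P<qname>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def kill_switch_queries(dns_lines):
    """(client, qname) for every query of a kill-switch domain. A hit means
    the host has already executed the sample (step 4 of the infection flow)."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line.strip())
        if m and m["qname"].rstrip(".").lower() in KILL_SWITCH_DOMAINS:
            hits.append((m["src"], m["qname"]))
    return hits


def port445_findings(fw_lines):
    """Inbound TCP/445 from outside the intranet, plus internal hosts that
    reach many internal peers on 445 (the step-6 search for new victims)."""
    findings = []
    peers = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.match(line.strip())
        if not m or m["proto"] != "tcp" or m["dport"] != "445":
            continue
        src, dst = m["src"], m["dst"]
        if not is_internal(src):
            findings.append(("inbound_445_from_internet", src, dst))
        elif is_internal(dst):
            peers[src].add(dst)
    for src, dsts in peers.items():
        if len(dsts) >= SWEEP_THRESHOLD:
            findings.append(("internal_445_sweep", src, len(dsts)))
    return findings


def correlate(dns_lines, fw_lines):
    """Hosts that both queried the kill switch and swept port 445."""
    dns_hosts = {src for src, _ in kill_switch_queries(dns_lines)}
    sweep_hosts = {src for kind, src, _ in port445_findings(fw_lines)
                   if kind == "internal_445_sweep"}
    return sorted(dns_hosts & sweep_hosts)


# Constructed sample logs: 10.0.0.12 is hit from the Internet on 445, queries
# the placeholder kill-switch domain, then contacts twelve intranet hosts on 445.
SAMPLE_DNS_LOG = [
    "2017-05-12T10:01:02Z client=10.0.0.12 query=killswitch-placeholder.example",
    "2017-05-12T10:01:05Z client=10.0.0.3 query=www.example.com",
    "2017-05-12T10:02:10Z client=10.0.0.12 query=update.example.net",
]
SAMPLE_FW_LOG = [
    "2017-05-12T09:58:00Z proto=tcp src=203.0.113.5 dst=10.0.0.12 dport=445 action=allow",
    "2017-05-12T09:59:00Z proto=tcp src=10.0.0.3 dst=10.0.0.50 dport=445 action=allow",
    "2017-05-12T09:59:30Z proto=tcp src=10.0.0.3 dst=198.51.100.7 dport=443 action=allow",
] + [
    f"2017-05-12T10:03:{i:02d}Z proto=tcp src=10.0.0.12 dst=10.0.0.{20 + i} dport=445 action=allow"
    for i in range(12)
]

if __name__ == "__main__":
    print(kill_switch_queries(SAMPLE_DNS_LOG))
    print(port445_findings(SAMPLE_FW_LOG))
    print(correlate(SAMPLE_DNS_LOG, SAMPLE_FW_LOG))
```

Because some variants skip the kill-switch lookup, the port 445 sweep check has to stand on its own; the correlation only raises the confidence of a hit, it is not a precondition for alerting.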

3-3 Examples of Incidents Handled − ❷ Infection Spread of the WannaCry Ransomware

(4)

(2)

58

NTT-C

ERT and N

TT Group A

ctivities

3

Page 59: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

* Ransomware: A kind of malware that makes it impossible to use a terminal by encrypting files or locking computer operations and then demanding a “ransom” to restore the terminal to its original state.

Summary

・The “WannaCry” ransomware caused damage around the world, beginning on May 12, 2017.・There was damage in Japan too, and the NTT Group also detected infections by WannaCry (* including variants).

NTT-CERT provided incident response support, including examination and log analysis of terminals suspected of infection and provision of information.

❷ Infection Spread of the WannaCry Ransomware

The WannaCry ransom demand screen

WannaCry infection mechanism

Files encrypted by WannaCry

What is WannaCry?

Infection Mechanism

・A type of ransomware. The program searches for vulnerable computers by remote access from computers that are directly connected to the Internet or infected terminals to spread the infection.

・Upon infection, files are encrypted and a screen that presents a demand for ransom is displayed.・NSA (U.S. National Security Agency) hacking tools called “DoublePulsar (backdoor tool)” and “EternalBlue (exploit

tool)” were used. The tools had been published by a hacker group called “Shadow Brokers”. EternalBlue used vulnera-bilities of Windows SMBv1 (MS17-010 and CVE-2017-0145).

・In Japan, damage to major infrastructure enterprises and manufacturers as well as to the NTT Group was confirmed.

(1) An attack is made by EternalBlue exploiting a MS17-010 vulnerability.(2) The DoublePulsar backdoor is delivered and used to create an mssecsvc.exe file.(3) mssecsvc.exe creates tasksch.exe (an executable for encryption).(4) If an attempt to connect to the kill switch fails, operation continues.(5) To spread the infection, mssecsvc.exe runs the mssecsvc 2.0 service and then restarts itself.(6) If a search to discover a terminal that can communicate on the TCP port 445 succeeds, the discovered

machine is infected as described in step 1.(7) tasksch.exe encrypts each file in the infected terminal and displays a ransom demand on the desktop.

Sites damaged

Infected terminal

Carried-in terminal

mssecsvc.exe mssecsvc 2.0 service

(1)

(5)

(7)(3)

(6)

Internet

Infection Detection

●Check the communication logs
・DNS query log: Presence of a connection to the kill switch* (some variants do not connect to the kill switch)
・Firewall log: Presence of a suspicious connection to TCP port 445 from the Internet or the company intranet

●Scan and confirm relevant files
・Check for processes and operation of the mssecsvc.exe executable
・Check the event log for the operating status of relevant services

*What is the WannaCry kill switch? This is the condition for halting operation of WannaCry itself. When connection to a domain that has been set is successful, WannaCry stops file encryption and display of the ransom screen.

Countermeasures

●Countermeasures that can be performed on the terminal
・Apply the MS17-010 security patch.
・Disable the TCP 445 port.
・Update to the most recent pattern file for the anti-virus software.

●Countermeasures that can be implemented in the corporate network environment
・Block suspicious connections to the TCP 445 port with the firewall.
・Periodic data back-up to equipment that is not always connected to the network.
・Appropriate separation of network segments.

●Countermeasures that can be implemented by corporate organization
・Thorough management and understanding of IT assets
・Management of security updates
・Management of anti-virus products
・Management of carried-in computers and USB devices
・Advance preparation of incident response procedures and in-house escalation
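The two log checks above (kill-switch lookups in the DNS query log, TCP 445 connections in the firewall log) can be scripted so that hosts showing more than one indicator are examined first. The following is an added example written for this report's readers, not code from NTT-CERT; the log formats, the internal address ranges and the kill-switch domain are all assumptions (the domain is a placeholder, and some variants never contact it, so a missing lookup is not a clean bill of health). The sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample logs (not taken from the report). The kill-switch domain is a
# placeholder: substitute the indicator published for the variant you are hunting.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}          # placeholder value
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

DNS_LOG = """\
2017-05-12T10:01:02Z client=10.0.5.21 query=A name=intranet.example.local
2017-05-12T10:03:44Z client=10.0.5.37 query=A name=killswitch-domain.example
2017-05-12T10:03:50Z client=10.0.5.37 query=A name=update.example.com
"""

FW_LOG = """\
2017-05-12T10:02:11Z action=ALLOW proto=TCP src=203.0.113.9 dst=10.0.5.37 dport=445
2017-05-12T10:04:01Z action=ALLOW proto=TCP src=10.0.5.37 dst=10.0.5.40 dport=445
2017-05-12T10:04:02Z action=ALLOW proto=TCP src=10.0.5.37 dst=10.0.5.41 dport=445
2017-05-12T10:04:02Z action=ALLOW proto=TCP src=10.0.5.37 dst=10.0.5.42 dport=445
2017-05-12T10:05:00Z action=ALLOW proto=TCP src=10.0.5.21 dst=10.0.7.2 dport=443
"""

DNS_RE = re.compile(r"client=(?P<client>\S+) query=\S+ name=(?P<name>\S+)")
FW_RE = re.compile(r"action=(?P<action>\S+) proto=(?P<proto>\S+) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def kill_switch_lookups(dns_log):
    """Hosts that resolved a kill-switch domain (step 4 of the chain). A lookup
    shows the sample ran; it does not by itself say whether encryption followed."""
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group("name").rstrip(".").lower() in KILL_SWITCH_DOMAINS:
            hits.append(m.group("client"))
    return hits


def smb_445_findings(fw_log, scan_threshold=3):
    """Allowed TCP/445 from outside the company networks, plus internal hosts that
    reached scan_threshold or more distinct internal peers on 445 (step 6)."""
    from_internet = []
    peers = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.search(line)
        if not m or (m.group("proto"), m.group("dport"), m.group("action")) != ("TCP", "445", "ALLOW"):
            continue
        src, dst = m.group("src"), m.group("dst")
        if not is_internal(src):
            from_internet.append((src, dst))
        elif is_internal(dst):
            peers[src].add(dst)
    spreaders = sorted(h for h, d in peers.items() if len(d) >= scan_threshold)
    return {"from_internet": from_internet, "internal_spreaders": spreaders}


def triage(dns_log, fw_log):
    """Rank hosts by how many independent indicators point at them."""
    ks = set(kill_switch_lookups(dns_log))
    smb = smb_445_findings(fw_log)
    exposed = {dst for _, dst in smb["from_internet"]}
    suspects = ks | set(smb["internal_spreaders"]) | exposed
    score = {h: int(h in ks) + int(h in smb["internal_spreaders"]) + int(h in exposed)
             for h in suspects}
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host, n in triage(DNS_LOG, FW_LOG):
        print(f"{host}: {n} indicator(s); check mssecsvc.exe / tasksch.exe on this host")
```

The ranked list is the starting point for the file checks in the next bullet group (processes, the mssecsvc 2.0 service in the event log); in the constructed sample, 10.0.5.37 was reached on 445 from the Internet, resolved the kill-switch domain, and then touched three internal peers on 445, so it scores on all three indicators.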

3-3 Examples of Incidents Handled − ❷ Infection Spread of the WannaCry Ransomware



❸ Attacks on Supply Chains that use IoT

Background

・IoT devices are ranked by IPA in “10 Major Data Security Threats in 2018”, and the threat to IoT devices is growing year by year. This situation requires even greater attention going forward.
　・Ranked 9th for “Individuals” is “Improper management of IoT devices”.
　・Ranked 7th for “Organizations” is “Manifestation of IoT device vulnerabilities”.
・NTT-CERT has also dealt with some inquiries concerning “IoT devices”. Of those, cases that have recently attracted attention and can be considered supply-chain attacks are described.

Summary

●Flow of events leading to the request

A forensics request was sent to NTT-CERT for investigation of malware behavior and a disinfection method.

[Figure: the test environment of company A (IoT device X and a DNS server) and the customer environment (IoT device Y behind a firewall and multiple network devices), both connected to the Internet; the labels (1) High traffic volume, (2) Change settings, (3) Suspicious DNS query, (4) Suspicious files present; disconnect from the network, and (5) Disconnect from the network correspond to the steps below.]

(1) A large amount of traffic to the DNS server was detected in the test environment of company A.
(2) Because the traffic was from IoT device X, the situation was handled by temporarily changing settings on the IoT device itself.
(3) At a later time, suspicious DNS queries from IoT device Y* in a different environment were detected.
(4) Checking revealed multiple suspicious files, so the device was physically disconnected from the network.
(5) IoT device X, which is related to IoT device Y, was also physically disconnected from the network.

* IoT devices X and Y are the same type of device. OS, library, and various types of files were copied and used.

●Analysis results

Malware functions
・A function for DNS communication with Google DNS servers (8.8.8.8 and 8.8.4.4)
・A function for killing a specified process or a function for deleting corresponding files
・A function for collecting terminal information such as the kernel name and hardware name by using the uname command
・A function for replicating itself (the malware) when the device is started up

The possibility of affecting the BIOS, host OS, or other networks was small.

・Scanning the suspicious files with multiple commercial anti-virus programs identified the presence of malware that performs a DDoS attack.
・Examination of logs for the IoT device and network device revealed that there was actual communication with dangerous sites.
・Although there was no successful communication for IoT device Y, there was successful communication for IoT device X. As far as can be known from the logs, the probability of a data breach was low, but the possibility of control from a remote location was high.
・The date of the malware and the results of a meeting point to a high probability that the malware was in the IoT device prior to delivery.
・The product was examined for the presence of malware functions other than DDoS, such as a worm for infecting other devices or a downloader function.
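The case was first noticed as an unusual volume of DNS traffic, and the malware talked to 8.8.8.8 and 8.8.4.4 directly. Both observations can be turned into a standing check on the firewall log of a device network. The following is an added example for this report's readers, not NTT-CERT's tooling: it assumes a log line format, an internal resolver address and a policy that devices may only use that resolver, so that any direct query to a public resolver is a finding on its own, independently of the rate. The log is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Policy assumptions for the example: devices may only use the internal resolver;
# 8.8.8.8 and 8.8.4.4 are the public resolvers the malware in this case used.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}
INTERNAL_RESOLVER = "10.10.0.53"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=UDP dport=53$")


def make_sample_log():
    """Constructed firewall log, not from the report: one device floods a public
    resolver, one queries the internal resolver normally, one sends a single stray query."""
    base = datetime(2018, 2, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):                                     # 2 queries/s for 60 s
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} src=10.10.1.20 dst=8.8.8.8 proto=UDP dport=53")
    for i in range(5):                                       # normal behaviour
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} src=10.10.1.30 dst={INTERNAL_RESOLVER} proto=UDP dport=53")
    t = base + timedelta(seconds=30)                         # policy violation, low rate
    lines.append(f"{t.isoformat()} src=10.10.1.31 dst=8.8.4.4 proto=UDP dport=53")
    return "\n".join(lines)


def parse_dns_log(log_text):
    """Yield (timestamp, source, destination) for UDP/53 lines; ignore anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")


def dns_findings(log_text, window_seconds=60, rate_threshold=50):
    """Two independent signals: which devices talk to public resolvers at all, and
    which devices exceed rate_threshold queries in any window. Devices that hit
    both are the ones to disconnect first, as was done with device X in the case."""
    public_clients = Counter()
    per_window = defaultdict(Counter)
    for ts, src, dst in parse_dns_log(log_text):
        if dst in PUBLIC_RESOLVERS:
            public_clients[src] += 1
        bucket = int(ts.timestamp() // window_seconds)
        per_window[src][bucket] += 1
    high_rate = {src: max(b.values()) for src, b in per_window.items()
                 if max(b.values()) >= rate_threshold}
    return {
        "public_resolver_clients": dict(public_clients),
        "high_rate_clients": high_rate,
        "isolate_first": sorted(set(public_clients) & set(high_rate)),
    }


if __name__ == "__main__":
    for key, value in dns_findings(make_sample_log()).items():
        print(f"{key}: {value}")
```

The same check is what the recovery section below relies on when it requires that "communication with the DNS servers (8.8.8.8 and 8.8.4.4) is not possible" for device Y: after cleaning, the device must no longer appear under public_resolver_clients at all.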

Impact, Recovery, and Countermeasures

●Impact

[Figure: supply-chain flow of the infected installer. The subcontractor's installer (virus infection) goes to vendor B, where it is installed in the IoT device and copied to multiple other IoT devices; the devices are delivered to company A's test environment, the customer environment, an XX environment, another closed network, and storage. The scope of the investigation covers the IoT devices X and Y.]

・Subsequent investigation revealed that the malware was originally present in the installer program itself.
・The cause of infection was presumed to be a connection test on an ordinary line performed by a subcontractor prior to delivery, when no security measures had been implemented for the device.
・It appears that the opportunity for infection occurred because virus checks were not performed at the time of delivery between companies.
・Because company A copied the installer to multiple IoT devices after delivery, multiple environments were considered to be affected in addition to the IoT devices X and Y at the time of discovery.

●Recovery process

The recovery process described below is presented as a recommendation by NTT-CERT. The effectiveness and results of this process are confirmed with the requester as appropriate.

・Removal of malware by using antivirus software on the multiple IoT devices that were targeted.
・Concerning the terminal for which external communication could not be confirmed (IoT device Y), confirm the following.
　・The malware can be removed with antivirus software.
　・Communication with the DNS servers (8.8.8.8 and 8.8.4.4) is not possible.
　・If the above conditions cannot be satisfied, rebuild the operating system itself.
・For the terminal for which external communication could be confirmed (IoT device X), the following measures are planned.
　・Rebuild the OS itself or purchase a new device.
　・Perform a full scan with antivirus software to check for problems.

●Countermeasures

This is a kind of supply chain attack targeting IoT devices. In consideration of future attacks, a risk assessment with reference to the measures described below is recommended for each developer/supplier and user. Checking the guidelines published by the Ministry of Internal Affairs and Communications* is also recommended.

Developer/supplier
・Develop in an environment that implements security measures
・Check with antivirus software
・Diagnose vulnerabilities

User
・Check operation in a testing environment
・Check with antivirus software
・Diagnose vulnerabilities
・Check the security of the entire service that uses IoT devices

* IoT Security Guidelines ver. 1.0 (MIC) http://www.soumu.go.jp/main_content/000428393.pdf

3-3 Examples of Incidents Handled − ❸ Attacks on Supply Chains that use IoT


❹ An MS Office File Attached to a Suspicious Mail Message Was Opened.

Incident Summary

A suspicious email with attached file was received.

[Date] June 7, 2018
[Subject] Invoice is attached
[Body] None
[Attachment] “your invoice.xls” (when the file was opened in Excel, there was no content)

(1) An MS Office file (‘invoice.xls’) that was attached to a suspicious email with the subject “invoice attached” and no body text was saved to the terminal and opened by double-clicking. When the file was opened, a macro was enabled.

(2) The file was judged to be suspicious because there were no entries when opened in Excel and the mail message had no body text. After about five minutes, the terminal was disconnected from the network.

(3) With the terminal disconnected from the network, the antivirus software installed on the terminal was used to perform a full scan, but nothing was detected.

(4) It was unknown whether the terminal was actually infected with a virus or not, or, if it was infected, whether or not it infected other terminals. NTT-CERT was requested to perform forensics on the terminal followed by a consultation.

Results of the Forensic Investigation

(1) What happens when the macro in the attached file is enabled?
The attachment is an Excel file, and when the file is opened there is a prompt to enable a macro. When the macro is enabled, access to an illegitimate site without permission and download of banking malware (URSNIF) begins.

(2) Is the malware of the attached file necessarily detected by antivirus software?
After scanning with four types of antivirus products, only one of them detected the malware. The detected malware was W97m.Downloader. Because some products do not detect that malware, multiple products should be used for scanning.

(3) Was the terminal infected with malware?
The result of the forensic investigation was that there was no infection by the banking malware (URSNIF). The malware could be thwarted by disconnecting from the network soon after the file was opened.

●URSNIF

What is the Banking Malware URSNIF?
・Malware for theft of network banking and credit card information and unauthorized transfer of funds, etc.
・The main infection vector is a downloader in an email attachment.
・Infection happens when a macro in an Office file that downloads the malware is enabled.
Similar malware is Dreambot.

●“Don’t open suspicious mail!” is basic knowledge, but…

When a macro in an MS Office file is enabled, the malware itself is downloaded. It is possible to prevent URSNIF infection by using the Trust Center of MS Word and Excel to forcefully disable macros in those programs.

From the File menu, choose Options. In the left pane, select Trust Center and then in the right pane, click on the Trust Center Settings button. In the left pane that is then displayed, click on Macro Settings and then in the right pane, disable macros.
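The two cues that made the recipient suspicious (no body text, an Office attachment that carries a macro) can be applied at the mail gateway before a user ever double-clicks. The following is an added example, not NTT-CERT's tooling: it parses a message with Python's standard email library and applies a macro heuristic that is an assumption of this example (legacy OLE2 workbooks keep VBA under a storage named _VBA_PROJECT_CUR, with directory names stored as UTF-16LE; OOXML files keep it in a vbaProject.bin part). The sample messages and attachment bytes are constructed stand-ins, not the file from the incident, and a hit means "macro present", not "macro malicious".

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls/.ppt container
OFFICE_EXT = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def has_macro_container(data):
    """Heuristic macro check (assumption of this example, see lead-in). Legacy OLE2
    files keep VBA under a _VBA_PROJECT_CUR storage; OOXML keeps a vbaProject.bin part."""
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT_CUR".encode("utf-16-le") in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_message(raw):
    """Quarantine when an Office attachment carries a macro, or when an Office
    attachment arrives with no body text at all (the two cues from the case)."""
    msg = email.message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in OFFICE_EXT:
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": name, "macro": has_macro_container(data)})
    quarantine = any(a["macro"] for a in attachments) or (not body_text and bool(attachments))
    return {"subject": str(msg["subject"]), "empty_body": not body_text,
            "office_attachments": attachments, "quarantine": quarantine}


def build_sample_mail(attachment, filename, body=""):
    """Constructed message mirroring the case: subject only, empty body, .xls attached."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice is attached"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="vnd.ms-excel", filename=filename)
    return msg.as_bytes()


# Constructed stand-ins for a macro-bearing and a macro-free legacy workbook.
MACRO_XLS = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 64
PLAIN_XLS = OLE_MAGIC + b"\x00" * 600


if __name__ == "__main__":
    print(triage_message(build_sample_mail(MACRO_XLS, "your invoice.xls")))
    print(triage_message(build_sample_mail(PLAIN_XLS, "report.xls", body="Q1 figures attached.")))
```

The gateway rule complements, rather than replaces, the Trust Center setting described above: the scan in the case missed the downloader in three of four products, so a structural check for the macro container catches what a signature may not, while the macro policy on the endpoint stops the download even when a message gets through.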

3-3 Examples of Incidents Handled − ❹ An MS Office File Attached to a Suspicious Mail Message Was Opened.


❺ Credential Information Leak

Introduction

●Summary

Information that appears to be mail addresses and passwords was leaked.

Investigation of a report that a large amount of credential information was discovered on the dark web* revealed that about 40 GB of credential information was found on the website. Investigation of the data confirmed that the credential information of NTT Group employees was included.

* Dark web: Websites that can be accessed using particular software. Traffic can be anonymized and some websites engage in illegal transactions.

The Leaked Credential Information

The credential information that we actually obtained is available to anyone in the community. We confirmed information that is believed to be several hundreds of millions of email addresses and passwords. The NTT Group employee credential information that was included breaks down as follows.
・NTT Group companies for which leaks were confirmed: 10
・Number of NTT employee credentials: 1,065

●Features of the leaked files
・It was possible to confirm that credential information that was leaked in the past was included.
・The leaked files included a log named “impoted.log”, which made it possible to confirm the behavior of integrating many service names believed to have been leaked in the past.

[Figure: some of the actual leaked files, their file structure, and an excerpt from impoted.log. The mail addresses are sorted in alphabetical order, making them easy to exploit, and files believed to be leaked in the past can actually be confirmed with the log.]

From the above features, it can be assumed that the files that integrate details of files leaked in the past are the files that were leaked this time.

●Response

It is believed that credential information was leaked when NTT Group employees registered company information for web services, etc. This information was made widely known in the NTT Group.

Countermeasures

●Protecting your own credentials from a breach
・Do not register for unnecessary services.
・Fully confirm the safety of websites where personal information is entered.

●What to do if your own credentials are leaked
・Change your password immediately.
・If credit card information or other such information is leaked, quickly take steps to cancel.
・After an information leak, you may become a target for targeted mail, so be fully careful when checking your mail every day.
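The first job for a CSIRT handed such a dump is the one described above: find out which of its own companies' accounts are in it, so that the affected people can be told to change passwords, without spreading the passwords any further. The following is an added example for this report's readers, not NTT-CERT's procedure: it assumes the common "email:password" line format of combination lists and an organisation mail domain, and the dump is a constructed sample. The result never contains a password, only whether a password string recurs across the organisation's own accounts, which is what makes an old leak useful for credential stuffing against current services.

```python
import re
from collections import Counter

# Constructed sample of a leaked "email:password" combination list (not real data).
SAMPLE_DUMP = """\
alice@example-corp.co.jp:hunter2
bob@example-corp.co.jp:Summer2017!
carol@partner.example.com:letmein
dave@example-corp.co.jp:hunter2
erin@other.example.org:qwerty
not a valid line
frank@sub.example-corp.co.jp:P@ssw0rd
"""

OUR_DOMAINS = {"example-corp.co.jp"}   # the organisation's mail domains (assumption)

# Local part and domain may not contain ':' or whitespace; the password is everything
# after the first ':' and may itself contain ':' or '@'.
LINE_RE = re.compile(r"^(?P<email>[^:\s@]+@[^:\s@]+):(?P<password>.*)$")


def parse_combo_line(line):
    """Return (email, password) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("email").lower(), m.group("password")


def domain_of(email):
    return email.rsplit("@", 1)[1]


def belongs_to(domain, our_domains):
    """Match the domain itself and any sub-domain of it."""
    return any(domain == d or domain.endswith("." + d) for d in our_domains)


def triage_dump(dump_text, our_domains):
    """Count entries per domain and list the organisation's affected accounts.
    Passwords are counted only to flag reuse among those accounts; they are not returned."""
    per_domain = Counter()
    affected = set()
    password_counts = Counter()
    skipped = 0
    for line in dump_text.splitlines():
        parsed = parse_combo_line(line)
        if parsed is None:
            skipped += 1
            continue
        addr, password = parsed
        dom = domain_of(addr)
        per_domain[dom] += 1
        if belongs_to(dom, our_domains):
            affected.add(addr)
            password_counts[password] += 1
    reused = sum(1 for n in password_counts.values() if n > 1)
    return {
        "per_domain": dict(per_domain),
        "affected_accounts": sorted(affected),
        "reused_passwords": reused,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    result = triage_dump(SAMPLE_DUMP, OUR_DOMAINS)
    print(f"{len(result['affected_accounts'])} accounts to notify; "
          f"{result['reused_passwords']} password(s) shared between accounts")
```

On a 40 GB dump this loop runs over a file handle rather than a string, but the logic is the same; the per-domain counts are also how the "10 NTT Group companies" figure in the text is reached.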

❻ Coinhive

Summary

・Coinhive is a service that generates revenue by embedding JavaScript in a Web site to use the CPU of visitors to the site to mine the cryptocurrency Monero.

・It became known when secretly introduced to the world’s largest torrent site (The Pirate Bay) as a new monetization method. It became instantly famous when the Wi-Fi network of Starbucks in Australia was hijacked and the code injected there.

・The front page of the Coinhive website describes various applications, such as monetizing user browsing, control of access to specific content by requiring a certain amount of mining, and spam suppression by requiring mining before posting, etc.

・Although there is some talk of Coinhive being adopted in actual services, the topic has not raised much excitement, whereas the topic of the Coinhive script being embedded by tampering with major sites has drawn attention.

How Coinhive Works

・The website publisher installs the Coinhive script on their site.
・The script directs the visitor’s browser to Coinhive and retrieves the mining data.
・The browser sends the mining results to Coinhive.
・Coinhive pays a fee to the site publisher according to the amount of mining performed.

Blocking Coinhive

・Simply blocking communication to Coinhive is not enough: the block can be evaded by routing the script through a proxy, and many such proxies have actually been set up.
・Blockers that disable the script itself seem to be better.
・Can often be blocked with anti-virus software.

[Figures: “Coinhive mechanism” (the site operator or script installer installs Coinhive on the site; the site visitor’s browser receives mining instructions and returns results to Coinhive, which pays a fee to the site operator) and “Blocking Coinhive” (the same flow with a Coinhive proxy placed between the site visitor and Coinhive).]
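The contrast drawn above, a domain block versus a blocker that recognises the script itself, can be shown on page content. The following is an added example for this report's readers, not code from Coinhive or NTT-CERT: it collects the script tags of an HTML page and compares a host blocklist with a signature on the library file name and on the miner API calls the library exposes (CoinHive.Anonymous and CoinHive.User followed by start). The host list is an assumption of the example, to be maintained from threat intelligence, and the three sample pages are constructed, with a placeholder where a site key would go.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the library was served from (assumption for the example; extend from
# threat intelligence). A domain-based block only ever sees these.
COINHIVE_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com"}
LIB_RE = re.compile(r"coinhive\.min\.js", re.I)
API_RE = re.compile(r"\bCoinHive\.(Anonymous|User)\s*\(")     # the library's miner constructors
START_RE = re.compile(r"\.start\s*\(")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def analyse_page(html):
    """Compare a domain-based block with a script-content signature on one page."""
    c = ScriptCollector()
    c.feed(html)
    hosts = {(urlparse(s).hostname or "").lower() for s in c.srcs}
    inline = "\n".join(c.inline)
    domain_hit = bool(hosts & COINHIVE_HOSTS)
    lib_hit = any(LIB_RE.search(s) for s in c.srcs)
    api_hit = bool(API_RE.search(inline)) and bool(START_RE.search(inline))
    return {"blocked_by_domain": domain_hit,
            "miner_script": domain_hit or lib_hit or api_hit,
            "evades_domain_block": (lib_hit or api_hit) and not domain_hit}


# Constructed sample pages. SITE_KEY_PLACEHOLDER stands in for a site key.
DIRECT_PAGE = """<html><body><p>Welcome</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.8}); miner.start();</script>
</body></html>"""

PROXIED_PAGE = """<html><body><p>Welcome</p>
<script src="https://cdn.example-proxy.net/assets/m.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</body></html>"""

CLEAN_PAGE = """<html><body><p>Welcome</p>
<script src="https://cdn.example.com/app.js"></script>
<script>document.title = "hello";</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in [("direct", DIRECT_PAGE), ("proxied", PROXIED_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, analyse_page(page))
```

The proxied page is the case the text warns about: the library is fetched from an unrelated host under another file name, so the host blocklist sees nothing, while the inline constructor call still identifies the miner. The throttle option in the first sample is the knob behind the "less noticeable" variant described in the next section; a signature that keys on the API rather than on CPU load catches it regardless of the rate chosen.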

3-3 Examples of Incidents Handled


Problems Caused by Coinhive

●Consumes the user’s CPU power
The script is provided in opt-in and opt-out versions, but the opt-out version is adopted and installed in most cases. The result is that users are unaware that power is being consumed, and there are other harmful effects such as sluggish computer operation.

Improved Version of Coinhive

・A version that makes the operation of Coinhive less noticeable to the user by reducing the CPU power use rate has appeared.
・A version that uses a pop-up window to remain active even after the tab for the original site is closed has appeared.

Incident Response Cases

There were requests from within the NTT Group for investigation of URLs for which access was blocked by antivirus software. The following investigation results have been reported.

・CPU resources were consumed for mining to the extent that the computer could hardly be used for any other purpose.
・Other than mining by Coinhive, no negative effects were found.
・It was confirmed that closing the browser stopped the operation of the JavaScript and that there was no problem when restarting the browser.

NTT-CERT Activities in Other Organizations

●Main NTT-CERT activity sites
・In Japan, participation in the Nippon CSIRT Association (NCA) and the Information Security Operation Providers Group, Japan (ISOG-J)
・Internationally, participation in FIRST (the Forum of Incident Response and Security Teams) and NCFTA (the National Cyber-Forensics and Training Alliance)

In Japan: Nippon CSIRT Association

●Nippon CSIRT Association (NCA)
・The CSIRT community of Japanese companies
・Yoshitaka Inoue, Representative
・Continuation of participation and contribution to promotion of various activities

●Main NTT-CERT postings
・Yoshiki Sugiura, Steering Committee
・Itaru Kamiya, Security Reporting Working Group (WG), Chief Investigator
・Itaru Kamiya, Honeynet Project Japan Chapter WG, Chief Investigator
・Seiichi Komura, CSIRT Evaluation Model Study WG, Chief Investigator
・Shizuko Fugo, TRANSITS Workshop, Instructor

●NTT-CERT participation in NCA working groups (WG) and sub-working groups (SWG)
Explanation of WG and SWG: http://www.nca.gr.jp/activity/index.html

・CSIRT Task Study SWG (formerly CSIRT In-house Task Study WG) [from September 2007]

Study groups and discussions with CSIRT Association members and parties that are considering construction and operation of a CSIRT in their organization to identify the tasks that are required

・Threat Information Sharing WG [from September, 2007]Activities for sharing threat information related to computer incidents among CSIRTs that have close and trustful relationships

・Incident Information Use Framework Study WG [from July, 2008]Studying a framework for sharing, exchanging, and publishing information on vulnerability countermeasures and incidents. Specifically, the WG collects appropriate materials and tries to improve procedures for sharing, exchanging, and publishing, etc.

・CSIRT WG [from July, 2012]This WG was established to provide a place for exchange by participating teams and teams that wish to participate. For unification of activities, the CSIRT Task Study WG, CSIRT Construction Recommendation WG, and CSIRT Human Resources SWG were positioned as sub-groups of this WG.

・Honeynet Project Japan Chapter WG [from August, 2012]The Honeynet Project is a community of security engineers that are the core developers of the honeypot software that is widely used in CSIRT activities and also the publishers of the Know Your Enemy intelligence report. This WG promotes activities as the Japan Chapter of the Honeynet Project.

・Incident Case Analysis WG [from November, 2013]This WG performs analysis related to methods of communication within and between companies, internal company organization (legal department, sales, etc.), and effective measures for preventing recurrence for the purpose of identifying efficient responses and effective countermeasures through analysis of incident cases of multiple companies.

・Incident Response Study WG [from December, 2013]This group is studying responses and countermeasures for current server threats and contributing to raising the level of security countermeasures in Japanese organizations.

・TRANSITS WG [from March, 2014]TRANSITS is an educational program for constructing and operating CSIRTs developed in Europe. This group considers the updating of TRANSITS materials, training of instructors, and the direction of TRANSITS. It is also studying the creation of a Japanese version.

・SSH Server Security Settings Study WG [from March, 2014]It is believed that many incidents can be prevented with SSH server security settings. This group is creating documents that will encourage caution and raise awareness concerning security settings and aims to spread awareness of the importance of SSH server setup.

3-4 NTT-CERT Activities in Other Organizations



In Japan: Information Security Operation Providers Group Japan

●Information Security Operation Providers Group Japan (ISOG-J)
・A community of people involved in security operations
・Shunichi Konno is the Representative
・Continuation of activities and contribution to the promotion of various activities

●NTT-CERT participation in ISOG-J Working Groups (WG) and projects
Explanation of WGs and projects: http://isog-j.org/activities/index.html

・[WG 1] Security Operation Guideline Working Group (from July, 2012)
Produces a user-oriented penetration testing service guide and penetration testing service guidelines for businesses.

・[WG 2] Security Operation Technology Working Group (from June, 2008)
Investigates the most recent technical trends, explores the most suitable security operation technologies, and facilitates communication among engineers.

・Global Dynamics Sharing Project (June, 2016 to December, 2017)
The needs and motivations of security operations change dynamically from day to day. While WG 2 follows changes in technology, this project focuses on “dynamics” that technology alone does not cover, global changes in particular. Relevant points are extracted from the fragmented information on global dynamics and shared so that the SOC of each company can be prepared for a new era.

・CSIRT Human Resources WG [from October, 2014]
Shares knowledge while taking in, to the extent possible, the opinions of the personnel departments of the participating organizations. It creates documents that can be used in the management of each CSIRT and promotes their use within NCA as well.

・Incident Response Training Method Study WG [April, 2016 to March, 2018]
Conducting incident response training enables effective advance preparation for incidents. In cooperation with IT risk management, this WG is studying the application of desktop training, a lightweight and highly cost-efficient training method,

・Security Reporting WG [from April, 2016]
Shares knowledge on methods of preparing security-related reports, with the objective of improving the reporting capability of each CSIRT.

・CSIRT Team Training WG [from May, 2016]
Reviews and examines the CSIRT training and documentation required in the short and long term, and studies the direction they should take.

・Log Analysis WG [from July, 2016]
Mainly studies the construction and operation of log analysis platforms using OSS and methods of using log analysis for anomaly detection, and researches ways to improve anomaly detection capability at low cost.

・CSIRT Evaluation Model Study WG [from November, 2016]
Examines and organizes the items to be considered for the stable implementation and improvement of CSIRT activities, and the characteristics of CSIRTs with excellent response capabilities.

・Legal Research WG [from January, 2017]
Organizes and develops an early understanding of the legal system as it relates to CSIRT activities and distributes the information to organizations participating in NCA in an easy-to-understand form. It also shares information on (and sometimes resolves) difficulties with the legal system, and enables the legal system to contribute to each organization.

・Tool Sharing WG [from December, 2017]
Shares tools and scripts that are indispensable in CSIRT operations. Through mutual sharing of knowledge such as self-made tools and manuals for using OSS, this group aims to make CSIRT activities more sophisticated and efficient.

In Japan: Conference Participation and Other Activities

●Main conferences
・21st Shirahama Cyber Crime Symposium
・NCA 10th Anniversary Conference
・Information Security Workshop in Echigo Yuzawa, 2017
・Cyber Security Symposium Dogo 2018

●Other
・“Cyber Intelligence” lecture at the Institute of Information Security
・Information Security Workshop in Echigo Yuzawa 2017, Chair

International: FIRST and NCFTA

●FIRST (The Forum of Incident Response and Security Teams)
・International CSIRT community
・Itaru Kamiya is the Representative

●Major NTT-CERT posts in FIRST
・Shinichi Adachi, Session Chair (2017 Annual Meeting)
・Shinichi Adachi, Program Committee (2017 Annual Meeting, 2018 Annual Meeting)
・Yoshitaka Inoue, Program Committee (2018 Annual Meeting)
・Itaru Kamiya, Program Committee (2018 Annual Meeting)
・FIRST TC Osaka Executive Committee members (Yoshiki Sugiura, Yoshitaka Inoue, Itaru Kamiya, and Ataru Ishii)

●NCFTA (National Cyber-Forensics and Training Alliance)
・A nonprofit organization that cooperates with cybersecurity experts from over 500 law enforcement agencies, private enterprises, and academic institutions to share information on cybercrime and engage in operations to defeat it.
・Junya Akiba serves as liaison
・Participates in monthly online meetings, training, and annual meetings

International: Conference Participation

●Main conferences
・29th FIRST Annual Conference
・Defcon 25
・USENIX Security '17
・HITCON Community 2017
・Underground Economy 2017
・CODE BLUE 2017
・VB 2017
・RISE-Cambodia
・TRANSITS I in Prague
・FIRST Borderless Cyber and Technical Symposium
・HITCON Pacific 2017
・34C3
・NCSC.nl One Conference 2018
・FIRST Regional Symposium Europe
・FIRST TC Osaka



3-5 Trends in Vulnerability Information

In gathering and analyzing vulnerability information, NTT-CERT refers to multiple information sources. The main information sources and how they are used are listed below.

●Trend analysis
IntelGraph (iDefense) reported a total of 29,749 published vulnerability information items for 2017, with a monthly average of 2,479 (including separately-counted updates, which account for about half of the cases). That is an increase of about 30% relative to 2016, and there has been a net increase every year since 2013, when the data was first included in the Annual Report. There are no indications that this trend will decline in the future.

[Figure: Published Vulnerability Information Continues to Increase (Trend in Number of Appearances in a Year). Bar chart of published items per year for 2013 through 2017; vertical axis 0 to 35,000. The source is the IntelGraph (iDefense) information provided by Accenture (Verisign).]

●Trend analysis
IntelGraph (iDefense) reported a total of 29,744 published vulnerability information instances for 2017 (22,727 for 2016), with a monthly average of 2,479 (1,894 for 2016). Those figures include separately-counted updates, which account for about half of the cases. The distribution over the months was uneven, with the highest volume in August (3,659) and the lowest in January (1,758). The minimum monthly number for 2017, 1,758, was greater than the 2016 maximum of 1,666, so, although there was variance, there was clearly a large increase in 2017 compared to 2016. A breakdown for the months with the largest numbers (August, September and October) shows that Oracle Java was highest (362), followed by Android OS (267).

[Figure: Amount of Vulnerability Information Dealt with by NTT-CERT by Month and Risk Level. Stacked bar chart for 2017/01 through 2017/12; vertical axis 0 to 4,000; legend: High, Medium, Low. The source of information is the IntelGraph (iDefense) information provided by Accenture. (January through December, 2017)]

●Trend analysis
It is generally desirable that the publication of vulnerability information be accompanied by countermeasures (patches or workarounds). We obtained statistics on 24,008 vulnerability information disclosures for the period from April through December of 2017 from IntelGraph. About 94% of them included some kind of countermeasure information. About 5.7% did not provide countermeasures, and 0.5% were the most dangerous combination: exploit code provided without countermeasures. A breakdown of the countermeasures shows that 22,579 cases (94% of the total) provided patches, compared to 68 cases (0.3%) that provided provisional countermeasures without patches.

[Figure: Provision of Exploit Codes and Countermeasures (Patches or Workarounds). Pie chart: without exploit code, but with countermeasures 89.1%; with exploit code and countermeasures 5.2%; without exploit code or countermeasures 5.2%; with exploit code, but without countermeasures 0.5%. The source is the IntelGraph (iDefense) information provided by Accenture. (April through December, 2017) In the countermeasure breakdown, 22,579 items (94.0%) provided patches and 68 (0.3%) provided only provisional countermeasures.]

| Information title | Organization providing information | Overview, Features | Purpose of use |
|---|---|---|---|
| Vulnerability information prior to disclosure to the general public | JPCERT/CC and IPA | The handling of vulnerability information and related information (patches, etc.) for appropriate release concerning vulnerabilities prior to disclosure to the general public. Prior to disclosure to the general public, the information must be handled with strict management of confidentiality. | Information provision and arbitration with product development staff within the NTT Group |
| Japan Vulnerability Notes (JVN) | JPCERT/CC and IPA | Provides adjusted vulnerability information reported by JPCERT/CC and IPA as the pre-disclosure vulnerability information described above, and vulnerability information produced in cooperation with coordinating organizations of other countries, such as CERT/CC. | Used for technical investigations within NTT-CERT, for responding to queries to NTT-CERT, and for provision of information to security personnel within the NTT Group |
| Early warning of information security early-warning partnerships/information requiring attention | JPCERT/CC and IPA | A service providing vulnerability and other information to JPCERT/CC partnership members | Information is provided to security-related personnel in the NTT Group by email and other means |
| National Vulnerability Database (NVD) | NIST | Largest vulnerability information database in the world. Covers CVE. Has related links for each CVE, maintained to provide the latest links to advisories from vendors. | Used for technical investigation within NTT-CERT, for responding to queries to NTT-CERT, etc. |
| IntelGraph Intelligence Reports (see following chapters) | Accenture (Verisign) | A service from Accenture, providing vulnerability and threat information. Hitachi Systems is responsible for translation to Japanese. Provides information for the NTT Group as an initiative of NTT Group planning departments, to share security information within the NTT Group. Focuses on disclosed information, but includes original iDefense information and information on products affected, most of which is suitable for sharing with other enterprises. | Used for technical investigation within NTT-CERT, for responding to queries to NTT-CERT, for sharing vulnerability information related to particular products in the NTT Group, etc. |



●Trend analysis
The number of vulnerabilities for Mozilla Firefox increased relative to 2016, so that Mozilla Firefox replaced Google Chrome at the top of the list. Microsoft Edge, which has been the default browser of Windows 10 since 2015 and is widely used, increased greatly from 59 cases in 2016 to 165 cases in 2017, moving into 3rd place. WebKit vulnerabilities decreased in 2017, declining to 5th place.

[Figure: Browser Vulnerabilities (Including the Render Engine). Bar chart comparing 2017 and 2016 counts for Google Chrome, WebKit, Microsoft Edge, Microsoft IE, Mozilla Firefox, and w3m; vertical axis 0 to 300. IntelGraph (iDefense) Information (January through December, 2017).]

●Trend analysis
Adobe Flash, Adobe Reader and Acrobat, and ImageMagick vulnerabilities occupied the top positions in 2017, as in the previous year. For the two Adobe products, which have held the top places for four consecutive years, the number of cases decreased from the previous year. The image processing software XnView, which can handle a large variety of image formats, on the other hand rose sharply to 4th place.

[Figure: Vulnerabilities in Typical Terminal Software (Excluding Browsers). Bar chart comparing 2017 and 2016 counts for Adobe Flash, Adobe Reader and Acrobat, Microsoft Office, ImageMagick, JasPer, GraphicsMagick, FFmpeg, Adobe Digital Editions, XnView, and Foxit Reader; vertical axis 0 to 450. IntelGraph (iDefense) Information (January through December, 2017).]

●Trend analysis
In 2017, the list was unchanged up to 4th place from 2016, but Android vulnerabilities nearly doubled, moving it into 1st place. Among smartphone and tablet operating systems, 7th-place Apple iOS rose in rank but was far outnumbered by Android. Microsoft Windows vulnerabilities increased slightly and Linux kernel vulnerabilities decreased slightly, but their respective ranks of 2nd and 3rd place remained the same. Apple Mac OS X fell back to 6th place.

[Figure: OS Vulnerabilities. Bar chart comparing 2017 and 2016 counts for Android, Microsoft Windows, Linux Kernel, Apple iOS, Apple MacOS X, Apple MacOS, Cisco IOS, Oracle Solaris, and Juniper Junos OS; vertical axis 0 to 1,400. IntelGraph (iDefense) Information (January through December, 2017).]

●Trend analysis
We plotted a summary of information on systems other than terminal software and operating systems, including middleware, programming languages, and databases. Multiple Oracle products, including Oracle E-Business Suite, Oracle Java SE, Oracle Hospitality, and Oracle PeopleSoft, exhibited an increasing trend. PHP, which was at the top in the previous year, fell to 6th place. Tcpdump, Qemu, node.js, Jenkins, and others moved up.

[Figure: Other Vulnerabilities (Programming Languages, MW, DB, etc.). Bar chart comparing 2017 and 2016 counts, in chart order: Oracle Java SE, Oracle E-Business Suite, Tcpdump, Oracle MySQL Server, Qemu, PHP, node.js, Jenkins, Oracle Hospitality, GNU Project binutils, Oracle FlexCube, libtiff, Oracle PeopleSoft, phpMyAdmin, Advantech WebAccess, NTP, IBM WebSphere, Wireshark, autotrace, Wordpress, IBM BigFix, OpenSSL, Xen, IBM Rational, Apache Tomcat, libarchive, openjpeg, F5 BIG-IP, X.org, NetApp, IBM Kenexa, and Oracle VM Virtualbox; vertical axis 0 to 450. IntelGraph (iDefense) Information (January through December, 2017).]

* For all four charts: when updated information for the same item overlaps, the updates are summarized as one item.

3-5 Trends in Vulnerability Information


●Trend analysis (browser vulnerabilities)
The number of vulnerabilities for Mozilla Firefox increased relative to 2016, so that Mozilla Firefox replaced Google Chrome at the top of the list. Microsoft Edge, which has been the default browser of Windows 10 since 2015 and is widely used, increased greatly from 59 cases in 2016 to 165 cases in 2017, moving into 3rd place. WebKit vulnerabilities decreased in 2017, declining to 5th place.

[Figure: Browser Vulnerabilities (Including the Render Engine), IntelGraph (iDefense) Information (January through December, 2017); bars for 2017 and 2016, vertical axis 0 to 300. Products: Mozilla Firefox, Google Chrome, Microsoft Edge, Microsoft IE, WebKit, w3m. When updated information for the same item overlaps, updates are summarized as one item.]

●Trend analysis (typical terminal software, excluding browsers)
Adobe Flash, Adobe Reader and Acrobat, and ImageMagick vulnerabilities occupied the top positions in 2017, as in the previous year. For the two Adobe products, which have been in top place for four consecutive years, the number of cases decreased from the previous year. On the other hand, the image processing software XnView, which can handle a large variety of image formats, rose sharply to 4th place.

[Figure: Vulnerabilities in Typical Terminal Software (Excluding Browsers), IntelGraph (iDefense) Information (January through December, 2017); bars for 2017 and 2016, vertical axis 0 to 450. Products: Adobe Flash, Adobe Reader and Acrobat, Microsoft Office, ImageMagick, JasPer, GraphicsMagick, FFmpeg, Adobe Digital Editions, XnView, Foxit Reader. When updated information for the same item overlaps, updates are summarized as one item.]


[Figure: Vulnerabilities by Type (from JVN iPedia Data); bars for 2017, 2016 and 2015, vertical axis 0 to 3000. Categories: Configuration (CWE-16); Improper input validation (CWE-20); Path traversal (CWE-22); Cryptographic issues (CWE-310); CSRF (CWE-352); Race conditions (CWE-362); Resource management errors (CWE-399); Data breach/Disclosure (CWE-200); Credentials management (CWE-255); Permissions, privileges, and access control (CWE-264); Improper authentication (CWE-287); Use of externally-controlled format string (CWE-134); Numeric errors (CWE-189); XSS (CWE-79); OS command injection (CWE-78); Link following (CWE-59); SQL injection (CWE-89); Code injection (CWE-94); Buffer errors (CWE-119).]

* Aggregated by CWE type. iDefense information is not related to CWE, so JVN iPedia data is used.

●Trend analysis (vulnerabilities by type)
Continuing from 2016, there are many cases of buffer errors (CWE-119), XSS (CWE-79), information exposure (CWE-200), permissions, privileges, and access control (CWE-264), and improper input validation (CWE-20). Although the trend is similar to that of 2016, the number of cases increased greatly from 2016 to 2017.

3-6 NTT Group Activities

Group Cooperation in Responding to Major Vulnerabilities and Incidents in Emergencies

❶ Cybersecurity Countermeasure Cooperation in the NTT Group

A CSIRT has been established under the CISO of each NTT Group company since July 2015 to control information security management in emergencies. The teams collaborate within the Group in responding to critical vulnerabilities and incidents that occur. Even when not faced with an emergency, the teams share among themselves the security threat information and operational knowledge of each company to strengthen the ability of the entire Group to respond to cyberattacks. This section describes team collaboration on cybersecurity countermeasures within the NTT Group in emergencies and in ordinary times.

・If NTT-CERT discovers a critical vulnerability through its investigations, an emergency Group cooperation system is set up, centered on the NTT holding company. Teleconferencing and information sharing tools are used to rapidly share methods of investigating the presence of the vulnerability and countermeasures for it. Doing so enables each Group company to take defensive measures before an active cyberattack occurs anywhere in the world.

・In the event that an incident occurs within the Group, information is quickly shared within the Group and the same countermeasures as when a critical vulnerability is found are taken, so that the other companies in the Group are not affected by the same attack.

[Figure: Emergency Group collaboration scenario. When a critical vulnerability or incident is discovered, the holding company cybersecurity response team shares the attack establishment conditions, methods of detecting the vulnerability, response method, etc. over information sharing tools (KADAN, TopicRoom) with the CSIRT of each Group company (regional telecom companies, long-distance and international telecom company, mobile communication company, data communication company, security company, other Group companies), giving response and protection by Group cooperation. Examples of responses to security threats in fiscal year 2017: WordPress (2017.5), Struts2 (2017.7, 9), Tomcat (2017.9), WebLogic (2017.12).]


Sharing of Security Threat Information and Operational Knowledge in Ordinary Times

・Information such as blacklists of the IP addresses of C&C servers discovered during the operation of each company's systems, and the headers and content of APT e-mails, is shared within the Group and applied to the filtering settings of each company's firewalls, proxy servers, and similar devices.

・Knowledge such as actual cases of incident handling in each company, CSIRT operation manuals, information security training materials for employees, and the tools used is also shared so that the security response of each company can be improved and enhanced.

・We have also set up an analyst community of CSIRT and SOC members, which shares information using communication tools and holds periodic meetings to build trusted relationships through face-to-face interaction.

[Figure: Information sharing in normal times. Indicators of compromise (IoC): blacklists, advanced persistent threat information, malware. Knowledge: incident response cases, CSIRT operation manuals, educational materials, product use knowledge. Shared among companies through the CSIRT community and the analyst community.]

Cyber Incident Response Exercise

・The NTT Group companies periodically conduct joint cyberattack response exercises to confirm that the actions based on the Group cooperation rules and on each company's incident handling rules can be executed properly by each company in an emergency, and to improve and strengthen the Group's response capability.

・The NTT Group also jointly participates in the nation-wide "cross-sector exercises" for critical infrastructure organizations hosted by NISC (National Center for Incident Readiness and Strategy for Cybersecurity), thereby confirming information cooperation with organizations outside the Group as well as within it.

[Photos: NTT Group cyberattack response exercises (March, 2018); critical infrastructure incident response exercise (December, 2017).]

❷ Cybersecurity Exercises in the Chubu Area

Summary

NTT West participated in community information-sharing activities in the Chubu region in fiscal year 2017. Specifically, we joined a number of major regional infrastructure enterprises in collaborative regional cybersecurity exercises based on the NISC cross-sector exercises.

Chubu Regional Corporate Collaboration Community

Following a proposal by Professor Kenji Watanabe of the Nagoya Institute of Technology in February 2017, a number of corporations and organizations in the Chubu region, mainly major infrastructure enterprises, formed this cybersecurity community. The objective of the community is to maintain cybersecurity in the region by sharing information among the stakeholders (key infrastructure enterprises, major industrial enterprises, universities, governments, and law enforcement) and working together.

The background to the establishment of this community is the common recognition that future cybersecurity incidents can cause stoppage of services and operations in the same way as earthquakes, typhoons and other natural disasters, and that the effects can spread to companies that depend on regional services.

Features of the Community

The distinguishing feature of this community is that it is not an ISAC*1 created by industrial organizations as described above, but has the viewpoint of "regional cooperation" for maintaining cybersecurity in the Chubu region. Another feature is that, while it is a community of corporations, representatives of security expert communities to which individuals belong*2 also participate in the activities as experts, which improves the long-term information security of small and medium-sized enterprises and forms a regional ecosystem of security personnel.

*1 ISAC: Information Sharing and Analysis Center
*2 ISACA Nagoya Branch, Nagoya Information Security Study Group, CISSP Tokai Community

Activities in FY2017

The four topics listed below were considered in setting the community activities for fiscal year 2017.

(1) Information sharing by major infrastructure companies when a cyberattack occurs
(2) Formation of an information exchange site for the Chubu region
(3) Training of regional security personnel
(4) Support for improvement of information security for small and medium-sized businesses

Of those topics, it was decided to tackle the first through cybersecurity exercises based on the NISC* cross-sector exercises as the activities for fiscal year 2017, emphasizing "building a network of known faces" and "short-term feasibility".

* NISC: National center of Incident readiness and Strategy for Cybersecurity

Cybersecurity Exercises

●The NISC cross-sector exercises
The NISC cross-sector exercises are cybersecurity exercises that have been held annually since fiscal year 2006 for the purpose of maintaining and improving the ability to respond to major infrastructure service outages. About 2,600 persons from 13 key infrastructure fields, including telecommunications, finance, transportation, energy, water supply, and medical care, participated in the exercises held in fiscal year 2017.

●Basic exercise scenario
In advance of the cross-sector exercises, NISC provides a basic scenario based on the most recent cyber situation. The structure of the basic scenario is that the facilitator (controller) presents circumstances according to a timeline. The exercise players deal with them sequentially in their own company, share information with the CEPTOAR*1 office and relevant organizations, and make and execute real-time decisions on the actions that must be taken, such as disclosing information to customers and the mass media.

The companies participating in the exercise customize the basic scenario provided by NISC to prepare an exercise scenario suited to the conditions of each company. The customization is done by the controller of the exercise facilitator; the exercise players do not know the content of the scenario.

*1 CEPTOAR: an organization that is responsible for information sharing and analysis functions and related functions for key infrastructure companies, etc.
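The C&C blocklist sharing described in the ❶ bullets above only pays off if each company actually applies the list to its proxies and firewalls and also looks back through existing logs for earlier contact with the listed servers. The following Python script is an added example, not code from the NTT report or from any NTT tool. It assumes a simple shared list format (one indicator per line: type, value, source) and Squid native access-log lines, both constructed here with documentation address ranges and .example domains, and shows the two defender-side uses: a retrospective scan of the proxy log for connections to listed IPs or domains, and rendering the list as Squid-style ACL lines.

```python
"""Added example (not from the NTT report): use a shared C&C blocklist for
retrospective detection in proxy logs and for proxy filtering configuration.
The IoC list format, the log lines and all addresses/domains are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed shared IoC list. Format (an assumption for this example):
# one indicator per line as "type,value,source"; '#' starts a comment.
SHARED_IOC_LIST = """\
# type,value,source
ip,203.0.113.10,group-csirt-2017-11
ip,198.51.100.0/24,group-csirt-2017-12
domain,cnc.bad.example,group-csirt-2017-12
domain,update-check.evil.example,analyst-community
"""

# Constructed proxy access log in Squid native format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
PROXY_LOG = """\
1512000001.123    245 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1512000002.456    180 10.0.0.22 TCP_MISS/200 320 POST http://cnc.bad.example/beacon - HIER_DIRECT/203.0.113.10 text/plain
1512000003.789     90 10.0.0.15 TCP_MISS/404 410 GET http://198.51.100.77/update.bin - HIER_DIRECT/198.51.100.77 application/octet-stream
1512000004.012    300 10.0.0.31 TCP_MISS/200 2048 GET http://files.example.org/report.pdf - HIER_DIRECT/192.0.2.50 application/pdf
1512000005.345    120 10.0.0.22 TCP_MISS/200 150 GET http://sub.update-check.evil.example/ping - HIER_DIRECT/203.0.113.99 text/plain
"""


@dataclass
class IocSet:
    nets: list = field(default_factory=list)      # ipaddress networks
    domains: List[str] = field(default_factory=list)


@dataclass
class Hit:
    line_no: int
    client: str
    url: str
    indicator: str  # the list entry that matched


def parse_ioc_list(text: str) -> IocSet:
    """Parse the shared list; single IPs become /32 (or /128) networks."""
    iocs = IocSet()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = [p.strip() for p in line.split(",")[:2]]
        if kind == "ip":
            iocs.nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            iocs.domains.append(value.lower())
    return iocs


def match_host(host: Optional[str], iocs: IocSet) -> Optional[str]:
    """Return the matching list entry for an IP literal or a domain, else None."""
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so treat it as a domain name
        host = host.lower()
        return next((d for d in iocs.domains if host == d or host.endswith("." + d)), None)
    return next((str(n) for n in iocs.nets if addr in n), None)


SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def scan_proxy_log(log_text: str, iocs: IocSet) -> List[Hit]:
    """Retro-hunt: flag lines whose URL host or upstream peer is on the list."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        indicator = match_host(urlsplit(m["url"]).hostname, iocs) or match_host(m["peer"], iocs)
        if indicator:
            hits.append(Hit(line_no, m["client"], m["url"], indicator))
    return hits


def compromised_clients(hits: List[Hit]) -> List[str]:
    """Internal hosts that contacted a listed indicator, for follow-up triage."""
    return sorted({h.client for h in hits})


def render_squid_acls(iocs: IocSet) -> str:
    """Prevention: emit Squid ACL/deny lines; a leading dot also matches subdomains."""
    lines = []
    if iocs.nets:
        lines.append("acl ioc_dst dst " + " ".join(str(n) for n in iocs.nets))
        lines.append("http_access deny ioc_dst")
    if iocs.domains:
        lines.append("acl ioc_domain dstdomain " + " ".join("." + d for d in iocs.domains))
        lines.append("http_access deny ioc_domain")
    return "\n".join(lines)


if __name__ == "__main__":
    iocs = parse_ioc_list(SHARED_IOC_LIST)
    for h in scan_proxy_log(PROXY_LOG, iocs):
        print(f"line {h.line_no}: {h.client} -> {h.url} matched {h.indicator}")
    print("clients to triage:", compromised_clients(scan_proxy_log(PROXY_LOG, iocs)))
    print(render_squid_acls(iocs))
```

Squid evaluates http_access rules in order, so the generated deny lines must be placed before any allow rule in squid.conf. The scan checks both the requested host and the upstream peer address, which catches a listed IP even when the request went to a hostname that is not itself on the list.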

[Figure: Cooperation among CSIRTs in the NTT Group. NTT-CERT (NTT Holdings) exchanges information with the CSIRTs of the Group companies (NTT East, NTT West, NTT Communications, NTT DOCOMO, NTT Data, NTT Security, Dimension Data; shown as Company A, B, C), with outside organizations (carriers, government ministries and agencies, other fields; shown as outside organizations A and B) and with outside intelligence sources (intelligence vendors), including information distribution to the outside organizations.]


[Figure: Regional cooperation scenario. Setting of the circumstances: a service outage warning. Timeline from 0 minutes to 90 minutes (end), with events at 0, 5, 10, 20, 25, 30, 35, 55, 65 and 70 minutes. Basic scenario events: not connected to the Web server; Internet connection not possible; malware infection information (Department A); malware infection information (Department B); cyber terrorism warning; information and instructions from executive management; DDoS attack detected; illegal data on the dark web; information provided by JPCERT/CC; information shared by other companies; information and instructions from executives. Additional scenario events (regional cooperation): information shared by the prefectural police; consultation with the prefectural police; "activate if information sharing does not proceed smoothly"; "can stoppage of other company services be taken into account?".]

●Creating regional cooperation scenarios

For this regional community effort, we held five scenario study meetings on customization of the basic scenario, which resulted in the addition of two viewpoints: "information sharing within the region" and "consideration of the interdependence of services among the companies in the exercise".

Viewpoint (1): Information should be shared within the region
In addition to cutting across fields via the CEPTOAR of each industry, the scenario included information sharing via the prefectural police serving as a hub. If information sharing with the prefectural police as a hub does not proceed smoothly, the difficulty of moving forward with the scenario is increased.

Viewpoint (2): Encourage consideration of the interdependence of the services provided by different companies during the exercise
The scenario involves advance notification of a service outage due to a cyberattack. The circumstances were set so as to require action to be taken without delay, with consideration given to effects on the services of other companies, while the scope of impact is still unknown.

The prefectural police department is used as a communication hub because that department already has the role of actively collecting information from companies when an incident occurs, so this is considered the most realistic and rational way to achieve regional information sharing and cooperation across fields.

●Exercise design

On the day of the exercise, members from eight companies including NTT West Japan and the prefectural police department gathered at the site in Nagoya, and the joint exercise was conducted over a period of three hours. Various kinds of systems were used by the different companies, and the number of participants ranged widely from 3 to 20, with some companies represented only by members from the information systems department and others by members from both the information systems department and the general affairs department, reflecting the cyber incident primary response system of each company. The characteristics of the different companies were also seen in the seating arrangement of the players, the use of whiteboards, and the information sharing tools used during the exercise.

Summary of Cases

< Internet bulletin board >
We are the cracker group "Black Dinosaur" targeting Japan.
We will disrupt the G20 meeting to decrease trust in Japan. We paid maintenance contractors of key infrastructure companies that maintain important systems in the Chubu area to inject a virus into machines during maintenance work. The targets are the companies listed below. Key infrastructure services will go down in one hour (the time at which the G20 meeting begins).
[Targets] ・xxxxxx, Ltd. ・xxxxxx, Ltd. ・xxxxxx, Ltd. ・xxxxxx, Ltd. ・NTT West ・xxxxxx, Ltd.

●Exercise results and issues

*2 BCM: Business Continuity Management

In the exercise, each company shared information via the prefectural police department. The effectiveness of the prefectural police serving as a regional hub for a situation-sharing system, according to viewpoint (1) described above, was confirmed. At the same time, points that each company should improve with respect to sharing information with the prefectural police, including timing, granularity, and frequency, were also identified.

Concerning the second viewpoint, different tendencies were observed depending on team composition. Specifically, some teams proceeded with actions from the perspective of BCM*2, but other teams, mainly those composed of members from information systems departments only, went no further than escalating the inter-service dependency information to the responsible department in their companies. This suggested including in the scenario for the next exercise a requirement to take measures from the perspective of BCM rather than simply escalating information.

In this year's security exercise, the first for this community, we were able to accomplish "building a network of known faces", "exploring regional cooperation methods using the prefectural police department as a hub", "identifying problems in information sharing", and "identifying points for improvement in the exercise scenario". We were also able to obtain certain results for "information sharing by key infrastructure companies, etc. when a cyberattack occurs", which was one of the community topics.

In fiscal year 2018, the second year, we plan to continue conducting cybersecurity exercises based on the results of the first year and to increase the sophistication of the exercise design, focusing on the points listed below.

● Improve the exercise scenario with respect to the interdependence of services
● Add noise information (wrong information, irrelevant information, and low-priority information)
● Create a scenario that brings management-level decisions on service stoppage into scope

Furthermore, we will again review the topics that could not be addressed in the first year, and go beyond simply conducting a cybersecurity exercise to work towards cooperation in sharing security information and taking security measures, while deepening cooperation with the local governments that lead the way towards regional BCM, to achieve the community goal of maintaining cybersecurity in the Chubu region.

Also, in parallel with these activities next year, we will continue to disseminate information to outside organizations about this approach of reducing risk through "regional cooperation" in a cybersecurity situation where attackers currently have the advantage.

3-6 NTT Group Activities − ❷ Cybersecurity Exercises in the Chubu Area

78

NTT-C

ERT and N

TT Group A

ctivities

3

Page 79: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

[Figure: Creating regional cooperation scenarios. Timeline of the exercise scenario (elapsed time 0, 5, 10, 20, 25, 30, 35, 55, 65, 70 and 90 minutes (end)), opening with the setting of the circumstances (service outage warning). Basic scenario injects: not connected to the Web server; information shared by the prefectural police; Internet connection not possible; malware infection information (Department A) with information shared by the prefectural police; malware infection information (Department B) with consultation with the prefectural police; cyber terrorism warning with consultation with the prefectural police; information and instructions from executive management; DDoS attack detected; illegal data on the dark web; information and instructions from executives; information provided by JPCERT/CC; information shared by other companies; information and instructions from executives. Additional scenario injects: “Activate if information sharing does not proceed smoothly” and “Can stoppage of other company services be taken into account?”.]

●Exercise design

For this regional community effort, we held five scenario study meetings on customization of the basic scenario, which resulted in the addition of two viewpoints: “information sharing within the region” and “consideration of the interdependence of services among the companies in the exercise”.

On the day of the exercise, members from eight companies including NTT West Japan and the prefectural police department gathered at the site in Nagoya, and the joint exercise was conducted over a period of three hours. The companies used various kinds of systems and the number of participants ranged widely from 3 to 20; some companies were represented only by members of the information systems department and others by members of both the information systems department and the general affairs department, reflecting each company’s primary response system for cyber incidents. The characteristics of the different companies were also visible in the seating arrangement of the players, the use of whiteboards, and the information sharing tools used during the exercise.

Viewpoint (1): Information should be shared in the region.
In addition to cutting across fields via the CEPTOAR of each industry, the scenario included information sharing via the prefectural police serving as a hub. If information sharing with the prefectural police as a hub does not proceed smoothly, the difficulty of moving forward with the scenario is increased.

Viewpoint (2): Encourage consideration of the interdependence of the services provided by different companies during the exercise.
The scenario involves advance notification of a service outage due to a cyberattack. The circumstances were set to require action to be taken without delay, with consideration given to the effects on the services of other companies, while the scope of impact is still unknown.

The prefectural police department is used as the communication hub because it already has the role of actively collecting information from companies when an incident occurs, so this is considered the most realistic and rational way to achieve regional information sharing and cooperation across fields.


●Exercise results and issues

< Internet bulletin board >
We are the cracker group “Black Dinosaur” targeting Japan.
We will disrupt the G20 meeting to decrease trust in Japan. We paid maintenance contractors of key infrastructure companies that are maintaining important systems in the Chubu area to inject a virus into machines during maintenance work. The targets are the companies listed below. Key infrastructure services will go down in one hour (the time at which the G20 meeting begins).
[Targets]
・xxxxxx, Ltd.
・xxxxxx, Ltd.
・xxxxxx, Ltd.
・xxxxxx, Ltd.
・NTT West
・xxxxxx, Ltd.

In the exercise, each company shared information via the prefectural police department. The effectiveness of the prefectural police serving as a regional hub for a situation-sharing system, according to viewpoint (1) described above, was confirmed. At the same time, points that each company should improve with respect to sharing information with the prefectural police, including timing, granularity, and frequency, were also identified. Concerning viewpoint (2), different tendencies were observed depending on team composition. Specifically, some teams proceeded with actions from the perspective of BCM*2, but other teams, mainly those composed only of members from information systems departments, went no further than escalating the inter-service dependency information to the responsible department in their companies. This suggested including in the scenario for the next exercise a requirement to take measures from the perspective of BCM rather than simply escalating information.

*2 Business Continuity Management (BCM)

In this year’s security exercise, the first for this community, we were able to accomplish “building a network of known faces”, “exploring regional cooperation methods using the prefectural police department as a hub”, “identifying problems in information sharing”, and “identifying points for improvement in the exercise scenario”. We were also able to obtain certain results for “information sharing by key infrastructure companies, etc. when a cyberattack occurs”, which was one of the community topics.

In fiscal year 2018, the second year, we plan to continue conducting cybersecurity exercises based on the results of the first year and to increase the sophistication of the exercise design, focusing on the points listed below.

● Improve the exercise scenario with respect to the interdependence of services
● Add noise information (wrong information, irrelevant information, and low-priority information)
● Create a scenario that brings management-level decisions on service stoppage into scope

Furthermore, we will again review the topics that could not be addressed in the first year and go beyond simply conducting a cybersecurity exercise, working towards cooperation in sharing security information and taking security measures while deepening cooperation with the local governments that lead the way towards regional BCM, to achieve the community goal of maintaining cybersecurity in the Chubu region.

Also, in parallel with these activities in the coming year, we will continue to disseminate information to outside organizations about this approach of reducing risk through “regional cooperation” in the current cybersecurity situation of attacker predominance.

79


❸ Evaluation of Security Products

Summary
In the NTT Group, we are evaluating products and integrating product operation to increase the sophistication and efficiency of security measures that involve the use of commercial products.
・Conduct ‘Product evaluation’ for products with new technology whose effect is not yet clear.
・Conduct ‘Integration of product operations’ for already introduced products that have a high integration effect but require advanced techniques in operation.
・As ‘Product evaluation’, we conducted empirical evaluation of three sets of products and shared the results with the Group.
・As ‘Integration of product operation’, the targets for signature delivery were expanded.

Initiatives in FY2017

●Product evaluation
・Product evaluation is intended to determine the applicable area of each security product and to introduce the product as a recommended product within the Group.
・The products to be empirically evaluated are selected according to social trends and requests from Group companies.

●Product operation
・Select products that require advanced operational techniques and integrate operation of those products within the Group for efficiency.
・The products and operations are selected according to results with respect to the threats of recent years and requests from Group companies, with the purpose of organizing workflow.

●Trends in threats and IT in recent years
Sophistication of malware and the limits of detection. Increase in zero-day attacks on vulnerabilities. Increase in the use of cloud services, which requires measures to prevent data breaches. From these trends, we determine the sets of security products that are effective as countermeasures.

[Figure: Product set / Action.
Targets for product evaluation: Malware countermeasures*1 (prevention and deterrence; anomalous behavior detection*2) and Cloud Access Security Broker (CASB): conducted empirical evaluation; share the results of the empirical evaluation with Group companies.
Targets for product operation integration: Web application firewall: conducted empirical evaluation; expand the targets for signature delivery.]

Evaluation of Endpoint Security Products

●Target products
To deal with sophisticated and skillfully constructed malware, we selected and compared eight endpoint security products that have protection and prevention as core functions.

●Evaluation method
Compare the following measures among the products under different settings (environments):
・Detection rates for known and unknown malware
・Comparison of false positives on normal files
・Evaluation of ease of setup and operation

[Figure: Evaluation results (endpoint security products): comparison of detection rates (with connection to the Internet); comparison of introduction and operation.]

Evaluation of CASB Products

●Target products
Considering the increasing use of cloud services, we selected and compared four typical CASB products that enable visualization and control of cloud access.

●Evaluation method
Assuming a basic scenario that accords with the usage situation, and the conditions and content to be verified in it, a corresponding number of items are compared. For the checked items, the evaluation focuses on the functions provided, such as visualization and protection from threats, but there are constraints such as preconditions for use, so those are made clear in the evaluation results.

[Figure: Evaluation results (CASB products), compared on visibility, threat protection, data security, compliance, cost and price.]

*1 Concerning malware countermeasures, there are different detection methods and different evaluation viewpoints, so the evaluation is divided into “prevention and deterrence” and “anomalous behavior detection”.
*2 Detection of malware infection after the fact by analysis of internal behavior history.

80


4 Cybersecurity Topics and Technological Trends in FY 2017

Chapter 4 describes important topics related to cybersecurity that became issues in fiscal year 2017.

81


4-1 Understanding “Anonymously Processed Information” in the Japanese Act and Guidelines on the Protection of Personal Information

Summary

The Anonymously Processed Information introduced by the Revised Act on the Protection of Personal Information is expected to serve as a means of distributing personal data. Anonymously Processed Information must satisfy the criteria specified in laws and guidelines, but those criteria are often considered difficult to understand. This section explains how to interpret the laws and guidelines that concern the criteria for anonymizing information.

Introduction

Anonymously Processed Information is a system newly introduced in the Revised Personal Information Protection Act that processes personal information into a form from which it is impossible to identify a specific individual. The purpose of Anonymously Processed Information is to allow personal information to be used for purposes other than those originally intended and to be provided to third parties under certain rules without the person’s consent. This section describes the rules for Anonymously Processed Information and explains the technology for implementing them, to facilitate the creation of Anonymously Processed Information. The laws and guidelines referred to in this section are listed below.*

Act: Act on the Protection of Personal Information
Enforcement Order: The Cabinet Order to Enforce the Act on the Protection of Personal Information
Enforcement Rules: Enforcement Rules for the Act on the Protection of Personal Information
Guidelines (General Rules): Guidelines on the Act on the Protection of Personal Information (General Rules)
Guidelines: Guidelines on the Act on the Protection of Personal Information (Anonymously Processed Information)
QA: Q&A on "Guidelines on the Act on the Protection of Personal Information" and "Response to an Incident of Personal Data Leakage, etc."
Report: Report by the Personal Information Protection Commission Secretariat: Anonymously Processed Information (omitted from this table)

* Can be downloaded from https://www.ppc.go.jp/personal/legal/

What is Anonymously Processed Information?

Definition of Personal Information: Act Article 2, Paragraph 1; Guidelines (General Rules) 2-1; QA Q1-1 to 18
Definition of Individual Identification Codes: Act Article 2, Paragraph 2; Enforcement Order Article 1; Enforcement Rules Articles 2, 3 and 4; Guidelines (General Rules) 2-2; QA Q1-19 to 23
Definition of Anonymously Processed Information: Act Article 2, Paragraph 9; Guidelines 2-1; QA Q11-1 to 3
Creating Anonymously Processed Information: Act Article 36, Paragraph 1; Enforcement Rules Article 19; Guidelines 3-2; QA Q11-4 to 10

Anonymously Processed Information is stipulated in the Act (Article 2, Paragraph 9) as follows.
・Anonymously Processed Information is information concerning individuals that has been processed so that it is not possible to identify a specific individual or to restore the personal information.
The processing into Anonymously Processed Information is determined according to the class of personal information.
・For personal information that is subject to Article 2, Paragraph 1, Item 1 of the Act, some of the description or other content of the information shall be deleted (replaced).*
・For personal information that is subject to Item 2 of the same paragraph, all of the individual identification codes in the information shall be deleted (replaced).

The first class of personal information described above is information that contains names, dates of birth, or other information that can be used to identify a specific individual (including information that makes it possible to identify specific individuals through easy collation with other information). The second class is information that includes individual identification codes. The points in the above that are said to be difficult to understand are listed below.
(1) What information can identify a specific person?
(2) What does it mean to ‘make it impossible to identify a specific individual’ or to ‘make it impossible to restore the personal information’?
Regarding item (1), the Act stipulates “individual identification codes”, which are clearly part of this item, by the Enforcement Order. Regarding item (2), the criteria for Anonymously Processed Information are stipulated by the Enforcement Rules.
・Individual identification codes are stipulated by the Enforcement Order as something that can identify a specific person (user, purchaser or recipient of a document). (Article 2, Paragraph 2 of the Act)
・To make it impossible to identify a specific person or restore the original personal information, “the personal information must be processed according to the criteria stipulated by the Personal Information Protection Commission Regulations” (Article 36, Paragraph 1 of the Act).

* In instituting Anonymously Processed Information, the measure of “deletion (replacement of relevant parts of the description, etc. with other content by an irregular method such that the original information cannot be restored)” is often referred to. In this section, we refer to it simply as “delete (replace)”.

Furthermore, the conditions and level (not possible for an ordinary person) of “can identify” and “can restore” are explained in Guidelines 2-1.
“Can identify a specific person” refers to
・information from which a specific individual can be identified, in general social terms, from the information stored alone or in combination with other information;
・information that ordinary people, with their ability to judge and understand information, would be able to associate with a specific living person.
“Made impossible to restore the personal information” refers to
・making it impossible, by ordinary methods, to return the Anonymously Processed Information to the original personal information by identifying from the Anonymously Processed Information some description that identifies a specific person or an individual identification code (that was included in the personal information from which the Anonymously Processed Information was derived). (parentheses added by the author)

Additional description of the level of identification and restoration is given as follows.
・It is not required that every possibility of identification (restoration) by any method be excluded from a technical perspective, but it is required that, at least, the information be put in a form in which business operators who handle personal information or who handle Anonymously Processed Information cannot identify (restore) the personal information by ordinary methods, using the abilities and methods available to ordinary persons or ordinary business operators. (The part in parentheses, ‘(restore)’, was added by the author.)

Criteria for Processing Anonymously Processed Information

The criteria for Anonymously Processed Information stipulated in Article 19 of the Regulations, Rules 1 through 5, are explained in order below. For the measures described in each rule, all of the measures must be taken to the extent that they are applicable to the information, rather than selecting from among them (QA A11-5).

●Regulations, Article 19, Rule 1
All or part of the personal information content that can identify a specific person shall be deleted (including replacement of all or part of the information with other information by a method that does not have regularities that enable restoration).

Rule 1

Rule 1 is to delete (replace) all or part of the content that can identify a specific person.

Guidelines 3-2-1 specifies that combinations of information that can identify a specific person, such as address and date of birth, shall be deleted (replaced) as well as personal names.
・Case 1: For personal information that includes personal names, addresses, and dates of birth, delete the names; delete the addresses or replace them with partial information such as xx Prefecture, yy City; and delete the dates of birth or delete the day of birth and replace with the month and year of birth.
・Case 2: For personal information that includes member IDs, personal names, addresses, and telephone numbers, delete the IDs, names, and telephone numbers, and delete the addresses or replace them with partial information such as xx Prefecture, yy City.

Next, Report 4.1.1 provides a supplementary description concerning the processing level and introduces an approach that enables flexible setting of the processing level, using address and date of birth as examples.
・For addresses and dates of birth, it is assumed that partial deletion or replacement is used to create a certain degree of ambiguity in each item, with addresses extending only to the city name (or to the ward name in the case of urban centers that have large populations) and dates of birth extending only to the year of birth or the year and month of birth.
・The approach of adjusting the processing level of each item so that combinations of items such as address, date of birth, and gender do not become unique is also assumed.

The report also includes a supplement concerning the items to be processed, introducing mobile phone numbers and other such items that had been excluded from individual identification codes as possible targets of Rule 1.
・Mobile phone numbers, email addresses, SNS IDs, and the like have been excluded from individual identification codes for reasons such as that they are indistinguishable from numbers that belong to corporations, but such codes should be treated as personal information in cases where a business operator recognizes them as belonging to specific persons, either from the information itself or by combining it with other information about those persons.

To understand the measures for the various numbers included in Rule 1, it is necessary to understand the handling of “temporary IDs”. That is explained in summary later.
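As an added example that is not part of the report, the following Python script applies the Rule 1 processing described above (Guidelines 3-2-1, Cases 1 and 2) together with the Report 4.1.1 approach of raising the processing level until no combination of address, date of birth and gender is unique in the data set. The record layout, field names, address format and the order in which the processing levels are tried are assumptions made for this example, and the sample records are constructed.

```python
from collections import Counter
from typing import Optional

# Direct identifiers deleted outright, as in Guidelines 3-2-1 Case 1 and Case 2
# (names, member IDs and telephone numbers). Field names are assumptions.
DELETE_FIELDS = ("member_id", "name", "phone")

# Quasi-identifiers whose combination must not single out one record
# (Report 4.1.1: adjust the level of each item to avoid unique combinations).
QUASI_IDENTIFIERS = ("address", "birth_date", "gender")

# Processing levels from finest to coarsest, as (address_level, dob_level).
# Each step uses one of the options named in the report (city, year and month,
# year, deletion); the order in which they are tried is an assumption.
LADDER = [
    (0, 0),  # address to city, date of birth to year and month
    (0, 1),  # address to city, date of birth to year only
    (1, 1),  # address to prefecture, date of birth to year only
    (2, 1),  # address deleted, date of birth to year only
    (2, 2),  # address and date of birth both deleted
]


def generalize_address(address: str, level: int) -> Optional[str]:
    """Assumed address format 'Prefecture, City, street detail'.
    Level 0 keeps prefecture and city, 1 keeps the prefecture, 2 deletes."""
    parts = [p.strip() for p in address.split(",")]
    if level == 0:
        return ", ".join(parts[:2])
    if level == 1:
        return parts[0]
    return None


def generalize_birth_date(birth_date: str, level: int) -> Optional[str]:
    """Date of birth as 'YYYY-MM-DD'. Level 0 -> 'YYYY-MM', 1 -> 'YYYY', 2 deletes."""
    year, month, _day = birth_date.split("-")
    if level == 0:
        return f"{year}-{month}"
    if level == 1:
        return year
    return None


def apply_rule1(record: dict, address_level: int, dob_level: int) -> dict:
    """Delete direct identifiers and coarsen the quasi-identifiers to the given levels."""
    out = {k: v for k, v in record.items() if k not in DELETE_FIELDS}
    out["address"] = generalize_address(record["address"], address_level)
    out["birth_date"] = generalize_birth_date(record["birth_date"], dob_level)
    return out


def unique_combinations(records: list) -> int:
    """Count quasi-identifier combinations that occur exactly once in the data set."""
    counts = Counter(tuple(r.get(k) for k in QUASI_IDENTIFIERS) for r in records)
    return sum(1 for n in counts.values() if n == 1)


def anonymize(records: list) -> tuple:
    """Walk the ladder until no quasi-identifier combination is unique.
    Returns (processed records, (address_level, dob_level)) for the first level that passes."""
    for address_level, dob_level in LADDER:
        processed = [apply_rule1(r, address_level, dob_level) for r in records]
        if unique_combinations(processed) == 0:
            return processed, (address_level, dob_level)
    raise ValueError("no level on the ladder removes every unique combination")


# Constructed sample records (fictitious people) for the demonstration.
SAMPLE_RECORDS = [
    {"member_id": "M001", "name": "Person A", "phone": "090-0000-0001",
     "address": "Aichi, Nagoya, Naka 1-2-3", "birth_date": "1985-04-12", "gender": "F", "item": "book"},
    {"member_id": "M002", "name": "Person B", "phone": "090-0000-0002",
     "address": "Aichi, Nagoya, Higashi 4-5-6", "birth_date": "1985-04-30", "gender": "F", "item": "pen"},
    {"member_id": "M003", "name": "Person C", "phone": "090-0000-0003",
     "address": "Aichi, Nagoya, Minami 7-8-9", "birth_date": "1985-11-02", "gender": "F", "item": "book"},
    {"member_id": "M004", "name": "Person D", "phone": "090-0000-0004",
     "address": "Aichi, Toyota, Center 1-1", "birth_date": "1990-07-07", "gender": "M", "item": "lamp"},
    {"member_id": "M005", "name": "Person E", "phone": "090-0000-0005",
     "address": "Aichi, Toyota, North 2-2", "birth_date": "1990-03-15", "gender": "M", "item": "book"},
    {"member_id": "M006", "name": "Person F", "phone": "090-0000-0006",
     "address": "Gifu, Gifu, Kakamigahara 4-5", "birth_date": "1990-01-01", "gender": "M", "item": "pen"},
    {"member_id": "M007", "name": "Person G", "phone": "090-0000-0007",
     "address": "Gifu, Gifu, Station 3-3", "birth_date": "1990-05-05", "gender": "M", "item": "lamp"},
]

if __name__ == "__main__":
    processed, levels = anonymize(SAMPLE_RECORDS)
    print("levels chosen (address, date of birth):", levels)
    for r in processed:
        print(r)
```

With the sample data, level (0, 0) still leaves five records singled out, so the script settles on addresses reduced to the city and dates of birth reduced to the year. This only covers Rule 1 style deletion and generalization; the handling of temporary IDs and Rules 2 to 5 is outside the example.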

82

Page 83: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

* Can be downloaded from https://www.ppc.go.jp/personal/legal/

Act:Enforcement Order:Enforcement Rules:Guidelines (General Rules):Guidelines:QA:Report:

Act on the Protection of Personal InformationThe Cabinet Order to Enforce the Act on the Protection of Personal InformationEnforcement Rules for the Act on the Protection of Personal InformationGuidelines on the Act on the Protection of Personal Information (General Rules)Guidelines on the Act on the Protection of Personal Information (Anonymously Processed Information) Q&A on "Guidelines on the Act on the Protection of Personal Information" and "Response to an Incident of Personal Data Leakage, etc."Report by the Personal Information Protection Commission Secretariat: Anonymously Processed Information (omitted from this table)

4-1 Understanding “Anonymously Processed Information” in Japanese Act and Guidelines on the Protection of Personal Information

Summary

The Anonymously Processed Information introduced by the Revised Act on Protection of Personal Information is expect-ed to serve as a means of distributing personal data. Anonymously Processed Information must satisfy the criteria speci-fied in laws and guidelines, but those criteria are often considered difficult to understand. This section explains how to interpret laws and guidelines that concern criteria for anonymizing information.

Introduction

Anonymously Processed Information is a system newly introduced in the Revised Personal Information Protection Act that processes personal information into a form that makes it impossible to identify a specific individual from the processed information. The purpose of Anonymously Processed Information is to allow personal information to be used for purposes other than originally intended and to be provided to third parties under certain rules without the person’s consent. This section describes the rules for Anonymously Processed Information and explains technology for imple-menting it to facilitate the creation of Anonymously Processed Information.The laws and guidelines described in this section are listed below.*

What is Anonymously Processed Information?

Act Article 2, Paragraph 1, Guidelines (General Rules) 2-1, QA Q1-1 to 18

Act Article 2, Paragraph 9, Guidelines 2-1, QA Q 11-1 to 3

Act Article 36, Paragraph 1, Enforcement Rules Article 19, Guidelines 3-2, QA Q 11-4 to 10

Definition of Personal Information

Definition of Individual Identification Codes

Definition of Anonymously Processed Information

Creating Anonymously Processed Information

The conditions and level (not possible for an ordinary person) of “can identify” and “can restore” are explained in the Guidelines 2-1.“Can identify a specific person” refers to・A specific individual can be identified in general social terms by using information stored alone or in combination with

other information・It depends on whether ordinary people would be able to identify said information with a living person, with their ability

to judge and understand information“Make it impossible to restore the personal information” refers to・Making it impossible, by ordinary methods, to return the Anonymously Processed Information to the original personal

information by identifying from the Anonymously Processed Information some description that identifies a specific person or individual identification code (that was included in the personal information from which the Anonymously Processed Information was derived).(parentheses added by the author)

Additional description for ‘identify’ and ‘level of restoration’ is given below.・It is not required that all possibility of identification (restoration) by any method be excluded from a technical perspec-

tive, but it is required that it, at least, to put the information in any form for which it is not possible for business operators who handle personal information or who handle Anonymously Processed Information to identify (restore) personal information by ordinary methods using the abilities and methods available to ordinary persons or business operators.(The part in parentheses,’(restore)’, was added by the author.)

Guidelines 3-2-1 specifies that combinations of information that can identify a specific person such as address and date of birth, etc. shall be deleted (replaced) as well as personal names.・Case 1: For personal information that includes personal names, addresses, and dates of birth, delete the names, delete

the addresses or replace them with partial information such as xx Prefecture, yy City, delete the dates of birth or delete the day of birth and replace with the month and year of birth.

・Case 2: For personal information that includes member IDs, personal names, addresses, and telephone numbers, delete the IDs, names, and telephone numbers and delete the addresses or replace them with partial information such as xx Prefecture, yy City.

Next, Report 4.1.1 provides a supplementary description concerning processing level and introduces an approach that enables flexible setting of the processing level, using address and date of birth as examples.

・For addresses and dates of birth, it is assumed that partial deletion or replacement is used to create a certain degree of ambiguity, with addresses extending only to the city name (or to the ward name in the case of urban centers that have large populations) and dates of birth extending only to the year of birth or to the year and month of birth.

・The approach of adjusting the processing level of each item to avoid unique combinations of items such as address, date of birth, and gender is also assumed.

The Report also includes a supplement concerning the items to be processed, introducing mobile phone numbers and other such items that had been excluded from the individual identification codes as targets for Rule 1.

・Mobile phone numbers, email addresses, and IDs such as SNS IDs have been excluded from individual identification codes for reasons such as that they are indistinguishable from numbers that belong to corporations, but such codes should be treated as personal information in cases where they can be recognized by business operators as belonging to specific persons, either by the information itself or by combining it with other information about those persons.

To understand the measures for the various numbers included in Rule 1, it is necessary to understand the handling of “temporary IDs”. That is explained in summary later.

Criteria for Processing Anonymously Processed Information

The criteria for Anonymously Processed Information stipulated in Article 19 of the Regulations, Rules 1 through 5 are explained in order below. For the measures described in each rule, all of the measures must be taken to the extent that they are applicable to the information rather than selecting from among them (QA A11-5).

●Regulations, Article 19, Rule 1
All or part of the personal information content that can identify a specific person shall be deleted (including replacement of all or part of the information with other information by a method that does not have regularities that enable restoration).

Rule 1

Rule 1 is to delete (replace) all or part of content that can identify a specific person.


Act Article 2, Paragraph 2; Enforcement Order Article 1; Enforcement Rules Articles 2, 3, and 4; Guidelines (General Rules) 2-2; QA Q1-19 to 23

Anonymously Processed Information is stipulated in the Act (Article 2, Paragraph 9) as follows.

・Anonymously Processed Information is information concerning individuals that has been processed so that it is not possible to identify a specific individual or to restore the personal information.

The Anonymously Processed Information processing is determined according to the class of personal information.

・For personal information that is subject to Article 2, Paragraph 1, Item 1 of the Act, some of the description or other content of the information shall be deleted (replaced).*

・For personal information that is subject to Item 2 of the same, all of the individual identifying codes in the information shall be deleted (replaced).

The first class of personal information described above is information that contains names, dates of birth, or other information that can be used to identify a specific individual (including information that makes it possible to identify specific individuals through easy collation with other information). The second of the above classes is information that includes individual identification codes. The points in the above that are said to be difficult to understand are listed below.

(1) What information can identify a specific person?
(2) What does it mean to ‘make it impossible to identify a specific individual’ or to ‘make it impossible to restore the personal information’?

The Act stipulates “individual identification codes”, which are clearly a part of item (1) above, by the Enforcement Order. Concerning item (2) above, the criteria for Anonymously Processed Information are stipulated by the Enforcement Rules.

・Individual identification codes are stipulated by the Enforcement Order as something that can identify a specific person (user, purchaser or recipient of a document). (Article 2, Paragraph 2 of the Act)

・To make it impossible to identify a specific person or restore the original personal information, “the personal information must be processed according to the criteria stipulated by the Personal Information Protection Committee Regulations” (Article 36, Paragraph 1 of the Act).

* In instituting Anonymously Processed Information, the measure of “deletion (replacement of relevant parts of description, etc. with other content by an irregular method such that the original information cannot be restored)” is often referred to. In this section, we refer to it simply as “delete (replace)”.


Individual identifying codes are specified by government ordinance in limited detail as having two types: biometric data codes that can identify the person or the issuer and public numbers. Biometric data pertains to the category specified as “of the level that can identify a specific person” in Article 2 of the Regulations. Public numbering codes are described in detail in Article 3 and Article 4 of the Regulations. Individual identifying codes are not described in detail. Please check the ordinances for more information.

●Regulations Article 19, Rule 2
All of the individual identification codes contained in the personal information shall be deleted (including replacement with other information by a method that does not have regularities that enable restoration of the individual identification codes).

Rule 2

Rule 2 is the deletion (replacement) of all individual identification codes.

A specific example of linked codes is an ID that is split for safety management and stored in multiple tables that can be linked. "Information being actually handled by a personal information handling business operator" refers to “codes that are used to link information that is actually handled”.

●Regulations Article 19, Rule 3
Deleting those codes (limited to those codes linking mutually plural information being actually handled by a personal information handling business operator) which link personal information and information obtained by having taken measures against the personal information (including replacing the said codes with those other codes which cannot link the said personal information and information obtained by having taken measures against the said personal information using a method with no regularity that can restore the said codes).

Rule 3

Rule 3 is deletion (replacement) of linked codes.

The reason for processing idiosyncratic descriptions is, as explained in Guidelines 3-2-4:

・Descriptions of unusual facts or descriptions that differ significantly from those of other persons may generally be used to identify a specific person.

Thus, idiosyncratic descriptions are:

・Descriptions that can lead to identification of specific persons since they are idiosyncratic.

However, the rule does not apply to:

・Descriptions that cannot be used to identify a specific person, even though the description differs from that of other persons.

In deciding if the description is actually idiosyncratic:

・A subjective decision must be made for each case based on the nature of the information.

・Descriptions that are recognized as idiosyncratic in all general situations using social common sense are considered idiosyncratic.

Examples:

・Case 1: Delete medical records for which there are very few examples of the illness or injury symptoms.

・Case 2: Replace the age described as “116 years old” with the description “over 90 years old”.

The Report also includes the following supplementary explanation.

・Because a description that is idiosyncratic with respect to social common sense is subject to the rule, if there are no results of an investigation of the distribution of the information, or if such results exist but are unknown to ordinary persons, the sense of “idiosyncrasy” used in this rule is not considered to apply, even if the information is idiosyncratic.

●Regulations Article 19, Rule 4
Idiosyncratic descriptions shall be deleted (including replacement with other descriptions by a method that does not have regularities that enable restoration of the original description).

Rule 4

Rule 4 is deletion (replacement) of idiosyncratic description.

For the measures of Rule 5, “appropriate measures” are to be taken “in the case that it remains possible for a specific person to be identified or for the original personal information to be restored, even for information that has been processed according to Regulations Article 19, Rule 1 through Rule 4” (Guidelines 3-2-5). Case examples follow.

・Case 1: In cases where a record of movement includes location information (latitude and longitude) that makes it possible to estimate the address of a person’s home or workplace, etc. and “there is concern that a specific person can be identified or the original personal information can be restored” (the same for the following Cases 2 and 3), the location information for the range of addresses that can be estimated is deleted (deletion of items, deletion of records, deletion of cells).

・Case 2: In cases where the purchase history of a retail store includes the purchase history of products for which purchasers are extremely limited, specific product information (product number and color) is replaced with general product categories (generalization).

・Case 3: In a case where the physical examination information for a primary school includes information for a student that is greatly different from the other students (height of 170 cm), the height information is replaced with “150 cm or more” (top coding).

Rule 5 describes that the differences between “description contained in personal information” and “the description contained in the personal information of others that is stored in the same personal information database” should be taken into consideration. That corresponds to “values and descriptions, etc. are relatively unique” among the data that is to be processed (Report 4.1.5.1; QA A11-9 is also relevant), and typical examples are “student height of 170 cm” in the above Case 3 and “purchase of limited products” in Case 2. However, Rule 5 continues with “considering the nature of the personal information database”, and the consideration must accord with the data. An example of that is the movement record of Case 1.

・In particular, when a personal information database includes information related to repeated behaviors such as a purchase history or location data, it may be possible to understand a specific person’s behavioral habits by accumulating that information (Guidelines 3-2-5).

The explanation of information subject to Rule 5 that is given in the Guidelines has been described here, but there is additional explanation in the Report (4.1.5.2), and investigation of appropriate measures is needed for the “IDs that are highly unlikely to change and service IDs obtained by many business operators, etc.”, “time-related information”, and “location information (movement records)” items mentioned there.

What about the extent of processing, then? Although Rules 1 through 4 required “deletion (replacement)”, Rule 5 is about “appropriate measures”. Guidelines 3-2-5 describes appropriate measures as follows.

・Appropriate measures must be taken according to methods such as those listed in Appendix Table 1.

・Because the information to be processed and the degree of processing vary with the nature of the information processing target, it is necessary to individually and specifically decide what information must be processed to what level according to the nature of the processing target.

Example methods for anonymizing information are presented in Appendix Table 1. They are explained only as a list of the general properties of methods such as deletion, generalization, and top coding, etc. and the degree of processing is left to the judgment of the process designer.

●Regulations Article 19, Rule 5
In addition to the measures specified in the previous Rules, appropriate measures shall be taken based on the results of considering differences between the description contained in the personal information of a person and the description contained in the personal information of others that is stored in the same personal information database and considering the nature of the personal information database.

Rule 5

Rule 5 is other measures that are based on the nature of personal information databases, etc.

Temporary IDs

The temporary ID is taken up for the first time in Guidelines 3-2-1 as an example of “substitution without regularity” for descriptions, etc. that enable identification of a specific person. It is pointed out that, in addition to the basic issue of (for example) correctly using a hash function so that the original information cannot be leaked and the original information cannot be obtained from a temporary ID that has been created, it is also desirable that temporary IDs can be changed for each supplier and can be changed periodically. There is further explanation added in the Report (4.1.1) that if it is not possible to manage the risk of using temporary IDs, they should not be used.

・(Change for each provider) There is concern that links can be created between the data related to individuals possessed by different businesses.

・(Change periodically) It is also assumed that the risk of being able to identify the person associated with the original personal information increases as information on the same person continues to accumulate.

・Unless a temporary ID is necessary, it is better not to use a temporary ID as a replacement, so as to lower the risk of re-identification.
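As an added illustration (not code from this report, the Guidelines, or the Report they cite), the following Python script applies the Rule 1 generalizations from Cases 1 and 2, replaces the member ID with a temporary ID that can be varied per provider and per period, applies the Case 3 top coding of Rule 5, and then checks the Report 4.1.1 point that combinations of address, date of birth and gender should not be unique, coarsening the date of birth when they are. The record layout, the address format (space-separated, prefecture first, then city or ward), the keyed-hash construction, the key handling and the sample people are all assumptions.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample records (fictitious people). The fields are the ones the
# Guidelines' Case 1-3 examples use; four people in one ward keep the
# uniqueness check below easy to follow.
RECORDS = [
    {"member_id": "M-1001", "name": "Taro Yamada", "tel": "090-0000-0001",
     "address": "Tokyo-to Chiyoda-ku Kanda 1-2-3", "dob": date(1985, 4, 12),
     "gender": "M", "height_cm": 171},
    {"member_id": "M-1002", "name": "Jiro Suzuki", "tel": "090-0000-0002",
     "address": "Tokyo-to Chiyoda-ku Kudan 4-5", "dob": date(1985, 9, 3),
     "gender": "M", "height_cm": 168},
    {"member_id": "M-1003", "name": "Hanako Sato", "tel": "090-0000-0003",
     "address": "Tokyo-to Chiyoda-ku Kanda 6-7", "dob": date(1985, 4, 30),
     "gender": "F", "height_cm": 160},
    {"member_id": "M-1004", "name": "Yoko Tanaka", "tel": "090-0000-0004",
     "address": "Tokyo-to Chiyoda-ku Iidabashi 8", "dob": date(1985, 11, 21),
     "gender": "F", "height_cm": 155},
]

# Quasi-identifiers whose combination Report 4.1.1 says should not be unique.
QUASI_IDENTIFIERS = ("address", "birth", "gender")


def generalize_address(address: str) -> str:
    """Rule 1, Case 1: keep only 'xx Prefecture, yy City (or Ward)'.
    Assumes a space-separated address with prefecture first, then city/ward."""
    return " ".join(address.split()[:2])


def generalize_dob(dob: date, level: str = "month") -> str:
    """Rule 1, Case 1: delete the day (level='month') or the day and month
    (level='year'); Report 4.1.1 allows either level."""
    if level == "year":
        return f"{dob.year:04d}"
    return f"{dob.year:04d}-{dob.month:02d}"


def temporary_id(member_id: str, provider_key: bytes) -> str:
    """'Substitution without regularity' for an ID (Guidelines 3-2-1).
    A keyed hash (HMAC-SHA256, an assumed construction) means the member ID
    cannot be recovered from the temporary ID without the key; a different key
    for each recipient and each period gives the per-provider and periodic
    change the Guidelines recommend. The key stays with the creating operator."""
    digest = hmac.new(provider_key, member_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def top_code_height(height_cm: int, threshold: int = 150) -> str:
    """Rule 5, Case 3: top coding replaces outlying values with '150 cm or more'."""
    return f"{threshold} cm or more" if height_cm >= threshold else f"{height_cm}"


def anonymize(record: dict, provider_key: bytes, dob_level: str = "month") -> dict:
    """Apply Rules 1 and 5 to one record. Name and telephone number are deleted
    (Case 2); the member ID is replaced with a temporary ID."""
    return {
        "tmp_id": temporary_id(record["member_id"], provider_key),
        "address": generalize_address(record["address"]),
        "birth": generalize_dob(record["dob"], dob_level),
        "gender": record["gender"],
        "height": top_code_height(record["height_cm"]),
    }


def unique_combinations(rows: list, keys=QUASI_IDENTIFIERS) -> list:
    """Return quasi-identifier combinations that occur exactly once, i.e. rows
    that would still single out one person (the k-anonymity idea with k = 2)."""
    counts = Counter(tuple(row[k] for k in keys) for row in rows)
    return [combo for combo, n in counts.items() if n == 1]


def anonymize_dataset(records: list, provider_key: bytes) -> tuple:
    """Process at the finer level first and coarsen the date of birth while
    any quasi-identifier combination is still unique. Returns (rows, level)."""
    rows, level = [], "month"
    for level in ("month", "year"):
        rows = [anonymize(r, provider_key, level) for r in records]
        if not unique_combinations(rows):
            return rows, level
    return rows, level  # still unique at the coarsest level: needs more work


if __name__ == "__main__":
    key_a = b"constructed-key-for-provider-A"  # assumed per-provider secret
    rows, level = anonymize_dataset(RECORDS, key_a)
    print(f"date of birth generalized to the {level} level")
    for row in rows:
        print(row)
```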

4-1 Understanding “Anonymously Processed Information” in Japanese Act and Guidelines on the Protection of Personal Information


4 Cybersecurity Topics and Technological Trends in FY 2017


*1 Report 4.2.2 takes the view that it is possible to consider this from the viewpoints of “types of information that can be obtained” and “ease of matching information”.
*2 What is known as the k-anonymity approach.
*3 This processing is the “strongest” level, and if done properly, it is, by itself, considered to mostly satisfy the requirement for Anonymously Processed Information. Unfortunately, however, the anonymized data is necessarily “far apart from” the original data.

Summary of Cases

Up to here, we have mainly reviewed the laws and guidelines, etc. that are relevant to creating Anonymously Processed Information. The Anonymously Processed Information use cases and processing examples described in the later part of the Report were not introduced in this section, but detailed case examples that included various types of record data, etc. were presented. In those cases, the processing level and method were shown specifically, but the assumed risk and the processing method were considered individually for each data item. That approach, unfortunately, does not directly provide answers for the following two questions, which are considered to be important in practice as described at the beginning of this section.

Items Currently Unclear

(1) What information can identify specific persons?
(2) What does it mean to ‘make it impossible to identify a specific individual’ or to ‘make it impossible to restore the original personal information’?

(1) Information that can identify specific persons

From the laws and guidelines, we can clearly understand that personal names, addresses, gender, date of birth, facial images, email addresses (that allow it to be known that an individual belongs to a certain company), and individual identification codes are associated with individual identity. Such information is treated as information that can, by itself, identify a specific person. There are other patterns in which information that cannot be said to identify a specific person itself can be used with reference to other information obtained separately to identify a specific person. Consider the following categories of personal identity.

A. Personal identity established by the information itself.
B. Personal identity established by reference to the source personal information.
C. Personal identity established by reference to other available information.

Category A includes extensions of personal names, addresses, gender, and dates of birth, etc. Specifying such items of information (and their combinations) is a deep problem and selection criteria are needed to use category A in practice. Category B includes all of the processed data, to the extent that a line-by-line association between the original data and the processed data remains. Category C includes descriptions that make identification possible by referring to other information that is available in the world. For example, annual income can be used to identify a specific person by reference if personal income per year in units of one yen is generally available. To use category C in practice, it is necessary to consider the risk of referencing other information.*1 The current situation is that the necessity and degree of dealing with these three categories are not clear.

(2) Making it impossible to identify a specific person or restore the original personal information

This can be considered as removing the personal identifiability from personally identifying information (required for categories A, B, and C) for ordinary persons.

The measures indicated in the Guidelines for dealing with category A information include deletion of personal names and converting addresses to less specific forms such as “XX Prefecture, YY City”, etc. However, it is difficult to judge whether those measures alone are sufficient to eliminate the personally identifying nature of that information, which is the essence of Anonymously Processed Information. Another problem is that those measures do not fully resolve the problem of possible excessive processing.

The Report (4.1.1) states that “the approach in which the processing level of each information item is adjusted so that there are no unique combinations of address, date of birth, and gender, etc. is also assumed”, but if measures are taken so that information of category A is deleted and there are multiple parts of the category A information in combination, certain claims can be made concerning the elimination of personal identifiability.*2

If we are to deal with category B, all of the description in the processed data is the target, so all of the information items are processed to some extent to eliminate relationships with the original data.*3 However, the Report mentions the opinion that it is not necessary to deal with category B information (3.4.2, “Relationships that are Easily Collated”).

An example of category C information is annual income, which is associated with a reference risk. That information requires processing so that a specific person cannot be identified. The degree of processing is left to the judgment of the processing designer, as pointed out in the section on Rule 5. Based on the obligation to prohibit discrimination concerning Anonymously Processed Information, it is not permitted to leave annual income unanonymized.

●For the future
The National Institute of Informatics (NII) has published a report concerning problem (1), target information, and problem (2), processing degree and methods (“Report on Appropriate Processing Methods for Anonymously Processed Information”). That report separates the category A information (“information that is personally identifying itself”) as target information for Rule 1 and category C information (“personally identifying by reference risk”) as target information for Rule 5. For the former, it is necessary to eliminate clear identifiability such as unique combinations, and for the latter, there are multiple proposals of processing methods that involve “appropriate measures based on the nature of databases, etc.” It is necessary to first clearly organize problems (1) and (2) and their relationships and to collect cases from the industry based on shared ideas.

We have summarized specifically-determined items from currently published laws and guidelines, etc. that serve as criteria for creating Anonymously Processed Information. We have also discussed the direction of important issues that remain unclear, focusing on the information to be processed and processing degrees and methods.

4-2 Trends in Cyberattacks on Cryptocurrencies

Cyberattacks Related to Cryptocurrencies

Attacks on the cryptocurrency industry have occurred one after another in recent years. Other than Bitcoin, there are various implementations such as Ethereum and NEM. Some implementations are highly anonymous and some are difficult to track down, even when used in crime. The methods of storing cryptocurrencies are broadly classified as depositing in exchanges and storing in wallets. The attack methods used depend on the cryptocurrency storage method.

Attack Cases

Cases of attacks that have occurred since 2014 are described here.

Attackers target highly anonymous cryptocurrencies for which a route to cash can be created, stealing from cryptocurrency exchanges and users. Other attack methods that have been noticed are DDoS attacks on the exchanges and cryptojacking, which uses the computing resources of the general public for mining to earn cryptocurrency. Some opinions point to the involvement of national governments in these attacks. In this report, we introduce cases of specific attacks, including a detailed explanation of cryptojacking, in which the victims are not users of cryptocurrencies.

Cryptocurrency storage methods

e.g. Ledger Nano SURL: https://www.ledgerwallet.com/

products/ledger-nano-s

Example: Bitcoin.com Wallet (not the official Bitcoin application)URL: https://play.google.com/store/apps/details?id=com.

bitcoin.mwallet&hl=ja

・Software ・Hardware

●Attacks on cryptocurrency exchanges(1) Thefts of cryptocurrencies have been occurring one after the other throughout the world over the last five years.・MT. Gox, Japan … BTC stolen in 2014/Feb

・MtGOX Suddenly Shuts Down In a few years, the exchange lost 740,000 BTC in custodial assets by theft. (Ma-sanori Kusunoki) https://news.yahoo.co.jp/byline/kusunokimasanori/20140225-00033012/

・Bithumb, South Korea … BTC and ETH stolen in 2017/Jun・Bithumb Hacked: Bitcoin, Ethereum Stolen From Popular Cryptocurrency Exchange

http://www.ibtimes.com/bithumb-hacked-bitcoin-ethereum-stolen-popular-cryptocurrency-exchange-2561627・Youbit exchange, South Korea … BTC stolen in 2017/Apr and 17% of assets lost in 2017/Dec

・Bitcoin exchange Youbit shuts after second hack attack http://www.bbc.com/news/technology-42409815

・Coincheck, Japan … NEM stolen in 2018/Jan・Report on unauthorized remittances of the NEM cryptocurrency

http://corporate.coincheck.com/2018/03/08/46.html

Depositing in exchanges Storage in a local wallet


Summary of Cases

Up to here, we have mainly reviewed the laws and guidelines, etc. that are relevant to creating Anonymously Processed Information. The Anonymously Processed Information use cases and processing examples described in the later part of the Report were not introduced in this section, but they present detailed case examples that include various types of record data, etc. In those cases, the processing level and method are shown specifically, but the assumed risk and the processing method were considered individually for each data item. That approach, unfortunately, does not directly answer the following two questions, which are considered to be important in practice, as described at the beginning of this section.

(1) What information can identify specific persons?
(2) What does it mean to “make it impossible to identify a specific individual” or to “make it impossible to restore the original personal information”?

Items Currently Unclear

(1) Information that can identify specific persons
From the laws and guidelines, we can clearly understand that personal names, addresses, gender, date of birth, facial images, email addresses (that allow it to be known that an individual belongs to a certain company), and individual identification codes are associated with individual identity. Such information is treated as information that can, by itself, identify a specific person. There are other patterns in which information that cannot be said to identify a specific person by itself can be used, with reference to other information obtained separately, to identify a specific person. Consider the following categories of personal identity.

A. Personal identity established by the information itself.
B. Personal identity established by reference to the source personal information.
C. Personal identity established by reference to other available information.

Category A includes extensions of personal names, addresses, gender, and dates of birth, etc. Specifying such items of information (and their combinations) is a deep problem, and selection criteria are needed to use category A in practice. Category B includes all of the processed data, to the extent that a line-by-line association between the original data and the processed data remains. Category C includes descriptions that make identification possible by referring to other information that is available in the world. For example, annual income can be used to identify a specific person by reference if personal income per year in units of one yen is generally available. To use category C in practice, it is necessary to consider the risk of referencing other information.*1 The current situation is that the necessity and degree of dealing with these three categories are not clear.

(2) Making it impossible to identify a specific person or restore the original personal information
This can be considered as removing the personal identifiability from personally identifying information (required for categories A, B, and C) for ordinary persons. The measures indicated in the Guidelines for dealing with category A information include deletion of personal names and converting addresses to less specific forms such as “XX Prefecture, YY City”, etc. However, it is difficult to judge whether those measures alone are sufficient to eliminate the personally identifying nature of that information, which is the essence of Anonymously Processed Information. Another problem is that those measures do not fully resolve the problem of possible excessive processing. The Report (4.1.1) states that “the approach in which the processing level of each information item is adjusted so that there are no unique combinations of address, date of birth, and gender, etc. is also assumed”, but if category A information is deleted, or, where several category A items remain in combination, processed so that no combination is unique, certain claims can be made concerning the elimination of personal identifiability.*2 If category B is to be dealt with, every description in the processed data is a target, so all information items are processed to some extent to eliminate the relationship with the original data.*3 However, the Report mentions the opinion that it is not necessary to deal with category B information (3.4.2, “Relationships that are Easily Collated”). An example of category C information is annual income, which is associated with a reference risk. That information requires processing so that a specific person cannot be identified. The degree of processing is left to the judgment of the processing designer, as pointed out in the section on Rule 5. Based on the obligation to prohibit discrimination concerning Anonymously Processed Information, it is not permitted to leave annual income unanonymized.

*1 Report 4.2.2 takes the view that it is possible to consider this from the viewpoints of “types of information that can be obtained” and “ease of matching information”.
*2 What is known as the k-anonymity approach.
*3 This processing is the “strongest” level, and if done properly, it is, by itself, considered to mostly satisfy the requirement for Anonymously Processed Information. Unfortunately, however, the anonymized data is then necessarily “far apart from” the original data.
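The unique-combination check and the “adjust the processing level until no combination of address, date of birth and gender is unique” approach discussed above can be made concrete. The following is an added illustration written for this summary; it is not code from the NTT report or from the NII report it cites. The records are fictitious, the three-step generalization ladder (full address, prefecture plus city, prefecture; full date, year, decade) and the one-million-yen income bucket for the category C item are assumptions chosen for the example, and a real processing design would follow the guidelines’ own rules.

```python
"""Unique-combination check and step-wise generalization for anonymized records.

Added illustration, not code from the NTT report or the NII report it cites.
Records, field names and the generalization ladder are constructed.
"""
from collections import Counter

# Constructed sample records (fictitious people). name/address/birth/gender are
# category A items; income stands in for a category C item (reference risk).
RECORDS = [
    {"name": "Yamada Taro",   "address": "Tokyo-to Chiyoda-ku Kanda 1-1-1",  "birth": "1980-05-02", "gender": "M", "income": 5_230_000},
    {"name": "Suzuki Jiro",   "address": "Tokyo-to Chiyoda-ku Kanda 2-3-4",  "birth": "1980-11-20", "gender": "M", "income": 4_870_000},
    {"name": "Sato Saburo",   "address": "Tokyo-to Chiyoda-ku Otemachi 1-2", "birth": "1980-01-15", "gender": "M", "income": 6_010_000},
    {"name": "Tanaka Hanako", "address": "Osaka-fu Osaka-shi Kita-ku 5-6",   "birth": "1975-03-03", "gender": "F", "income": 3_950_000},
    {"name": "Ito Yoko",      "address": "Osaka-fu Osaka-shi Chuo-ku 7-8",   "birth": "1975-09-09", "gender": "F", "income": 4_120_000},
    {"name": "Kato Mie",      "address": "Osaka-fu Osaka-shi Kita-ku 9-10",  "birth": "1975-12-24", "gender": "F", "income": 3_300_000},
]

# Generalization ladder: (address level, birth-date level), coarsest last.
# Assumed for the example; a real design would be driven by the guidelines.
LADDER = [(0, 0), (1, 0), (1, 1), (2, 1), (2, 2)]


def generalize_address(address, level):
    """0: full address, 1: prefecture + city ('XX Prefecture, YY City'), 2: prefecture only."""
    parts = address.split()
    if level == 0:
        return address
    return " ".join(parts[:2] if level == 1 else parts[:1])


def generalize_birth(birth, level):
    """0: full date, 1: year of birth, 2: decade of birth."""
    year = birth[:4]
    if level == 0:
        return birth
    return year if level == 1 else year[:3] + "0s"


def bucket_income(income, width=1_000_000):
    """Category C item: replace a per-yen value by a range 'width' yen wide."""
    low = (income // width) * width
    return f"{low}-{low + width - 1}"


def quasi_identifier(record, addr_level, birth_level):
    """The combination of category A items that remains after processing."""
    return (generalize_address(record["address"], addr_level),
            generalize_birth(record["birth"], birth_level),
            record["gender"])


def unique_combinations(records, addr_level, birth_level):
    """Quasi-identifier combinations that occur exactly once (re-identifiable rows)."""
    counts = Counter(quasi_identifier(r, addr_level, birth_level) for r in records)
    return sorted(q for q, n in counts.items() if n == 1)


def min_group_size(records, addr_level, birth_level):
    """Smallest number of rows sharing one quasi-identifier (the k of k-anonymity)."""
    counts = Counter(quasi_identifier(r, addr_level, birth_level) for r in records)
    return min(counts.values())


def anonymize(records, k):
    """Delete names, then climb the ladder until every group has at least k rows.
    Returns (processed_records, levels), or None if k cannot be reached."""
    for addr_level, birth_level in LADDER:
        if min_group_size(records, addr_level, birth_level) >= k:
            processed = []
            for r in records:
                addr, birth, gender = quasi_identifier(r, addr_level, birth_level)
                processed.append({"address": addr, "birth": birth, "gender": gender,
                                  "income": bucket_income(r["income"])})
            return processed, (addr_level, birth_level)
    return None


if __name__ == "__main__":
    print("unique combinations at full detail:", len(unique_combinations(RECORDS, 0, 0)))
    result = anonymize(RECORDS, k=2)
    if result is None:
        print("k not reachable with this ladder")
    else:
        rows, levels = result
        print("levels used:", levels)
        for row in rows:
            print(row)
```

With the constructed records every row is unique at full detail and still unique after the address alone is coarsened, because the full dates of birth differ; only once dates are reduced to years does every group reach three rows. Asking for k = 4 fails on this small set even at the coarsest level, which is the “excessive processing” trade-off the text mentions: a larger k can only be bought with coarser data or a larger dataset.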


●Attacks on cryptocurrency users
Thefts of cryptocurrencies by various means have occurred.
・Unauthorized use of an owner’s computer
  ・A third-year high school student in Osaka was arrested on suspicion of creating a virus for the illegal acquisition of a cryptocurrency … The target was the cryptocurrency “MonaCoin” http://www.sankei.com/west/news/180130/wst1801300079-n1.html
・Unauthorized use of an exchange API
  ・Report of unauthorized use of customer API keys for transactions and withdrawals, and request for countermeasures https://corp.zaif.jp/info/8231/
・Another method that may appear in the future is the selling of infected wallets.

●Attacks on the general public (cryptojacking)
・Cryptojacking, also known as drive-by mining, has become common. This type of attack uses a web browser to mine cryptocurrency without the user’s consent.
・A detailed explanation is given in the second half of this section.

(2) More DDoS attacks are being seen than in the last half of 2017.
・Zaif, Japan … DDoSed in 2017/Sep
  ・Report on difficult access phenomena in Japan https://corp.zaif.jp/info/6534/
・bitFlyer, Japan … DDoSed in 2017/Sep
  ・5-hour cyberattack on bitFlyer, a major Bitcoin exchange https://internetcom.jp/203437/bitflyer-ddos
・HitBTC … DDoSed in 2017/Dec
  ・“Dear traders, we are under heavy DDoS attack and currently working on bringing our platform back online.” https://twitter.com/hitbtc/status/941359354007183360
・DDoS attacks, by themselves, are not profitable to attackers, but there has been a case of a threatened DDoS attack on an EC site as an attempt to obtain money, and that method might also be applied to cryptocurrency exchange targets.

The Attackers

Attackers are generally considered to be interested in money. As a specific attacker profile, it has been reported that the South Korean National Intelligence Service has pointed to the involvement of North Korea in attacks on some exchanges. According to comments by Rep. Kim Byung-gi of the Korean National Assembly quoted in the same report, “It has been confirmed that North Korea has used technology to defeat the antivirus software of well-known manufacturers in South Korea and, focusing on the fact that cryptocurrency companies are hiring new employees, sends out hacking emails disguised as job applications.” (Representative Kim Byung-gi of the Korean National Assembly)
・Source: “North Korea Has Taken Hundreds of Millions of Yen in Cryptocurrencies by Hacking” - National Intelligence Service http://japan.hani.co.kr/arti/politics/29706.html
There is also a comment from a Coincheck press conference informing Coincheck members that a targeted attack had been made.
・Prospective compensation by Coincheck to begin next week - the result of a targeted attack? http://www.itmedia.co.jp/business/articles/1803/08/news123.html

4-3 Examples of Cryptocurrency Attack Method

Cryptojacking

・This section concerns cryptojacking attacks, which have been increasing in parallel with attacks on cryptocurrency exchanges. The term has been in use since Coinhive appeared in September 2017.

What is cryptojacking?
Source: ENISA: Cryptojacking – Cryptomining in the browser URL: https://www.enisa.europa.eu/publications/info-notes/cryptojacking-cryptomining-in-the-browser
(Figure: threat actor, compromised website with cryptomining script embedded, end-users, cryptocurrency mining)
Steps
1. The threat actor compromises a website
2. Users connect to the compromised website and the cryptomining script executes
3. Users unknowingly start mining cryptocurrency on behalf of the threat actor
4. Upon successfully adding a new block to the blockchain, the threat actor receives a reward in cryptocurrency coins

Why is this kind of attack prevalent?
・A scenario in which an attacker motivated by profit chooses to obtain money by using ransomware, for example, is described below.
(1) Use some method to infect the target with ransomware.
(2) Use data encryption or other means to intimidate the victim into sending cryptocurrency.
(3) The victim prepares the cryptocurrency.
(4) The victim transfers the cryptocurrency to the attacker.
・Compared with cryptojacking, the ransomware victim must take the extra steps of preparing the cryptocurrency and transferring it to the attacker, and preparing the cryptocurrency is known to be a surprisingly difficult task.
・NTT Security conducted experiments to see whether it is possible to obtain Bitcoin valued at 300 USD within seven days, assuming that an ordinary end-user who is not familiar with cryptocurrencies is the victim of a ransomware infection. The results show that such an end-user could not complete the task within the time limit. For details on that experiment, refer to the report shown below.
  ・NTT Security: NTT Security Monthly Threat Report May 2017 https://www.nttsecurity.com/docs/librariesprovider3/resources/gtic-monthly-threat-report-may-2017
・Cryptojacking can thus be considered a more efficient attack method for attackers.
・The attack scenario is described below.
(1) The attacker embeds Coinhive or other JavaScript for mining cryptocurrency on a website by tampering.
(2) The script uses the CPU resources of visitors’ computers to mine cryptocurrency, and the attacker takes the profit.


JavaScript Cryptocurrency Miners

・The JavaScript cryptocurrency mining scripts used in cryptojacking are described here.
・We first describe Coinhive, the code of a service that is considered to be typical of cryptojacking.

●Coinhive
・Coinhive uses a cryptocurrency miner implemented in JavaScript to mine the Monero blockchain. It is the first of its kind and has established the largest user base in this field. A study of the public World Wide Web shows that Coinhive was embedded in over 34,000 sites on the date of the study (December 11, 2017).
(Figure: Coinhive logo)

Coinhive embedding
・According to reports by Sucuri, compromising websites to embed Coinhive is frequent.
  ・Sucuri: Hacked Websites Mine Cryptocurrencies https://blog.sucuri.net/2017/09/hacked-websites-mine-crypocurrencies.html
  ・Sucuri: Cryptominers on Hacked Sites – Part 2 https://blog.sucuri.net/2017/10/cryptominers-on-hacked-sites-part-2.html
・Websites in Japan embedded with Coinhive by tampering have also been observed.
  ・IIJ: Cases of Cryptocurrency Mining Scripts Embedded by Website Tampering https://wizsafe.iij.ad.jp/2017/10/94/
・The above cases involve a relatively sophisticated approach in which the Coinhive script is obfuscated by disguising it as a commonly used library.
・Typically, however, Coinhive is not obfuscated in most of the cases observed.
・Example of a website of a certain university that was a victim of tampering. The site has since been restored to normal operation. (Observed on November 29, 2017)
(Figure: case of Coinhive embedded in a university website)

Summary of Cryptojacking
・As described above, cryptojacking is a profitable attack method, and JavaScript cryptocurrency mining scripts like the Minr cryptominer are evolving to avoid detection by antivirus software and ad blockers, etc. There is thus concern that damage caused by cryptojacking will continue to increase.
・There are also cases in which content distribution networks (CDN) such as S3 are tampered with as attack routes, and cryptojacking attacks are expected to increase in sophistication.
  ・Unsecured AWS led to cryptojacking attack on LA Times https://nakedsecurity.sophos.com/2018/02/27/unsecured-aws-led-to-cryptojacking-attack-on-la-times/
・So then, what measures can be taken against cryptojacking? Methods for dealing with cryptojacking by both end-users and security managers are summarized below.

Countermeasures for end-users
(1) Always keep antivirus software definition files up to date.
(2) Use ad blockers (Adblock Plus and some other ad blockers have functions for blocking cryptocurrency miners).
(3) Use specialized cryptocurrency miner blockers (NoCoin, AntiMiner, MinerBlock, etc.).

Countermeasures for security managers
(1) Identify the domains used regularly by cryptocurrency miners and create a blacklist.
Reference information
・CoinBlockerLists https://github.com/ZeroDot1/CoinBlockerLists
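Countermeasure (1) for security managers, a domain blacklist, can also be applied on the server side: after a site has been fetched (or before a page is published), check every script it loads against the list and look for a non-obfuscated miner embedding, which is the common case the text describes. The following is an added illustration written for this summary; it is not code from the NTT report or from the CoinBlockerLists project. The blocklist excerpt is constructed in the one-domain-per-line hosts-file layout (the layout is assumed, so load whatever variant of the real list you use), `miner.example` is a placeholder domain, the page HTML is constructed to resemble a tampered site, and the inline indicator strings are the public Coinhive browser API names, treated here as simple indicators rather than as a complete signature.

```python
"""Scan page HTML for miner scripts loaded from blacklisted domains.

Added illustration, not code from the NTT report or from CoinBlockerLists.
Blocklist excerpt, page HTML and indicator strings are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed excerpt in hosts-file layout ('0.0.0.0 domain' per line).
# NOT the real list; 'miner.example' is a placeholder domain.
BLOCKLIST_TEXT = """\
# constructed excerpt, not the real CoinBlockerLists contents
0.0.0.0 coinhive.com
0.0.0.0 miner.example
"""

# Names from the (now defunct) Coinhive browser API that a non-obfuscated
# embedding exposes in inline script; used here as simple indicators.
INLINE_INDICATORS = ("CoinHive.Anonymous(", "CoinHive.User(")


def load_blocklist(text):
    """Parse hosts-format lines into a set of lowercase domains; ignore comments."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            blocked.add(line.split()[-1].lower())
    return blocked


def host_is_blocked(host, blocked):
    """Match the host itself or any subdomain of a blocked domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def scan_page(html, blocked):
    """Return findings as (kind, detail) tuples: blocked script hosts and inline indicators."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = urlsplit(src).hostname  # None for same-origin relative paths
        if host and host_is_blocked(host, blocked):
            findings.append(("blocked_script_host", host))
    for body in collector.inline:
        for indicator in INLINE_INDICATORS:
            if indicator in body:
                findings.append(("inline_miner_api", indicator))
    return findings


# Constructed page resembling a tampered site: a legitimate library plus a
# miner loaded from a blocked domain (one via a protocol-relative URL on a
# subdomain) and started from inline script with a placeholder site key.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="//cdn.miner.example/lib.js"></script>
<script src="/js/app.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, load_blocklist(BLOCKLIST_TEXT)):
        print(kind, detail)
```

Subdomain matching matters because miner loaders are often served from a host such as `cdn.` under the listed domain, and the protocol-relative form `//host/path` is resolved by `urlsplit` like an absolute URL. The obfuscated cases the text mentions (the script disguised as a common library) will evade the inline indicators, which is why the domain check on the loaded resources is the more durable of the two.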


4-4 Cyberattacks Related to the Pyeongchang Winter Olympics

Summary of Attacks

The official website and other services were temporarily taken offline around the time of the opening ceremony of the Pyeongchang Winter Olympics. The Organizing Committee announced that the reason for the suspension was a cyberattack, but gave no further explanation.

・The events listed below occurred at 20:00 on February 9, 2018, just before the beginning of the opening ceremony.
  ・The official Olympic website went offline temporarily, preventing site browsing and event ticket printing.
  ・Television viewing and Internet communication in the main press center were temporarily disabled.
  ・The wireless LAN in the Olympic Stadium was temporarily disabled.
・The Organizing Committee explained that the problems were caused by a cyberattack.
  ・Details on the attack and information about the attackers were not provided because “the problem is being dealt with”.
  ・The Guardian suggested the possible involvement of the Russian government, which had been punished over the doping issue.
  ・The Russian Foreign Ministry immediately denied involvement.
Guardian Article on the Attack URL: https://www.theguardian.com/sport/2018/feb/11/winter-olympics-was-hit-by-cyber-attack-officials-confirm

Results of Cisco Talos Analysis

・On February 12, 2018, Cisco Talos announced analysis results indicating that the “Olympic Destroyer” malware was apparently used in the attacks before and after the opening ceremony.
  ・Windows shadow copies and settings required for startup were deleted, making it impossible to use the computers. However, there was no function for theft of information.
・The initial infection route is unknown. However, the infection was spread by stealing credentials from Windows and web browsers and then illegally logging into other computers with PsExec and WMI.
・The attacker seems to understand the Olympic information system in great detail.
  ・Usernames, passwords, domain names, and server names
・The public announcement did not include information on the attacker’s identity.
・Information security companies also released additional analysis results on Olympic Destroyer.
Published Blog of Cisco Talos Analysis Results URL: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Articles on the Cyberscoop News Site

・On February 14, 2018, the news site Cyberscoop published an article pointing out the possibility that a cyberattack had been executed against the French IT company Atos, beginning around December 2017. Atos had built the information system for the Pyeongchang Olympics.
  ・In December 2017, samples of Olympic Destroyer were posted to VirusTotal from France and Romania, which is consistent with the locations of Atos offices.
・Analysis of the samples revealed the presence of the character string “(username)@atos.net”. That was inferred to be a username on the Atos system.
・A spokesman for Atos gave the following explanation.
  ・Atos is conducting a thorough investigation of the incident that occurred during the opening ceremony.
  ・There is no mention of whether or not Atos had been attacked around December 2017.
・The explanation given by Atos on the news site CRN is as follows.
  ・This attack resulted in no information leaks.
  ・There was no damage to the Atos infrastructure or to clients.
Cyberscoop Article URL: https://www.cyberscoop.com/atos-olympics-hack-olympic-destroyer-malware-peyongchang/

Washington Post News Reports

・On February 24, 2018, the Washington Post reported that sources related to US government intelligence agencies claim that Russia executed cyberattacks on organizations related to the Pyeongchang Olympics.
  ・The sources claimed that the Russian military intelligence agency GRU gained unauthorized access to about 300 computers of organizations related to the Olympics beginning in February.
  ・North Korean IP addresses and other means were used to make it appear that the attacks were the work of North Korea.
・The sources also claimed that GRU hacked multiple routers in Korea to spread malware on February 9, the day of the opening ceremony.
・No specific evidence of Russian involvement was presented.
  ・It is unknown whether those attacks are related to the attacks before and after the opening ceremony.
Washington Post Article URL: https://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html?utm_term=.1adb2ecc75a5

Reference Information

Cyberattacks Related to the Pyeongchang Winter Olympics
・https://www.theguardian.com/sport/2018/feb/11/winter-olympics-was-hit-by-cyber-attack-officials-confirm
・https://www.reuters.com/article/us-olympics-2018-cyber/games-organizers-confirm-cyber-attack-wont-reveal-source-idUSKBN1FV036
・http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
・https://motherboard.vice.com/en_us/article/d3w7jz/olympic-destroyer-opening-ceremony-hack
・https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights
・https://www.mbsd.jp/blog/20180215.html
・https://www.cyberscoop.com/atos-olympics-hack-olympic-destroyer-malware-peyongchang/
・https://www.crn.com/news/security/300099511/olympics-solution-provider-atos-cyberattack-caused-no-data-leakage-infrastructure-damage.htm
・https://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html?utm_term=.9bb52599d595


4-5 Verification of Olympic Destroyer

Main Malware Behaviors

The main purpose of this malware is not to steal information or to turn the machines into bots, but rather to destroy machines logically. The following pattern of infection and destruction is repeated.

・Multiple executable files (.exe) stored in the main malware code are dropped onto the local machine.
・exe1 is used to logically destroy the machine.
・exe2 is executed to steal credentials from within the machine and embed them in a copy of the malware.
・Remote hosts obtained from the ARP table on the infected machine become targets for new infection.
・exe3 is used to infect the target hosts by remotely copying and executing the malware.

Infection Procedure

Specifically, the malware searches for the next target host by the following method and spreads the infection within the network.

(1) The next host to target for infection is selected from the ARP table of the infected machine. Because the ARP table is used, we know that the targets for infection are within the network.

(2) The credential theft tool that was dropped from the binary code is executed to obtain authentication information from the memory of the infected machine. That information is embedded in a copy of the malware and the copy is used to infect other machines, so the number of credentials increases each time the infection is repeated. An example of credentials being added when the malware is actually executed in a testing environment is presented below.

(3) Infection is accomplished by using the PsExec* binary (the exe3 mentioned above) that was dropped from the binary code of the malware, together with the authentication information obtained in step (2), to remotely copy and execute the malware on the remote hosts obtained in step (1).

* PsExec: A powerful Microsoft network administration tool that can remotely copy and execute a local file when authentication information is available.

● Guardian article reporting the attack. Reference: https://www.theguardian.com/sport/2018/feb/11/winter-olympics-was-hit-by-cyber-attack-officials-confirm

Figure: Malware behavior. The authentication information within the binary code consists of a part that was already included in the sample and a part that was added upon execution in the test environment. On Machine A the main malware code drops exe1 (destructive action), exe2 (stealing credentials) and exe3 (remote copying and execution); the stolen credentials are added to a copy of the malware, which is remotely copied to and executed on Machine B, so the credentials increase with each infection. The initial infection route is unknown.

Destructive Actions

The machine is shut down a certain amount of time after the following have been executed.

Delete backups: wbadmin.exe delete catalog -quiet
Delete event logs: wevtutil.exe cl Security
Delete shadow copies: c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Delete shared files: Open a remote file and partially overwrite it with “0x00”.
Stop active services and shut down: Use the Windows API to disable startup of all services running on the host, then shut the machine down.
Disable Startup Repair and disable recovery mode: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

Because service start-up is disabled, the result is a BSOD even if the OS starts up. After that, the machine goes into an infinite loop of startup, BSOD, startup, BSOD. Recovery is also not possible, because the recovery data has been deleted.

Summary

To use PsExec remotely against Windows 7 and later, the registry entry LocalAccountTokenFilterPolicy must be added on the machine being accessed. (Some centralized server management solutions, however, add that entry when they are installed.) Also, the destructive actions described above all require administrator privileges. The binary code used in the analysis included credentials presumed to belong to an Active Directory environment, among them usernames that appear to be administrator accounts (many had simple passwords…). If so, those credentials can be used to infect many machines.

Centralized management of machines, users, and various other resources is an important function, especially in large-scale systems, but there should be awareness of the risks that it entails.
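As an added example (not from the report or from NTT-CERT), the following Python script turns the Destructive Actions table and the PsExec-based infection step into detection logic over process-creation records. The `host=... user=... cmd=...` record layout and the sample lines are constructed for the example; in practice the command lines would come from Windows process-creation auditing, and the PSEXESVC service that PsExec installs on the remote host is used as the indicator of the remote copy-and-execute step.

```python
"""Flag hosts whose process-creation records match the Olympic Destroyer
destructive sequence (added example; record layout is constructed)."""
import re
from collections import defaultdict

# Command lines from the Destructive Actions table, as case-insensitive patterns.
DESTRUCTIVE_PATTERNS = [
    ("delete_backups",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("clear_event_log",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\w+", re.I)),
    ("delete_shadow_copies",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]

# PsExec installs and starts the PSEXESVC service on the remote host; its
# appearance marks the "remote copying and execution" step (exe3).
LATERAL_PATTERN = re.compile(r"\bpsexesvc(\.exe)?\b", re.I)

# Constructed record layout: timestamp, host, user and the full command line.
RECORD = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2018-02-09T20:00:01 host=WS-A user=CORP\\svc_admin cmd=C:\\Windows\\PSEXESVC.exe
2018-02-09T20:00:03 host=WS-A user=CORP\\svc_admin cmd=c:\\Windows\\system32\\vssadmin.exe delete shadows /all /quiet
2018-02-09T20:00:04 host=WS-A user=CORP\\svc_admin cmd=wbadmin.exe delete catalog -quiet
2018-02-09T20:00:05 host=WS-A user=CORP\\svc_admin cmd=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
2018-02-09T20:00:06 host=WS-A user=CORP\\svc_admin cmd=wevtutil.exe cl Security
2018-02-09T20:05:00 host=WS-B user=CORP\\jdoe cmd=wevtutil.exe cl Application
2018-02-09T20:06:00 host=WS-C user=CORP\\helpdesk cmd=C:\\Windows\\PSEXESVC.exe
2018-02-09T20:06:10 host=WS-C user=CORP\\helpdesk cmd=vssadmin.exe delete shadows /all /quiet
2018-02-09T20:07:00 host=WS-D user=CORP\\jdoe cmd=notepad.exe report.txt
"""


def parse_record(line):
    """Return the record fields, or None for lines that do not fit the layout."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Labels of every destructive or lateral-movement pattern found in cmd."""
    hits = [label for label, rx in DESTRUCTIVE_PATTERNS if rx.search(cmd)]
    if LATERAL_PATTERN.search(cmd):
        hits.append("remote_service_exec")
    return hits


def analyze(lines, threshold=3):
    """Per-host verdict. Several distinct destructive actions on one host is
    the report's infection-then-destruction pattern; a lone wevtutil or
    vssadmin call can be legitimate administration and is only noted."""
    per_host = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        per_host[rec["host"]].update(classify(rec["cmd"]))
    verdict = {}
    for host, labels in per_host.items():
        destructive = labels - {"remote_service_exec"}
        if len(destructive) >= threshold:
            verdict[host] = "destructive_sequence"
        elif destructive and "remote_service_exec" in labels:
            verdict[host] = "suspicious"  # remote exec followed by destruction
        elif labels:
            verdict[host] = "single_indicator"
    return verdict


if __name__ == "__main__":
    for host, v in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {v}")
```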


4-6 Meltdown and Spectre

Summary of Vulnerabilities

Both vulnerabilities allow theft of information through illegitimate memory access.

Vulnerability mechanism
  Meltdown: A user process can access OS kernel memory.
  Spectre: An attacking application can illegitimately acquire data from memory allocated to other applications.
CVE identifier
  Meltdown: CVE-2017-5754
  Spectre: CVE-2017-5715, CVE-2017-5753
Exploited function
  Meltdown: Out-of-order execution
  Spectre: Speculative execution, branch prediction
Affected processors
  Meltdown: Intel processors, ARM-based processors (Apple)
  Spectre: Intel, AMD, and ARM processors, ARM-based processors (Apple, Samsung, Qualcomm)
Effect of attack
  Meltdown: Attack programs can steal information from OS kernel memory.
  Spectre: Attack programs can steal information from the memory of other applications.
Example of attack methods
  Meltdown: The attacker executes code exploiting the vulnerability on a virtual machine in a virtualized environment (cloud, etc.) to steal information from the memory of the host or of other virtual machines.
  Spectre: JavaScript exploiting the vulnerability is loaded by the target Web browser, for example through:
    ・Enticement to a malicious website
    ・Defacement of an official website
    ・Illegitimate website ads

Countermeasures

Switching to a secure CPU is the only permanent measure. However, since such CPUs are still not available, measures to avoid attacks must be put in place instead.

Permanent measure (Meltdown and Spectre)
  ・Switch to a CPU for which the vulnerability has been fixed. *CPUs for which the vulnerability has been fixed, however, are still not available as of January 2018.
Temporary measure (Meltdown and Spectre)
  ・Apply the OS patch
  ・Update the CPU microcode (through a BIOS update)
  ・Apply application patches (Web browser, etc.)
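As an added example (not from the report), the following Python helper reads the Linux sysfs vulnerability entries (present from kernel 4.15 and in vendor backports; the 4.4.0-93 kernel of the verification setup below predates them) and maps each status to the countermeasure types of the table: "Not affected" corresponds to the permanent measure, "Mitigation:" to a temporary measure, and "Vulnerable" to no measure at all. The status strings in SAMPLE_STATUS are constructed for the example.

```python
"""Classify Meltdown/Spectre mitigation status from the Linux sysfs entries
(added example, not from the report)."""
import os

# sysfs entry -> CVE identifier from the vulnerability table above.
SYSFS_TO_CVE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample status strings in the format the kernel uses.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}


def classify_status(text):
    """Map one status string to the countermeasure types of the table:
    'permanent' (hardware not affected), 'temporary' (OS patch or
    microcode workaround active) or 'unmitigated'."""
    text = text.strip()
    if text == "Not affected":
        return "permanent"
    if text.startswith("Mitigation:"):
        return "temporary"
    if text.startswith("Vulnerable"):
        return "unmitigated"
    return "unknown"


def read_sysfs(directory=SYSFS_DIR):
    """Read the live entries; a missing file means the running kernel does
    not expose the interface (as the 4.4.0-93 kernel used above would not)."""
    statuses = {}
    for name in SYSFS_TO_CVE:
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read()
        except OSError:
            statuses[name] = None
    return statuses


def assess(statuses):
    """CVE -> status category for the three entries."""
    report = {}
    for name, cve in SYSFS_TO_CVE.items():
        text = statuses.get(name)
        report[cve] = "no_sysfs_entry" if text is None else classify_status(text)
    return report


def needs_action(report):
    """CVEs for which neither a permanent nor a temporary measure is confirmed."""
    return sorted(cve for cve, s in report.items()
                  if s not in ("permanent", "temporary"))


if __name__ == "__main__":
    live = read_sysfs()
    source = live if any(live.values()) else SAMPLE_STATUS
    for cve, status in assess(source).items():
        print(cve, status)
    print("needs action:", needs_action(assess(source)))
```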

Affected Products

While Meltdown only affects some processors, Spectre affects all of them (and therefore the PCs, servers, smartphones, and mobile devices in which those processors are installed).

NTT-CERT has verified that both vulnerabilities can be exploited under the following conditions:
OS: Ubuntu 16.04
Kernel: 4.4.0-93-generic
CPU: Intel Core i7-4790

Meltdown
  ・Intel: All processors released from 1995 (except Atom and Itanium processors released before 2013)
  ・AMD: Not affected
  ・ARM: Partly affected (however, no devices were carrying the vulnerable cores at the time of the announcement)
  ・ARM-based (Apple): affected, as listed under affected processors above
  ・ARM-based (Samsung, Qualcomm): Not affected
Spectre
  ・Intel: All processors
  ・AMD, ARM, and ARM-based (Apple, Samsung, Qualcomm): Almost all currently used processors

Traces and Cases of Exploitation of the Vulnerabilities

Traces of exploitation: None (no logs of the attack are left behind in traditional logs).
Cases of exploitation: No reports have been confirmed as of January 31, 2018.

Examples of Vendor Response

The following are some examples of vendor response; in all cases, the response addresses both vulnerabilities.

Intel (Jan. 3, 2018): BIOS update
・INTEL-SA-00088
Apple (Jan. 8, 2018): macOS, Safari, etc.
・Spectre: iOS 11.2, macOS 10.13.2, tvOS 11.2
・Meltdown: iOS 11.2.2, macOS High Sierra 10.13.2, Safari 11.0.2
Google (Jan. 3 and Jan. 5, 2018): Android, Google Chrome
・Android 2018-01-05 Security Patch Level
・Google Chrome 64
Microsoft (Jan. 3 and Jan. 9, 2018): Windows, Internet Explorer, Microsoft Edge
・KB4056897, KB4056894, KB4056888, KB4056892, KB4056891, KB4056890, KB4056898, KB4056893, KB4056895
Linux distributions:
・Release of patches by Red Hat, CentOS, Fedora, Ubuntu, Debian, SUSE, Scientific Linux, CoreOS, NixOS, Arch Linux, Gentoo, Oracle Linux, CloudLinux, etc.

Other Related Events

Reduction in performance after patch application (unresolved)
・Intel announced patch validation results:
  ・Latest CPU: 6% reduction in processing performance, 12% reduction in responsiveness
  ・Old CPU model: 8% reduction in processing performance, 21% reduction in responsiveness
  * Responsiveness is a measure of processing speed during launch of applications, Internet viewing with multiple tabs, copying and encryption of files, etc.
・Cloud provider Scaleway announced changes in performance before and after applying the Linux kernel patch to its cloud services:
  ・Results show a significant increase in the system’s CPU usage.

Figure: CPU usage before and after patch application (report by Scaleway). System CPU usage increased at the point when the patch was applied.


Failure in Intel’s CPU microcode update, resulting in sudden restarts (unresolved)
・Computers suddenly restart without warning after the microcode update.
・Intel published the status of its investigation into the phenomenon on January 17, 2018, explaining that the failure could occur in Haswell to Kaby Lake processors.
・On January 22, 2018, Intel updated its investigation status report, admitted the failure in the microcode update it had provided, and recommended discontinuing the microcode update.
・Intel withdrew the flawed microcode update.
・The release date of a fixed microcode update, however, was not announced.
・Heeding Intel’s recommendation, Dell and HP cancelled the release of the BIOS updates that included the microcode update.

BSOD error, compatibility problem with anti-virus software in Windows (resolved)
・A BSOD error occurs and the computer fails to start after the patch is applied on Windows with anti-virus software installed.
・To address the issue, Microsoft revised its patch application policy, urging users to download and install the patch only when the anti-virus software has been updated to a version that supports the patch.

BSOD error after application of the patch on computers with an old AMD CPU model (resolved)
・A BSOD error occurs and the computer fails to start after the patch is applied to a computer running on an Athlon X2 6000+ manufactured around 2006.
・Microsoft released a patch that fixed the failure.

Temporary unavailability of Office 365 at the Saga Prefectural Government Office caused by a problem after patch application on Azure (resolved)
・On January 5, 2018, Office 365 became unavailable for approximately three hours at the Saga Prefectural Government Office.
・A user authentication server on Microsoft Azure was being used.
・Microsoft applied the patch to the server on January 3, 2018, after which the necessary processes would not launch after restart.
・Around January 5, 2018, the authentication information generated before the failure expired, resulting in user authentication errors and the unavailability of Office 365.
・To prevent a recurrence, the Saga Prefectural Government Office requested that Microsoft issue advance notice when applying emergency security patches.

Discovery of a large number of malware samples targeting Meltdown and Spectre
・On February 1, 2018, AV-TEST Institute published the results of an investigation showing that there were 139 samples related to Meltdown/Spectre.
・Most of the samples were PoC code, with no cases of their being used in actual attacks.

Figure: Number of malware samples related to Meltdown and Spectre (report by AV-TEST Institute)

Reference Information

・Summary of vulnerabilities
  https://www.enisa.europa.eu/publications/info-notes/meltdown-and-spectre-critical-processor-vulnerabilities
  https://googleprojectzero.blogspot.jp/2018/01/reading-privileged-memory-with-side.html
・Status of vendor response
  https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
  https://support.apple.com/en-us/HT208394
  https://support.google.com/faqs/answer/7622138#android
  https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180002
・Other related events
  https://japan.cnet.com/article/35113055/
  https://blog.online.net/2018/01/03/important-note-about-the-security-flaw-impacting-arm-intel-hardware/
  https://support.microsoft.com/ja-jp/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
  http://www.zdnet.com/article/windows-meltdown-spectre-update-now-some-amd-pc-owners-post-crash-reports/
  https://support.microsoft.com/en-us/help/4073707/windows-operating-system-security-update-for-amd-based-devices
  https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/
  https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
  https://japan.zdnet.com/article/35113677/
  http://itpro.nikkeibp.co.jp/atcl/news/17/010902932/
  https://japan.cnet.com/article/35114230/

4-7 Summary of Self-propagating Ransomware Prevalent in 2017 (provided by NTTDATA-CERT)

Introduction

In 2017, worldwide damage was reported from ransomware such as WannaCry, Petya variants (Petya, NotPetya, GoldenEye, etc.), and BadRabbit. (1)(2)

These ransomware families exploit the same vulnerability and are similar in that they act like worms (autonomously spreading infection within the organizational network). Since they infect without the need for user actions such as opening emails or clicking links, they are able to spread to a large number of devices within a short period of time. In this chapter, we review the characteristics and timeline of events related to these ransomware families and explain the countermeasures expected of organizational network and security administrators.

Timeline (3)

・January 16, 2017: US-CERT issued a security advisory regarding the SMBv1 vulnerability.
・March 14, 2017: Microsoft released security update MS17-010 (4) to fix CVE-2017-0144.
・April 14, 2017: The crime group The Shadow Brokers released the Fuzzbunch hacking tool (including the EternalBlue exploit code and the DoublePulsar backdoor).
・May 12, 2017: Widespread infection by WannaCry.
・May 12, 2017: Microsoft additionally released a patch for CVE-2017-0144 for Windows XP.
・June 27, 2017: Widespread infection by the Petya variant.
・October 24, 2017: Widespread infection by BadRabbit.

Examples of Damage

The following are examples of damage caused by ransomware inside and outside Japan. Initial infection and subsequent spread were caused by terminals on which the security update had not been installed.

(1) WannaCry
・UK: National Health Service (NHS)
  The medical system was crippled, preventing the delivery of services to patients. 47 financial institutions in England and 13 in Scotland were affected. (5)
・Japan: Hitachi
  Failures occurred in some in-house systems, affecting the transmission of emails. The electron microscope system in the Germany office was infected, and the infection spread via the organizational network. (6)(7)

(2) Petya variant
・Russia: Petroleum exporter Rosneft
  Access to the company’s official website was blocked. To prevent damage to petroleum production facilities, the company shifted operations to its backup system. (8)
・Pharmaceutical company Merck
  Production facilities were temporarily crippled, resulting in opportunity losses. (9)
・UK-based daily commodity manufacturer Reckitt Benckiser
  Production stopped, resulting in losses amounting to 100 million pounds. (10)
・Chocolate manufacturer Mondelez
  Losses led to a 3-point reduction in 2nd quarter sales. (10)

(3) BadRabbit
・Russia: News agency Interfax
  Access to the agency’s official website was blocked. (11)
・Ukraine: Odessa International Airport
  The airport’s IT system was crippled, causing delays in flight departures and arrivals. (11)

98 | 4 Cybersecurity Topics and Technological Trends in FY 2017

Page 99: 2018 Annual Cybersecurity Report - NTT

Reference Information

・Summary of vulnerabilities
https://www.enisa.europa.eu/publications/info-notes/meltdown-and-spectre-critical-processor-vulnerabilities
https://googleprojectzero.blogspot.jp/2018/01/reading-privileged-memory-with-side.html

・Status of vendor response
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
https://support.apple.com/en-us/HT208394
https://support.google.com/faqs/answer/7622138#android
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180002

・Other related events
https://japan.cnet.com/article/35113055/
https://blog.online.net/2018/01/03/important-note-about-the-security-flaw-impacting-arm-intel-hardware/
https://support.microsoft.com/ja-jp/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
http://www.zdnet.com/article/windows-meltdown-spectre-update-now-some-amd-pc-owners-post-crash-reports/
https://support.microsoft.com/en-us/help/4073707/windows-operating-system-security-update-for-amd-based-devices
https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/
https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
https://japan.zdnet.com/article/35113677/
http://itpro.nikkeibp.co.jp/atcl/news/17/010902932/
https://japan.cnet.com/article/35114230/

[Figure: Number of malware samples related to Meltdown and Spectre (report by AV-TEST Institute)]

4-7 Summary of Self-propagating Ransomware Prevalent in 2017 (provided by NTTDATA-CERT)

Introduction

In 2017, damage was reported worldwide from ransomware such as WannaCry, the Petya variants (Petya, NotPetya, GoldenEye, etc.), and BadRabbit. (1)(2)

These ransomware families exploit the same vulnerability, and they resemble each other in that they behave like worms: they spread autonomously within the organizational network. Because they infect without any user action such as opening an email or clicking a link, they can reach a large number of devices in a short time. This section reviews the characteristics of these ransomware families and the timeline of related events, and explains the countermeasures expected of the administrators of organizational networks and security.

Timeline (3)

・January 16, 2017: US-CERT issued a security advisory regarding the SMBv1 vulnerability.
・March 14, 2017: Microsoft released security update MS17-010 (4), fixing CVE-2017-0144.
・April 14, 2017: The Shadow Brokers group released the Fuzzbunch hacking toolkit, including the EternalBlue exploit code and the DoublePulsar backdoor.
・May 12, 2017: Widespread infection by WannaCry.
・May 12, 2017: Microsoft additionally released a patch for CVE-2017-0144 for Windows XP.
・June 27, 2017: Widespread infection by the Petya variant.
・October 24, 2017: Widespread infection by BadRabbit.

Examples of Damage

The following are examples of damage caused by these ransomware families inside and outside Japan. In each case, the initial infection and the subsequent spread were caused by terminals on which the security update had not been installed.

(1) WannaCry
・UK: National Health Service (NHS)
Medical systems were crippled, preventing the delivery of services to patients. 47 NHS organisations in England and 13 in Scotland were affected. (5)
・Japan: Hitachi
Some in-house systems failed, affecting email delivery. An electron microscope system at the German office was infected, and the infection spread over the organizational network. (6)(7)

(2) Petya variant
・Russia: Petroleum exporter Rosneft
The company's official website became inaccessible. To protect its petroleum production facilities from damage, the company switched operations to its backup system. (8)
・Pharmaceutical company Merck
Production facilities were temporarily crippled, resulting in lost sales. (9)
・UK-based consumer goods manufacturer Reckitt Benckiser
Production stopped, with losses of around 100 million pounds. (10)
・Chocolate manufacturer Mondelez
The attack cut second-quarter sales growth by about 3 percentage points. (10)

(3) BadRabbit
・Russia: News agency Interfax
The agency's official website became inaccessible. (11)
・Ukraine: Odessa International Airport
The airport's IT systems were crippled, delaying flight departures and arrivals. (11)


99 | Annual Cybersecurity Report

Page 100

Methods for Spread of Infection

・Ransomware enters the organizational network by abusing a software product's automatic update function, by being downloaded from a compromised website, or over direct connections from the Internet to exposed services (TCP port 445 in WannaCry's case).
・Once inside, it exploits the SMBv1 vulnerability and Windows remote management functions to spread to other devices in the organizational network.

Characteristics of Ransomware

The three ransomware families discussed above share the following features: (1) they exploit the SMBv1 vulnerability, and (2) they spread autonomously within the organizational network. They differ in scope: WannaCry indiscriminately spreads to all IP addresses, including global addresses, whereas the Petya variant and BadRabbit spread only to devices within the LAN, which suggests that the latter two were aimed at particular organizations or countries.

Once inside the organizational network, these ransomware families automatically find vulnerable terminals and spread to them. As in the following cases, ransomware can get past even stringent entry and exit countermeasures:

・Antivirus filters on email systems could not be updated in time to block the new ransomware, so it entered the organization's network as an email attachment.
・Likewise, web proxy antivirus filters could not be updated in time, so it entered the organization's network as a download from a website.
・Devices that are not fully secured become infected while outside the organization's premises and carry the ransomware back into the organizational network.

[Figure: Image of initial infection and spread of WannaCry. Labels: Infected terminal; (1) Initial infection; (2) Spread of infection: exploits the SMB vulnerability to spread within the internal network.]

●Common features and differences (WannaCry (12)(13)(14); Petya variant (15)(16)(17); BadRabbit (18))

[Initial infection route]
・WannaCry: direct access from the Internet to TCP port 445 on the device.
・Petya variant: abuse of the automatic update function of the MeDoc accounting software.
・BadRabbit: watering-hole attack; the malware masquerades as an Adobe Flash Player installer.

[Method for spread]
・WannaCry: 1-A. Scan the devices within the LAN. 1-B. Indiscriminately scan IP addresses, including global as well as LAN addresses. 2. Infect each discovered device by exploiting the SMBv1 vulnerability.
・Petya variant: 1. Scan the devices within the LAN. 2-A. Infect each discovered device by exploiting the SMBv1 vulnerability. 2-B. Extract credentials with the open-source Mimikatz utility and infect via the Windows remote management functions PsExec and WMI.
・BadRabbit: 1. Scan the devices within the LAN. 2-A. Infect each discovered device by exploiting the SMBv1 vulnerability. 2-B. Extract credentials with Mimikatz, and also try the password list carried by the malware itself; infect via PsExec and WMI.

[Status of damage caused]
・WannaCry: infected more than 300,000 devices in 150 countries. In Japan, more than 2,000 devices at 600 locations were infected.
・Petya variant: infected 65 countries, beginning with Ukraine.
・BadRabbit: caused damage mainly in Russia and Ukraine, with possible damage in Turkey, Bulgaria, Japan, and other countries.

[Type of damage caused]
・WannaCry: files on the infected device are encrypted and become inaccessible.
・Petya variant and BadRabbit: files on the infected device are encrypted and become inaccessible; the hard disk's Master Boot Record (MBR) is also encrypted, so the device can no longer start.

[Kill switch]
・WannaCry: shuts down if a connection to a particular URL on the Internet succeeds.
・Petya variant and BadRabbit: shut down if a particular file is present on the local drive.

[Demand]
・All three: ransom equivalent to around 300 USD in bitcoin.
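The scanning behaviour in the "Method for spread" row above, whether LAN-only or Internet-wide, leaves a distinctive trace: one host opening TCP/445 to many distinct peers within a short time. The following Python script is an added example (not code from the report or from NTTDATA-CERT) that detects this fan-out in connection logs and reports whether any target lies outside RFC 1918 space, which separates WannaCry-style indiscriminate scanning from the LAN-only spread of the Petya variant and BadRabbit. The log format, the host addresses and the thresholds are assumptions; the sample log is constructed inside the script.

```python
"""Detect worm-like SMB fan-out in connection logs: one internal host opening
TCP/445 to many distinct peers within a short window. Added example, not code
from the report; log format, addresses and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed): "ISO-8601 timestamp,src_ip,dst_ip,dst_port,proto"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True for RFC 1918 addresses; used to separate LAN-only spread (Petya variant,
    BadRabbit) from Internet-wide scanning (WannaCry)."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    ts, src, dst, dport, proto = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto.lower()}


def detect_smb_fanout(lines, window_seconds=60, min_distinct_dsts=20):
    """Return {src_ip: alert} for every source that reaches >= min_distinct_dsts
    distinct destinations on TCP/445 inside some window_seconds-long sliding window.
    A file-server client talks to a handful of servers; a worm sweeps a whole range."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["proto"] == "tcp" and f["dport"] == 445:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]) > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= min_distinct_dsts:
            targets = {dst for _, dst in events}
            alerts[str(src)] = {
                "max_distinct_dsts_in_window": best,
                "total_distinct_dsts": len(targets),
                # Any non-RFC1918 target means indiscriminate, WannaCry-style scanning.
                "scans_internet": any(not is_internal(d) for d in targets),
            }
    return alerts


def constructed_sample_log():
    """Constructed sample: a normal client using two file servers over 40 minutes, and
    one infected host sweeping 60 LAN addresses in a minute, then a few Internet ones."""
    base = datetime(2017, 5, 12, 8, 0, 0)
    lines = ["# ts,src_ip,dst_ip,dst_port,proto"]
    for i in range(40):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()},10.0.5.23,10.0.1.{10 + i % 2},445,tcp")
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},10.0.5.77,10.0.5.{100 + i},445,tcp")
    for i, dst in enumerate(("203.0.113.9", "203.0.113.57", "203.0.113.201")):
        lines.append(f"{(base + timedelta(seconds=61 + i)).isoformat()},10.0.5.77,{dst},445,tcp")
    return lines


if __name__ == "__main__":
    for src, alert in detect_smb_fanout(constructed_sample_log()).items():
        print(src, alert)
```

The thresholds are deliberately coarse: twenty distinct SMB peers in a minute is far above what an ordinary client does, but a vulnerability scanner or a backup server will trip the same rule, so in practice those sources are whitelisted rather than the threshold raised.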

Countermeasures

(1) Measures to prevent infection
In principle, the same security measures apply to all three ransomware families described above. As with ordinary malware, defense in depth reduces the risk of intrusion and data breach. (19)(20)

●Measures for systems and organizations
Implement the following as organization-wide policy:
・Block suspicious communications with appropriate firewall and email filter settings.*
・Keep the OS, applications, and other software on every device up to date.
・Install security software on every device and keep its virus definition files current.

Even a single vulnerable device within the organizational network can serve as the entry point for initial infection and its subsequent spread. To prevent gaps in coverage, add the following measures:
・Enforce and automate updates of software and virus definition files.
・Do not allow devices that are not fully secured onto the business network (introduce a quarantine network).

●Measures for individual users
Repeatedly remind members of the organization to:
・Take care when opening email attachments or following links in web pages.
・Disable unnecessary services and restrict access to the services that are used.*
・Set sufficiently strong passwords to prevent unauthorized remote control and logins.

(2) Measures to reduce damage
・Back up files and systems regularly.
・Keep backup media (hard disks, tapes) offline so that they cannot be infected over the network.

(3) Response to infection
・Disconnect infected devices from the network to stop the spread.
・At the same time, check whether other devices on the same network are infected.
・Remove the ransomware so that the device is not re-infected.
・Identify the ransomware family.
・Restore data from backups. Decryption tools are available for some ransomware families.

(4) Caution
There is no guarantee that encrypted data or systems will be restored after paying the ransom demanded by the attacker. Do not pay the ransom; restore data and systems from backups.
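Countermeasure (1) above asks for unnecessary services to be disabled and for access to SMB to be restricted. The check a practitioner wants after remediation is whether a host still accepts an SMBv1 dialect at all. The following Python script is an added example (not code from the report): it builds an SMB1 Negotiate request for TCP port 445, parses the reply, and reports the chosen dialect and the signing flags. The reply builder exists only to produce constructed test data offline; the field layout follows the SMB1 header and Negotiate response formats, and the dialect strings and security-mode bits are the standard ones. The probe_smb1 function performs a live connection and is an assumption about how you would run it against your own hosts.

```python
"""Check whether a host still speaks SMBv1 by sending an SMB1 Negotiate and parsing
the reply. Added example, not code from the report; the wire layout is the SMB1
header / Negotiate format, the probe_smb1 usage is an assumption for your own hosts."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialects offered, in order; the reply's DialectIndex indexes this tuple.
DIALECTS = (b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12")


def _smb1_header(command, flags, flags2, mid=1):
    """32-byte SMB1 header, little-endian: Command, Status, Flags, Flags2, PIDHigh,
    SecurityFeatures, Reserved, TID, PIDLow, UID, MID."""
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, flags, flags2,
                                    0, b"\x00" * 8, 0, 0, 0xFEFF, 0, mid)


def _netbios(smb):
    # Direct-hosted SMB on TCP/445: a zero byte followed by a 24-bit big-endian length.
    return struct.pack(">I", len(smb)) + smb


def build_negotiate_request(dialects=DIALECTS):
    """Client -> server: WordCount 0, ByteCount, then 0x02-prefixed NUL-terminated dialects."""
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, 0x18, 0xC853)
                    + struct.pack("<BH", 0, len(data)) + data)


def build_negotiate_response(dialect_index, security_mode=0x03, dialects=DIALECTS):
    """Constructed server reply used as offline test data. 0xFFFF means no offered
    dialect was accepted; otherwise an NT LM 0.12-style reply (17 parameter words)."""
    if dialect_index == 0xFFFF:
        params, word_count, data = struct.pack("<H", 0xFFFF), 1, b""
    else:
        data = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # 8-byte challenge (constructed)
        # DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs, MaxBufferSize, MaxRawSize,
        # SessionKey, Capabilities, SystemTime, ServerTimeZone, ChallengeLength
        params = struct.pack("<HBHHIIIIqhB", dialect_index, security_mode, 50, 1, 16644,
                             65536, 0, 0x8000E3FD, 0, 0, len(data))
        word_count = 17
    return _netbios(_smb1_header(SMB_COM_NEGOTIATE, 0x98, 0xC853)
                    + struct.pack("<B", word_count) + params
                    + struct.pack("<H", len(data)) + data)


def parse_negotiate_response(packet, dialects=DIALECTS):
    """Return a dict: smb1 (bool), and if accepted the dialect and signing flags."""
    if len(packet) < 4:
        raise ValueError("short packet")
    smb = packet[4:4 + (struct.unpack(">I", packet[:4])[0] & 0x00FFFFFF)]
    if smb[:4] == SMB2_MAGIC:
        return {"smb1": False, "reason": "server answered with SMB2/3"}
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        raise ValueError("not an SMB1 negotiate reply")
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("unexpected command 0x%02x" % command)
    if status != 0:
        return {"smb1": False, "reason": "NT status 0x%08x" % status}
    word_count, dialect_index = struct.unpack_from("<BH", smb, 32)
    if dialect_index == 0xFFFF:
        return {"smb1": False, "reason": "no offered dialect accepted"}
    result = {"smb1": True, "dialect": dialects[dialect_index].decode()}
    if word_count == 17 and len(smb) >= 36:
        security_mode = smb[35]
        result["signing_enabled"] = bool(security_mode & 0x04)   # SIGNATURES_ENABLED bit
        result["signing_required"] = bool(security_mode & 0x08)  # SIGNATURES_REQUIRED bit
    return result


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_smb1(host, port=445, timeout=3.0):
    """Live check (not run offline). A host with SMBv1 disabled usually closes the
    connection without replying to an SMB1-only negotiate."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        head = _recv_exact(s, 4)
        if len(head) < 4:
            return {"smb1": False, "reason": "connection closed without reply (SMBv1 likely disabled)"}
        body = _recv_exact(s, struct.unpack(">I", head)[0] & 0x00FFFFFF)
        return parse_negotiate_response(head + body)


if __name__ == "__main__":
    import sys
    print(probe_smb1(sys.argv[1]) if len(sys.argv) > 1
          else parse_negotiate_response(build_negotiate_response(2, 0x0F)))
```

A host that answers with "NT LM 0.12" still has SMBv1 enabled and remains exposed to MS17-010-class exploits even if it has been patched for this particular CVE; a host that closes the connection, or that only answers an SMB2-capable negotiate, has it disabled. Run the probe from inside the LAN as well as from the perimeter, since the spread methods above only need the internal path.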

Forecasts for 2018


Ransomware is highly cost-effective for cyber criminals in the following respects, so it will continue to be used in 2018:

・Ransomware is easy to obtain and launch even without technical expertise, thanks to Ransomware-as-a-Service platforms.
・Payment of the ransom over the Tor network and in cryptocurrency gives the attacker a high level of anonymity.

The use of cloud storage (Box, Google Drive, Amazon S3, etc.) is spreading rapidly among both companies and individuals, and the volume and importance of the data kept there is increasing. If a local device is set to back up files automatically to cloud storage and that device is infected by ransomware, the encrypted files overwrite the copies in the cloud storage as well. Choose a cloud storage service that can restore files to previous versions.

* The Windows file-sharing service uses TCP port 445. Because it is needed to reach file servers and network printers from client devices, take care that blocking it does not cut off legitimate communications and halt operations.
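The cloud-storage caveat above (a faithfully synced ciphertext overwrites the only copy) is why the recommendation is storage that keeps prior versions. The following Python script is an added example (not code from the report): a small in-memory stand-in for a versioned object store, an entropy and file-signature check that picks out which synced files were replaced by ciphertext, and a rollback to the newest version older than the first post-infection upload. The file names, contents and the ransomware stand-in are constructed, and the thresholds are assumptions.

```python
"""Version-aware restore after ransomware ciphertext has been synced to cloud storage.
Added example, not code from the report: an in-memory stand-in for a versioned object
store, a check for which synced files were replaced by ciphertext, and a rollback.
File names, contents, the ransomware stand-in and the thresholds are constructed/assumed."""
import hashlib
import math
from collections import Counter, defaultdict

# Magic bytes of file types that are high-entropy even when healthy (compressed formats).
KNOWN_MAGIC = (b"\x89PNG", b"%PDF", b"PK\x03\x04", b"\xff\xd8\xff")


def shannon_entropy(data):
    """Bits per byte: text is roughly 4-5, compressed or encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class VersionedStore:
    """Keeps every uploaded version of each path as (seq, bytes). A plain sync target
    keeps only the newest version, which is exactly what ransomware exploits."""

    def __init__(self):
        self._versions = defaultdict(list)
        self.seq = 0

    def sync(self, path, data):
        self.seq += 1
        self._versions[path].append((self.seq, bytes(data)))
        return self.seq

    def paths(self):
        return list(self._versions)

    def history(self, path):
        return list(self._versions[path])

    def latest(self, path):
        return self._versions[path][-1][1]

    def version_before(self, path, cutoff_seq):
        """Newest version uploaded before cutoff_seq, or None."""
        older = [v for v in self._versions[path] if v[0] < cutoff_seq]
        return older[-1] if older else None


def looks_encrypted(previous, current, min_entropy=7.0, entropy_jump=2.0):
    """Ciphertext replaced a file if entropy jumped from text-like to near 8 bits/byte,
    or if a recognised (already high-entropy) file signature disappeared."""
    new_e = shannon_entropy(current)
    if new_e < min_entropy:
        return False
    if new_e - shannon_entropy(previous) >= entropy_jump:
        return True
    return previous.startswith(KNOWN_MAGIC) and not current.startswith(KNOWN_MAGIC)


def find_encrypted_overwrites(store):
    """Paths whose newest synced version looks like ciphertext replacing the previous one."""
    hits = []
    for path in store.paths():
        hist = store.history(path)
        if len(hist) >= 2 and looks_encrypted(hist[-2][1], hist[-1][1]):
            hits.append(path)
    return sorted(hits)


def rollback(store, paths, cutoff_seq):
    """Re-upload, for each path, the newest version older than cutoff_seq (the first
    upload after infection). Returns {path: restored_seq}."""
    restored = {}
    for path in paths:
        v = store.version_before(path, cutoff_seq)
        if v is not None:
            store.sync(path, v[1])
            restored[path] = v[0]
    return restored


def fake_ciphertext(seed, length):
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, block = b"", seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def demo():
    """Sync three files, let a 'ransomware' overwrite two of them, detect and roll back."""
    store = VersionedStore()
    originals = {
        "contracts/q1.txt": b"Quarterly contract summary: vendor, term, value, renewal date.\n" * 40,
        "photos/team.png": b"\x89PNG\r\n\x1a\n" + fake_ciphertext("png-body", 2000),
        "readme.txt": b"Shared folder for the sales team.\n",
    }
    for path, data in originals.items():
        store.sync(path, data)
    infection_seq = store.seq + 1  # first upload after the local machine was infected
    for path in ("contracts/q1.txt", "photos/team.png"):
        store.sync(path, fake_ciphertext(path, len(originals[path])))
    suspects = find_encrypted_overwrites(store)
    restored = rollback(store, suspects, infection_seq)
    intact = all(store.latest(p) == originals[p] for p in originals)
    return suspects, restored, intact


if __name__ == "__main__":
    print(demo())
```

The PNG case is the edge that an entropy-only check misses: a compressed image is already near 8 bits per byte, so only the vanished file signature gives it away. With a real versioned bucket the same logic maps onto listing object versions and copying the last pre-incident version back over the current one; the cutoff is the timestamp of the first upload from the infected client, which the sync client's own log or the storage access log provides.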



Page 102

Reference Information

(1) https://www.trendmicro.com/ja_jp/security-intelligence/research-reports/sr/sr-2017h1.html
(2) https://www.mcafee.com/jp/resources/reports/rp-quarterly-threats-sept-2017.pdf
(3) https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99
(4) https://docs.microsoft.com/ja-jp/security-updates/securitybulletins/2017/ms17-010
(5) http://www.bbc.com/japanese/39918853
(6) http://www.hitachi.co.jp/New/cnews/month/2017/05/0517a.html
(7) http://www.tokyo-np.co.jp/article/economics/list/201707/CK2017070402000114.html
(8) https://www.reuters.com/article/us-russia-rosneft-cyberattack/russias-rosneft-says-hit-by-cyber-attack-oil-production-unaffected-idUSKBN19I1N9
(9) http://www.healthcareitnews.com/news/petya-cyberattack-cost-merck-135-million-revenue
(10) https://www.ft.com/content/ef641e2e-6214-11e7-8814-0ac7eb84e5f1
(11) https://www.reuters.com/article/us-ukraine-cyber/new-wave-of-cyber-attacks-hits-russia-other-nations-idUSKBN1CT21F
(12) https://www.jpcert.or.jp/at/2017/at170020.html
(13) http://www.npa.go.jp/cyberpolice/detect/pdf/20170519.pdf
(14) http://blog.trendmicro.co.jp/archives/14920
(15) https://blogs.mcafee.jp/petya-effective-destruction
(16) https://blog.kaspersky.co.jp/schroedingers-petya/16695/
(17) https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/
(18) http://blog.trendmicro.co.jp/archives/16226
(19) https://www.ipa.go.jp/security/ciadr/vul/20170514-ransomware.html
(20) https://www.jpcert.or.jp/magazine/security/nomore-ransom.html

4-8 Hardware and the Future Concept for its Needed Security Measures

Introduction

Security issues that stem from hardware are on the rise. Readers of this report have most likely heard of hardware vulnerabilities such as Meltdown and Spectre. In this section we discuss less well-known hardware vulnerabilities.

Types of Vulnerabilities

Long years of cracking software, and of building countermeasures against it, have produced the Common Weakness Enumeration (CWE), a list of common vulnerability types. (1)

For example, "CWE-20" is the "Improper Input Validation" type, and "CWE-78" is the "Improper Neutralization of Special Elements used in an OS Command" (OS command injection) type. For hardware, on the other hand, no such list of vulnerability types exists (to the author's knowledge). There is, however, a vulnerability assessment scheme (2) for system LSI (one genre of hardware) that evaluates whether a system LSI can withstand the following attacks:
(1) Physical attack: insert a probe and read data out of memory.
(2) Disturbance attack: disturb operation by illuminating the chip with a strong laser or by injecting signals on the power or clock line.
(3) Side-channel attack: measure the power consumption or electromagnetic emissions of the running LSI and analyze its internal operation from their characteristics.
(4) Software attack: analyze internal operation from the LSI's response to unexpected commands or parameters.

Classifying vulnerabilities into types requires deciding on the target component, the object (or event) to be protected, and which kinds of attack can succeed. In the assessment scheme above, for example, the system LSI is the target, the information stored in it is the object to be protected, and the scheme evaluates whether each of several assumed kinds of attack succeeds.

In this section we take the hardware shown in the figure below as the target and "the program running as prescribed" as the object to be protected, and consider which kinds of attack are likely to succeed in interfering with it.

The example hardware has a CPU, an internal bus, memory, Flash ROM, a reset button, and a USB interface for external connection. When power is applied, the CPU reads a program, generally called firmware, from the Flash ROM and keeps running it. Pressing the reset button temporarily cuts the power, and releasing it restores the power. If a USB memory device is plugged into the USB interface at that moment, the CPU runs the firmware stored on the USB memory instead. Unlike the firmware in the Flash ROM, this firmware exists to update the contents of the Flash ROM, and it stops once the update is finished.

Because we have defined an attack as "interference with the prescribed operation of the program," an attack succeeds when the CPU is made to stop working, when the hardware is manipulated from outside into executing something the program does not prescribe, or simply when the program is halted. What types of vulnerabilities might this hardware have? We explain the vulnerabilities part by part, referring to particular cases.

[Figure: Example hardware. Components: reset button, CPU, memory, internal bus, Flash ROM, USB interface.]


Page 103: 2018 Annual Cybersecurity Report - NTT2018 Annual Cybersecurity Report This is the logo for NTT-CERT, the NTT Group’s Computer Security Incident Response Team, which is administered

Reference Information

(1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19)(20)

https://www.trendmicro.com/ja_jp/security-intelligence/research-reports/sr/sr-2017h1.htmlhttps://www.mcafee.com/jp/resources/reports/rp-quarterly-threats-sept-2017.pdfhttps://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99https://docs.microsoft.com/ja-jp/security-updates/securitybulletins/2017/ms17-010http://www.bbc.com/japanese/39918853http://www.hitachi.co.jp/New/cnews/month/2017/05/0517a.htmlhttp://www.tokyo-np.co.jp/article/economics/list/201707/CK2017070402000114.htmlhttps://www.reuters.com/article/us-russia-rosneft-cyberattack/russias-rosneft-says-hit-by-cyber-attack-oil-production-unaffected-idUSKBN19I1N9http://www.healthcareitnews.com/news/petya-cyberattack-cost-merck-135-million-revenuehttps://www.ft.com/content/ef641e2e-6214-11e7-8814-0ac7eb84e5f1https://www.reuters.com/article/us-ukraine-cyber/new-wave-of-cyber-attacks-hits-russia-other-nations-idUSKBN1CT21Fhttps://www.jpcert.or.jp/at/2017/at170020.htmlhttp://www.npa.go.jp/cyberpolice/detect/pdf/20170519.pdfhttp://blog.trendmicro.co.jp/archives/14920https://blogs.mcafee.jp/petya-effective-destructionhttps://blog.kaspersky.co.jp/schroedingers-petya/16695/https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/http://blog.trendmicro.co.jp/archives/16226https://www.ipa.go.jp/security/ciadr/vul/20170514-ransomware.html https://www.jpcert.or.jp/magazine/security/nomore-ransom.html

4-8 Hardware and the Future Concept for its Needed Security Measures

Introduction

Types of Vulnerabilities

Long years of software cracking, and of implementing countermeasures against it, have led to the development of the Common Weakness Enumeration (CWE), a list of common vulnerability types.(1)

For example, “CWE-20” is the “Improper Input Validation” type, while “CWE-78” is the “Improper Neutralization of Special Elements used in an OS Command” type of vulnerability. For hardware, on the other hand, no such list of vulnerability types exists (to the author’s knowledge). There is, however, a vulnerability assessment scheme(2) for system LSI (one category of hardware) that assesses whether the system LSI can withstand the following attacks:

(1) Physical attack: Insert a probe and read the data out of the memory
(2) Disturbance attack: Cause disturbance by illuminating the chip with strong laser light or by applying signals to the power supply or clock line
(3) Side-channel attack: Measure the power consumption and electromagnetic emission of the running LSI and analyze its internal operation from their characteristics
(4) Software attack: Analyze the internal operation from the response to unexpected commands or parameters

Classifying vulnerabilities into types entails determining the target component, the object (event) that must be protected, and which types of attack are able to succeed. In the assessment scheme above, for example, the target component is the system LSI, the object to be protected is the information stored in it, and what is evaluated is whether certain types of attack succeed.

In this Chapter, we look at what types of attack are likely to succeed in interfering with the prescribed operation of the program (the object of protection) on the hardware shown in the figure below (the target component). The example hardware consists of a CPU, an internal bus, memory, a Flash ROM, a reset button, and a USB interface for external connections. While the power is on, the CPU continuously runs a program, generally called firmware, that it reads from the Flash ROM. Pressing the reset button temporarily cuts the power, which flows again when the button is released. If a USB memory is inserted in the USB interface when the reset button is pressed, the CPU instead runs the firmware stored on the USB memory; unlike the firmware in the Flash ROM, this firmware is used to update the contents of the Flash ROM and stops once the update is finished.

Since we have defined an attack as “interference with the prescribed operation of the program,” an attack is successful when the CPU is made inoperable, when the hardware is manipulated from the outside into executing an unprescribed event, or when the program is stopped. What types of vulnerabilities might this hardware have? We explain the vulnerabilities of each part by referring to particular cases.


Figure: Example hardware (reset button, CPU, memory, internal bus, Flash ROM, and USB interface)

Security issues stemming from hardware are on the rise. Readers of this report have most likely heard of hardware vulnerabilities such as Meltdown and Spectre. In this Chapter, we discuss less well-known hardware vulnerabilities.


Figure: Meltdown and Spectre. The recent trend is to use icons and catchy names for discovered vulnerabilities. URL: https://meltdownattack.com/

Figure: Example of malware described in the IMPs paper. The attacker is able to log in as root using a certain keyword on the network. URL: https://www.usenix.org/legacy/event/leet08/tech/full_papers/king/king_html/

(1) CPU

Recent CPU vulnerabilities that have come to light are Spectre and Meltdown(3), reported in January 2018. These are side-channel attacks that allow an application to read data in memory for which it has no read/write permission. This type of vulnerability is classified as CWE-200 (Information Exposure). The problem can be addressed provisionally by updating the firmware and changing how the CPU is used, but a permanent fix requires changes to the CPU’s internal circuitry(4).

Vulnerabilities such as Spectre and Meltdown caused major problems because they were part of the specifications of widely used chips, but there has also been a case in which a backdoor was reported to have been embedded in a military chip(5). That case, however, was classified as a CWE-255 (Credentials Management) vulnerability: the key for the encrypted configuration file of the FPGA (an integrated circuit designed to be configured after manufacturing) could be obtained through JTAG (a physical interface for circuit debugging)(6). That case is believed to have been an attempt to create a harmful circuit by changing the FPGA configuration file. There are also cases, however, in which a potentially harmful circuit is embedded during the design and implementation of an ASIC (an integrated circuit with a fixed circuit structure). Such a potentially harmful circuit is called a “hardware Trojan.” Examples of hardware Trojans created for research purposes are the Illinois Malicious Processors (IMPs)(7) and the Malicious 8051 processor(8). Neither paper, however, describes technical details.

The first paper describes a hardware Trojan that implements privilege escalation and illegitimate commands, locally or remotely, by modifying a CPU whose technical specifications are public, while the second describes the creation of a counterfeit of a control chip that is still in general use today. Counterfeit chips carrying such hardware Trojans can be detected and distinguished from genuine chips using the attack methods described in “Types of Vulnerabilities” above. Since these methods, however, rely on the counterfeit performing unnecessary operations that differ from the original’s, the Trojan cannot be detected unless those unnecessary operations are actually performed. Researchers are therefore still investigating methods for detecting counterfeits.


Figure: Example of a side-channel attack (detection). Playing music by driving the hardware from an application. URL: https://fulldecent.github.io/system-bus-radio/

Figure: Row Hammer attack. Screenshot of the video showing the instant the attack succeeded and gained root access. URL: https://www.youtube.com/watch?v=Mnzp1p9Nvw0

(2) Internal bus

The internal bus is the channel that carries data between chips. Inserting a physical probe into the bus makes it possible to obtain the data exchanged between the chips, a CWE-200 (Information Exposure) vulnerability that is equivalent to the physical attack mentioned in “Types of Vulnerabilities” above.

A chip’s built-in JTAG function can also be used as a probe, as in the backdoor found to have been embedded in the military chip mentioned under (1) CPU above. JTAG is a standard for serial communication with the internal components of an integrated circuit. It was originally created for testing circuit boards but has recently also come into use as a debugging interface. For example, it can instantly halt the signals to and from a particular pin of an FPGA or CPU; in other words, it makes it possible to operate the hardware independently of the CPU. This is classified as a CWE-254 (Security Features) vulnerability. However, since vendors do not normally publish their private commands, this function cannot be used without disclosure of information from the vendor.

As long as the hardware consumes power, however, it emits some form of signal while operating. This characteristic is exploited in the side-channel attack (detection) example, in which an AM radio can be used to carry information out of hardware that has no network or USB interface at all.

(3) Memory

Memory is known to have the Row Hammer vulnerability. This vulnerability, a consequence of ever finer manufacturing process technology, leads to errors caused by the destabilization of data in nearby cells during continuous access to DRAM memory cells(9). Attacks using this vulnerability, which is classified as CWE-254 (Security Features), can lead to the capture of privileges or to memory corruption. The attack causes abnormal memory behaviour by repeatedly writing data within a short period of time.

Although it is difficult to reproduce the capture of privileges experimentally for memory, the same problem has also been reported for SSDs(10), for which an explanatory video is provided. A vulnerability named Drammer has also been reported in ARM-based devices, which are widely used in smartphones(11).

Soft errors are another problem resulting from ever finer manufacturing process technology. They occur when particles emitted by radioactive elements strike a semiconductor, generating charged particles inside it that affect the memory. Although soft errors have long been regarded mainly as a problem for spacecraft, they have recently become a cause of failures in terrestrial communication equipment as well. Methods for addressing this problem are still at an early stage; commercial availability of environments that artificially induce soft errors has only begun recently(12).


Figure: USB Kill. Screenshot of the video showing the instant the PC is destroyed using a USB dongle. URL: https://www.youtube.com/watch?v=3hbuhFwFsDU

(4) Flash ROM

Since the basic structure of the Flash ROM is the same as that of memory, here we explain the problems in hardware operation that relate to program updates. As mentioned earlier, the security measures and technologies developed through long years of software cracking and countermeasures belong mainly to the software domain, and to networks in particular, and have not widely penetrated the hardware domain. In the given hardware example, where a USB memory is used to update the firmware, an attack is considered successful when the Flash ROM is updated, via a USB memory, with firmware that behaves differently from the prescribed operation.

Nowadays, providers avoid dispatching engineers to carry out firmware updates on site because of the cost, and remote updates over the network have become the mainstream approach. A good example of an attack on the Flash ROM is the one on the Telematics Control Unit (TCU) of the Nissan Leaf reported earlier in the U.S.(13). The problem arose because a 2G modem that allowed man-in-the-middle (MITM) attacks had been used in the TCU, and even more so because no measures were taken to fix or replace the chip, whose vulnerability had been found years earlier. The use of a MITM-prone modem shows that it is necessary not only to encrypt the communication channel but also to correctly verify the parties to the communication. The failure to address the chip’s vulnerability shows the importance of proper supply chain management, verifying whether problems exist in each of the parts used in the hardware.
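As an added example (not code from the report or from any vendor), the check the USB-memory update firmware of the example hardware should perform before it rewrites the Flash ROM: authenticate the whole image, check its integrity, and refuse rollbacks. The image format, the HMAC-based tag and the device key are assumptions made for this example; a real device would verify a public-key signature instead.

```python
"""Update-image check for the example hardware's USB firmware update.

Constructed example: the update firmware read from the USB memory must refuse
to rewrite the Flash ROM unless the image is authentic, intact and newer than
the installed firmware. Format, field names and key are assumptions.
"""
import hashlib
import hmac
import struct

MAGIC = b"FWUP"
# Header: magic, version, payload length, flags, SHA-256 of the payload.
HEADER_FMT = ">4sIIB32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32

# Constructed device-held key. HMAC is used so the example runs with the
# standard library only; a real device would verify a public-key signature
# so that no secret has to be stored in the Flash ROM itself.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def build_image(version, payload, key=DEVICE_KEY):
    """Produce an authenticated update image (the vendor's build step)."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload), 0,
                         hashlib.sha256(payload).digest())
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image, current_version, key=DEVICE_KEY):
    """Check an image before it touches the Flash ROM.

    Returns ("ok", (version, payload)) on success, or (reason, None) when the
    image must be rejected. The tag covers header and payload, so header
    fields are only acted on after the tag has been checked.
    """
    if len(image) < HEADER_LEN + TAG_LEN:
        return "image too short", None
    header = image[:HEADER_LEN]
    magic, version, payload_len, _flags, digest = struct.unpack(HEADER_FMT, header)
    if magic != MAGIC:
        return "bad magic", None
    if len(image) != HEADER_LEN + payload_len + TAG_LEN:
        return "length mismatch", None
    payload = image[HEADER_LEN:HEADER_LEN + payload_len]
    tag = image[HEADER_LEN + payload_len:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "authentication failed", None
    # Consistency check between the authenticated header and the payload.
    if hashlib.sha256(payload).digest() != digest:
        return "payload digest mismatch", None
    if version <= current_version:  # anti-rollback: never install older firmware
        return "rollback", None
    return "ok", (version, payload)


def apply_update(flash, image, key=DEVICE_KEY):
    """Simulated Flash ROM update; flash is {'version': int, 'firmware': bytes}.

    Returns (status, flash). The contents are replaced only when every check
    passes; otherwise the installed firmware is left untouched.
    """
    status, result = verify_image(image, flash["version"], key)
    if status != "ok":
        return status, flash
    version, payload = result
    return "ok", {"version": version, "firmware": payload}


if __name__ == "__main__":
    flash = {"version": 1, "firmware": b"constructed firmware v1"}
    good = build_image(2, b"constructed firmware v2")
    print(apply_update(flash, good)[0])                              # ok
    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0xFF                                     # flip one payload byte
    print(apply_update(flash, bytes(tampered))[0])                   # authentication failed
    print(apply_update({"version": 2, "firmware": b""}, good)[0])    # rollback
```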

(5) Reset button

Pressing the reset button shuts the hardware down. A successful attack can therefore be made by holding the button down—a simple but effective procedure. Besides the reset button, operation can be stopped by changing the settings of hardware jumper pins or DIP switches, by removing the power cable, or, for hardware equipped with physical intrusion-detection sensors, simply by opening its outer casing(14).

(6) USB memory

An I/O interface is the mechanism through which software connects to the external environment. In the given hardware example, for instance, adding a USB interface makes it possible to use a USB memory to update the firmware or the OS. A famous example of an attack using a USB memory is BadUSB(15). It uses a reprogrammable control chip and is recognized as a keyboard by the hardware it is plugged into, enabling automated key input into the computer. Although this poses no problem for the given hardware example, since use of a keyboard is ruled out, attacks based on this idea are likely to appear in the future.

There is also a tool known as the USB Killer(16), which charges its built-in capacitor on connection to a USB port and then repeatedly applies the stored voltage to the PC with reversed polarity. The tool, which is commercially available(17), has unavoidable effects because it uses the USB interface’s power supply function, causing fatal damage to the hardware.

Conclusion

In this Chapter, we looked at what attacks might succeed against a particular hardware example. As mentioned above, the security measures developed through long years of software cracking and countermeasures are slowly spreading from the software domain into the hardware domain. Since launching physical attacks on hardware remotely is not easy, for the time being the main battleground for hardware attacks will be firmware. For example, although the UEFI used with Intel’s x86 processors is proprietary, closed firmware, it has been pointed out that it internally uses MINIX, an open-source OS(18). In other words, to run the OS we use every day, Intel uses a different OS, one that could itself be vulnerable to attack. The report claims that, although attempts are being made, it is difficult to create truly safe firmware. In the future, it will be increasingly necessary to consider the risks involved in providing safe services—even for hardware, where it has already become unclear who made what, and for what purpose. No one, therefore, knows what lies ahead.

Reference Information

(1) https://www.ipa.go.jp/security/vuln/CWE.html
(2) http://www.ecsec.jp/HW3.html
(3) https://googleprojectzero.blogspot.jp/2018/01/reading-privileged-memory-with-side.html
(4) https://newsroom.intel.com/editorials/advancing-security-silicon-level/
(5) https://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf
(6) http://blog.erratasec.com/2012/05/bogus-story-no-chinese-backdoor-in.html
(7) https://www.usenix.org/legacy/event/leet08/tech/full_papers/king/king_html/
(8) https://www.researchgate.net/publication/261451763_Designing_and_implementing_a_Malicious_8051_processor
(9) https://googleprojectzero.blogspot.jp/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
(10) https://www.myce.com/news/ibm-researchers-rowhammer-like-attack-ssds-can-provide-root-privileges-attacker-82386/
(11) https://github.com/vusec/drammer
(12) http://keytech.ntt-at.co.jp/emc/prd_5014.html
(13) http://www.mellanox.com/related-docs/prod_multi_core/PB_TILEmpower-Gx36-FR.pdf
(14) http://ascii.jp/elem/000/001/533/1533962/index-2.html
(15) https://github.com/brandonlw/Psychson
(16) https://kukuruku.co/post/usb-killer/
(17) https://usbkill.com/
(18) http://www.publickey1.jp/blog/17/cpuminix_3google.html


・ Adobe Flash Player, Adobe, Acrobat, Adobe Reader, Adobe Acrobat Reader, and Adobe ColdFusion are either trademarks or registered trademarks of Adobe Systems Incorporated, its subsidiaries, and related companies in the U.S.A. and/or other countries.
・ AMD and AMD logo are either trademarks or registered trademarks of Advanced Micro Devices, Inc.
・ Android, Google Chrome, Google Calendar, Google Cloud Print, Google Docs, Google Drive, Google Play, Google Play logo, and Gmail are either trademarks or registered trademarks of Google Inc.
・ Apache, Tomcat, Apache James, Lucene, Apache Struts, FileUpload, and OGNL are either trademarks or registered trademarks of Apache Software Foundation.
・ Apple, Apple logo, App Store, iPod logo, iTunes, WebKit are registered trademarks of Apple Inc. in the U.S.A. and/or other countries.
・ ARM is a trademark of Arm Limited, its subsidiaries, and related companies in the U.S.A. and/or other countries.
・ ATOS is a registered trademark of Atos group.
・ BIND is a registered trademark of Internet Systems Consortium, Inc.
・ Broadcom is either a trademark or registered trademark of Avago Technologies General IP (Singapore) PTE. LTD.
・ CERT is a registered trademark of Carnegie Mellon University.
・ CISCO, IOS, and Snort are trademarks of Cisco Systems, Inc., its subsidiaries, and related companies in the U.S.A. and/or other countries.
・ Equifax is either a trademark or registered trademark of Equifax Inc.
・ ESET is a trademark of ESET, spol. s r.o.
・ Facebook and Facebook logo are either trademarks or registered trademarks of Facebook, Inc.
・ FortiGate is a registered trademark of Fortinet, Inc.
・ FreeBSD is a registered trademark of FreeBSD Foundation.
・ GMO is either a trademark or registered trademark of GMO Internet, Inc.
・ HP-UX is a registered trademark of Hewlett-Packard Company in the U.S.A. and/or other countries.
・ HUAWEI is either a trademark or registered trademark of Huawei Technologies Co. Ltd.
・ IBM, IBM logo, ibm.com, AIX, AIX 6, AIX 5L, BladeCenter, IntelliStation, POWER, RS/6000, System i, and System p are trademarks of International Business Machines Corporation registered in many countries around the world.
・ Intel is either a trademark or registered trademark of Intel Corporation.
・ Internet Explorer, Windows, and Internet Information Server (IIS) are trademarks or registered trademarks of Microsoft Corporation, its subsidiaries, and related companies in the U.S.A. and/or other countries.
・ JVN is a registered trademark of JPCERT/CC Vendor Status Notes DB.
・ Kaspersky is either a trademark or registered trademark of AO Kaspersky Lab.
・ LINE is a registered trademark of LINE Corporation.
・ Linux is either a trademark or registered trademark of Linus Torvalds in the U.S.A. and/or other countries.
・ Mozilla, Firefox, Thunderbird and their respective logos are trademarks or registered trademarks of Mozilla Foundation in the U.S.A. and/or other countries.
・ MySQL, Java, JRE, JDK, and Solaris are registered trademarks of Oracle Corporation, its subsidiaries, and related companies in the U.S.A. and/or other countries.
・ PostgreSQL is a trademark of PostgreSQL.
・ Red Hat is either a trademark or registered trademark of Red Hat, Inc. in the U.S.A. and/or other countries.
・ Ruby on Rails is a registered trademark of David Heinemeier Hansson.
・ Twitter, Twitter logo, the Twitter “T” logo, and the Twitter blue bird are registered trademarks of Twitter, Inc. in the U.S.A. and/or other countries.
・ Verisign, Verisign logo, and other names, service marks and logos are either trademarks or registered trademarks of Verisign, Inc., its subsidiaries, and related companies in the U.S.A. and/or other countries.
・ Verizon is either a trademark or registered trademark of Verizon Trademark Services LLC.
・ VMware, VMware logo, Virtual SMP, and VMotion are either trademarks or registered trademarks of VMware, Inc. in the U.S.A. and/or other countries.
・ WebLogic is a registered trademark of BEA Systems, Inc.
・ YouTube and YouTube logo are either trademarks or registered trademarks of Google Inc.
・ ZTE and logo are either trademarks or registered trademarks of ZTE Corporation in China and/or other countries.
・ Coincheck is either a trademark or registered trademark of Coincheck, Inc.
・ Proper names of other company and product names appearing herein are trademarks or registered trademarks of the respective

companies.

Trademarks

108


2018 Annual Cybersecurity Report


NTT Secure Platform Laboratories