Main Page: Difference between revisions
Jump to navigation
Jump to search
Content added Content deleted
(added the Homeland Justice operations against Albania) |
(added Homeland Justice as incident 23; retired incidents 11 to 13; lowered weights on 2021 incidents) |
||
| Line 60: | Line 60: | ||
<h2 id="mp-itn-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Featured incident</h2> |
<h2 id="mp-itn-h2" style="margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Featured incident</h2> |
||
<choose uncached> |
<choose uncached> |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | On 2 March 2021, Microsoft issued a [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ statement] about multiple zero-day exploits in its Exchange Server email software and urged customers to update their systems using a patch released at the same time. Nevertheless, malicious cyber activities escalated, resulting in more than [https://edition.cnn.com/2021/03/10/tech/microsoft-exchange-hafnium-hack-explainer/index.html 250,000 affected customers globally] (including governments as well as the private sector) and involving at least [https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/?utm_source=Twitter&utm_medium=cpc&utm_campaign=WLS_apt_groups&utm_term=WLS_apt_groups&utm_content=blog 10 APT groups]. The original campaign was [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ attributed] by Microsoft to ‘Hafnium’, described as a State-sponsored group operating out of China. The hackers used the exploits to gain access to victim organisations’ email systems and to install malware allowing them to maintain long-term access to files, inboxes, and stored credentials. [[Scenario 02: Cyber espionage against government departments|Scenario 02]] of the Toolkit analyses cyber espionage against government departments; economic cyber espionage is discussed in [[Scenario 09: Economic cyber espionage|Scenario 09]].</div> |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | On 13 December 2020, FireEye [https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html announced] the discovery of an ongoing supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware. The [https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T victims] included many U.S. governmental organisations (such as the Department of Homeland Security, the Department of Energy, or the Treasury) and businesses (including Microsoft, Cisco, or Deloitte). Once the systems were infected, hackers could transfer files, execute files, profile the system, reboot the machines, or disable system services. The U.S. government has [https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure attributed] the attack to an ‘Advanced Persistent Threat Actor, likely Russian in origin’. Even though the campaign’s full scope remains unknown, recovering from the hack and conducting investigations may take up to [https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/ 18 months]. In the Toolkit, data theft and cyber espionage against government departments are analysed in [[Scenario 02: Cyber espionage against government departments|Scenario 02]]. Given that private sector organizations were among the victims, [[Scenario 09: Economic cyber espionage|Scenario 09]] on economic cyber espionage is also relevant.</div> |
||
| ⚫ | |||
<option> |
<option> |
||
<!-- INCIDENT 14--> |
<!-- INCIDENT 14--> |
||
| Line 88: | Line 78: | ||
</div> |
</div> |
||
</option> |
</option> |
||
<option |
<option> |
||
<!-- INCIDENT 17--> |
<!-- INCIDENT 17--> |
||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:HackedForeignMinistry.png|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:HackedForeignMinistry.png|left|150px]] |
||
| Line 94: | Line 84: | ||
</div> |
</div> |
||
</option> |
</option> |
||
<option |
<option> |
||
<!-- INCIDENT 18--> |
<!-- INCIDENT 18--> |
||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:UN emblem blue.svg|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:UN emblem blue.svg|left|150px]] |
||
| Line 100: | Line 90: | ||
</div> |
</div> |
||
</option> |
</option> |
||
<option |
<option> |
||
<!-- INCIDENT 19--> |
<!-- INCIDENT 19--> |
||
<div id="mp-itn" style="padding:0.1em 0.6em;"> [[File:WaikatoHospital.jpg|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;"> [[File:WaikatoHospital.jpg|left|150px]] |
||
| Line 128: | Line 118: | ||
</div> |
</div> |
||
</option> |
</option> |
||
<option weight=" |
<option weight="4"> |
||
<!-- INCIDENT 23--> |
<!-- INCIDENT 23--> |
||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Flag of Albania.svg|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Flag of Albania.svg|left|150px]] |
||
Multiple websites and services of the Government of Albania were [https://www.kryeministria.al/en/newsroom/videomesazh-i-kryeministrit-edi-rama/ rendered unavailable on 15 July 2022] as well as the e-Albania portal, and [https://edition.cnn.com/2022/09/10/politics/albania-cyberattack-iran/index.html on 9 September 2022 the border system of the state police was targeted]; however, other state systems were compromised [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ between October 2021 and May 2022]. |
|||
It is speculated that, although Homeland Justice declared its responsibility for the disruptive activity, the cyber operations were carried out by [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ four state-sponsored actors with ties to Iran]. The cyber operations were accompanied by [https://www.cisa.gov/uscert/ncas/alerts/aa22-264a information operations by HLJ] accusing the Albanian government of corruption and spreading messages against Mujahideen E-Khalq (an Iranian opposition organization based in Albania). Data from various state databases was allegedly exfiltrated and some even published (e.g. data related to [https://balkaninsight.com/2022/11/08/albania-authorities-silent-over-alleged-security-service-data-hack/ the Prime Minister, the State Information Service] or [https://balkaninsight.com/2022/10/03/iranian-hackers-leak-database-of-albanian-criminal-suspects/ criminal suspects]). There is a suspicion that the cyber operations serve [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ as a payback for cyber operations] attributed to a hacktivist group called Predatory Sparrow. |
|||
It is speculated that, although Homeland Justice declared its responsibility for the disruptive activity, the cyber operations were carried out by [https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ four state-sponsored actors with ties to Iran]. |
|||
| ⚫ | In response to the July cyber operation, Albania decided to [https://www.reuters.com/world/albania-cuts-iran-ties-orders-diplomats-go-after-cyber-attack-pm-says-2022-09-07/ cut diplomatic ties with Iran]. NATO has declared its support of Albania and [https://www.nato.int/cps/en/natohq/official_texts_207156.htm acknowledged the attribution, by some Allies, of the responsibility for the cyber operations to Iran] |
||
| ⚫ | In response to the July cyber operation, Albania decided to [https://www.reuters.com/world/albania-cuts-iran-ties-orders-diplomats-go-after-cyber-attack-pm-says-2022-09-07/ cut diplomatic ties with Iran]. NATO has declared its support of Albania and [https://www.nato.int/cps/en/natohq/official_texts_207156.htm acknowledged the attribution, by some Allies, of the responsibility for the cyber operations to Iran]. [https://www.politico.com/news/2022/10/05/why-albania-chose-not-to-pull-the-nato-trigger-after-cyberattack-00060347 Albania was also considering invoking] Article 5 of The North Atlantic Treaty, to trigger collective defence, but eventually decided against it. Iran has denied its involvement. |
||
In the Toolkit, [[Scenario 02: Cyber espionage against government departments|Scenario 02]] considers cyber espionage against government departments and [[Scenario 17: Collective responses to cyber operations|Scenario 17]] addresses collective responses to cyber operations. |
In the Toolkit, [[Scenario 02: Cyber espionage against government departments|Scenario 02]] considers cyber espionage against government departments and [[Scenario 17: Collective responses to cyber operations|Scenario 17]] addresses collective responses to cyber operations. |
||
</div> |
</div> |
||
| ⚫ | |||
</choose> |
</choose> |
||
<h2 id="mp-other" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Quick links</h2> |
<h2 id="mp-other" style="clear:both; margin:0.5em; background:#bbceed; font-family:inherit; font-size:120%; font-weight:bold; border:1px solid #a3b0bf; color:#000; padding:0.2em 0.4em;">Quick links</h2> |
||
| Line 229: | Line 222: | ||
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Brno_(znak).svg|left|150px]] |
<div id="mp-itn" style="padding:0.1em 0.6em;">[[File:Brno_(znak).svg|left|150px]] |
||
On 13 March 2020, Brno University Hospital, the second-largest hospital in the Czech Republic, at the time also providing COVID-19 testing capacities, was [[Brno University Hospital ransomware attack (2020)|targeted by ransomware]]. The hospital was forced to shut down its entire IT network, postpone urgent surgical interventions, and reroute patients to other nearby hospitals. It took several weeks before the hospital was fully operational again. [[Scenario 14: Ransomware campaign|Scenario 14]] in the Toolkit provides the legal analysis of a ransomware campaign against municipal and health care services abroad; [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] and [[Scenario 23: Vaccine research and testing|Scenario 23]] both focus on various cyber operations against hospitals.</div> |
On 13 March 2020, Brno University Hospital, the second-largest hospital in the Czech Republic, at the time also providing COVID-19 testing capacities, was [[Brno University Hospital ransomware attack (2020)|targeted by ransomware]]. The hospital was forced to shut down its entire IT network, postpone urgent surgical interventions, and reroute patients to other nearby hospitals. It took several weeks before the hospital was fully operational again. [[Scenario 14: Ransomware campaign|Scenario 14]] in the Toolkit provides the legal analysis of a ransomware campaign against municipal and health care services abroad; [[Scenario 20: Cyber operations against medical facilities|Scenario 20]] and [[Scenario 23: Vaccine research and testing|Scenario 23]] both focus on various cyber operations against hospitals.</div> |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | On 2 March 2021, Microsoft issued a [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ statement] about multiple zero-day exploits in its Exchange Server email software and urged customers to update their systems using a patch released at the same time. Nevertheless, malicious cyber activities escalated, resulting in more than [https://edition.cnn.com/2021/03/10/tech/microsoft-exchange-hafnium-hack-explainer/index.html 250,000 affected customers globally] (including governments as well as the private sector) and involving at least [https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/?utm_source=Twitter&utm_medium=cpc&utm_campaign=WLS_apt_groups&utm_term=WLS_apt_groups&utm_content=blog 10 APT groups]. The original campaign was [https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ attributed] by Microsoft to ‘Hafnium’, described as a State-sponsored group operating out of China. The hackers used the exploits to gain access to victim organisations’ email systems and to install malware allowing them to maintain long-term access to files, inboxes, and stored credentials. [[Scenario 02: Cyber espionage against government departments|Scenario 02]] of the Toolkit analyses cyber espionage against government departments; economic cyber espionage is discussed in [[Scenario 09: Economic cyber espionage|Scenario 09]].</div> |
||
</option> |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | On 13 December 2020, FireEye [https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html announced] the discovery of an ongoing supply chain attack that trojanized SolarWinds Orion business software updates in order to distribute malware. The [https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?r=US&IR=T victims] included many U.S. governmental organisations (such as the Department of Homeland Security, the Department of Energy, or the Treasury) and businesses (including Microsoft, Cisco, or Deloitte). Once the systems were infected, hackers could transfer files, execute files, profile the system, reboot the machines, or disable system services. The U.S. government has [https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure attributed] the attack to an ‘Advanced Persistent Threat Actor, likely Russian in origin’. Even though the campaign’s full scope remains unknown, recovering from the hack and conducting investigations may take up to [https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/ 18 months]. In the Toolkit, data theft and cyber espionage against government departments are analysed in [[Scenario 02: Cyber espionage against government departments|Scenario 02]]. Given that private sector organizations were among the victims, [[Scenario 09: Economic cyber espionage|Scenario 09]] on economic cyber espionage is also relevant.</div> |
||
</option> |
</option> |
||
<option> |
<option> |
||
Revision as of 14:46, 2 February 2023
About the projectThe Cyber Law Toolkit is a dynamic interactive web-based resource for legal professionals who work with matters at the intersection of international law and cyber operations. The Toolkit may be explored and utilized in a number of different ways. At its core, it presently consists of 28 hypothetical scenarios. Each scenario contains a description of cyber incidents inspired by real-world examples, accompanied by detailed legal analysis. The aim of the analysis is to examine the applicability of international law to the scenarios and the issues they raise. You can see all scenarios in the box immediately below – just click on any of them to follow the relevant analysis. In addition, you may want to explore the Toolkit by looking for keywords you’re interested in; by viewing its overall article structure; by browsing through the national positions on international law in cyberspace; or by reading about individual real-world examples that serve as the basis of the Toolkit scenarios. Finally, you may want to use the search function in the top right corner of this page to look for specific words across all of the Toolkit content.
Cyber law scenarios |
Featured incident Multiple websites and services of the Government of Albania were rendered unavailable on 15 July 2022 as well as the e-Albania portal, and on 9 September 2022 the border system of the state police was targeted; however, other state systems were compromised between October 2021 and May 2022. It is speculated that, although Homeland Justice declared its responsibility for the disruptive activity, the cyber operations were carried out by four state-sponsored actors with ties to Iran. In response to the July cyber operation, Albania decided to cut diplomatic ties with Iran. NATO has declared its support of Albania and acknowledged the attribution, by some Allies, of the responsibility for the cyber operations to Iran. Albania was also considering invoking Article 5 of The North Atlantic Treaty, to trigger collective defence, but eventually decided against it. Iran has denied its involvement. In the Toolkit, Scenario 02 considers cyber espionage against government departments and Scenario 17 addresses collective responses to cyber operations. Quick links
Behind the scenesThe project is supported by the following six partner institutions: the Czech National Cyber and Information Security Agency (NÚKIB), the International Committee of the Red Cross (ICRC), the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), the University of Exeter, United Kingdom, the U.S. Naval War College, United States, and Wuhan University, China. The core of the project team consists of Dr Kubo Mačák (ICRC) – General Editor; Mr Tomáš Minárik (NÚKIB) – Managing Editor; and Ms Taťána Jančárková (CCDCOE) – Scenario Editor. The individual scenarios and the Toolkit as such have been reviewed by a team of over 30 peer reviewers. The Toolkit was formally launched on 28 May 2019 in Tallinn, Estonia; its Chinese launch took place on 2 November 2019 in Wuhan, China; it received its most recent general annual update on 20 October 2022; and it remains continuously updated. For questions about the project including media enquiries, please contact us at cyberlaw@exeter.ac.uk.
|
