There are lots of different types of intelligence out there. Human intelligence measured in IQ points; social intelligence aka social competence; artificial intelligence (discussed in the last Bulletin) and its many variations, including “big data”, “machine learning”, “neural networks”, etc. The focus this time is on “threat intelligence” (ThreatINT), the close cousin of “signals intelligence” (SIGINT): the kind of intelligence traditionally associated with clandestine agencies, obtained by observation and espionage, through dubious channels or clever infiltration.
While this sounds a bit dodgy, there’s nothing wrong with being interested in whether there are some burglars operating in your village, some thieves interested in your make of car, or some criminals on the prowl to steal your credit card details. It’s best to be alert and find out about their wrongdoings before any malicious act occurs: in order to improve your defences, to increase your protection level, to be prepared.
The same holds true for the digital world. For the most efficient protection of CERN – to detect an attack as effectively as possible, to be alert, prepared and ready – it’s essential to gather as much information as possible about the intentions of malicious actors. Intentions that are discussed via hidden channels. Attack vectors that are advertised on the dark web. Stolen credentials and vulnerabilities that are sold on underground markets. ThreatINT about CERN, CERN’s domains (cern.ch, .cern, but also zenodo.org, etc.), CERN’s networks, CERN accounts or other digital resources owned by the Organization. ThreatINT aimed against CERN, WLCG and its affiliated institutes and universities.
After a one-off data gathering and analysis of dark web ThreatINT about CERN in 2020, the CERN Computer Security team has started a proof of concept with another ThreatINT provider and expert in dark-web information gathering. Their first round of analysis turned up more than 1000 passwords of CERN primary (31%) and application-specific accounts (69%) used to log in to, for example, CERN’s Single Sign-on, LHC@BOINC or Zenodo. While the majority of the CERN primary account passwords turned out to be false positives or came from old password dumps already handled long ago, more than 60 of the application-specific account* passwords were still valid. The passwords had been obtained by different password stealers installed via malware infections on the (most probably home) PCs of the corresponding account owners. A malware infection implies that every password typed on that PC must be deemed compromised and must be changed (AFTER reinstalling the PC, of course, otherwise the new passwords are stolen right away). Too bad for those who haven’t enabled their two-factor authentication protection yet.
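The triage described above, as an added example (not the CERN Computer Security team's tooling): a constructed credential-leak feed is matched against a constructed local account directory, and each record is sorted into the categories the paragraph mentions: unknown account, password rotated after the leak was observed (old dump, already handled), false positive (password does not verify), or still valid. The directory format, the PBKDF2 hashing, the deterministic salts and all usernames are assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

ITERATIONS = 100_000  # assumed KDF cost for the example directory


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 with a per-account salt (assumed directory KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(username, kind, password, last_changed):
    # Deterministic salt so the example is reproducible; real systems use os.urandom.
    salt = hashlib.sha256(username.encode()).digest()[:16]
    return {"username": username, "kind": kind, "salt": salt,
            "hash": hash_password(password, salt), "last_changed": last_changed}


# Constructed local directory (hypothetical accounts, not real users).
DIRECTORY = {a["username"]: a for a in [
    make_account("alice", "primary", "correct-horse-battery", date(2023, 9, 1)),
    make_account("bob", "primary", "Winter2022!", date(2022, 1, 15)),
    make_account("carol.zenodo", "application", "zenodo-pass-1", date(2021, 6, 30)),
    make_account("dave.boinc", "application", "boinc-pw", date(2023, 5, 5)),
]}

# Constructed ThreatINT feed: (username, password seen, date observed, source).
FEED = [
    ("alice", "correct-horse-battery", date(2023, 3, 10), "old-dump"),    # rotated since
    ("bob", "Summer2019", date(2023, 10, 2), "old-dump"),                 # false positive
    ("carol.zenodo", "zenodo-pass-1", date(2023, 10, 2), "stealer-log"),  # still valid
    ("dave.boinc", "boinc-pw", date(2023, 10, 3), "stealer-log"),         # still valid
    ("mallory", "whatever", date(2023, 10, 3), "stealer-log"),            # no such account
]


def triage_record(record, directory):
    """Classify one leaked credential against the directory."""
    username, password, observed, _source = record
    acct = directory.get(username)
    if acct is None:
        return "unknown_account"
    # Password changed after the leak was observed: old dump, already handled.
    if acct["last_changed"] > observed:
        return "rotated_since_leak"
    # Verify the leaked password in constant time instead of trusting the feed.
    if hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
        return "compromised"
    return "false_positive"


def triage(feed, directory):
    """Return (verdict per username, follow-up actions for compromised accounts)."""
    verdicts, actions = {}, []
    for rec in feed:
        verdict = triage_record(rec, directory)
        verdicts[rec[0]] = verdict
        if verdict == "compromised":
            kind = directory[rec[0]]["kind"]
            if rec[3] == "stealer-log":
                # Infected PC: every password typed there is burnt; reinstall first.
                step = "reinstall the PC, then change this and every other password typed on it"
            else:
                step = "change the password"
            actions.append((rec[0], kind, step))
    return verdicts, actions


def share_by_kind(feed, directory):
    """Share of feed records per account kind (primary vs application)."""
    counts = Counter(directory[u]["kind"] for u, *_ in feed if u in directory)
    total = sum(counts.values())
    return {kind: round(100 * n / total) for kind, n in counts.items()}


if __name__ == "__main__":
    verdicts, actions = triage(FEED, DIRECTORY)
    for user, verdict in verdicts.items():
        print(f"{user:14s} {verdict}")
    for user, kind, step in actions:
        print(f"ACTION {user} ({kind}): {step}")
    print(share_by_kind(FEED, DIRECTORY))
```

The rotation-date check is what turns most old-dump hits into "already handled" without a hash comparison, and the verify step is what separates the false positives from the ones that still log in; only the latter generate work for the account owner.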
CERN is also now receiving, almost on a daily basis, immensely important ThreatINT regarding large research and education (R&E) institutions. Since the beginning of 2023, SAFER – the global trust group of security experts, including from CERN – has helped ransomware attack victims in Australia, Austria, Canada, Denmark, Germany, Hong Kong, Iceland, Italy, Kenya, Switzerland, Taiwan and the US – many affiliated with CERN or part of our academic community. The data indicated that these organisations had been compromised by high-profile threat actors, but that the final payload (ransomware deployment) had not been activated… yet! The high quality and precision of that intelligence allowed the institutions to act, monitor, detect and finally contain and stop any attack before it was too late.
Thus, building strong trust relationships and sharing sensitive ThreatINT is essential to protect CERN. Even if it’s not shared in public, this is what goes on constantly behind the scenes to the benefit of the community (see here, here, or here). Our favourite R&E security experts are never far away!
It is not a question of “if” the Organization will be subjected to an attack, but “when”. It’s best to learn about it sooner rather than not at all. Thanks to ThreatINT. Thanks to protective intelligence.
* Application-specific accounts are those providing access to public resources like Zenodo.org or LHC@BOINC. The operational impact on CERN due to the exposure of such passwords is zero.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.