Pure Blind cyber-attack Updates

Pure Blind: Arrival


From: Avio Yaken
Sent: 2020.07.13 22:43
To: Suha Raibuya,

========================================


Suha

I’ve arrived in Pure Blind and I’m settling in. I’m crashing at a port operated by the Sisters of EVE. I haven’t made special contact with anyone here and am just trying to pose as any other Capsuleer loitering around the region looking for sites to plunder. Though I’m almost certain that the Sisters keep a close eye on every Capsuleer that is in their turf, regardless of why they’re out here.

Don’t got many options. The majority of the region is Capsuleer country and the only other organization with open ports is Mordu’s Legion. Now the Legion gots beef with the Guristas, so I’m gonna try and keep my distance from them. The Sisters, on the other hand, are pretty consistently neutral enough that I should be comfy as long as I don’t take their generosity for granted.

Now on with the mission, here’s how it’s gonna work. I approached that Vherokior hacker I told you about - name’s Komi Valentine, she helped explain what we’re dealing with here and how to make some progress. She advised hunting down copies of the worms so that they can be analyzed to develop a solution and figure out what flaws in the system it’s exploiting.

A thought did occur to me however.

Suha, I don’t think we can bring any of this data into Venal. This worm is self replicating and spreading in the region’s Network continuously, as if it’s trying to reach a target. I do not feel comfortable bringing anything I find out here into Venal and risking compromising the networks out there. I know this is gonna make my job harder, but we should be careful with what we’re dealing with to avoid further embarrassments.

I have with me in station a Kestrel I got off the markets. I’ve gutted it of any useful spaceflight capabilities and will use its computer systems as storage to contain and quarantine any kind of data I can recover from the Guristas routers in region. So far I’ve managed to track down one data center in the same system as my base port and scrape all the data I could out of the mainframes and comms towers within. Data cores, decryptors and some contaminated files.

We’re gonna need more data, and I’ll have that for you next time I report in. I’ll also be seeing if I can figure out what kind of damage this Network worm has caused for this region. Right now I’m just checking in with you as promised and letting you know I’m on site and getting to work.

  • Avio
3 Likes

Pure Blind: Hollow Nodes


From: Avio Yaken
Sent: 2020.07.15 16:56
To: Suha Raibuya,

========================================

Suha

Made some progress on the worm situation. Nothing ground-breaking, but I’m putting in the leg-work to get some more data to work with and potentially even slow down the cyberattack, I’ll explain.

Firstly, I’m not finding many Guristas fluid routers out here. Most have been picked clean by other Capsuleers or are just running on low energy so that they don’t give off a cosmic signature for Capsuleers to scan down and pick clean.

Though I did find two clusters of mainframes and data banks in the system of S-MDYI, a lucky find after hours of looking around the region. One of the clusters was a part of another Data survey site like I found in J-CIJV, but the other happened to be a Central Data Mining node for the Guristas.

With the exception of tripping the failsafe of one of the node’s databases and setting it ablaze, I managed to clear out the Data Mining Center and the Survey site with relative ease and I got a decent stack of data cores as a result to examine and analyze. All of this has been safely contained in that Kestrel I told you about, we’ll refer to it as the “WormBox” from this point forward for simplicity.

I’m gonna need some experts to look at this data and tell me what I’m looking at, but I’ll handle it.

Also, the current tally:


5x Guristas Comm Towers
7x Guristas Databanks
6x Guristas Mainframes

Aside from Data sites, I’ve found many many many derelict spacecraft in the region. I know, it’s sorta unrelated to hunting down this worm - But you did tell me to report on things even if they were mundane, so in closing this - I’ve been clearing out the wrecks in region as a side hustle while on the hunt for routers and I gotta say if this search bears no fruit, at least we’ll have some more kredits to play around with after I find a buyer for all the salvage.

Now I have one last thing to report on, thinking outside the box a little on this one. That Vherokiorian Komi Valentine I told you about gave me some advice, and amongst it was the idea to set up some market nodes of my own for the virus to infect. A sound idea, I just didn’t know how to do that at first until I remembered mobile depots were a thing. I bought a stack of the structures, stripped them of their original functionality and stuffed them with additional computer systems. Then I used the same code, files and algorithms as the Guristas’ financial network uses (had to ‘borrow’ this while digging through their routers) to build a “Hollow” node that resembles any other financial node that is part of a scrip Network, just without any way to store, move or receive any actual financial data.

I have one depot per constellation in Pure Blind, totalling in thirteen nodes. All of them I have latched onto the wider Gurista network for the worm to detect and hopefully try to spread into. I’ll be checking up on these nodes to see if they caught anything or if a Capsuleer tried removing them. Gonna be a pain in the ass, but I like the idea of having locations to set my destination to and patrol the route there for any data routers to plunder.

I hope to have something more substantial for you soon.

  • Avio
2 Likes

Pure Blind: Fine now?


From: Avio Yaken
Sent: 2020.07.17 01:45
To: Suha Raibuya,

========================================
Suha

Well, I honestly don’t know what to tell you, it’s quite embarrassing if I’m being honest. Miraculously the networks out here in Pure Blind have made a complete recovery overnight. Everything is working again, as if the attack never happened.

I don’t know what this means for the worm, it’s unclear whether the operators of the network managed to already discover a counter for the worm or merely managed to uncripple the systems and the worm is still actively swimming in the network’s data.

I’m admittedly uncertain on how to proceed. Either I stay in Pure Blind and try to see if the worm still has a presence out here, or pack it up and head home.

I don’t have much data to show for it, in fact it’s the same amount as the last update. These sites aren’t too common to find I’m afraid, so I don’t think I have a satisfying amount of recovered data to work with.

I’m gonna contact Valentine again, see if I can get her to take a look at what scraps I have on hand. Maybe she can do something with it. If the owners did manage to find a counter this quickly then I don’t doubt the Guristas themselves will figure it out much faster than we can.

Don’t be too hard on yourself, I share your frustration on these turns of events. However you should be proud of yourself, you took charge and acted on what could have posed a serious threat to the Venal Networks. And with what compromised data I did recover, maybe we can work on a counter to reinforce the Prosperity Network from an attack like this.

And look, I’m not trying to dance around the idea… I know you still wanna weaponize this Worm and somehow turn it against the State or Intara directly, I get that. I don’t know if we got enough samples to work with, but maybe we can look into it for the sake of having a deterrent on hand. We shouldn’t be carelessly unleashing cyberattacks in the State that could cripple their scrip networks, as that could interfere with any Guristas operations and be an annoyance to them.

I’ll contact Komi and stay out here for a while longer, just to see what’s going on.

  • Avio
5 Likes

Pure Blind: Worm Traces


From: Avio Yaken
Sent: 2020.07.22 00:08
To: Suha Raibuya,

========================================
Suha

Touched base with Komi, most of the recovered data she says is more or less useless. However, she did have some interest in a high-tech data chip that I pulled from one of the nodes in Pure Blind.

I ferried it off to Empire space for her so she can get to cracking on examining it. This was a day or two ago, today she wrote back.

We might’ve lucked out, she says she believes the chip has traces of the worm, but there’s a ton of useless bulk data on it that she needs to sift through first.

She tells me she’s got a lot of tests to run, but informs me that she’s finding some interesting stuff about it on the surface level, she’s holding off on the details for a report she’s gonna be sending my way.

She mentioned Intara, tells me that she can’t find anything linking it directly to them that makes them out to be the worm’s creators. As far as she can tell, there’s no way this attack could even have happened without insider information on the region’s scrip networks.

However, she has an idea on how it works in the first place and an idea on how to try and reproduce it. Though she stated that without having the actual hardware that made the thing, it might be easier said than done. I’ll talk to Utatis once Komi gives me her report, maybe we can track down whatever equipment was used and borrow it.

By the way, when I say borrow - I really mean steal - But hey, maybe I really can just get away with asking the owners… We’ll see.

  • Avio
3 Likes

Pure Blind: Worm Report

From: Avio Yaken
Sent: YC122.07.30 13:30
To: Suha Raibuya,

Suha

Komi got back to me with her report on the worm. It’s… Complicated to say the least. Admittedly taking me a few reads to fully understand it, but even then I feel a little in over my head at the depth of these Scrip networks.

No wonder we hire experts for this… Anyway, I’m gonna supply her report in full so you get the context and try to break it down as best as I can.


Technical Analysis of Pure Blind Scrip Network Worm (PB9318041.84b)
#sample 1 = High-Tech Data Chip

#sample 1:

While analyzing the Data provided by #sample 1, I’ve found some fragments of an interesting program that seems to have the signature of the worm we will call PB9318041.84b.

How does the Scrip Network work?

To see how the worm could cause this much damage, first we need to understand how the Scrip-Network works. If you are not familiar with it, let me explain: It uses a decentralised structure of network arrays we will call “Node”.

Each Node has its own security certificate and a state of the art firewall for safety measures. In order to perform a transaction, not only one Node has to sign it, but the whole network has to verify it. Meaning in case one Node gets corrupted and Scrip that are not backed up are transferred, the error will be corrected within the system.

The Scrip Network uses the most advanced security and quantum entangled encryption methods. It is nearly impossible to hack, even for me.
Which makes the worm very interesting from my perspective.


Basically I think she’s saying that every “node” in this scrip network acts as its own checkpoint for any data flowing through it. Every step of the way a transaction is being verified and asked to show its papers before passing through to the next stepping stone of its journey.

Alarming thing is that these Networks all have high-end security measures, and why wouldn’t they? You never wanna be screwing around recklessly with someone else’s money…


How could the worm manage the impossible?

While analyzing #sample 1 I found signatures of a program that I considered to be very unusual software. Clearly some kind of mutating code that is often used with harmful software to prevent signature detection.

Trust me, it took a really long time to analyze this probably AI generated mess of a code. But it turned out to be what I expected.

I found some promising functions that I renamed after studying the functionality:

#func erase_carrier()
#func encrypt_sig(hash,sig)
#func createtransfer(v,source,addr)
#func OnRecvTrigger(hash)
#func delete

This led me to the conclusion that this is probably the worm you are looking for.

Worm mechanics.

Once PB9318041.84b occupies a System, the following will happen in sequence or parallel:

  1. The carrier worm will create a mutated version of the actual program and save it in the core system.
  2. A number of ISK-Transfers will be placed
  3. The worm will go to sleep and wait for something I could not identify, because the sample was incomplete at this point. Probably some dependency I don’t know.

So we did luck out and get a hold of an actual worm sample based off these lines of code she uncovered while examining the chip. What I believe she’s saying here is that once the worm is in the system, it’ll start rooting itself into the node and prepare itself for the next step, and this is where it gets interesting…


But how could the worm circumvent the security?

Well, I wanted to check if I can get any information about the transactions the worm does and they were not what I expected them to be. I expected to see a large amount of Scrip being transferred but instead I found this:

Transaction No.   Value                Source                      Receiver
#1                1,01 Sc              #H9Q589JAlJ465FF1MMYYX11CI  #HFM484DF2V48W954SIV34
#2                0,009194028111322 Sc #H922KLL03919OAA11NNKAH11   #HFMA99112ANAU136KALAA
#3                0,001489449712326 Sc #H781QQL0004004003HSWQQQ    #77SV16C13QC1Q11BBBBY3
#4                0,009994512000400 Sc #Z86DPOL416SC132YXX12V81L   #75AV123VW943A21V98V3V
#5                0,000047169669120 Sc #GWE56484SFJJJ2481AWQR1C    #SFVB1321VAQQQ31BBBNZZ

[…]

The amounts are very unusual. Normally a transaction would be expected to be at least 0,01 Scrip. It’s similar to the ISK-network where the minimum transaction is 0,01 ISK.

This was very suspicious so I decided to dig deeper.

Conclusion:

  1. The Attack on the Guristas Facility happened to infect the first Scrip-Node. They probably needed control of the hardware to first initialise the worm.

  2. The worm sent those impossible transactions to connected Nodes. These transactions were verified. The neighboring Nodes would receive those impossible transactions (since they were verified by a valid certificate) and would use the garbage collection to discard them. And here the interesting thing happens.
    If there was for example an exploit in the garbage collection or the chipset itself, the data won’t be lost but assembled in Memory. This way it might have been possible to inject the trigger program into the core memory without any security measurements preventing it, since it was a verified transaction of 0,00 Sc (rounded).
    Of course it didn’t take the network security team that operates the nodes long to figure out something bad happened after seeing multiple of those 0,00 Sc transactions in their logs.

  3. Once the carrier program is completely loaded into memory, it will extract the mutated worm and write it into the system. Now the worm takes over and will create more of those transactions with the Node’s certificate until all Nodes are infected.

  4. Once a critical amount of Nodes is infected, the worm has control over the whole network. Probably this is the point where the REAL Scrip transfers happened.


I think what she’s implying with her bullet points is that the raid on the Guristas facility by Intara was a literal brute force attempt to get the worm into the system by first getting ahold of some center that had admin rights to freely place whatever data they would want in a node and letting it spread from there.

How the Worm would get past the security of other nodes however is by sending out transactions that are impossible to follow through with… Like 0 Scrip, you can’t really transfer anything now can you? As a result, the nodes that receive this order will discard the data on its hard drive’s recycling bin - At that point however the worm has made it inside, the data was sent by a trusted source (its fellow node) and thus the receiving node’s security measures weren’t triggered and thought little of the strange data it was getting.

It’s rinse and repeat at that point, the Worm will extract itself and get to work doing what it did in its origin node.

She also provided a small little example of the process.


Thoughts:
I’m not 100% sure if this is the way it really happened, but it’s my best guess from the limited data I could analyze.
Insider information about the chipset is crucial. Without it, there is no way to perform this high-level attack. I think it took a team of specialists months to create this interesting piece of software.

If you want to protect your systems, contact the manufacturer of the chipset or look for a firmware update. The Scrip network was designed to be impossible to hack, the hardware it was running on sadly not.

Hope this helps you

o/ Komi


The Guristas might have a mole, Komi insisted once again that someone on the inside must have had prior knowledge of how these scrip networks are set up, what their security is like and how their files are structured. This worm is something truly sophisticated and wasn’t made by any lone hacker that you see in holo-reels. Who exactly made it is still uncertain, Komi gives me the impression that Intara were just the muscle on this attack and that the actual brains behind the worm are still in the shadows here.

I’m gonna ask Komi about coming up with some kind of “Cure” for the Worm, I believe I was told in passing that a cure would be designing our own Worm to go in and eat the first one. Frankly all this stuff is still a mystery to me so I’m just going with whatever the expert is telling me.

Designing one to counter this one won’t be easy, certainly not cheap - But if something like this hits the Venal networks? Could be catastrophic for the region’s economy and hurt the Guristas in a way not yet seen. I’ll pass this info to Mumo, maybe she can keep an eye out on our networks for anything like this in the meantime. I’ll pay our friend here a retainer and see if she can help develop a counter to this before it bites us all in the ass.

  • Avio
3 Likes
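The report notes that the node operators only noticed the attack after seeing multiple sub-minimum transactions in their logs. The check below, an added illustration that is not part of Komi’s report or of any real scrip system, is the kind of log watch that would have caught it earlier: it assumes the four-column layout quoted in the report (number, value with a comma decimal separator and the "Sc" unit, source id, receiver id), a 0,01 Sc minimum transfer, and constructed node ids.

```python
"""Flag scrip transfers below the 0,01 Sc minimum and the nodes sending them."""
from collections import Counter
from decimal import Decimal
import re

MIN_TRANSFER = Decimal("0.01")  # minimum transaction stated in the report

# Constructed sample log in the report's layout; node ids are placeholders.
SAMPLE_LOG = """\
#1 1,01 Sc #NODE-A-SRC #NODE-B-DST
#2 25,00 Sc #NODE-C-SRC #NODE-B-DST
#3 0,009194028111322 Sc #NODE-A-SRC #NODE-B-DST
#4 0,001489449712326 Sc #NODE-A-SRC #NODE-D-DST
#5 0,000047169669120 Sc #NODE-A-SRC #NODE-B-DST
#6 0,015 Sc #NODE-C-SRC #NODE-B-DST
"""

LINE_RE = re.compile(r"^#(\d+)\s+(\d+,\d+)\s+Sc\s+(#\S+)\s+(#\S+)\s*$")


def parse_line(line):
    """Return (number, value, source, receiver) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    number, raw_value, source, receiver = m.groups()
    return int(number), Decimal(raw_value.replace(",", ".")), source, receiver


def is_suspicious(value):
    """A transfer is suspicious if it is below the minimum or not a whole number
    of 0,01 Sc units, i.e. carries precision the network cannot actually settle."""
    return value < MIN_TRANSFER or value != value.quantize(MIN_TRANSFER)


def scan(log_text, threshold=3):
    """Return the suspicious transaction numbers and the source nodes that sent
    at least `threshold` of them (a node emitting many is the infection point)."""
    flagged = []
    per_source = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # ignore lines that are not transaction records
        number, value, source, _receiver = record
        if is_suspicious(value):
            flagged.append(number)
            per_source[source] += 1
    noisy_sources = sorted(s for s, n in per_source.items() if n >= threshold)
    return flagged, noisy_sources


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ([3, 4, 5, 6], ['#NODE-A-SRC'])
```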