Abstract
Recently, APT (Advanced Persistent Threat) groups have been using the COVID-19 pandemic as part of their cyber operations. In response to these threat actors, IoCs (Indicators of Compromise) are being published to help defenders take countermeasures. In this paper, we analyse how coronavirus-themed cyber attacks unfolded on the academic infrastructure network SINET (The Science Information Network), Japan's academic information infrastructure network, based on passive measurement with IoCs. To extract and analyze the traffic patterns of the COVID-19 attacker group, we implemented a data flow pipeline for handling the huge volume of session traffic data observed on SINET. The data flow pipeline provides three functions: (1) identification of the direction of the traffic, (2) filtering by port number, and (3) generation of time series data. From the output of our pipeline, it is clear that the attacker's traffic can be broken down into several patterns. To name a few, we have witnessed (1) huge burstiness (port 25: FTP and high port applications), (2) diurnal patterns (port 443: SSL), and (3) periodic patterns with low amplitude (port 25: SMTP). We conclude that some of the patterns unveiled by our pipeline are informative for the security operations of the academic backbone network. In particular, we have found burstiness of high port and unknown applications, with the number of sessions ranging from 10,000 to 35,000. For understanding traffic patterns on SINET, our data flow pipeline can use any IoC consisting of a list of IP addresses for traffic ingress/egress identification and port filtering.
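The three pipeline stages named in the abstract (direction identification against an IoC address list, port filtering, time series generation) are illustrated below with an added example. This is not the paper's pipeline code; it runs over a constructed session export in a simple `timestamp,src_ip,dst_ip,dst_port` form, with documentation-range addresses standing in for IoC entries and for the monitored network's prefix. The `WATCHED_PORTS` set, the `HIGH_PORT_MIN` threshold and the bin width are assumptions chosen for the example.

```python
"""Added example (not the paper's own code): a small version of the three-stage
session-data pipeline described in the abstract. All addresses, ports and
timestamps are constructed."""
import csv
from collections import defaultdict
from datetime import datetime, timezone
from io import StringIO
from typing import Dict, List, Optional, Set, Tuple

# Constructed IoC list (documentation-range addresses, not a real feed).
IOC_IPS: Set[str] = {"203.0.113.10", "198.51.100.7"}

# Assumption: the operator knows the monitored network's own address range,
# so each session can be oriented relative to it (constructed prefix).
INSIDE_PREFIX = "192.0.2."

# Assumed port policy: keep these ports individually, fold everything
# >= 1024 under the label "high" (the abstract's "high port applications"),
# drop the rest.
WATCHED_PORTS = {25, 443}
HIGH_PORT_MIN = 1024

# Constructed session export: timestamp,src_ip,dst_ip,dst_port
SAMPLE_SESSION_LOG = """\
2020-04-01T00:00:05Z,192.0.2.15,203.0.113.10,443
2020-04-01T00:00:40Z,192.0.2.15,203.0.113.10,443
2020-04-01T00:01:10Z,203.0.113.10,192.0.2.20,25
2020-04-01T00:02:30Z,198.51.100.7,192.0.2.20,25
2020-04-01T00:02:45Z,192.0.2.33,198.51.100.7,8443
2020-04-01T00:03:00Z,192.0.2.33,192.0.2.34,445
2020-04-01T00:03:20Z,192.0.2.40,8.8.8.8,53
2020-04-01T00:04:00Z,192.0.2.15,203.0.113.10,443
"""


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def classify_direction(src: str, dst: str, ioc: Set[str]) -> Optional[str]:
    """Stage 1: orient the session relative to the IoC list.
    'ingress' = an IoC host opened a session to an inside host,
    'egress'  = an inside host opened a session to an IoC host,
    None      = no IoC address involved, so the session is dropped."""
    if src in ioc and is_inside(dst):
        return "ingress"
    if is_inside(src) and dst in ioc:
        return "egress"
    return None


def port_label(port: int) -> Optional[str]:
    """Stage 2: keep watched ports by number, aggregate high ports, drop others."""
    if port in WATCHED_PORTS:
        return str(port)
    if port >= HIGH_PORT_MIN:
        return "high"
    return None


def parse_sessions(text: str):
    """Yield (utc_datetime, src, dst, port) from the constructed export format."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, port = row
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, src, dst, int(port)


def build_time_series(text: str, ioc: Set[str], bin_seconds: int
                      ) -> Tuple[List[datetime], Dict[Tuple[str, str], List[int]]]:
    """Stage 3: count surviving sessions per (direction, port label) in
    fixed-width bins. Empty bins are filled with zero so every series has the
    same regular spacing, which is what burst and periodicity checks need."""
    raw: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    bins_seen: List[int] = []
    for when, src, dst, port in parse_sessions(text):
        direction = classify_direction(src, dst, ioc)
        label = port_label(port)
        if direction is None or label is None:
            continue
        b = int(when.timestamp()) // bin_seconds
        raw[(direction, label)][b] += 1
        bins_seen.append(b)
    if not bins_seen:
        return [], {}
    first, last = min(bins_seen), max(bins_seen)
    span = range(first, last + 1)
    bin_starts = [datetime.fromtimestamp(b * bin_seconds, tz=timezone.utc) for b in span]
    table = {key: [counts.get(b, 0) for b in span] for key, counts in raw.items()}
    return bin_starts, table


if __name__ == "__main__":
    starts, series = build_time_series(SAMPLE_SESSION_LOG, IOC_IPS, bin_seconds=120)
    for key, counts in sorted(series.items()):
        print(key, counts)
```

Sessions between two inside hosts and sessions to non-IoC destinations never reach stage 3, so the series only reflects traffic that touches the IoC list; a second pass could swap in a different IoC list or port policy without changing the binning code.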
Highlights
The outbreak of the COVID-19 pandemic crisis around the world has imposed an unexpected and great impact on everyday life
We present some traffic patterns unveiled from COVID-19 related IoC [2] in the huge academic backbone network SINET
We analyze how the coronavirus-based threat actors behave on the academic infrastructure network SINET
Summary
The outbreak of the COVID-19 pandemic crisis around the world has imposed an unexpected and great impact on everyday life. COVID-19 has become a global pandemic, which represents an opportunity for APT groups to exploit the situation. Since January 2020, APT groups have done just that, targeting academic networks as well as government and non-government networks using COVID-19 as a lure. We present some traffic patterns unveiled from COVID-19 related IoC [2] in the huge academic backbone network SINET. Our traffic observation is based on passive measurement and session data obtained from a PaloAlto-7080.