VSTI/SAS - Grand Challenge

VAST 2011 Challenge
Grand Challenge - Cause and Effect

Authors and Affiliations:

Edward Swing, VSTI, a SAS Company: ed.swing@vsticorp.com [PRIMARY contact]

Kevin Boone, VSTI, a SAS Company

Tool(s):

For this challenge, we used a number of different tools, determining which tools would be most appropriate for each challenge.

For the microblog challenge, we applied Base SAS 9.2 to prepare the dataset for analysis. This tool allowed us to subset the data, and transform it as needed. For the geotemporal analysis, we used ESRI's ArcGIS 10. This allowed us to visualize the distribution of messages on different topics. It enabled us to easily analyze both spatial and temporal components of the blog messages.

For the cyber-security challenge, we used Base SAS 9.2 along with Wireshark to transform and merge log files. SAS Enterprise Data Guide and JMP Pro provided the analytical capabilities used, and generated the visualizations.

For the text analysis challenge, we used the Luminary prototype system for the automated extraction and analysis. Luminary in turn used SAS Content Categorization and several open source entity extraction tools (Alchemy, OpenCalais, Lingpipe, and OpenNLP). Finally, we used Semantic MediaWiki for browsing through the text articles and presentation of the results.

To coordinate information among the three challenges, we started to create additional pages within the wiki to provide a collaborative area where we could view all analytical data in a cohesive framework. Unfortunately, time constraints prevented our completing this step.

Video:


ANSWERS:


Debrief

The city of Vastopolis has recently seen a rise in domestic terrorist incidents, ranging from simple pranks to arson and bioterrorism. A number of local terror groups, including the Paramurderers of Chaos (PoC) and the Network of Hate, have increasingly caused problems in the city. The activities of the PoC are particularly troubling, demonstrating a combination of fanaticism, biological expertise, and the ability to conduct sophisticated cyber-attacks. In addition, they likely have allied with the F-Alliance, a group of disaffected university student hackers.

In March, a number of farm animals near Vastopolis died as a result of microbial infections. This unusual outbreak was caused by a spore-forming microbe, but it was deemed harmless for humans. Farmers reported seeing suspicious trespassers on their farms. The PoC were likely testing infectious microbes on livestock, but found that it failed to infect humans.

On 10 April, members of the F-Alliance stole an entire room full of computers from the Vast University library, and vandalized the computer room.

On 11 April, members of the PoC likely attended a presentation given by Dr. Edward Patino at Vast University. Dr. Patino, a molecular biologist, spoke about the dangers of bioterrorism.

On 13 April, five workstations at the All Freight Trucking Company began to communicate with other workstations within the company at a high bandwidth setting. This was to prepare the other workstations to receive a high volume of data. Immediately following this, a Denial of Service (DoS) attack against the company's web server originated from external IP addresses. This possibly masked an upload of malware onto the workstations and web server. On the 14th, similar activity was observed. Finally, on the 15th, suspicious communications occurred between the company's web server and shipping/routing server. The nature of the communications suggests those servers had been added to a botnet in preparation for another DoS attack.

The DoS attack against All Freight may have masked an attempt to install backdoor software to enable hackers to access All Freight's database. This suggests that All Freight's external webserver had been compromised by sophisticated malware, possibly allowing outside hackers to access the trucking company databases. The PoC likely used this access to either obtain shipping manifests or insert a false shipment. Either of these could have helped the culprits engineer the truck accident on 17 May.

On 19 April, members of the F-Alliance were arrested for attempting to hack into Vastopolis banks. This apparently unrelated activity may be connected to the PoC. Both groups seem to have university ties. The sophisticated hacking attack on All Freight may be a result of a collusion between the F-Alliance and the PoC, though no explicit link has been discovered yet.

On 26 April, the PoC broke into Dr. Patino's microbiology lab, and stole large amounts of equipment and materials. The similarity of this theft with the theft of the computers from the Vast University library again suggests that the F-Alliance and the PoC are working together.

Using the equipment stolen from Dr. Patino, the PoC set up one or more basement laboratories, and developed a strain of microbe that would be infectious to humans. On 13 May, three PoC members were discovered in a basement lab. When discovered, they destroyed their equipment rather than attempt to evade capture. The remaining equipment included high-end workbenches, probably those stolen from Dr. Patino.

The PoC were also scouting food preparation plants to find a way to deliver the microbes. On 15 May, a suspect wearing the gang colors of the PoC was arrested after midnight near the loading docks of a food preparation plant, but this was likely not an isolated incident. Guard dogs noticed the PoC member at the food preparation plant.

Also in early May, the city fell prey to several incidents of arson and bomb scares. It is possible that some of this activity was related to the biological weapon. One particularly suspicious arson attempt occurred at an abandoned warehouse in Downtown Vastopolis.

Using the information gained from All Freight Trucking and their expertise in biological warfare, the PoC engineered, or directly caused, a truck accident on May 17. Two 18-wheelers collided on the I-610 bridge over the Vast River. Neither truck had time to avoid the accident, as one truck drifted into the oncoming lane to collide with the other truck at high speed. While originally believed to be an accident, it is apparent this was a deliberate collision.

One truck carrying chemicals caught fire and exploded. The prevailing winds, flowing eastward that day, spread smoke and airborne chemicals or microbes into Downtown Vastopolis, causing an outbreak of respiratory infections and flu-like symptoms throughout the city. Fuel, other contaminants, or food laced with infectious microbes fell into the river and caused an outbreak of gastro-intestinal infections in Vastopolis inhabitants downriver. In addition, the accident tied up traffic for hours while crews worked to clean up debris and chemicals, increasing the exposure time for all motorists.

Suggested further lines of investigation include determining the details of the trucks involved in the collision. Was either of the trucks involved in the collision from All Freight? Or did either truck have a relatively new driver? Another possible line of investigation would be to see if security cameras from other food preparation plants showed any PoC members trespassing.

In addition, it would be prudent to investigate the F-Alliance members more thoroughly, and check their seized computers for evidence. The possible connection between the PoC and the F-Alliance suggests a connection through Vast University. Questioning Dr. Patino to have him identify students with enough expertise to manufacture such microbes would also be prudent.