
Cyberespionage: Raids from afar

Rather than cloaks and daggers, today's spies are armed with computers capable of reaching anywhere in the world, reports Greg Masters.

Move over James Bond, you're an anachronism. If you don't know how to get past a firewall, a martini shaken, not stirred, won't help you anymore. Nor will any gadget devised by Q.

When a group of eight Republican senators warned the Obama administration last August to be wary of the possibility of a Chinese vendor winning a bid to sell equipment to American telecom giant Sprint Nextel, they argued that the company, Huawei, had supplied equipment to Saddam Hussein's regime in Iraq and Iran's Islamic Revolutionary Guard. They also said that because the company reportedly had ties with China's People's Liberation Army (PLA), the selection would "present a national security threat for technology leakage or enhanced espionage against the United States." The Communist state's intention to develop cyber warfare capabilities was well-documented, the lawmakers claimed.

Whether or not the senators' efforts prevent one of the world's largest telecom equipment suppliers – it earned revenue of $20 billion last year – from winning the contract, the questions the dispute raises about cyberespionage warranted coverage on the front page of the New York Times. While once only a concern of military and government officials, with more businesses going global and more manufacturing being sourced overseas, the senators' concerns are reaching the ears of a wider public.

At the end of September, as he prepped for testimony before the House Armed Services Committee, Gen. Keith B. Alexander, the commander of the military's new Cyber Command, told a group of reporters that he had called for the creation of a secure computer network separate from the traditional internet in order to protect government agencies and those industries he dubbed critical, such as the nation's power grid and financial institutions, against attacks via the internet. More details on how this would be implemented have yet to be provided.

Trends in cyberwar

Some of these attacks are actually being discussed publicly, and the public discussion is on the increase, says Kurt Baumgartner, senior security researcher at Moscow-based Kaspersky Lab (Baumgartner is based in Boulder, Colo.). The volume and persistence of targeted attacks seem to be on the increase, he says. "The objectives of the successful attacks under discussion are spreading out to more identity and financial information, intellectual property and geo-political related."

Cyberespionage attacks, often carried out as "targeted attacks," have been going on for years and haven't received much public disclosure or attention, he adds. "Google changed that for the American multinational corporate stage, and made cyberespionage a front and center story this past year when they disclosed their 'Aurora' breach."

That breach was related to a coordinated series of targeted attacks on a large number of massive multinational corporations operating in China, and while the other corporations continue to enforce a silence, Google shared some details, Baumgartner says. "In addition to Google's actions driving that trend, security breach notification laws in the United States have also made it more difficult for companies in this part of the world to maintain a silence about break-ins."

In fact, the Pentagon recently issued a warning that China's People's Liberation Army is using "information warfare units" comprised of civilian computer experts skilled at launching malware attacks.

Also, a widely cited report released in April 2010, "Shadows in the Cloud," compiled by a group calling itself Information Warfare Monitor (comprised of Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa), in collaboration with the Shadowserver Foundation, said that although a Chinese spy network that siphoned information out of the offices of the Indian Defense Ministry, the United Nations, the Dalai Lama, and others was probably comprised of civilians with ties to a criminal underground, the data they gathered may have been passed on to the Chinese government.

The hackers, the report states, used a multilayered command-and-control infrastructure making use of social media systems, such as Twitter, Google Groups, Blogspot, Baidu Blogs, and Yahoo! Mail. Using this setup, the group was able to re-direct messages to servers in China.

Forensic investigations into these claims provide only circumstantial rather than substantive evidence – Chinese code, IP addresses based in China – but the suspicion and negative attention, if not actual deeds, are poisoning business, as well as diplomatic relations between the United States and China, at a time when the stated intentions of both nations are to increase cooperation.

The number of reported cases of cyberespionage is growing, with high-value, highly visible data emerging as the primary target, says Patricia Titus, VP, chief information security officer, Unisys. "The criminal has moved away from the traditional tactic of hacking the perimeter of the targeted infrastructure and toward developing an entire espionage ecosystem in which he shares internet and cloud resources with other criminals to collaborate, share hacking tools or sell their services," she says. The large quantities of processing power available in cloud computing environments allow these criminals to grow in strength and power while remaining relatively hidden in plain sight, she adds. "This is possible because the nature of cloud computing gives users access to infrastructure and software services while remaining unassociated to a particular company or organization."

In the past, it was difficult for just anyone to play in this new game of cyberespionage, says Titus. But with the low cost of computing resources available today through cloud computing, nearly anyone with some technical sense and a will to do harm can participate. "It no longer requires nation-state sponsorship," she says. "I predict we'll see more pockets of this type of criminal activity popping up. The cyber mafia grows every day."

As far as how cyber attackers are gaining entry, Joe Stewart, director of malware research at SecureWorks, observes an increased use of zero-day exploits, coupled with malware which is often not detected by anti-virus vendors. "For example, in August and September of this year, the security community saw no less than four zero-day exploits released in Adobe products," he says. "Clearly a lot of effort is being put into development of methods and tools to launch these attacks."

Cyberespionage is succeeding today, there's no question about it, says Eddie Schwartz, chief security officer at NetWitness. "The damage is typically serious and includes everything from data theft to data destruction to use of the victim network as a trusted spear phishing platform for other partner organizations," he says. "The enemy employs what we call 'offense in depth' – meaning that they use malware that is completely undetectable to legacy security tools to get an initial offensive foothold, have plenty of undetected free time to wander around the victim network and figure out the weaknesses in an organization's incident response capability, and then establish a deep entrenchment."

There are a number of trends that we should pay attention to, says Amichai Shulman, co-founder and CTO of Imperva, where he heads the Application Defense Center. Some of the trends concern the technical nature of the threat, while others relate to the political, social or environmental nature of targets and threats, he says.

"Nations are using self-propagating/viral, semi-targeted software agents for the attack," Shulman says. "We are seeing virus-like or botnet-like technology used by nations to try and infect as many computers as possible, some of which may be of interest for the attacking entity. It is semi-targeted in the sense that the infection routine is sometimes looking for specific settings (locale) or configuration in order to decide whether to infect a computer or not."

These attacks are, of course, not only occurring on the nation-state level. For organizations large and small, corporate espionage is a significant concern and especially when it comes to intellectual property, says Lee Graves, threat communications specialist, eSoft. Corporate attacks are continually becoming more sophisticated, exhibiting a high degree of coordination and complexity, he says. "Today's attacks tend to target one or a few specific individuals within organizations—individuals who have access to intellectual property or financial controls. Once a user's system has been compromised, attackers have the potential to steal confidential and proprietary information. Next, information can be sold on the black market, used for profit in the competitive global economy, or taken by governments to bolster their own programs or intelligence."

To combat these threats, whether nation-state or corporate, Unisys' Titus says that first, a discussion around cybersecurity must begin from the boardroom all the way down to the lowest level employees. "People need to be educated, because they play a large role in solving this problem," she says. "The criminal is not discriminatory in who they solicit to participate." Following that, she calls for more diligent monitoring of network resources. "IT professionals need to watch traffic patterns and quickly identify data behavior changes," she says. "We also need to be sure that basic security principles are actually applied. It isn't good enough to talk about it. You have to actually do it."

However, the problem is that there is an increasingly wide variety of high-value targets that attackers are attempting to access and steal, says Kaspersky's Baumgartner. "Anything from source code for authentication systems and flagship products, to SCADA-related information, to customer lists and transaction records, to individual employees' meeting schedules and emails, have been targeted," he says.

Are the attackers succeeding?

So, the question is: Are attackers succeeding in making their way into government and corporate networks? As with any crime, sometimes they do, Baumgartner says. "In the case of Aurora, they most likely succeeded at obtaining the intellectual property that they were interested in," he says. "But again, not all of the corporations involved are discussing publicly what was targeted. In the case of Stuxnet this summer, there is speculation as to what was targeted, and it is on a geo-political scale. But again, it is only speculation. Measuring success is difficult when details are not being disclosed publicly, and the consequences of these intrusions are even more difficult to assess."

In the long run, attackers hold the advantage, so it is difficult to fend off the constant barrage, he says. "The old, wise advice of using a layered, proactive security approach continues to hold weight," he says. "Many of these intrusions were realized because attackers were easily able to attack older, unpatched software. In the case of Aurora, older browser software was among the vulnerable software exploited, and the source code systems managing access to intellectual property were found to maintain loose security policy. Maintaining proactive security at the network, workstation, mobile/portable device, and maintaining a practical security policy that employees can follow and supports their work process can help prevent these intrusions. Sometimes there are more effective security solutions out there – the latest VBMania outbreak could have been prevented with a scanning heuristic."

The battle certainly is not easing. "We're seeing a pick-up in nation-state versus nation-state attacks," says JR Reagan, executive director of the Center for Cyber Innovation, which is part of Deloitte LLP and develops cyber solutions for clients in the public and private sectors. While no one is willing to admit that they're on the offensive, a number of corporations and states – e.g., Google and Israel – have admitted they've been the victim of attack.

"What we're seeing a lot in the United States is probing to steal military secrets, plans, nuclear data, but it goes beyond that," he says. "The military can disable an enemy's radar or satellite communications from afar. There's no need to send in troops. If one nation has a beef with another nation, it can educate some smart people in cyber techniques and point them at military installations. A lot of nations have the capabilities now."

It is, he says, a fifth war-fighting domain, joining the traditional battlefields – sea, air, land and space.

It is a highly complicated area that is so interconnected that it will take more than simply preparation, Reagan adds. "It will be necessary to go from reactive to proactive to preemptive," he says. "A sniper in cyberspace can take out a system without a lot of collateral damage."

Most defensive actions taken by nations are secret, so if they are doing something about it, we can't necessarily say what it is, adds SecureWorks's Stewart. "Certainly many groups and individual researchers are tracking these attacks closely and developing countermeasures."

But whether they are succeeding depends on how you define success, he says. "We can't stop a foreign state from launching espionage attacks even if we knew who the actors involved were. I think a lot has been done in terms of sharing information about these attacks in the past several months which is helping. We have a long way to go, however. Most organizations being penetrated by cyberespionage attacks are keeping silent about whatever details they've learned, and when they do so, it makes it difficult for other targets to defend themselves."

Stewart agrees that defense-in-depth is still the best approach. "One needs to really pay attention to what is being transmitted via the communication channels into the organization," he says. "Emails with malicious links or attachments are a primary vector for these attacks, but IM was reportedly used in the Aurora attacks as well. Lastly, the web is often the delivery mechanism once the initial social-engineering trap is sprung."

Close scrutiny should be placed on all documents coming in from the outside, he adds. "Ideally, there should be a quarantine for all incoming attachments where they can be analyzed in a sandnet and/or require sender confirmation before releasing them. Additionally, emails/messages containing links to third-party sites should also be examined for potential redirects to malicious code and potentially subject to the same kind of sandnet analysis with sender confirmation," Stewart says.

Outside of these advanced techniques, having strong firewall egress policies, host-and-network-based IPS, and employing executable whitelisting can also have a strong impact on a lot of the malware we've seen used in these attacks, he says.
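The mail-gateway triage that Stewart describes above (hold every attachment for sandnet analysis or sender confirmation, and examine message links for redirection) can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the sample message, hostnames and the `triage` function are constructed for the demonstration.

```python
"""Quarantine triage for an inbound message (constructed example).

Parses a raw RFC 822 message, holds every attachment for sandbox/sender
confirmation, and flags HTML links whose visible text names a different
host than the real href, the usual sign of a redirect to a third-party site.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: one executable attachment and one misleading link.
# All hosts are reserved .test names; nothing here refers to a real system.
SAMPLE_EML = b"""From: "Payroll" <payroll@example-corp.test>
To: finance@example-corp.test
Subject: Q3 bonus schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Review at <a href="http://login.example-corp.test.evil-host.test/">
https://intranet.example-corp.test/bonus</a> before Friday.</p>
--b1
Content-Type: application/octet-stream; name="schedule.pdf.exe"
Content-Disposition: attachment; filename="schedule.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def triage(raw: bytes) -> dict:
    """Return the attachments to hold and the links that look deceptive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    held, suspicious_links = [], []
    for part in msg.walk():
        if part.is_attachment():
            # Every attachment is held for sandnet analysis / sender confirmation.
            held.append(part.get_filename())
        elif part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                shown = urlparse(text.strip()).hostname
                real = urlparse(href).hostname
                # Visible text is itself a URL but the href goes somewhere else.
                if shown and real and shown != real:
                    suspicious_links.append((shown, real))
    return {"hold_attachments": held,
            "suspicious_links": suspicious_links,
            "quarantine": bool(held or suspicious_links)}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

Links whose anchor text is not itself a URL are not checked here; a production gateway would also resolve shorteners and fetch redirect chains, which is beyond this sketch.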

Cyberespionage is constantly taking place with significant success (probably on both sides), Shulman says. There are no silver bullets or magic here. "Proper risk management and layered security are the key factors," he says. "Emphasis must be put on solutions that thwart most prominent threats today, which are mostly data layer and application layer oriented. Attention should also be put to detecting the existence of deployed malware after the fact or detecting outbound covert channels. A major effort should be done to consolidate and standardize the protection of national infrastructure and government systems, specifically the control of their interfaces to the rest of the world. For example, creating a unified ISP for all federal as well as local government entities would greatly improve on the ability to detect, and react upon this type of intrusion."

Reagan points to a solid defense-in-depth strategy as well, so that if one layer is breached, there are other defenses in place so as to not "lose it all." The regulated industries – such as banking and infrastructure – seem to be doing a good job, he says, though he admits there are incidents. "It's not perfect."

The U.S. government, Reagan says, is doing a fair job at warding off attacks, considering it is under constant cyberattack from everyone ranging from miscreants determined to cause mischief to possible nation-states after military plans. The challenge, he says, is that we're used to having years to build up defenses. "It's getting more and more complex."

The good news for the IT security industry is that all this activity is making the field more and more important, says Reagan. It is very vibrant and becoming specialized, with workers in the field migrating to blue and white collar roles depending on their different skill sets.

One danger Reagan sees, however, is that today's CxO may not be prepared as they need to be. "These roles traditionally have been eyes in the back room. Now we're asking more of them." He believes the security pros managing network systems may not be prepared to drive the necessary changes across the entire organization.


How they gain entry

Technology isn't the only way cyber attackers are gaining access to information systems, says Patricia Titus, VP, chief information security officer, Unisys. By harvesting and extracting data from multiple sources, they are able to fuse data together to obtain the information they want. They acquire data in a number of ways, such as:

  • Social engineering, in which they call employees posing as a company official requesting information. They instruct employees to send the information to what appears to be a secure website with the look and feel of the employer.
  • Accessing data normally as it is transmitted between two trusted entities without proper encryption or security.
  • Penetrating network perimeters and randomly harvesting massive volumes of data rapidly. This data can then be run through filters that grab high value data.

Stuxnet: Aftermath

The damage inflicted by the Stuxnet worm at the Bushehr atomic reactor in Iran has generated a lot of press attention, yet coming up with a smoking gun to determine the attackers' origination point is proving to be complicated. Fingers are being pointed at likely culprits, but the evidence is circumstantial, not substantive, say experts.

The Stuxnet worm, a sophisticated self-replicating bit of malicious code, targets Supervisory Control and Data Acquisition (SCADA) systems made by Siemens. While the origin point of the worm is unknown, most experts agree that it is clear evidence of cyberwar. Israel, for example, has reportedly invested heavily in its Unit 8200, a clandestine cyberwar operation, which has been cited as a possible source of Stuxnet. The United States has been taking noticeable steps to build up its cyber operations, particularly inside the National Security Agency and the military.

In fact, in September, Gen. Keith Alexander, the commander of the military's new Cyber Command, called for the creation of a secure computer network separate from the traditional internet in order to protect government agencies and those industries he dubbed critical, such as the nation's power grid and financial institutions, against attacks perpetrated via the internet.

Illustration by Roy Wiemann

Photo of Bushehr atomic reactor by IIPA via Getty Images
