Breach, Threat Management, Threat Intelligence, Data Security, Threat Management

Future crimes: Are WikiLeaks, piracy and malware related?

Could valuable goods in commercial transport be targeted through malware? Will your high-value commodities become pwned [owned] by someone mining stolen data? What are the chances that your shipping agent has been compromised? Is there a focus on transportation by cybercriminals? 

WikiLeaks, malware and freight hijacking: Related?

Based on the WikiLeaked diplomatic cable information, an excellent article showing the nexus between piracy and foreign affairs has been written detailing an attack by pirates on the M/V Faina cargo vessel a few years back.

It is long been speculated that the cargo of 32 T-72 tanks, 150 grenade launchers and six antiaircraft guns were being shipped from the Ukraine to Sudan. Now, the diplomatic cables released by WikiLeaks (love em or hate em) definitively show the weapons were en route to the war-torn nation.

In fact, the tanks were just the latest shipment in a large-scale effort to arm the breakaway government with modern tools of war. An effort that the U.S. tacitly approved of and then changed its mind about when the Obama administration took charge.

According to WikiLeaks cables, this was a shipment which the U.S. government knew about. In immediate historical terms, this seems to have been done in response to U.S. citizen pressure to "do something about Sudan."

History: Bipartisan support for Darfur in 2006

Rewind four years to this event on the National Mall:

April 2006 – WASHINGTON – Thousands of people joined celebrities and lawmakers at a rally Sunday urging the Bush administration and Congress to help end genocide in Sudan's Darfur region.

The event attracted high-profile speakers, such as actor George Clooney, just back from Africa; Sen. Barack Obama, D-Ill.; House Democratic leader Nancy Pelosi of California; Nobel Peace Prize winner Elie Wiesel; Olympic speedskating champion Joey Cheek, who gave his bonus money to the cause; and Roman Catholic Cardinal Theodore McCarrick, archbishop of Washington.

"If we care, the world will care," Obama told the crowd. "If we act, then the world will follow." Pelosi said Democrats for once agree with Bush: "This genocide must stop."

Unfortunately, the Speaker of the House's term "genocide" is not a word that the UN was willing to use in Former Yugoslavia, Rwanda or in Darfur, Sudan. The use of the term "genocide" would mandate that the UN become involved as that is part of its charter.

Therefore, the unilateral actions the United States took in 2006 "to do something about Sudan" led somehow to Ukrainian armor being sent to the rebels of Sudan in the hopes that they could "do something themselves."

How are pirates in the 21st Century targeting their victims?

How to determine which ships hold the best cargo when even the people manning the rails don't know what's below decks? While a few $20 bills in the right bar to the right person could have gained insight in the days of crating products pierside, container shipping has placed most of that out of the viewing public's reach.

Along with the piracy was speculation by some private military corporation (PMC) sources about the intelligence of pirate groups in the past two years. The question had occurred to some maritime security specialists that many cargo vessels would pass through an area, only to have some cargo shipments stopped. One PMC and I sat down for coffee and he asked me what could be causing that trend?

Only a few weeks before this meeting, I had the fortune to share a couple of beers with a sealine administrator and the very topic we discussed was piracy and motivation. In this specific matter, my intel reach within this seagoing world was increasing. With another confidential interview from within an Inc. 500-rated sealine company, I gained some industry insight into this very cloaked world of trans-oceanic shipping.

After hearing their stories, cybersecurity considerations were on my mind.

Cybersecurity and old-school piracy on the high seas

One confidential source related to me over beers in 2009 that many cargoes were not fully disclosed; the merchant ship companies may not show fully accurate manifests. He gave the example of gold or other state-sponsored equity transactions going back and forth on a frequent basis with little more than a wink and a nod between the carrier and the customer.

Another resource stated that data networking between ports often was spotty at best. They were not alone; in other transportation industries, malware prevention and education was not a priority – even a recent airline crash had malware in ground computers listed as a contributing factor.

With high-value cargoes onboard, which often the crew themselves wouldn't know about, how would pirates target the most beneficial cargoes? One answer is with intelligence, possibly malware generated. All the pirates would need is updated position information to make their attack more successful – visibility is very limited on the ocean and small boats are hard for watchstanders and radar to spot.

But why would cybercriminals get involved?

One answer is that wherever there's money the incentive-based behavior of cybercriminals will easily fit the job. As opportunists, when a shipping network would become compromised, the cargo and manifest data would be of value. In the instance of the Ukrainian tank cargo, another theory has risen.

The assessment I gave to my PMC friend was that there may have been more than simply a lucky pirate involved – there was political and financial incentive to break the profit chain – starting within the Ukraine and ending in Darfur.

One theory voiced two years ago from a reputable resource was that the Faina shipment may have been specifically targeted for interception. Passing on the cargo targeting information to interested parties (pirates), as well as keeping them updated on the position of the ships as they were in transit, would result in success.

My viewpoint during that conversation was simpler: Any time heavy armor like tanks are being shipped from one point to another, somebody, somewhere, doesn't want them to arrive where they're supposed to be. Denial of transport was the whole game-changing mission of submarines in WWI and WWII – to attack and remove wartime assets from the game before they got to the game board.

Nowadays, outsourcing even affects naval combatants. Pirates can do the job cheaper, faster and better than a $300 million - $1 billion submarine and nobody can blame a silly pirate for more than being an opportunist. Or can they?

Malware or intelligence-based?

Clearly one cannot hide 20 or 30 T-72 tanks. It wouldn't have to have been a malware-related manifest leak – simply a dockworker relaying back cargo information from the port in Ukraine would have completed the same purpose. But this isn't as simple as it seems. Human intelligence (HUMINT) sources have to be recruited, handled and paid. They often run the risk of being countered or doubled. Life gets complicated.

Malware on the other hand is relatively cheap and reliable. Since most businesses in 2008 were relatively insecure, the key becomes how data mined through malware could be repurposed.

Additionally, tanks to Sudanese rebels threatened the balance of power in the region. This whole mess has the air of an intel operation, and now that Wikileaks has confirmed a few details, it has the polish of a chess-master's strategy revealed.

The pirate's (theoretical) friend in this instance was someone who didn't want the Ukrainian-built tanks to get to their destination.

Motive: 94 percent of Sudan's export = Oil

In the criminology 101 world, crimes all come down to a root of three factors: MMO – method, means, and opportunity. In order for cybersecurity to be considered a factor, the method/opportunity of the suspect must have access to strong cyberespionage skill and resources. Clearly, the pirates don't have organic cybercriminal abilities. Who could assist them and why?

My exercise with the PMC shipping protection contact went through the following:

  1. Hypothetical motives could be to weaken or embarrass the Ukraine or for a top trading partner of the Sudanese government to support the status quo.
  2. Hypothetically, if the motive was Ukraine/U.S.-based, the actor must have stellar cybercriminals at their disposal (MEANS), as well as not wanting Ukraine out of their sphere of influence (MOTIVE), and again having the chance to pull off the perfect caper because of no international cooperation in cybersecurity (OPPORTUNITY). M-M-O.
  3. Hypothetically, if one were looking for friends of Sudan with cyberespionage capability with connections to the Sudanese government, the import/export snapshot shows the top trading partner to be China with 49.8 percent of Sudan's export, 94 percent of which is oil.

Revealed two years ago: the Wikileaked skinny on China's state support of cyberespionage points to a strong tie between cybercrime developers and official government sources as well.

Remember: this is merely theoretical – analysis only, no confirming sources!

Hard data: Malware's vertical risk assessment

Separately, the question arose of why the transportation sector was targeted. ESET currently does not publish data on vertical markets targeted by malware. Other resources do and in a 2008 ScanSafe survey, three sectors showed considerable growth in custom-designed malware. In a year where conventional wisdom said cybercrime was going after the money, the top vertical sector targeted by malware was transportation.

ScanSafe (www.scansafe.com), was acquired in 2009 by Cisco. They are currently the largest global provider of SaaS web security. Their report considered more than 20 billion web requests and 200 million blocks each month for customers in more than 100 countries. These statistics derived from 21 verticals, which they measured in 2008. Even their researchers were surprised at the results:

For example, we assumed verticals such as travel, education, and media would likely have much higher rates of web malware exposure simply because these were industries consistent with a higher and more diverse degree of web surfing.

Our assumption was wrong.

According to our analysis of focus companies across 21 industry verticals, the top five most at risk verticals were energy & oil, pharmaceutical & chemical, engineering & construction, transportation & shipping, and (finally) the expected travel & entertainment industry.

From the ScanSafe Global Threat Report in 2009 comes this information pointing toward data theft trojans and the energy sector:

The heightened risk of data theft trojan encounters continued throughout 2009; energy & oil experienced an encounter rate 356 percent higher than the rate for all customers combined.

Unlike Google and Adobe, the energy companies alleged to have been breached did not confess to the compromise. Indeed, few victim companies choose to self report. Instead, the breaches that get acknowledged publicly are generally only those which involve theft of consumer or employee data – and only then because the laws require it.

This selective disclosure fuels the misconception that cybercriminals are only intent on stealing data intended for credit card fraud and identity theft.

Analysis

The key issue is that any valuable goods in commercial transport may be targeted.

  1. Cybercrime and piracy – within any industry the cream rises to the top. If malware has not been involved with freight hijacking, it soon will be. When it becomes commoditized, supply chain issues need to be anticipated.
  2. If the network of your shipping agent has been compromised at any of about 20 different spots from point to point, your high-value commodities could become PWNED in real life.
  3. Note to CIOs: If you're involved with decisions about data partnerships, keep a close eye on your transportation resources' policies and procedures because they could become a liability.
  4. Be aware that friends of countries in conflict will be targeting those who do commercial business – which could be you or your company. Keep your data networks and endpoints secure from rootkits and follow the counter-intelligence steps in our Spy vs. spy series from November 2010.

There's not enough open source proof about malware's involvement in the Ukrainian tank hijack but the operating theory behind data theft is that all data is valuable to someone, somewhere. Additionally, pirates are opportunists; the attack could have happened to any container ship on the open seas. It just happened to occur to a strategic asset transporting a game-changing amount of armament to support a revolution. One has to question why that ship was picked out of dozens or hundreds transiting through the Indian Ocean.

Personal note: Somalia and Sudan

My interest in this region initially came from being part of the "to do something about Somalia" exactly 18 years ago this week in 1992 when I was in the first carrier-based patrol down the Somali coastline – 10 months later, Army Rangers in Mogadishu were being attacked in the events made famous through the film Black Hawk Down.

While unilateral support for Darfur intervention was crowd-pleasing in the short term, according to the leaked documents, a changing administration changed course in this intervention strategy much to the frustration of a historically strong U.S. regional ally, Kenya. Sort of like Somalia in 1992, we were there to help.

My opinion: Being asked "to do something" anywhere seems to be the popular idea, but putting it into motion can get sticky. Consider carefully the causes you support and the costs in carrying out the cause.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.