Cybercrime and Espionage
Solar Sunrise
In 1998, the United States DoD took a strong step forward into the cyber frontier by establishing the first of its units with a dedicated mission to combat cyber
threats. This unit, originally known as the Joint Task Force-Computer Network Defense, and its central reason for existence were to demonstrate that the need for a new approach and attitude toward emerging
threat vectors, in particular, those associated with cyberspace, was required by the DoD and its affiliates.
5 The attitude adjustment came in the form of two key procedures:
•
Exercise Eligible Receiver 97
•
An unnamed cyber attack originally thought to be the work of Iraqi agents in 1998
These studies served to demonstrate that in addition to being able to inflict a great degree of damage against DoD computer systems and networks, it was also possible to capitalize on non-DoD systems to exploit vulnerabilities and thus render nations vulnerable to, and in some cases, potentially helpless against, advanced cyber attacks. Eligible Receiver 97 was directed and overseen by the Chairman of the Joint Chiefs of Staff and run from June 9 through June 13, 1997.
6 It was the first-of-a-kind large scale, zero warning, military field exercise designed to test the United States’ ability to respond to an attack on both U.S. civilian and military infrastructure. The operational exercises focused emphasis on key elements of civilian infrastructure such as the following:
•
Crucial infrastructure (namely power) organizations
•
Communications corporations
•
Defense Information System targets within the Pentagon, the Joint Chiefs of Staff, Defense Intelligence Agency, Central Intelligence Agency, and other ancillary agencies and commands
Vulnerabilities exploited included but were not limited to the following:
•
Operating system vulnerabilities
•
System configuration anomalies
•
Weak user awareness and operational security cognizance
•
Sensitive data posted to publicly accessible Web pages
Additionally, the National Security Agency (NSA) commanded a “Red Team,” which possessed no sensitive internal information, yet was able to successfully inflict a great deal of simulated damage because of the time it took to properly execute reconnaissance of targets of interest.
7
The lessons learned as a result of Exercise Eligible Receiver 97 were profound. It was proven to the Joint Chiefs of Staff and other high-ranking officials in the United States DoD and Intelligence Community that significant flaws and vulnerabilities existed not only in the systems that powered them but also in personnel.
8 Although the evidence was there to warrant change, the change would come too late as in 1998 the United States would face for the first of what can arguably be considered a series of high-profile cyber attacks known as Solar Sunrise. Solar Sunrise presented an all too real
threat and adversary to the people and government of the United States of America. It verified the vulnerability demonstrated in Exercise Eligible Receiver 97, yet unlike that operation which was a military and intelligence community field grade operational event this was an actual event of interest. An unplanned, unapproved event was taking place via a still relatively new communications medium which was now steadily becoming available to allies and adversaries alike the world over. Prior to this event, the concept of large-scale compromise, infiltration, and extraction of data from systems and networks belonging to the United States of America was largely academic, although probably enough to warrant exploratory exercises such as those conducted in Exercise Eligible Receiver 97. The potential for hostile adversarial groups and Nation States to purposefully disrupt or influence the state of the United States of America through the manipulation of information systems and networks was not only attractive but also possible. It was seen as an equalizing factor leveling the playing field for all globally.
In February 1998, a series of attacks were detected beginning on the 1st of the month and continuing on through the 26th of the month. During this period, approximately 11 attacks were launched on various targets belonging to the United States Navy, United States Marine Corps, and United States Air Force, respectively.
9 The attacks were predominantly directed toward machines running the Sun Microsystems Operating System Solaris and were classified as denial of service (DoS). The attacks all followed the same attack pattern and profile:
1.
Network address space enumeration to determine the presence of a vulnerability
2.
Exploitation of the vulnerability
3.
Deployment of a malicious program (in the case of Solar Sunrise a sniffing program) to gather data
4.
Return to the compromised hosts to gather collected data followed by exit
Given that the attacks were taking place in close proximity to the United States’ intended timeframe for possible combat missions in Iraq, an interagency investigation involving the United States Air Force, United States Navy, United States Marine Corps, United States Army, National Aeronautic and Space Agency, National Security Agency, Department of Justice, Federal Bureau of Investigations, and the Central Intelligence Agency ensued with several court orders being issued in an expeditious manner. Eventually, the investigations led to two California
teenagers and an 18-year-old Israeli boy.
10 Although none of the systems exploited was classified, it was argued by investigators and prosecutors that the disruptions could have been used to immobilize DoD communications systems, rendering the nation and its fighting forces at a definitive disadvantage should they be called into combat in the middle east.
11 As a result of the DoS attacks associated with Solar Sunrise, the DoD chose to move quickly to improve areas of weakness noted in the investigation. The DoD strove to improve operational security by the following measures:
•
Increasing situational awareness via the implementation of a 24-hour watch center
•
Implementation of intrusion detection systems on critical nodes and segments
•
Mature computer emergency response teams (CERT)
•
Robust contingency planning
•
Greater degrees of communication with the FBI’s National Infrastructure Protection Center and other law enforcement agencies (LEA)
The United States DoD continued to face cyber-driven computer infiltration challenges beyond the scope of routine computer viruses and relatively unsophisticated hacker attacks. As we shall see in the next section, although precautions were taken to reduce the attack surface noted by various organizations within the United States government (DoD, State Department, NASA, Pentagon, etc.), compromise, exploitation, and extraction of data continued at an alarming rate.
Moonlight Maze
Moonlight Maze is the code name given to a highly classified incident believed by many experts in both information security and intelligence to be the longest lasting example of an advanced persistent cyber attack in history to date.
12 Researchers and security experts alike first became aware of the incident in the spring (March) of 1998.
13 Officials of the United State government noticed anomalous activity occurring in restricted network environments. Systems within the Pentagon, National Aeronautics and Space Administration (NASA), the Department of Energy (DOE), Weapons Laboratories, and universities throughout the United States were affected by precise targeted efforts occurring over elongated periods of time. This was markedly different than what had been noted in previous attacks of a similar nature such as Solar Sunrise that preceded Moonlight Maze.
14,15,16 Once it had been detected, it was evident to those conducting incident response and analysis (IR) that the
threat was focusing on predominantly sensitive yet unclassified information and systems hosting such data. Incident response teams noted on conducting lengthy analysis of the data and affected systems, that the attack had been ongoing for nearly two years! This was noteworthy, given the nature of the systems and the organizations in which they were located. According to the news media organization FRONTLINE, sources indicated that the alleged invaders had been making their way through thousands upon thousands of files including a variety of data such as the following:
•
Maps of military installations
•
Military hardware designs
Theories arose in abundance regarding the attribution and origins of the attacks although nothing of a substantial nature was presented. Michael Vatis, the director of the FBI National Infrastructure Protection Center said that the intrusions appeared to have originated in Russia
17 although the evidence was deemed circumstantial at best. The consensus seemed clear however that the attacks were of a structured type and most likely originated outside Moscow. What troubled representatives of the collective environments most about the attack was the “magnitude of the extraction.”
18 The impact of Moonlight Maze on the day-to-day operations and comfort levels of the environments affected, in addition to the sentiment in Washington, was obvious and profound. Republican Senator Jon Kyl of Arizona chairing a Senate subcommittee hearing investigating Moonlight Maze noted that it was an event of extraordinary significance but certainly not a solitary example. The recognition that Moonlight Maze was but one of many events in 1997 that the people of the United States and its government should be concerned with was quite poignant. As a result of the discovery and investigation of the attack, the Pentagon had ordered $200 million dollars in new cryptographic equipment in addition to having upgraded its intrusion detection solutions and firewalls. These measures were taken to strengthen the risk posture of NIPRNET although their effectiveness would come under scrutiny at later dates as we shall see later in this chapter. Moonlight Maze accentuated serious vulnerabilities found within systems and networks belonging to the United States of America. Many of these systems played key roles in portions of network infrastructure deemed critical by authoritative bodies within the DoD, DOE, and Department of Justice (DoJ) among other federal agencies and departments. Utilizing attack profiles similar to those described in the Solar Sunrise case, attackers were able to carry out the following tasks:
•
Enumerate the network address space
•
Scan for vulnerabilities
•
If successful in identifying them, exploit them delivering a malicious payload—in this case a backdoor program enabling the attackers to reenter the system at their leisure in order to identify them
•
Conduct other probing activities (some resulting in the destruction of file and system structures)
To date, Moonlight Maze is still being actively investigated by United States Intelligence Agencies.
Titan Rain
No discussion of state-sponsored cyber attacks would be complete without discussing the story of Titan Rain and Shawn Carpenter. Neither of these is a household term although in information security and intelligence communities you would be hard-pressed to find someone who had not heard of one or both. Shawn Carpenter is a citizen of the United States of America, a United States Navy (USN) veteran, whistleblower (Mr. Carpenter was previously employed by Sandia National Laboratories when his adventure began), and a hero. Shawn Carpenter was instrumental in tracking down the points of origin for the attacks commonly referred to as Titan Rain today. In 2003, Shawn Carpenter was an employee of Sandia National Laboratories where he worked as a network analyst focusing on security breaches within the Sandia network infrastructure. Like most analysts whose work sees them engulfed by packet captures, trace analysis, and behavioral patterns, Mr. Carpenter vigilantly performed his work on behalf his employer and his country. Sandia National Laboratories had a mission of critical importance to the United States of America. Much of the Nation’s (the United States’) nuclear arsenal was designed there, along with a great deal of advanced energy and military research and development. The work conducted there was of paramount importance and required a dedicated mission-oriented staff to ensure that it remained free from obstruction and
threat. In late 2003, Mr. Carpenter had been asked to undertake another mission which was perhaps his most important to date.
19 It would see him cross the globe via the information highway taking him to faraway locations to establish attribution of foreign entities who had taken it on themselves to explore, compromise, exploit, and extract data from networks like and including those of Sandia National Laboratories.
The mission Mr. Carpenter would assume would see his nights and weekends disrupted for months on end as he tirelessly pored over data armed with coffee and Nicorette gum.
20 His work would see him track a group of alleged Chinese cyber spies bent on gaining deeper access inside American networks while remaining unfettered. He monitored their communications, hidden in the darkness of chat rooms, forums, and covert communications channels recording as much data for future analysis as possible on behalf of his
other employers, the United States Army and later the FBI. Mr. Carpenter first became aware of this group of alleged Chinese cyber spies while aiding in the investigation of a breach incurred by defense industrial base (DIB) firm, Lockheed Martin in September 2003. Several months later, Mr. Carpenter would note that an attack with a familiar signature was seen on the Sandia National Laboratories network. After looking into the event more deeply, Mr. Carpenter compared his findings with the findings of a trusted colleague in the United States Army. Both sets of data concluded which a very sophisticated, methodical initiative was underway which was targeting sensitive data contained within network environments deemed sensitive and restricted by the United States Government. These networks housed intelligence related to research and development initiatives, military bases and institutions, DIB contracting firms such as Lockheed Martin, and various aerospace corporations. The attacks were worthy of note and on later investigation were referred to as elegant in their execution. The attackers were well-versed in system architecture and careful in their actions. They sought out hidden portions of hard drives and attempted to aggregate as much data as possible in compressed file structures in order to transmit them in an expeditious manner to drop zones located in South Korea, Hong Kong, and Taiwan prior to forwarding the data on to mainland China.
21,22 Their execution was flawless; perfect in all ways. Their escapes were always nonevents; quiet without drawing attention to themselves or their points of egress. They were meticulous in cleaning up after themselves, taking care to remove any telltale signs or fingerprints left behind on the systems that they had compromised. They were sly, leaving behind on all systems enumerated and added to their Web of compromised hosts virtually undetectable beacons that allowed them to reenter a given host without fanfare at will. Their attacks were clean and swift averaging approximately 10–30 minutes per attack. Mr. Carpenter noted that they never made a mistake and took every measure possible to fend off prying eyes. To a security analyst like Shawn Carpenter, the temptation to give chase to these unknown and unwelcome “visitors” to his network and the networks of the United States of America proved quite strong and so he began tracking them globally. His efforts eventually led him to tracking the group to their geographic point of origin in the southern province of Guangdong.
23
In Washington D.C, officials remained noticeably quiet with respect to Titan Rain for several years stating only that details related to the case were considered classified.
Time magazine was able to confirm that at least three high-ranking officials in government positions considered the breaches outlined in the work conducted by Shawn Carpenter to be serious.
24 A great degree of speculation ensued on the disclosure of the breaches and compromises identified by Mr. Carpenter. The FBI began formal inquisition and investigation into the possibility that the attacks were in fact state sponsored by the government of the People’s Republic of China although many still remain noncommittal with respect to the attribution of the attacks. Many researchers and members of both law enforcement and the intelligence community have debated and continue to debate the involvement of the People’s Republic of China in these activities citing the voluminous numbers of insecure workstations and servers that are used on a continuous basis by cyber actors of various denomination to accomplish their agendas.
25,26 China’s State Council Information Office has gone on record as saying that the allegations are irresponsible and unfounded.
27 Despite the official U.S. silence, several government analysts who protect the networks at military, nuclear-lab, and defense-contractor facilities still maintain that Mr. Carpenter was correct and that Titan Rain is among the most pervasive cyber espionage
threats that U.S. computer networks have ever faced. We now know that this unit has grown and rivals a United States Army Brigade in standing troop strength. Examples of the types of information that was compromised and extracted includes the following:
28
1.
Aerospace documentation
2.
Hundreds of detailed schematic drawings related to propulsion systems, solar paneling, and fuel tanks for the MARS Reconnaissance Orbiter
3.
Falconview 3.2 flight planning software used by the United States Army and United States Air Force
The People’s Liberation Army of the People’s Republic of China announced the formal creation of “information warfare units” at the 10th National People’s Congress in 2003. General Dai Qingmin
29,30,31 said that Internet attacks would run in advance of any military operations executed by the People’s Liberation Army in order to cripple their enemies while creating fear and confusion. Additionally, he and other Chinese Generals conveyed to that audience and others subsequently that there were six core elements necessary to invoke information warfare successfully:
1.
Mastery of operational security
4.
Mastery of electronic warfare and security
5.
Computer network warfare
In 2007, activity associated with the People’s Liberation Army’s cyber-warfare units was noted in Germany and the United Kingdom. Both examples were considered logical extensions of what originated as Titan Rain.
32
Compromise Of The United States Power Grid And Critical Infrastructure
In March of 2005, Patrick H. Wood
33 III had much on his mind. Wood, who is the former Chairman (then the Chairman) of the Federal Energy Regulatory Commission (FERC), had warned the top executives within the electricity industry in a private meeting held in January (only three months prior) that much more emphasis and care needed to be placed on cybersecurity within their areas of responsibility. In March of 2005, Wood experienced what many would consider a terrifying event.
34 He was invited to the DOE’s Idaho National Laboratory for a private demonstration. It was a demonstration that would support the assertions he conveyed to utility corporation executives just three months earlier. So compelling was the demonstration which Wood witnessed that after the fact, he increased his efforts and those of his office in increasing awareness and education about cyber security. The demonstration was a simulation of what could occur if a skilled attacker were to compromise the national power grid. Now, what is interesting about this is that it occurred well after both Black Ice and Blue Cascade during the period 2001–2003 in the Pacific Northwest. Via the demonstration, Wood learned the following:
1.
The Internet-based business-management systems in use at the time were highly susceptible to attack
2.
On compromising them, an attacker could take control of other systems—systems that control the utility operations environment
3.
On gaining access and entry, the attackers could, via the escalation of privileges and exploitation of system vulnerabilities, accomplish the following:
a.
Attackers could cut off the supply of oil to the turbine powered generators—the same generators that produce electricity
b.
Cause destruction of the equipment and potentially the facility as a result
Ken Watts,
35 an employee of Idaho National Laboratory at the time who witnessed the demonstration confirmed the results and the realities presented by the events of that day. When later asked about the events of that day and the impact they had on him, Watts had only this to say, “I wished I’d had a diaper on.”
36 A powerfully concise and descript message, one that should have been paid more heed. One might think that on receiving information of that nature the FERC would have immediately begun taking steps to address these issues. However, it would not end there. In August of 2007, Scott Lunsford,
37 a security researcher working with IBM Internet Security Systems successfully compromised a nuclear power station. Initially he was told that it would be impossible to do as the infrastructure, he was assured, was not Internet facing. The plant owners were wrong. By the conclusion of the first day, Lunsford had penetrated the network. Within one week’s time he and his team were controlling the nuclear power plant. Obviously, this was a major problem, which foreshadowed others to come. What Lunsford identified were flaws, which would be noted in a report released by the United States Federal Government in the April of 2009. The report was generated and released by the United States Government after completing a full audit of the national power grid infrastructure.
It was the first time that commercial power and utility companies gave the United States Government permission to conduct such an audit. The results were shocking and provided a grave look into the state of critical infrastructure within the United States in addition to the use and prevalence of APTs sourced by many entities, for the express purpose of deep compromise of the environment.
The report revealed that the Nation States involved included the following:
1.
The People’s Republic of China (People’s Liberation Army)—may be a continuation of the effort known as “Titan Rain”
4.
Other nondisclosed entities
What made the report both chilling and infuriating was that in addition to the presence of foreign entities within critical infrastructure of the United States of America (later confirmed by former CIA staff officers), it was pervasive throughout the United States. It was not localized to one region or Power Company but gross in its scope and penetration across utilities (e.g., electric, natural gas, water, etc.). Furthermore, the report revealed the presence of what authorities at the time referred to as “calling cards,” which were later disclosed as being rootkits and backdoors; classic elements and attributes of APT-based attacks. 2009 would quickly become the year of the APT and our next example demonstrates this just as clearly as its predecessors.
Byzantine Foothold (“Ghost Net”)
On March 29, 2009, the details of what would become one of the most, if not the most, talked about example of APT activity in recent history were released via a story in The New York Times. The history of this particular attack is intriguing and its depth and breadth are impressive to say the very least. The target of interest was the Office of the Dalai Lama (the Tibetan government in exile), which was, at the time, located in Dharamsala, India. Suspecting that they were the unwitting victims of espionage, the representatives of the Tibetan Government engaged a group of third-party investigators, the Infowar Monitor (IWM). The team comprised researchers from Secdev Group, and other consultancies and research bodies. The results were quite shocking and revelatory.
Compromised systems were identified in 103 countries the world over including systems in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Portugal, Germany, and Pakistan in addition to the Office of the Prime Minister of Laos. In addition to these national embassies, financial institutions within the region were also compromised leading to approximately 1295 hosts having been compromised and identified. Estimates suggested the progression of the attack saw about a dozen computers being attacked on a weekly basis. The attackers in question did not engage with advanced next generation or designer malware. In fact, they engaged their targets after conducting rigorous reconnaissance and assessment of the target environment and were able to use commonly obtainable tools in order to accomplish their goals. Voluminous amounts of data were accessed and harvested by the assailants. Email traffic had been siphoned out of the target hosts while conversations were eavesdropped on using listening and recording devices via integrated microphones and/or Webcams.
Google China Attacks (“Aurora”)
The importance of this specific SMT, which was categorized as an APT, by McAfee Avert Labs was the first real public use case of a specific attack that would have been typically directed at a public sector entity. This attack was very sophisticated and targeted Silicon Valley’s high-tech firms. The attackers used vulnerability in the IE Web browser that allowed them to send an encrypted payload to the targeted host on visiting a given Website. Once the code was executed, it would then set up a covert SSL connection in order to transmit various types of data out of the network. This attack introduced a new class of attack that the mainstream security community thought was new but had been plaguing the public sector and other high profile industry verticals for decades. Up until Aurora, many security vendors didn’t address APTs nor did they talk about them openly. In the case of Aurora, the attackers used multiple vectors that were very sophisticated and required many point security solutions to work together in order to deny the attack. As APTs evolve into SMTs, the security industry is going to have to change a lot of their detection capabilities to include deep packet inspection and the ability to discover covert channels quicker.