State-based Cyberwarfare

07 Aug 11, 13:06
China chief suspect in major cyber attack - Telegraph (http://www.telegraph.co.uk/technology/news/8679658/China-chief-suspect-in-major-cyber-attack.html)

China has been accused of mounting a five-year hacking operation that stole industrial and national secrets on an unprecedented scale, after an investigation by a leading internet group uncovered a huge international security breach.
More than 70 organisations, including the United Nations, the International Olympic Committee (IOC) and defence contractors for both the UK and US were said to have been victims of the attack which was the work of a single “state actor”.
McAfee, the internet security group, stopped short of naming China as responsible, but independent security experts said the choice of targets, such as the Olympic Committee before the 2008 Olympic Games, suggested Beijing was the most likely culprit.
"Everything points to China,” said James Lewis, a cyber security expert at the Center for Strategic and International Studies who was briefed on the report, “You can think of at least three other large programs attributed to China that look very similar. It's a pattern of activity that we've seen before.”
The victims of the attacks were all tracked to a single computer server, McAfee said in its 14-page report, which added that some networks, including that of the UN secretariat in Geneva, had been penetrated for two years by the malicious software.

“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” wrote Dmitri Alperovitch, McAfee’s vice president of threat research.
“Companies and government agencies are getting raped and pillaged every day. They are losing economic advantage and national secrets to unscrupulous competitors. This is the biggest transfer of wealth in terms of intellectual property in history,” he added.
It was unclear precisely what purpose stolen data had been used for, with other targets including sensitive data on US military systems and satellite communications.
As well as the governments of the United States, Taiwan, India, South Korea, Vietnam and Canada, other targets included the Association of Southeast Asian Nations (ASEAN), the World Anti-Doping Agency, and an array of companies and high-tech enterprises.
Other experts have warned against rushing to accuse China which routinely denies being behind hack attacks, which are attributed to independent actors in China, or other countries using China as a smokescreen for their activities.
The report was released to coincide with the start of the Black Hat and Defcon conferences in Las Vegas, at which both security experts and hackers gather to discuss the growing threat of cyber intrusions.
Earlier this year senior Obama administration officials called for the Geneva and Hague conventions governing the conduct of wars to be adapted to reflect the possibility of cyber attacks on civilian installations such as hospitals and power stations.
American security chiefs are openly moving to strengthen the US’s ability to deal with cyber attacks, with the departments of Defence, Homeland Security and several other federal agencies openly recruiting in Las Vegas.
The National Security Agency (NSA) was among those hoping to find future agents among the hackers and computer enthusiasts who paid $150 in cash to register anonymously at the Defcon conference.
“Today it's cyber warriors that we're looking for, not rocket scientists,” Richard George, technical director of the NSA's Information Assurance Directorate, the agency's cyber-defence side, told Reuters. “That's the race that we're in today. And we need the best and brightest to be ready to take on this cyber warrior status.”

Why aren't any of the major states holding China to account over this?

It has been over a month since the Pentagon changed its stance regarding cyber-attacks as a declaration of war, but it hasn't translated to reality.

Washington moves to classify cyber-attacks as acts of war | World news | The Guardian (http://www.guardian.co.uk/world/2011/may/31/washington-moves-to-classify-cyber-attacks)

The US government is rewriting its military rule book to make cyber-attacks a possible act of war, giving commanders the option of launching retaliatory military strikes against hackers backed by hostile foreign powers.

The Pentagon has concluded that the laws of armed conflict can be widened to embrace cyberwarfare in order to allow the US to respond with the use of force against aggressive assaults on its computer and IT infrastructure.

The move, to be unveiled in a US department of defence strategy document next month, is a significant step towards the militarisation of cyberspace, with huge implications for international law.

Pentagon officials disclosed the decision to the Wall Street Journal, saying it was designed to send a warning to any hacker threatening US security by attacking its nuclear reactors, pipelines or public networks such as mass transport systems. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," an official said.

The new strategy would adapt the existing right of self-defence contained in the UN charter by bringing cyberweapons under the definition of armed attacks.

Joel Reidenberg, a professor at Fordham University in New York who teaches IT law, said the policy was an important recognition that new forms of warfare could harm Americans, "and that the US will protect its citizens in their 21st-century activities."

Sami Saydjari, a former Pentagon cyber expert who now runs a consultancy called Cyber Defense Agency, said the rule change was a logical and reasonable next step. "The US is vulnerable to sabotage in defence, power, telecommunications, banking. An attack on any one of those essential infrastructures could be as damaging as any kinetic attack on US soil."

But other cyber specialists warned the new provision would be extremely hard to implement and could escalate the militarisation of the internet.

Jody Westby, co-author of the UN publication The Quest for Cyber Peace, said attacks were difficult to track and trace back to their origins, often making it impossible to determine who is behind them.

She called for more diplomatic efforts to increase co-operation between governments rather than widening military options. "Sabre-rattling like this in the cyber age could backfire on the US, as it could spark further cyber-attacks on US infrastructure that could be massively destructive for American civilians."

The Obama administration signalled its intentions two weeks ago when the White House released its vision for the future of cyberspace. "When warranted, the US will respond to hostile acts in cyberspace as we would to any other threat to our country," it said, adding that such responses included "all necessary means" including military ones.

The US is considered especially prone to cyber-attacks because millions of computers in America have been infected and because its military networks are so highly computerised.

Alan Paller, research director at the Sans Institute, which trains computer security professionals, said military and defence computers in the US had come under attack from foreign states at least since 2003, with losses including key technical data for the $300bn F35 fighter.

"The military knows its systems are under constant and increasingly sophisticated attacks," he said.

US analysts have their sights particularly on China and Russia as potential sources of state-sponsored cyberwarfare. A congressional panel has warned that China had the capability of hitting federal networks connected via the internet, such as the national electricity grid, in a way that "could paralyse the US".

Russia was blamed in 2008 for a computer attack on the US Central Command, which oversees the wars in Afghanistan and Iraq. Russia was also implicated in more localised cyber attacks on Georgia and Estonia.

The US has also been implicated in cyber sabotage. It has been suggested that Stuxnet, the computer worm unleashed last year against Iran, was the work of the Israeli government, backed by Washington. Westby pointed out that the US has not denied the claim. "It seems we're happy to launch our own cyber-attacks when it suits us. That's hardly good diplomacy."

Kaspersky slams McAfee Response


Whether it's spite, semantics or something lacking in the research, some of McAfee's competitors are challenging the company's findings about "Operation Shady RAT," the worldwide series of cyber attacks disclosed by McAfee earlier this week that could be the biggest series of cyber attacks to date.
Both Symantec, maker of Norton Anti-Virus, and Kaspersky Lab, another security software maker, are questioning McAfee's report, which says Operation Shady RAT targeted 72 organizations including the United Nations, governments and companies around the world. The United States was the main focus of the attacks, which were aimed at stealing intellectual property, such as ideas, strategies and plans, rather than financial data, McAfee said.
"While this attack is indeed significant, it is one of many similar attacks taking place daily," wrote Hon Lau of Symantec, in a piece called "The Truth Behind the Shady RAT" on the company's blog.
"Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets," he wrote. "Is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case."
Symantec analyzed and shared on its blog what it believes were the three stages of the attacks, including the use of email and Trojans (hidden malware).
Alex Gostev, Kaspersky Lab's chief security expert, said the contention that Operation Shady Rat is the biggest cyber attack in history is "premature," and is not backed up by evidence.
"The information presented by McAfee’s specialists would be more convincing if it answered a number of vital questions," Gostev wrote in a commentary emailed to media organizations.
"The report only tells us that the company’s experts discovered access logs of connections with a certain Web server, which at some point had been used by hackers," he said in the email. "In their turn these logs indicate that interaction between this server and computers of large organizations were snooped on."
The Kaspersky email continued:
Based only on this information, McAfee makes two interesting assumptions: first — that a series of attacks has taken place; second — that valuable data has been stolen ... However, the report contains nothing on what particular data has been stolen or how many computers in each organization were hit by the attacks. The names of the malicious programs listed in the document that are in some way related to the server in question are too general: particularly which Trojans have been used cannot be established. And as far as we are aware McAfee has not provided samples of the Trojans to other antivirus companies, as normally occurs in the industry in situations like these.
Gostev also took McAfee to task for not saying "who is responsible for the attack." McAfee said it believes there was one "state actor" behind the effort, but declined to name it. Some security experts have suggested China, but the government-run People's Daily there said Friday it was "irresponsible" to link China with the attacks.
"We would point out that the Internet is connected to a great many servers of this type, they are used by cybercriminals, and several of them have indeed been functioning for years," Gostev wrote. "However, a situation in which a complicated and large-scale corporate espionage operation has alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after them — this is something that can certainly be described as unusual."
McAfee, asked for comments about the criticisms Friday, had little to say.
A company spokesperson said McAfee has "good reasons not to provide more in-depth detail behind Shady RAT" right now because of an ongoing "law enforcement investigation."
The earliest breaches date back to mid-2006, the company said in its report, though there might have been other intrusions as yet undetected. (RAT stands for "remote access tool" — it's a type of software that is used to access computer networks from afar).
"This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing," wrote McAfee's vice president of threat research, Dmitri Alperovitch, in the report.

Also, a more detailed look at what exactly the hackers hit - 49 US attacks out of 72 in total


The United States was the main target of cyber attacks that were part of "Operation Shady RAT," the five-year-long hacking effort revealed by McAfee late Tuesday.
The security company has said it believes there was one "state actor" behind the attacks but declined to name it, though one security expert who was briefed on the hacking told Reuters that the evidence points to China. There has been no comment from China so far about the report.
Of the 72 "victims" where governments, corporations or organizations were compromised, 49 of those were in the U.S., according to a breakdown provided by McAfee, followed by four in Canada, and three each in South Korea and Taiwan.
Next were Japan, Switzerland and the United Kingdom, followed by Indonesia, Vietnam, Denmark, Singapore, Hong Kong, Germany and India.
"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts ... design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries," wrote McAfee's vice president of threat research, Dmitri Alperovitch, in the report.
The United Nations, the Association of Southeast Asian Nations (ASEAN); the International Olympic Committee (IOC); the World Anti-Doping Agency; and "an array of companies, from defense contractors to high-tech enterprises" were among those hacked, Reuters said.
Alperovitch did say in the report that "the vast majority of the victims have long since remediated these specific infections."
But, the issue of "what is happening to all this data — by now reaching petabytes as a whole — is still largely an open question," he wrote.
"Although we will refrain from explicitly identifying most of the victims, describing only their general industry, we feel that naming names is warranted in certain cases, not with the goal of attracting attention to a specific victim organization, but to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team or even an unfortunate computer security firm."
Of the 72 "compromised parties," McAfee broke down a list of 32 "unique organization categories." The largest number, 22, was government agencies, including county, state and federal governments in the U.S., as well as a "U.S. government contractor," the United Nations, Canada, South Korea, Vietnam, Taiwan and India.
Thirteen organizations involved the defense industry; another 13, the electronics industry, computer security, information technology, satellite communications, news media, information services and communications technology. Twelve were categorized by McAfee as international sports, economics/trade, think tanks, international government/economics/trade groups, a "political non-profit" and "U.S. national security non-profit."
Another six were construction/heavy industry; steel industry; energy and solar power. Four were real estate, the accounting industry, agriculture and insurance.