Espionage in 2010
Espionage has been described as “the second oldest profession, and just as honourable as the first.” The practice of intercepting wireless signals existed at the time of the Russo-Japanese War of 1904. The disciplines of electronic warfare (EW) and signals intelligence (SIGINT) evolved over the years. The doctrine of Information Warfare (IW) reached its peak in 1994, and cyber espionage then emerged in nation states. China and Russia were quick to add the concepts to their arsenal, which evolved throughout the 20th century into “the last, best-kept secret of the state.”
Cyberspace has transformed the practice of signals intelligence. Previously, signals intelligence agencies spent billions of dollars building collection platforms that snatched conversations out of the ether. Today’s cyber spies simply rely upon a globally interconnected set of networks, and automated bot nets to harvest information and engage in espionage.
Russia and China regard their telecommunications infrastructure and industrial base as a national asset and use it as a weapons platform to: facilitate foreign Signals Intelligence collection; project foreign policy agendas; perpetrate state-assisted crime; shape the global supply chain; or launch an all-out cyberwar coordinated with a ground battle, as in the cases of the Georgian and Estonian conflicts.
Nation states are not the only organizations driving the transformation of signals intelligence. Increasingly, espionage is becoming privatized – run by shady networks of contractors, cyber criminals, and privateers. This ‘unique’ private-public partnership applies Internet crowd sourcing to espionage and war fighting – enabling the rapid development and deployment of technology and tradecraft. We now find ourselves decisively engaged with foes that lead with their best offensive line – and pay top dollar for top talent.
‘The threat sees the network as an asset, not a commodity.’ For instance, the 2007 Annual Report to Congress on the Military Power of the People’s Republic of China contends that: “The People’s Liberation Army (PLA) is building capabilities for information warfare, computer network operations, [which could] be used in pre-emptive attacks. China’s CNO concepts include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to achieving ‘electromagnetic dominance’ early in a conflict. The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks.”
China has not been shy in flexing its cyber muscles. In the spring of 2010, its state-owned China Telecommunications propagated false routing tables from IDC China Telecommunication, which effectively hijacked 37,000 networks (12% of the Internet), redirecting them to IDC China Telecommunication instead of their rightful owners. These included about 8,000 networks in North America.
The Problem Set
During the cold war, spy cases were intriguing but irrelevant to most folks. It was a war fought in secret between cloak-and-dagger intelligence agencies. The average citizen and business owner were not immediately affected by the spectre of espionage.
The lines between the state and private enterprise, crime, espionage and warfare are now blurred. We can no longer think of spying as a distinct phenomenon. Nor can we conduct counter-espionage operations in the traditional way. Spying can switch to and from a criminal vector at the speed of light. E-spionage is an industrial-grade problem that affects everyone insidiously.
Conventional misconceptions contend that only nation-states possess the sophistication, means, motive and mandate to conduct e-spionage; and that e-spies are only after military secrets. This is simply no longer the case.
Focused targeting and persistence of attack, rather than technology, are the distinguishing features of e-spionage today. Organized crime is by far the most prevalent and best-resourced threat in cyberspace. Its tradecraft and technological sophistication are, for the most part, identical to those of hostile intelligence services.
It is no surprise that hostile nation-states systematically outsource e-spionage and computer network attacks (CNA) to national telecommunications providers and indigenous organized criminal groups. The privateering of CNA with virtual Letters-of-Marque provides the state non-attribution and a safe harbour for the criminals. E-spionage can hide in the noise generated by broadband use of criminal botnets.
However, spying and cyberwar do not pay the bills. So organized crime is left to run the business, pillaging economically with robot networks, with the duplicity of the state. “We use computers to send viruses to the West and then we poach your money,” says Russian ultra-nationalist Vladimir Zhirinovsky.
Likewise, foreign e-telligence no longer focuses exclusively on military targets; increasingly it targets political and economic assets. In part, this is a consequence of characteristics of the cyber environment. Systems are now so interconnected that data leaks from classified systems to public networks. Moreover, this interconnection means that attacks that leverage social vectors – basically the trust people put into relationships with others – can successfully overcome even the most sophisticated firewalls and technical defences.
Tradecraft has adapted to take advantage of these soft targets. Espionage is often carried out by sophisticated commercial grade botnets which are difficult to detect, and the deployment costs are close to zero. Intelligence actors can focus on targeting and analysis, and can essentially outsource the collection activity to third parties.
E-spionage may compromise your supply chain through the persistent shaping of infrastructure components and traffic.
On a slightly more sophisticated level, foreign ownership, control and influence of critical infrastructure, and the pervasive use of untrusted providers for goods and services (such as Internet and telephony), expose many organizations to e-spionage. Treating critical infrastructure solely as a commodity is a most precarious strategy.
A recent investigation by the Information Warfare Monitor uncovered security and privacy breaches affecting TOM-Skype – the Chinese version of the popular voice and text chat software Skype, marketed by the domestic Chinese company TOM Online. TOM-Skype routinely collects, logs and captures millions of records that include personal information and contact details for any text chat and/or voice calls placed to TOM-Skype users, including those from the Skype platform. The report called into question the extent that TOM Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents.
Russia is one of the clear leaders in evolving and adapting its intelligence practices to the cyber domain. While remaining largely undeclared, cyberspace operations consisting of sophisticated botnet attacks, denial-of-service events, and the selective use of private communications harvested from cellular phones and the Internet have been used to silence opposition and shape domestic politics, both at home and within the Commonwealth of Independent States. These aggressive new techniques stand in direct contrast to traditional human source methods, which have remained cautious and conservative.
Criminal groups are alleged to be “in cahoots” with Russian security forces. The most often cited is the Russian Business Network (RBN), which has been described as embodying the greatest concentration of evil in cyberspace, and is considered by some experts to be the most significant deliberate threat to Canadian information infrastructures. RBN offers Internet access, computer network exploitation and attack services to organized crime and state security services alike. Spamhaus describes RBN as “the world’s worst spammer, child-pornography, malware, phishing and cybercrime hosting network, providing bulletproof hosting.”
The RBN’s apparent immunity from prosecution in Russia lends credence to the theory that it operates under some umbrella of protection from Russian officials, possibly in return for providing information against targets of mutual interest and a platform for e-spionage.
The PLA considers active offence to be the most important requirement for information warfare to destroy or disrupt an adversary’s capability. Contrast this with Canada’s predilection for a strategy of incident response and disaster recovery.
Gordon Housworth writes: “Informationalization has entered Chinese military thinking in earnest, affecting both foreign commercial and military assets.”
U.S. and EU commercial assets have already suffered serious predation from Chinese military assets and Chinese commercial assets operating under military direction. Shifting from passive to active cyberwarfare, the People’s Republic of China (PRC) intends to “be able to win an ‘informationized war’ by 2050.”
Lengthy investigations like Titan Rain, Moonlight Maze, and Aurora have uncovered a tangled web of intrigue and skulduggery involving former cold war antagonists. The U.S. Deputy Defense Secretary, in a congressional hearing, stated “in no uncertain terms” that “we are in the middle of a cyberwar.”
The report Shadows in the Cloud: Investigating Cyber Espionage 2.0, by the SecDev Group, Citizen Lab and the Shadowserver Foundation, describes a complex ecosystem of cyber espionage that systematically compromised government, business, academic and other computer networks. Data was stolen from politically sensitive targets. The report analyzed the malware ecosystem employed by the attackers, which leveraged multiple redundant cloud computing and social networking platforms and free web hosting services in order to maintain persistent control while operating core servers located in Chengdu, China.
Similarly, the Tracking GhostNet: Investigating a Cyber Espionage Network investigation discovered over 1,295 infected computers in 103 countries, 30% of which were high-value targets, including ministries of foreign affairs, embassies, international organizations, news media and NGOs. The capabilities of GhostNet are far-reaching. The report provided evidence that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. It underscores the growing capabilities of computer network exploitation and the ease with which cyberspace can be used as a vector for new do-it-yourself forms of signals intelligence. It is a clear warning to policy makers that information security requires serious attention.
Attribution is difficult because there is no agreed international legal framework for being able to pursue investigations down to their logical source, which is often local.
Google was compromised in January 2010 along with other hi-tech and defense companies. NetWitness revealed the existence of a Zeus-based botnet that had compromised over 74,000 computers around the world, where the attackers demonstrated technical sophistication “on par with many intelligence services.”
SecDev’s investigation confirmed that Zeus infected targets within the government and military sectors with second instances of malware designed to exfiltrate data and sensitive documents from the compromised computers.
The investigation found 81 compromised computers that had uploaded a total of 1,533 documents to the drop zone. They found sensitive contracts between defense contractors and the U.S. Military – documents relating to, among other issues, computer network operations, electronic warfare and defense against biological and chemical terrorism. The investigation found the security plan for an airport in the United States as well as documents from a foreign embassy and a large UN-related international organization.
On 6 February 2010, Brian Krebs reported that attackers using the Zeus trojan targeted a variety of U.S. government and military email addresses in a spear phishing attack that appeared to be from the National Security Agency, and enticed users to download a report called the ‘2020 Project.’ Following publication of Krebs’ article, attackers used portions of it as lures in further spear phishing attacks. The malware was connected to a command and control server located in China.
The Zeus botnet was highly active, coincident with the 2010 Olympic Games.
Cyberspace is expanding beyond billions of computers and other Internet-aware devices; all are highly exposed to hijacking malware that can assimilate them into a larger criminally-controlled robot network.
Most organizations use traditional security architecture practices to secure their networks. These are inadequate safeguards against advanced persistent threats. As recent studies show, considerable amounts of botnet traffic continue going to and from these networks. One such study provided evidence of extremely large distributed denial of service attacks, sophisticated foreign-controlled robot networks, spynets and high volumes of cybercrime affecting both public and private sectors.
The Resolve to Solve
E-spionage must be addressed by a proactive, pre-emptive strategy. A strategy focused on passive, reactive defense serves only to invite cyber attack. The increased activity in cyberspace by actors like China and Russia attests to an emerging ecosystem in cyberspace, one which requires attention at the foreign policy as well as the technical level. A failure to do so will result in increased exposure and encourage even more audacious acts.
The answer to this e-spionage threat requires a coordinated response. At a technical level, we must focus on rapidly engineered ‘best’ security practices for modern High Performance Secure Networks. This advice goes beyond ‘common’ policy and standards that are decades behind advanced persistent threats. Classified networks are no longer safe – everything is connected.
The attack vectors used for e-spionage can be closed off by mitigating broad advanced persistent threats like criminal botnets and their controllers.
Corporate IT architectures must be built on a strong foundation. Trusted Internet connectivity, core intelligence and ‘clean pipes’ provided by upstream security are the cornerstones of the U.S. Comprehensive National Cyber Security Initiative, the impetus for which was the e-spionage threat. Traditional paper risk assessments are obsolete upon publication. Real-time risk management and adaptive-dynamic enterprise security architectures are necessary.
Engineering a solution to e-spionage must be performed in the context of an integrated risk management framework that clearly explains (and calculates) business imperatives, the TCO (Total Cost of Ownership), and ROI (Return on Investment) per dollar spent.
Education and awareness are key. Most spynets are built by social-engineering entry into a network of interest with a well-crafted email harbouring a malicious link or attachment, hence ‘executive spear phishing.’ There is no technical defense against a well-executed social attack, or ‘viruses of the mind.’ Network owners and users must be vigilant when opening suspicious emails containing links or questionable attachments.
Protecting Our Assets
Policy is critical. Cyberspace needs to be recognized as a national asset, and as both a potential national weapon system and a vulnerability. Security policy focused solely on the defense of networks is insufficient. An effective cyberspace strategy requires an effort that synchronizes our activities across the whole of national governance, including foreign affairs, defense, public safety, and industry. Our strategy must emphasize manoeuvre; to do less renders our best efforts at cyber security no more than a 21st century version of the Maginot Line that any hacker can crack.
Dr. Rafal Rohozinski is the Director of SecDev Group and David McMahon is with National Security Programs at Bell Canada.
© FrontLine Security 2010