Photo: Stasys Eidiejus

Researchers from McAfee say they have uncovered one of the largest series of cyber espionage activities to date. 

According to a report released today called “Operation Shady RAT,” some 72 organizations and governments around the world fell victim to a massive,  five-year long cyber attack carried out by an unnamed, specific “state actor.”

Of the 72 victim organizations, 49 are based in the United States, with 14 listed as U.S. government entities and another 13 as defense contractors. Other targeted countries include Taiwan, Vietnam, South Korea, Canada and India, among others.

According to the report’s author, Dmitri Alperovitch, Operation Shady RAT is a comprehensive analysis of an examination of logs that reveal the full extent of the victim population since mid-2006. It was discovered the compromises were executed through standard spear-phishing emails that initiated communication channels and deployed a series of data exfiltration activities.

RAT is an acronym for “remote access tool,” a type of software hackers and security experts use to access computer networks from afar.

“After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Alperovitch said. “Although we will refrain from explicitly identifying most of the victims, describing only their general industry, we feel that naming names is warranted in certain cases, not with the goal of attracting attention to a specific victim organization, but to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm.”

The full extent of the data breaches is still largely unknown. However, if any of the stolen information was used in a way to gain an economical edge, the loss represents a massive economic threat to both individual and entire countries alike, explained Alperovitch.

What led the researchers to believe the organization behind the major cyber espionage operation was a nation-state actor was the discovery of the intrusions at the Asian and Western national Olympic Committees, as well as the International Olympic Committee and the World Anti-Doping Agency. This pointed a finger at a state actor because there is likely no commercial benefit to be earned from such hacks, explained Alperovitch.

McAfee researches made the discovery through the access of one specific server. If more than 70 victims were uncovered through the monitoring of this single network, Alperovitch explained, then every sector of the economy may potentially be at risk to cyber attacks due to the overwhelming amount of servers connecting them.

“This is the critical issue that we need to be worrying about,” he said.

Steven Joyce

The government in New Zealand has launched an initiative to stop cyber crime, espionage, online terrorist recruitment and even hacktivism, The New Zealand Herald reports.

Communications Minister Steven Joyce yesterday announced the cybersecurity strategy document detailing the government’s response to a “growing cyber threat.” The strategy calls for the creation of a national cybersecurity center that counters cyber attacks of federal agencies as well as develops a national cyber incident response plan and more government support for the commercial sector.

Joyce said the strategy was needed with the launch of ultra-fast broadband and growing Internet use across New Zealand, which increases vulnerability to cyber threats.

With 70 percent of adults in New Zealand  saying they have been targeted by some form of cyber crime, the strategy pays special attention to cyber crime, online espionage, hacktivism and terrorist use of the online medium as threats.

The strategy raises concerns about foreign military, intelligence services and organized criminal groups pilfering information and state secrets from government systems.

It also also points to hacktivism as a growing problem, as well as cites online recruitment and fundraising efforts by terrorist groups as particularly troubling.

Image: Melanie Gamarra

More than a week after Iran said it had been the victim of another cyber attack by foreign adversaries, computer security experts around the globe are voicing their skepticism about the country’s claims.

After the Stuxnet incident last year, Iran claims it was recently hit with another cyber attack. The Iranian government said it suspected a virus called “stars” being responsible for the attack, but did not share any information on the malware or the damage it might have caused.

McAfee security strategist Toralv Dirro told Reuters he is unsure of what to believe.

“If it is real or a hoax, it is impossible to tell,” he said. “There is a possibility that they are working with some anti-virus company under a nondisclosure agreement for analysis/remediation, something that is not uncommon.”

Even if the “stars” virus was a genuine foreign attack, it could be created to extract information rather than do physical damage.

“It sounds more like cyber espionage than cyber sabotage,” said Mikko Hypponen, chief research officer at F-Secure. “Cyber espionage happens all the time. Cyber sabotage doesn’t.”

Image: Melanie Gamarra

Australia’s intelligence agency, ASIO, has created a unit to handle cyber attacks on security and business computer systems by foreign enemies, according to The Australian.

Attorney-General Robert McClelland detailed the government’s worries about the cyber threat in a speech yesterday, saying the explosion of cyberspace has expanded infinitely the opportunities for the covert pilfering of information by state and non-state actors.

“As these attacks can be staged from anywhere in the world, they can infiltrate the control systems of critical infrastructure, be activated remotely, causing damage and mayhem to our technology-dependent lives,” he said.

Known as the cyber espionage branch, the unit was created in the past nine months and is believed to be under the control of the ASIO’s counterespionage and interference division, The Age said.

The Australian said ASIO has confirmed that adversarial intelligence services have used the Internet to steal classified  government and business information, and ASIO Director-General David Irvine has described cyber espionage as a rapidly growing threat, according to The Australian.

Photo: U.S. Navy/PH3 Alta I. Cutler

The Department of Defense in a new report about espionage in 2009 said foreign governments are focusing their spying efforts on naval and marine technology that could provide the foundation for a next generation “blue water” navy.

Kaspersky’s ThreatPost reports the revelation comes in the 2010 edition of “Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry,” an annual publication by the Defense Security Services, part of DoD. The report concludes that web-based spying and targeted attacks from what the report refers to as “entities” from “East Asia and the Pacific region” continued to be a significant threat for U.S. military and military contractors.

Foreign governments and foreign-owned commercial entities sought out restricted technologies through various means, including the Internet, which offers a “low cost, high gain” method to obtain sensitive or classified technology and information, the report said. Phishing attempts and attacks aimed at compromising networks were most-commonly used cyber tools.

DSS also saw a spike in inquiries about business partnerships and R&D agreements. Many of those inquiries were linked to efforts to obtain sensitive technology. In fact, commercial spying far outweighed more traditional types of government-to-government espionage when it came to the acquisition of sensitive technology, the report said.

Although information systems technology was of particular interest to foreign spies, technology related to modeling and simulation software that can be used in military modernization programs were given extra attention. The report noted there had been an increased interest in marine sensors technology, which includes sonar buoys, bottom-scanning sonar and autonomous underwater vehicles.

“Collectors likely targeted emerging marine technology in efforts to transform their capabilities from brown-water to blue-water,” the report says. “Because the United States is a world leader in naval R&D and naval defense technologies, cleared contractor employees should be aware of this burgeoning threat.”

Richard Stiennon, Photo: twitter.com/stiennon

Don’t call Richard Stiennon a cyberwar alarmist. While his new book, Surviving Cyberwar, is the latest in a series of recent books about the global online threat, he told The New New Internet he’s not just another voice in the “sky is falling” cyber chorus. Instead, Stiennon, who serves as chief research analyst at IT-Harvest, offers what he calls a historical analysis to prove his thesis: that state-sponsored cyber attacks have already happened and are on the rise.  While cyber warmongers are harping about some future, amorphous threat to cyber sovereignty, Stiennon quietly makes the case that the future of cyber war is already here.

The New New Internet: What are some of the key findings or the main takeaway points from your research and from the book?

Richard Stiennon: The first key finding is that cyber espionage has been going on for at least 10 years, and it has been going on from China as well as from other countries. But China appears to be the main aggressor. The research for the book included interviewing and digging into the story of Titan Rain that involved a young man by the name of  Shawn Carpenter who was one of the first to discover the Chinese hacking. When he saw it, he took it upon himself to back hack into Chinese servers. [He] discovered documents belonging to all of these research labs and defense agencies in the U.S., and that led up to reaching out to them. He started getting involved in helping them discover where the leaks were and patch them. It also led to being recruited by the FBI as a confidential informant, which led to being fired from his day job at Sandia Labs in Albuquerque.

That’s the cyber espionage we’ve seen just grow, like the attacks against Google, which have been attributed to China. Also just this past week, the WikiLeaks information from the State Department that at least members of diplomatic corps attribute the Google attacks to the Chinese Politburo. There’s a growing body of evidence of attribution there. On the cyber espionage side, we’re talking about the engagement of militaries in the cyber world and that’s closer to cyber warfare. The militaries are all taking the asymmetric capabilities of adversaries very, very seriously and responding by reorganizing thus the creation of the U.S. Cyber Command and similar organizations in every modern western nation in the world.  They are preparing and training to protect their cyber domain during future conflicts.

The New New Internet: You mentioned a lot of the hacking comes from China, why is that?

Richard Stiennon: It is a very, very old tradition for countries that are behind of the times economically and industrially to try and leapfrog their technology. In the mid ‘90s, China academics started publishing articles about what they call the Revolution of Military Affairs, which has a strong information warfare component. Basically, most research labs in the United States and around the world were pretty open to remote hacking. You can deny it, which China has done consistently, and yet you can gather all of this information and use it for economic benefit if you are trading the world markets for oil and gas and other resources, for industrial benefits, if you are stealing industrial designs or for military benefit. If you are for instance stealing the entire data set of the design of the U.S. joint Strike Fighter, all of these things can happen.

The New New Internet: There has been a lot of talk about cyber war and there as many definitions for the term as there can be. How do you define cyber war?

Richard Stiennon: My definition of cyber war is using network-based attacks against computer infrastructure coinciding with physical attacks. Actually, my definition always used to have . . .  tanks rolling across the border. That happened in 2008, when Russia attacked Georgia.  The actual cyberwar incidents around the world are harder to come by than all of the attacks going on with WikiLeaks right now. We learned from Richard Clarke that during the Gulf War, they contemplated attacks – they didn’t do it. We heard about Israeli’s invasion of Lebanon, where they took out radar installations supposedly by a cyber attack delivered over those radar antennae.

The New New Internet: How does your book differ from these similar topics on cyber warfare; for instance, Richard Clarke’s book, or Jeffrey Carr’s Inside Cyber Warfare?

Richard Stiennon: My book is meant to be the historical argument that state-sponsored cyber attacks are on the rise.  Both Richard Clarke and Jeffrey Carr take a warning that the sky is falling and we have to do something drastic, or the end of the world will come. I believe that there will be malware and cyber attacks that lead to power outages or interruptions, or something like that. I don’t believe that those are going to be as damaging as some of the others do. My book wasn’t to warn of the next threat to our sovereignty, or whatever the title of Richard’s book is.  The focus was to demonstrate all of the things that have happened and they are going to continue to happen.

The New New Internet: Some people say all of this talk about cyber war–and especially when you couch it as a warning– is not very helpful and kind of ratchets up the rhetoric about cyber warfare. What is your take on it?

Richard Stiennon: I don’t think there is any value in heightening the rhetoric because all of these attacks are not only possible but have been going on. It’s much more important for those that are responsible for the security of all of our infrastructure to just pay attention to what has happened and start reacting to that, not reacting to some future threat that has not materialized yet.  You can’t predict what that future threat will be.  There are too many openings, too many types of dastardly things people can do. Who could have predicted that MasterCard would have their website taken down by a bunch of activists just because they complied with the press . . . the United States and WikiLeaks.

The New New Internet: It’s kind of difficult to talk about cybersecurity post-Thanksgiving without WikiLeaks being brought up. Do you think governments will crack down on information sharing or make it harder for whistle-blower sites to spring up? Or does it open the flood gates and it will only be a continuous stream?

Richard Stiennon: Where I’ve seen the fractionalization of WikiLeaks is [in] special organizations such as OpenLeaks, due to go public this week. There will be other models that will make it easier to share information and prevent it from being squelched by government. That was of course always possible, and WikiLeaks is just heightening the rise of free information.  At the same time, governments will react in such a way to actually curtail freedom of information.  We’ve already seen several bills in conflict before Congress just last week and around the world. There will be a battle for freedom of information going on that is going to get more and more interesting to watch.

The New New Internet: Some say WikiLeaks and the hacktivists afterward shutting down credit card company’s websites was the opening shot in a cyber war, or an information war. What’s your take on that?

Richard Stiennon: I liken it more to like a cyber riot. For social and government stability, the street is very, very important. In the Middle East, the street is what the government kowtows to. In the U.S. and other Western nations, the street is usually a little bit more sedate and limited to peaceful rallies. But what we have going on online right now is people that think that they are anonymous engaging in cyber riots.  They get together and decide on their targets and they start lobbing the equivalent of digital bricks at their target’s windows. They are breaking those windows and doing that damage, but nothing that shuts down the business.

The New New Internet: I have to admit I’ve never heard of Shawn Carpenter or the Titan Rain.  That was something that went under my radar.  I thought it presented a kind of dichotomy between the idea of the benevolent whistle-blower to this idea of WikiLeaks, and who knows what kind of whistle-blower that is.  I was wondering if you could talk about that?

Richard Stiennon: Whoever the WikiLeaks whistle-blower was felt that he was acting in the best interest of the world, I guess.  Shawn Carpenter felt that he had uncovered attacks against his country and the government that he worked inside.  He didn’t publicize what he had found, but reached out to those individuals or organizations – he notified them.  He stepped over the lines potentially that what his employers thought was appropriate.  For a member of the armed service to steal information is first of all highly illegal and well defined as illegal. Everybody knows what their top secret clearance means; and then the next level beyond that is the organizers of WikiLeaks are the recipients of the illegally gained information so making it public is their decision. They are motivated by something that they think that the world has to know.

The New New Internet: 2010 saw a lot of cyber-related events; Operation Aurora, Stuxnet and now WikiLeaks.  Is there anything else that might have slipped under the radar that didn’t get as much attention but would be a notable thing for cybersecurity for the past year?

Richard Stiennon: There’s one more that I think and that is the rise of denial service attacks in Asia. From China through Hong Kong to Singapore and even Australia, denial service attacks have taken off dramatically. It’s criminal organizations extorting money from online gaming sites, which are allowed in that region, but it’s also just one website hiring an attacker to take down their competitor website because their revenue goes up if the competitor is not available. That level of the wild, wild west if that were to translate into the rest of the digital world would be extremely disruptive.

The New New Internet: Your book is called Surviving Cyber War; in the event of a cyber war in the future, how would a country survive?

Richard Stiennon: I’m a technologist at heart, and I believe that most of the identified attacks can be addressed with technology.  I don’t even think that we need to completely revamp the Internet to get there. Certainly, for individual companies they can do a much better job of investing in defenses if only they didn’t wait until after their attacks, which sadly is the way a corporation works.  Why spend $1 million on preventing something that has never happened – wait until after the fact and then spend $2 million as TJX found out. They set aside $200 million to counter a pretty simple breach that occurred against them.

Government has a long, long way to go to get up to speed with the cyber-defense posture that most corporations are at today. There is a complete revamping of how things are done inside government from the IT perspective that has to happen.  Obviously, there has been lots and lots of talk and chest beating about how we have to do something. Congress has 40 bills in process last session – nothing got close to passing, of course. There has been a cybersecurity coordinator appointed by the president. That role doesn’t have the power to get something done. It is going to take a bigger breach or outage than the Pentagon has suffered so far to really get things to start happening. As a nation, we are reactive and as humans we are reactive, and certainly the bureaucracies are reactive.

The New New Internet: Those were all of my questions, is there anything that I didn’t touch on that you think is important to note?

Richard Stiennon: You’ve already pointed out the acceleration. There are three ground-breaking events – we haven’t talked about Stuxnet, but Stuxnet is the wake-up call for manufacturing, I believe. Manufacturing has been on the sidelines of cybersecurity because they don’t have a lot of credit cards [and] cyber criminals aren’t after them. But Stuxnet was designed to target control systems [so] it doesn’t matter if it is a bunch of centrifuges that ran for a robot paint shop at an automotive plant.  The types of new attacks that we are going to see target those control systems. These will be very expensive for those manufacturing operations. The types of things that they are going to have to do to prevent it are pretty straight forward and a lot of them won’t do it until after the fact.

Image: Sonar

Governments should set up hotlines between their cyber commands, similar to those used between nuclear commands, to help them battle against cyber attacks, as well as establish treaties to battle digital weaponry,  a security expert proposes.

Writing an op-ed for Financial Times, security guru Bruce Schneier highlights that the unknown nature of cyber attacks and the lack of definition make it hard to determine exactly whom one is fighting.

“It is obviously not an act of war just to develop digital weapons targeting another country,” he points out. “Using cyber attacks to spy on another nation is a gray area, which gets grayer still when a country penetrates information networks, just to see if it can do so. Penetrating such networks and leaving a back door open, or even leaving logic bombs behind to be used later, is a harder case – yet the U.S. and China are doing this to each other right now.”

Conflict on the digital battleground is much different compared to conventional warfare, not just because the tools of war have changed, but because cyberspace places them in the hands of a broader group of people. Until recently, only the military had weapons. These days, anyone with sufficient computer skills can take matters into their own hands, Schneier writes.

It also becomes problematic when the origin of an attack in unknown. In a regular conflict, a variety of military and civil institutions respond. In cyberspace, however, it is often unclear who the attackers are and what their motive is.

“When you don’t know, it’s easy to get it wrong; and to retaliate against the wrong target, or for the wrong reason,” Scheiner remarks. “That means it is easy for things to get out of hand. So while it is legitimate for nations to build offensive and defensive cyber war capabilities, we also need to think now about what can be done to limit the risk of cyber war.”

A first step would be a hotline between the world’s cyber commands, allowing governments to communicate with each other rather than guessing from where an attack came. Additionally, new cyber war treaties could stipulate “a no-first-use policy, outlaw un-aimed weapons, or mandate weapons that self-destruct at the end of hostilities,” Schneier writes.

It is not too late to reverse the cyber arms race currently underway, he notes. Otherwise, it is only a matter of time before something big happens, be it the rash actions of a low-level military officer, or by a non-state actor, or even by accident.

“And if the target nation retaliates, we could actually find ourselves in a cyber war,” Schneier predicts.

Photo: Luisafer

With the latest disclosures from WikiLeaks, it became clear what many already suspected about the culprits behind the 2009 Google attacks: They originated from China.

The whistle-blower site on Sunday released another massive batch of diplomatic cables that contained communications between the Department of State and some 270 embassies and consulates, The New York Times reports.

One of the cables allegedly points out the Chinese government as the mastermind of Operation Aurora–a cyber attack that targeted Google and dozens of other corporations, defense contractors and federal agencies.

According to WikiLeaks, an unnamed source in China told the American Embassy in Beijing that China’s Politburo directed the hack into Google’s computer systems in that country. The cyber attack was part of a coordinated campaign of cyber sabotage carried out by government operatives, private security experts and hackers recruited by the Chinese government, who have hacked into U.S. government computers and those of Western allies, the Dalai Lama and American businesses since early 2000s, cables said, according to The Times.

Security experts have long suspected China to be behind the Google attacks. According to media reports earlier this year, the Google hackers seemingly originated from a China-based university, however, the Chinese government has vehemently denied its involvement in the Internet assaults.

The plan was uncovered last year when the official became suspicious of an email she received from a contact she had met at a conference. The official showed the highly personalized message to Ministry of Defence IT experts, who then discovered the attachment contained malicious code created to leak classified material to a foreign intelligence agency.

Although MoD declined to comment on the incident, The Register established the foreign spies’ target was Joanna Hole, who served as MoD’s chief of safety and sustainable development until she retired in March. Her duties included business continuity and she regularly briefed ministers and forces chiefs. The Register also reported that in her previous role, Hole represented MoD at the highly sensitive COBRA emergency committee.

Jim Garrettson and Richard Clarke

In the wake of reports of more countries being targeted by complex malware, cyber espionage has become an increasingly global concern for government and industry leaders over the past year, making loss of sensitive information and data an everyday problem for most nations.

Although cyber espionage is relatively new way of stealing secret government and corporate data, security training company Spy-Ops estimated last year roughly 140 countries and more than 50 terrorist and criminal/extremist groups were developing cyber weapons and espionage capabilities.

While conventional snooping relies on clandestine operatives to gather intelligence, cyber espionage uses computer systems and data combined with conventional techniques to gain intelligence and sensitive information. To penetrate the desired systems, cyber spies launch cyber attacks, using techniques that involve Trojans and spyware to gain access–over and over again.

Case in point: U.S. military and civilian networks are probed thousands of times a day, and the systems of NATO headquarters are attacked at least 100 times a day, according to NATO Secretary General Anders Fogh Rasmussen.

“It’s no exaggeration to say that cyber attacks have become a new form of permanent, low-level warfare,” he said, according to The Wall Street Journal.

More recently, last week former DHS Secretary Michael Chertoff told RSA Conference Europe nations should adopt Cold War-era methods to deal with Internet-based attacks.

“[President Eisenhower's workshopping exercise] Project Solarium gave us the theory of deterrence, where rules of the road were clearly understood,” he said, according to ZdNet UK. “An attack on the U.S. or its allies with a nuclear weapon would be responded to with overwhelming force.”

Countries should be able to respond to cyber attacks “with overwhelming force,” Chertoff said. He told ZDNet UK ultimate attribution was difficult for cyber attacks, but said nation states should be able to respond against technologies in countries being used as a platform for attack, regardless of whether that specific country is behind the attack.

Richard Clarke, former counterterrorism czar in the Clinton and Bush administrations and current chair of  Good Harbor Consulting, LLC, repeated his message that espionage has evolved from clandestine meetings a la Robert Hanssen to warfare conducted by the click of a mouse, from thousands of miles away. The difference between such cyber espionage activities and actual cyber war represents just a “few keystrokes,” Clarke said, speaking at a Potomac Officers Club event Oct. 5.

The United States is naturally not alone in this emerging threat. Recent news reports from Australia indicate the Australian military networks are under continuous attack by foreign spy agencies. In Finland, reports last week emerged about how corporate espionage is spreading and the Scandinavian nation was recently targeted by the infamous Stuxnet worm. Also last week, British spy chief Iain Lobban revealed how the U.K. is engaged in a cyber war with terrorists, organized criminals and enemy states. Lobban said worms targeting government systems have already caused significant disruption, and e-crime is costing the nation “well into the billions.”

In the United States, the solution to battle cyber spies appears to be a global collaboration between the Pentagon and NATO, experts say. In September, Lynn said NATO is the perfect platform to fight the cyber threat, as the alliance understands the need for cybersecurity and is already moving in that direction.

The deputy secretary addressed the nature of what collective defense means in the cyberspace, stressing a collaborative protection does not mean opening up networks to all users, but instead calling for NATO members sharing information on attacks and solutions.

Interestingly enough, although cyber espionage has been decried by government leaders and industry experts, the public seems to have a different opinion. According to an August report from Sophos, the majority of survey respondent said they were fine with a little bit of cyber spying. Sixty three percent of those polled believe it is OK for their nation to engage in cyber espionage–23 percent said yes at any time, 40 percent said only during wartime, and 37 percent said no.

Furthermore, one in 14 respondents believe denial of service attacks against another country’s communication or financial websites are acceptable during peacetime. Roughly half said it was OK only in wartime, while 44 percent said DoS attacks were never acceptable.

Graham Cluley, senior technology consultant at Sophos, said it may be surprising so many seem to think cyber espionage is acceptable practice; however, by giving approving these kind of activities, “you’d also have to expect to be on the receiving end too,” he concluded.