The Counter Terrorist ~ June/July 2012

Case Study: The Rise of Cyber-Espionage

By Chris Mark

At a Hopkinton, Massachusetts, office, an executive received an email that appeared to be from a coworker on March 1, 2011. Attached to the email was an Excel spreadsheet titled “2011 Recruitment Plan.” The man opened the spreadsheet. The email was not from a coworker; it was a carefully crafted attack known as “spear phishing,” in which a fraudulent email is sent to a specific person.

The spear phishing email contained an Excel spreadsheet with a zero-day exploit and a version of the Poison Ivy RAT (remote administration tool) payload embedded. The RAT enabled a hacker to gain privileged access to the network of RSA Security (an American computer and network security company). The company had been founded by Ron Rivest, Adi Shamir, and Leonard Adleman, the inventors of the RSA public key cryptographic algorithm. This single event initiated an attack that would result in the compromise of one of the largest and most respected data security companies in the world.

Within weeks, hackers had penetrated RSA’s defenses and stolen the source code to the vaunted two-factor authentication system, SecurID. SecurID is used by an estimated 250 million people worldwide. The attack was believed to have been initiated using a zero-day exploit created by a Chinese hacker. Evidence suggests the possibility of Chinese-sponsored cyber-espionage.1 RSA’s CEO, Art Coviello, stated the stolen SecurID information “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack (italics added).”2 This proved to be an ominous prediction.

On May 27, 2011, an employee at L-3 Communications, a major supplier of communication, intelligence, surveillance, and reconnaissance technology to the Department of Defense, noticed suspicious activity in the network. An investigation showed a hacker had accessed the network using cloned RSA SecurID tokens3 and potentially accessed critical intellectual property related to defense projects. This is only one of several reported attacks that seem to have originated from the RSA breach months before.4 It is believed that Northrop Grumman Corporation (a designer, systems integrator, and manufacturer of military aircraft) may have been targeted, and Lockheed Martin (an American aerospace, defense, security, and advanced technology company) announced that it too was the target of a “significant and tenacious” attack, which also apparently originated from the compromised RSA tokens.5

By February 2012 security analysts began to acknowledge what many have known for a long time. The US government and US companies are losing the battle to protect sensitive data. At RSA’s annual security convention, Robert Mueller, head of the Federal Bureau of Investigation, told the audience, “There are only two types of companies. Those that have been hacked, and those that will be.” Echoing his sentiments, RSA’s Coviello took the stage and ominously informed the crowd, “Our networks will be penetrated. We should no longer be surprised by this.” He added, “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.”6

Panel discussion at the 3rd annual State of the Net conference, held in Washington, D.C. From left: Lord Toby Harris (UK Parliament), Christopher Painter (US DoJ), Scott Charney (MSFT), Chris Young (RSA Security) and Ari Schwartz (CDT). Photo: Joe Hall

The comments at RSA accurately depict the state of cybersecurity today. Organizations are spending billions of dollars per year and are being literally and figuratively eviscerated by people intent on stealing data. There are growing numbers of reasons why data is stolen but, in general, the motivations can be fit into three broad categories: political or social activism, cyber-espionage, and financial crimes. Regardless of the basic motivations, the methods of attack are similar and the same techniques used to perpetrate politically motivated attacks are used to steal financial data.

During a London speech in 2007 on credit card security and compliance, a French participant stated unequivocally to me that the recommendations provided did not apply to companies accepting credit cards in France because, “In France we do things differently.” My response was to ask a series of simple questions. “Is the Internet in France based on the Internet protocol? Does the OSI model apply in France? Is structured query language used in France?” He sheepishly answered “yes” to all the questions. Whether the motivation is stealing credit card data, intellectual property, or state secrets, the attack principles are the same because the underlying protocols and technologies are the same.

To understand the difficulty of protecting systems from today’s attacks, it is useful to look at the concepts of unrestricted warfare and guerilla tactics. As stated in Mao Tse-tung’s On Guerilla Warfare:

“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes. Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently…in forty minutes the countdown begins.

At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree. Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a Browning automatic rifle…Draped around his neck, a sausage-like cloth tube with three days’ supply of rice…In forty minutes his group of fifteen men will occupy a previously prepared ambush.”7

In today’s world of cybersecurity, companies are spending billions of dollars on cutting-edge equipment and monitoring systems and networks around the clock. On the other end of the spectrum is Hector Xavier Monsegur, also known as “Sabu.” Sabu is a 28-year-old unemployed high school graduate. He is a father of two who lives on public assistance in a housing project in New York’s Lower East Side. With a dilapidated computer he allegedly wreaked havoc on numerous companies, including Fox, Sony, and PBS.8 He does not require sophisticated equipment. All he needs is knowledge, patience, time, and motivation to attack a company.

As mentioned previously, there are several motivations that drive hacking behavior. Although these motivations often intersect and may overlap, generally, they tend to be either financial or ideological. Financially driven crimes are, arguably, easier to anticipate and counter. Volumes have been written on the exploits of the Russian Business Network, BOA Factory, Mazafaka, and other alleged financially motivated criminal groups. Today, companies are also facing increasingly dangerous adversaries driven by ideology. People driven by ideology are often more dangerous and difficult to deter. Their willingness to accept greater risk and focus greater resources for less-perceived return makes them particularly challenging. There are primarily two types of ideologically motivated adversaries threatening companies today: social or politically motivated hacktivists, and “patriotic hackers” involved in cyber-espionage.

Hacktivism refers to cyberattacks or data thefts that are conducted primarily to make a political, social, or other statement. It should be noted that although the primary objective may be politically or socially motivated, these attacks often result in stolen financial and other data that may be used for financial gain. Two of the most prominent groups active today appear to be LulzSec and Anonymous.

In 2004 a relatively anonymous hacker named Jeremy Hammond presented the LulzSec manifesto at the hacker convention known as DefCon. To a chorus of boos and hisses, and with a bandana covering his face, the hacker, political activist, and self-styled anarchist known online as “anarchaos” and “crediblethreat” stated defiantly, “One man’s freedom fighter is another man’s terrorist. So let them call us terrorists.” He added moments later, “I’ll still bomb their buildings.”9 He served two years in prison in 2006 for cyberattacks. In 2011 Hammond was arrested again for a hack against the US intelligence company Stratfor.

INL cybersecurity researcher operates a Supervisory Control and Data Acquisition System inside the lab’s Information Operations Research Center. Photo: Idaho National Laboratory

Although Anonymous is believed to be a loosely knit, decentralized group of hackers whose members may overlap with those of LulzSec, its motivations can be seen in its published manifesto. Like LulzSec, Anonymous has political interests.10 Its manifesto states:

“The intention of Anonymous is to protect free flow of information of all types from the control of any individual, corporation, or government entity. We will do this until our proverbial, dying breath. We do this not only for ourselves, but for the citizens of the world. We are people campaigning at this very moment for your freedom of information exchange, freedom of expression, and free use of the Internet. Please remember this as you watch the news, read posts on Twitter, comment on YouTube or Facebook, or send email to a friend or loved one: Anonymous is making every effort to defend free speech and free information on the Internet.”

Anonymous concedes that it does not control, or try to control its own mem-bers’ actions.

“May we remind you that Anonymous is a dynamic entity. Furthermore, anything attributed, credited, or tagged to Anonymous is not always based on the consensus of us as a whole. Even the document you read now was written by at least ten people simultaneously.”

State-sponsored cyber-espionage includes hacks perpetrated directly by foreign governments, or by foreign organizations and individuals associated with foreign governments. Although numerous countries engage in cyber-espionage, the largest perpetrator of cyber-espionage appears to be the People’s Republic of China. Although the motivations are often ultimately financial, we see a glimpse into how China reportedly motivates attackers to perpetrate the crimes. China calls those who steal for the benefit of China “patriot hackers.”11 By appealing to the patriotism of the hacker, it applies moral relativism to the act. In short, the hacker, in their eyes, is not committing a wrong; he or she is patriotically supporting China.

On April 15, 2011, the US Congressional Subcommittee on Oversight and Investigations conducted a hearing on Chinese cyber-espionage. The hearing revealed the US government’s awareness of Chinese cyberattacks. In describing the situation in the opening remarks, subcommittee chairperson Dana Rohrabacher astutely stated:

“[The] United States is under attack.”12

“The Communist Chinese Govern-ment has defined us as the enemy. It is buying, building and stealing whatever it takes to contain and destroy us. Again, the Chinese Government has defined us as the enemy.”

The RSA compromise, as well as the theft of data from DuPont, and the theft of intellectual property from American Superconductor, Microsoft, Cisco, and Motorola to name but a few, demonstrate the motivation and sophistication of the efforts to steal data from US companies.13 It should be noted that the United States is not the only victim. The United Kingdom reportedly loses $45 billion per year from cybercrime with $28 billion in losses directly attributable to cyber-espionage.14 As detailed in the congressional report:

“The PRC utilizes a large well-organized network of enterprises, defense factories and affiliated research institutes and computer network operations to facilitate the collection of sensitive information and export-controlled technology.”

“The economics of cyber-theft is simple: Stealing technology is far easier and cheaper than doing original research and development. It is also far less risky to the spy than historic cloak and dagger economic espionage.”15

Cybercrime has been an issue for companies since the Internet boom of the late 1990s. Early criminal efforts focused on stealing financial data such as credit and debit card information, and website defacements. Throughout the 2000s companies have been plagued with data thieves stealing financial data. Today, companies and governments are increasingly facing more dangerous hacktivist and cyber-espionage attacks. Companies that have focused on protecting financial data are now faced with the daunting task of protecting intellectual property and systems from a motivated, sophisticated adversary often driven by ideology.

ABOUT THE AUTHOR

Mr. Mark is the founder of Mark Consulting Group, Inc. He is a data security and risk professional. He has consulted for numerous Fortune 500 companies and publishes the blog: www.GlobalRiskInfo.com.

END NOTES

1. http://jeffreycarr.blogspot.com/2011/06/18-days-from-0day-to-8k-rsa-attack.html (accessed 3/18/12)

2. http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/ (accessed 3/18/12)

3. http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/ (accessed 3/18/12)

4. http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/ (accessed 3/18/12)

5. http://www.informationweek.com/news/government/security/229700151 (accessed 3/15/12)

6. Cowley, Stacy. (Feb 28, 2012) “New Cybersecurity Reality: Attackers are winning.” http://money.cnn.com/2012/02/28/technology/rsa_cybersecurity_attacks/index.htm (accessed 3/15/12)

7. 21st Century U.S. Military Manuals: Mao Tse-tung on Guerrilla Warfare (Yu Chi Chan). U.S. Marine Corps Reference Publication FMFRP 12-18 (accessed 3/18/12)

8. http://www.foxnews.com/sci-tech/2012/03/06/exclusive-unmasking-worlds-most-wanted-hacker/

9. http://www.belch.com/blog/2012/03/08/lulzsec-hacker-delivered-defcon-manifesto-in-2004/ (accessed 3/12/12)

10. http://www.indybay.org/news-items/2010/12/09/18666107.php (accessed 3/12/12)

11. House of Representatives, United States House (2011-06-30). Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology (Kindle Locations 188-189). Kindle Edition. (accessed 3/13/12)

12. House of Representatives, United States House (2011-06-30). Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology (Kindle Location 66). Kindle Edition. (accessed 3/12/12)

13. http://articles.boston.com/2011-09-19/news/30176716_1_alternative-energy-china-ties-data-theft-case (accessed 3/18/12)

14. http://cyberpointllc.com/news_09.html (accessed 3/13/12)

15. House of Representatives, United States House (2011-06-30). Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology (Kindle Locations 188-189). Kindle Edition. (accessed 3/13/12)