Tuesday, April 06, 2010

Recommended Reading: Shadows in the Cloud

In a followup to the "Tracking GhostNet" report, a new analysis of attacks against Tibetan and Indian cyber targets has been released titled "Shadows in the Cloud: Investigating Cyber Espionage 2.0". I highly recommend this report.

The report is an excellent synopsis of an in-depth investigation into attacks and information thefts that:
"...documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information."
The analysis shows strong links to the People's Republic of China as the origin of the attacks.

I have not completed a detailed reading of the report but a first pass provides two immediate impressions:
  1. The strong similarities with investigations performed in the late 1980s involving espionage by the then Soviet Union using German nationals as proxies; and,

  2. The analysis, including attribution, appears to be sound.
The similarities between the activity described in this report and other known cases of computer-based espionage are striking. The only major difference between the Soviet espionage case of the 1980s and this one is that most of the techniques of infiltration, compromise and data theft are now automated. The patterns of behavior, use of proxies, and movement and collection of information are very similar.

Furthermore, this analysis, at least on first reading, appears to be careful, methodical and does not suffer from some of the errors made by other technicians analyzing large-scale international cyber attacks (see Analyzing the Google Attacks - Plenty of Room for Mistakes).

This care in analysis is best summed up by the authors when discussing the attribution of the source of the attacks (emphasis added):
"Attribution concerning cyber espionage networks is a complex task, given the inherently obscure modus operandi of the agents or groups under investigation. Cyber criminals aim to mask their identities, and the networks investigated in this report are dispersed across multiple platforms and national jurisdictions. Complicating matters further is the politicization of attribution questions, particularly concerning Chinese intentions around information warfare. Clearly this investigation and our analysis tracks back directly to the PRC, and to known entities within the criminal underground of the PRC. There is also an obvious correlation to be drawn between the victims, the nature of the documents stolen, and the strategic interests of the Chinese state. But correlations do not equal causation. It is certainly possible that the attackers were directed in some manner — either by sub-contract or privateering — by agents of the Chinese state, but we have no evidence to prove that assertion. It is also possible that the agents behind the Shadow network are operating for motives other than political espionage, as our investigation and analysis only uncovered a slice of what is undoubtedly a larger set of networks. Even more remote, but still at least within the realm of possibility, is the false flag scenario, that another government altogether is masking a political espionage operation to appear as if it is coming from within the PRC. Drawing these different scenarios and alternative explanations together, the most plausible explanation, and the one supported by the evidence, is that the Shadow network is based out of the PRC by one or more individuals with strong connections to the Chinese criminal underground. Given the often murky relationships that can exist between this underground and elements of the state, the information collected by the Shadow network may end up in the possession of some entity of the Chinese government."

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0
