Friday, March 05, 2010

Political Cyber Crimes Growing

The increasing nature of politically motivated computer crime is the subject of a recent article discussing how companies focus on profit motivated cyber crime while ignoring other threats. The author states that because of "fear-mongering from the media and opportunistic profiteers, we've all become myopically obsessed with [profit based] cyber-crime."
"While monetary gains are certainly a big motivator for cybercrime, increasingly cyber-criminals are acting out of political interests."
The article blames much of this on security vendors hyping specific threats that their products are designed to protect against. I agree: I see it every day when advising my clients.

The author then prescribes three actions companies should take. These are summarized as:
  1. "...put up the best defenses you can. Make sure that you are putting the resources you already have, such as log files, to the best possible use";

  2. "...implement the best people-processes you can"; and,

  3. prepare to be "hacked".
Unfortunately, these recommendations just repeat the very error the article points out: blindly implementing security controls without understanding the nature of the threats the organization faces.

There are many cyber threats with a multitude of motives and one of the key contributors to the increased effectiveness of all types of cyber-crime is the myopic focus on technology while not understanding threats and risks. This leads to some threats not being mitigated while others are over-protected thereby wasting valuable budget and resources (see IT security professionals must evolve for changing market for further discussion).

Companies need to start with a thorough assessment of threats and risks. Then, they can design the organization, skills, policies and processes to best mitigate those risks. Only after these steps are completed should they begin to choose and implement (technical) controls that help automate and manage the mitigation and monitoring processes. Anything else is just a waste of money.

Managing threats and risks should drive the selection and use of controls - not the other way around.

The author is correct that too many organizations are not prepared for cyber attacks and assume (incorrectly) that if they have a firewall and some log management or other tools in place they don't need to worry. No security control or process is perfect even if resources and budgets weren't an issue. Companies need to have a robust incident response capability and one that isn't developed when a crisis occurs.

Focus on Cyber-Crime Misses Real Threat

Thursday, March 04, 2010

NATO Facing Increased Cyber Threats

NATO's Secretary-General commented at a NATO seminar in Finland that the alliance needs to increase defenses against cyber threats. While not releasing any details it appears NATO is concerned about a wide range of potential problems:
"It's really a broad range of threats. There are many actors in cyberspace, and we have to develop a capacity to protect ourselves against those attacks," [said Secretary-General Anders] Fogh Rasmussen.
Swedish Foreign Minister Carl Bildt also commented at the same meeting on the threat saying:
"There are terrorists, spies, subversive attempts, ongoing attacks as well as preparations for much more disruptive and destructive operations... There will be no security for our societies if we can't secure both our cyberspace and our orbital space."

NATO chief calls attention to cyber threats

Tuesday, March 02, 2010

Germany Suspends Communication Data Retention Law

Citing security and transparency concerns, the German Federal Constitution Court has suspended the law requiring communication providers and ISPs to retain traffic information for six months for use by law enforcement:
"The judges said the data storage was not secure enough and that it was not sufficiently clear what it would be used for."
The law was implemented to follow an EU Directive aimed at fighting terrorism but the court ordered the suspension until new rules for the storage and use of the data could be implemented:
"The court demanded that stricter conditions be attached to the use and storage of the data, saying it needed to be encoded and that there should be "transparent control" of what the information was used for."
The court additionally ordered all data stored to date to be deleted.

German High Court Limits Phone and E-Mail Data Storage

Thursday, February 25, 2010

Political Motivation Behind Google Ruling in Italy?

The New York Times suggests the recent Italian court ruling that Google executives are criminally responsible for offensive Internet content may have a broader political motivation and that the ruling is related to Prime Minister Berlusconi's ownership and control of many of Italy's media outlets:
"Critics of Mr. Berlusconi say the measures go beyond routine copyright questions and are a way to stave off competition from the Web to public television stations and his own private channels — and to keep a tighter grip on public debate."
Specifically, the accusation is that those who control the broadcast media in Italy want to control the Internet as well:
"Paolo Gentiloni, a leading opposition member and a former communications minister, said Internet regulation was inevitably political. Today in Italy, he said, “political power is in the hands of people who do TV, not the Internet.”"
The Italian government denies any such motivation for the courts ruling or recently proposed measures by the Italian legislature to regulate Internet activities:
"Paolo Romani, a deputy communications minister who sponsored the measure, said the issue was copyright protection. “It has nothing to do with the fact that our prime minister also owns television stations,” he said. “It’s in Berlusconi’s interest not to be accused of conflict of interest.”

Larger Threat Is Seen in Google Case

In a Cyberwar, US Would Lose

The U.S. Senate heard testimony from "industry experts" warning of catastrophic consequences from cyber war attacks - including pronouncements that the "government faces the prospect of losing in an all-out cyberwar".

As part of the debate on the Cyber Security Act of 2009, Senators were told the status quo is not acceptable:
We are "...under attack every day, losing every day vital secrets. We can not wait," [James Lewis, Center for Strategic and International Studies] said. "We need a new framework for cybersecurity and this bill helps provide that."
Lewis went on to add that "...[t]he cyberattack is mainly espionage, some crime".

There is no doubt that the U.S. and most other developed countries are at high risk from significant cyber attacks, as demonstrated almost daily by intrusions into military, government, commercial and non-profit organizations. However, it is interesting that many of the companies that would benefit the most from the funding to "fix" the problem are ringing the congressional alarm bells the loudest.

Experts warn of catastrophe from cyberattacks

Friday, February 12, 2010

Hacktivists Attack Australian Government Systems

A hacktivist group called "Anonymous" is claiming responsibility for Distributed Denial-of-Service attacks against government systems in Australia. The attacks are a protest against proposed filtering of Internet content by the Australian government.
"The group consists of "a few thousand people" based all over the world Coldblood said."
Coldblood is a pseudonym for an individual claiming to be a spokesperson for the group. The spokesperson also claimed responsibility for other hacktivist attacks protesting other forms of censorship:
"They staged cyber attacks on Iran following the election protests and have publicly protested against the Scientology movement."

Cyber attacks against Australia 'will continue'

Sunday, February 07, 2010

US Faces "Significant" Threat from Cyber Espionage

John Brennan, Deputy National Security Adviser for Homeland Security and Counterterrorism, stated during a television interview that the United States faced a "serious and significant" threat from cyberspace:

"We're looking at these issues from the standpoint of espionage, from governments, from different individuals, whether they be hackers or terrorist organizations," Brennan said.

"National security is something that is at risk. That's why what we're trying to do is to ensure that our networks, our government networks, our private sector networks have the ability to withstand these attempts to hack in."


US faces 'serious' cyberspace threats: advisor

Sunday, January 31, 2010

Wide Ranging Espionage by China in Britain

The Sunday Times reports on a leaked MI5 memo warning UK companies of extensive espionage by China including both traditional means and cyber attacks.

The targets are described as:
"UK defence, energy, communications and manufacturing companies in a concerted hacking campaign. It claims China has also gone much further, targeting the computer networks and email accounts of public relations companies and international law firms."

Several methods are mentioned in the article, including "sexual entrapment", knowledge of "illegal activities to pressurise individuals to co-operate with them", bugging hotel rooms in China and other countries, and:

"...that undercover intelligence officers from the People’s Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of “gifts” and “lavish hospitality”.

"The gifts — cameras and memory sticks — have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users’ computers."

An important point, left to the end of the article, provides some insight into the seriousness that the UK government gives the problem:
"The growing threat from China has led [Jonathan] Evans [Jonathan Evans, the director-general of MI5] to complain that his agency is being forced to divert manpower and resources away from the fight against Al-Qaeda."

China bugs and burgles Britain

Friday, January 22, 2010

Analyzing the Google Attacks - Plenty of Room for Mistakes

SecureWorks has posted an analysis of the malicious code alleged to have been used to attack Google and other companies, collectively referred to as "Operation Aurora". SecureWorks' posting is one of the first pieces of evidence and technical analysis that goes beyond simple speculation.

The analysis centers on a somewhat unique piece of error-checking code (a cyclic redundancy check, or CRC) that appears to have been developed in China and only published in Chinese language papers.

It is great that some good technical analysis is starting to come out and I recommend those interested to read the posting. It has some technical information but the main points should be accessible to non-technical readers.

However, from an investigator's point of view, there are some shortcomings in this type of analysis and it might prove interesting to discuss a few of these.

Most technical analysis focuses on answering what happened and how an incident occurs. Technicians can reverse engineer (malicious) code, analyze network traffic patterns and review logs of system activity to understand how someone gained access to a system and what they did. This analysis is a very necessary and important step. However, just knowing how an incident occurs is not enough for security professionals.

To understand the risk from these types of attacks requires more information. If our response to an attack is solely based on how it occurs then we risk wasting resources by over reacting or misapplying controls that are ineffective (one of the most common problems in information security). The current Google incident is a perfect example.

Based on the current public information there is tremendous speculation that this may be sponsored or directed by the Chinese government for the purposes of espionage. If that is true, it requires a significant reaction both in terms of spending by (potential) targets and by action from other governments. However, if this is being carried out by a group of teenagers in Romania (just using Chinese systems as a front) simply for the technical challenge, our response can and should be completely different. Therefore, understanding who the adversaries are and their motives changes the risk equation and our response to it (additionally, we need to understand capabilities but that's another topic).

We need to answer not only what happened and how but also by whom and why.

Here we often hit a brick wall: due to the virtual nature of data and the Internet, it can be very difficult to clearly identify who and why, yet it is not impossible. Unfortunately, many technicians take the what and how information and try to infer answers to who and why, often with poor results.

Inference chains, or inference concatenates, are used by intelligence analysts, investigators and prosecutors to link data points and evidence to develop a conclusion based on what is known or to prove guilt based on evidence. Inference chains can be either weak or strong. Unfortunately, most inferences used to determine "who" perpetrates a cyber attack are weak.

With this in mind, let's go back and look at the technical analysis and where it might have some shortcomings or problems.

One example is the following quote from the SecureWorks posting:
"...outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC or any agents thereof."
It is great to see such caution in analysis but it needs to go a little further: How do we know the PRC (People's Republic of China) IP addresses "prove" any involvement by anyone in China or their agents? It might be someone outside of China using a Chinese system. Until we know exactly who the perpetrators are, we don't know what their affiliation with the PRC is. Therefore, we would say that to infer that the perpetrator is Chinese based solely on the use of a Chinese IP address is weak: It might be true but it might not.

Another example of this problem is the conclusion that because the (legitimate) CRC used in the malicious code appears to have been developed in China, the perpetrators must be Chinese (again, using what information to infer who).

The post describes the CRC code and that it appears to have been created in China and only published in simplified Chinese (a form of written Chinese promoted by the PRC).

The inference chain then goes like this:
  1. A specialized CRC code (called CRC-16) was created in China for legitimate purposes;
  2. A simple Google search returns only references to the CRC code in simplified Chinese papers;
  3. Malicious code was developed that, in part, uses a CRC that "matches the structural implementation" of the CRC-16 code;
  4. The malicious code was used to attack Google (and others);
  5. Therefore, the "use of this unique CRC implementation in Hydraq [the malicious code] is evidence that someone from within the PRC authored the Aurora codebase".
Is this a strong inference chain? Not if other reasonable conclusions could be drawn. For example, simplified Chinese is also used in Singapore. We could equally conclude (based solely on the inference chain above) that the perpetrator was in Singapore. Or perhaps a Chinese emigrant living in France. Within reason, we could come up with several other possibilities.

Again, it may be true, but it may not. Does this level of analysis, common in technical cyber crime studies, give us the information we need to react appropriately (technically, legally or politically) to the threat?

One additional problem with the analysis/inference is to rely solely on a simple Google search and conclude that it represents an exhaustive search of the whole space where the articles related to the CRC-16 code could have been published.

I don't want to be overly harsh on this particular analysis. As I said earlier, I think it answers some important what and how questions and, at a technical level, is an excellent piece of work: We need more like it. Likewise, it does provide some very interesting data points that can begin to be used to build the circumstantial evidence needed to answer the who and why questions. However, that will require more information (both technical and non-technical) to build strong inference chains that point to a single, reasonable conclusion. This can be done but with large international cyber cases it requires significant time, data collection and analysis of literally thousands and thousands of data points. It also requires intelligence and analysis of more than just technical information.

Unfortunately, this rarely happens.

We need to be very careful in how we infer the who and why of international cyber crimes. The consequences of making a mistake could be disastrous.


Operation Aurora: Clues in the Code

Tuesday, January 19, 2010

Attack on London Based Jewish Website

The London based Jewish Chronicle's website was defaced with anti-Semitic and pro-Palestinian messages:
"In a message posted in English and Turkish, a group calling itself the "Palestinian Mujaheeds" quotes from the Quran and attacks Jews in anti-Semitic terms."
Associated Press articles attributed the attack to a recent dispute between Turkey and Israel:
"It comes a week after the eruption of a damaging diplomatic feud between Israel and Turkey. Ankara was outraged when Israel summoned its ambassador to express anger over a Turkish television drama that depicts Israeli agents kidnapping children and shooting old men."
The Jerusalem Post attributes the attacks to Turkish "hackers" and provides some background on previous cyber attacks believed to have originated in Turkey:
"Turkish hackers are notorious for playing a major role in coordinated international Web attacks, which usually come in response to international incidents perceived as affronts by the hackers."
and;
"After Operation Cast Lead in Gaza last year, Turkish hackers took part in a coordinated assault on Israeli and Western Web sites."

Palestinian attack on JC website

Turkish group hacks 'Jewish Chronicle'

London-based Jewish newspaper attacked by hackers

Indian National Security Advisor Believes Cyber Attacks Originated from China

MK Narayanan, India's National Security Adviser, has reported that his office was subjected to attempted cyber attacks from malicious code contained in PDF files sent in emails. The attacks occurred on December 15, 2009 and coincided with similar attacks on US companies that are alleged to have originated from China.

Mr. Narayanan stated that he believed the Indian cyber attacks were from the same source:
"People seem to be fairly sure it was the Chinese. It is difficult to find the exact source but this is the main suspicion. It seems well founded."

China tried to hack our computers, says India’s security chief M.K. Narayanan

Friday, January 15, 2010

Attempted Cyberattack on Law Firm that Sued China

The U.S. law firm Gipson Hoffman & Pancione has received email with malicious code they believe originated from China. Gipson Hoffman & Pancione is the firm representing Solid Oak Software Inc., a maker of Internet filtering software that they allege was stolen and used by Chinese companies to create the "Green Dam Youth Escort" filtering software required by the Chinese government. The lawsuit named various Chinese companies and the Chinese government.

After analyzing the malicious code, a company spokesperson said:
"We have every reason to believe they're coming out of China... We have solid indications. We can say the payloads of these Trojan e-mails were located within China and the ISP routing bears out the connections with China. But what we don't know is specifically who they were sent by, where they were sent from, and why they were sent."
The spokesperson also noted the timing of the attack in relation to Google's announcement to stop censoring Internet searches in China:
"It is difficult to believe that the timing is merely coincidental."

U.S. Law Firm That Sued China Reports Cyberattack

Thursday, January 14, 2010

Google Throws Down the Gauntlet to China - Maybe

A flood of news reports have come out concerning the looming battle between Google and China over intrusions into the accounts of human rights activists, à la Ghostnet.

To add to the confusion are almost simultaneous reports of alleged attacks by Iranians on China's largest search engine, Baidu, and the inevitable counterattacks on Iranian websites with pro-Chinese graffiti. What remains to be answered is why anyone in Iran would be motivated to attack and deface the Baidu website with pro-Iranian messages and graphics. The timing of these attacks is interesting as well.

As usual, there is plenty of speculation concerning the Google - China attacks and their motivations but little factual information available for analysis. Of course there are the usual problems with accurate attribution and sourcing of attacks and with determining exact motivations and potential external influences, including whether the Chinese government may have a role in the breaches.

However there are many other unanswered questions in the Google - China standoff. To name a few:
  1. Are these attacks related to, or a continuation of, the Ghostnet attacks? In an official blogpost, David Drummond, Google's Chief Legal Officer, pointed specifically to the Ghostnet report but didn't explicitly link them;

  2. Mr. Drummond's post also stated that "[a]s part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted." A full list of these companies has not been made public to date but it would be very informative to understand the exact relationship between the Google attacks (believed to target human rights activists) and the other companies. Is someone in China targeting human rights activists in chemical companies?!?;

  3. What are Google's and China's next steps? It's obvious that both entities have merely set up negotiating positions: Google did not close google.cn nor has it (yet) stopped censoring Chinese Internet searches; China's initial, official responses have been muted. Obviously, both sides don't want to do anything rash and there may be other agendas in play.
One of the biggest problems in understanding these attacks is the disjointed approach to investigating. These attacks span the world (The US, China, Iran, EU countries, Japan, Taiwan...) each with its own agenda and political and economic considerations. Additionally, there is no central coordination of information or analysis. Even within the US, some victims will cooperate; others will not. Among those that cooperate, some will have good monitoring and data collection capabilities; others will not. It's most likely we will never fully understand these attacks and if we don't understand them it will be next to impossible to effectively counter them.


Iranian Hackers Deface Top China Website
Hackers in Frontline of China's Cyberwar
A New Approach to China
China gives first response to Google threat

Wednesday, December 30, 2009

Belarus to Implement Controls over Internet

Belarus' President Alexander Lukashenko announced new legislation that:
"...would require the registration and identification of all online publications and of each Web user, including visitors to Internet cafes. Web service providers would have to report this information to police, courts and special services."

Belarus to toughen control over Internet

Thursday, December 17, 2009

Israeli Chief of Military Intelligence Comments on Cyberwar

Israel's Chief of Military Intelligence, Major-General Amos Yadlin provided a glimpse into the Israeli cyberwarfare program in his first public comments on the subject.

Speaking to the Israeli Institute for National Security Studies, he said:

"Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states"...

and added:

"The potential exists here for applying force ... capable of compromising the military controls and the economic functions of countries, without the limitations of range and location."


Spymaster sees Israel as world cyberwar leader

U.S. Predator Drones Compromised

In a stunning admission, the U.S. military confirmed that Iraqi insurgents have intercepted video streams from Predator Drones [emphasis added]:
"Shiite fighters in Iraq used off-the-shelf software programs ... available for as little as $25.95 on the Internet — to regularly capture drone video feeds, the Wall Street Journal reported Thursday. The hacking was possible because the remotely flown planes have an unprotected communications link."

"...in December 2008, the military apprehended a Shiite militant in Iraq whose laptop contained files of intercepted drone video feeds, the Journal reported. In July, they found pirated feeds on other militant laptops, leading some officials to conclude that groups trained and funded by Iran were regularly intercepting feeds and sharing them with multiple extremist groups."
Even more incredible is the admission that the system was not originally designed to encrypt transmissions:
"The military has known about the vulnerability for more than a decade, but assumed adversaries would not be able to exploit it."
This is a classic, textbook example of inadequate security design and risk assessments - the root causes of most security issues in both the public and private sector.

What should be more alarming is, if this vulnerability has been there for more than a decade, who else (with better resources) had access to the feeds and what other vulnerabilities exist in other systems that are not being addressed?

Pentagon: Insurgents intercepted drone spy videos

Sunday, December 06, 2009

Importance of the Internet for Opposition Groups in Iran

Like many modern political opposition groups, Iranian protesters make extensive use of social networks and other Internet services to plan and coordinate protest activity:
"The opposition, which relies on the Web and cell phone service to organize rallies and get its message out, has vowed to hold rallies Monday, the first anti-government show of force in a month."
Likewise, governments may target these communications as a means to limit protests. Reports are alleging the Iranian Government is restricting Internet and mobile phone services to limit opposition communications prior to planned protests:

"Internet connections in the capital, Tehran, have been slow or completely down since Saturday. Blocking Internet access and cell phone service has been one of the routine methods employed by the authorities to undermine the opposition in recent months.

"The government has not publicly acknowledged it is behind the outages, but Iran's Internet service providers say the problem is not on their end and is not a technical glitch. A day or two after the demonstrations, cell phone and Internet service is restored."


Iran slows Internet access before student protests

Wednesday, October 07, 2009

International Telecommunications Union (ITU) Focus on Cybersecurity

ITU has announced a partnership with the International Multilateral Partnership against Cyber Threats (IMPACT) to increase international cooperation.
"IMPACT... set up its Global Response Centre (GRC) in Cyberjaya, Malaysia, earlier this year as the international community’s foremost cyberthreat resource, to proactively track and defend against cyberthreats."
The ITU Secretary-General spoke at the ITU Telecom World 2009 on the need for better coordination:
"ITU Secretary-General Dr Hamadoun Touré stressed the importance of cyberpeace, where nations collaborate in a global cybersecurity framework based on enlightened self-interest. "Every country is now critically dependent on technology for commerce, finance, healthcare, emergency services, food distribution and more. Loss of vital networks would quickly cripple any nation – and none is immune to cyberattack.""

Cybersecurity in action at ITU Telecom World 2009

Thursday, October 01, 2009

Russian FSB Arrests for Dagestan Intrusions

Axis Information and Analysis provided a short report on the arrest by the Russian FSB (Federal Security Service) of an individual for politically motivated intrusions into the systems of various Russian republics:
"In the course of investigation the FSB employees managed to find cyber-criminals of the Ansar group of insurgents who had been engaged in hacker attacks with an aim of distribution of their ideas through the world-wide web, and the 27 y.o. hacker Albert Saayev. The FSB established his participation in breaking of some of the state information resources, including sites of authorities of the Chechen Republic, Dagestan and Ingushetia."
The article alleges that Mr. Saayev had previously been arrested and convicted of similar crimes.

Dagestan hackers suspected of cyber-extremism detained by Federal Security Service in Moscow

Wednesday, September 30, 2009

Attack Aimed at Foreign Journalists in China

Infowar Monitor has posted a short analysis of a cyber attack targeting foreign journalists based in China, including "Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa." The attack consisted of an email from a purported journalist interested in visiting China containing an attached PDF file with malware. The technique appears to be related to previous attacks with political motivation in the region:
"The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past."
The post also provides some speculation on motives and attribution.

Targeted Malware Attack on Foreign Correspondents based in China