return to ICG Spaces home    ICG Risk Blog    discussions    newsletters    login    

Malicious marketplace uniting espionage, criminal groups, crackers, terrorism, vulnerable systems, commercial and government targets

  #

The black hat community attacking commercial and military targets is as large as it is diverse and global:

1. State espionage against foreign commercial and military targets

2. Criminal enterprises focused on money over fame or ideology

3. Stateless terrorism and its associated criminal money raising campaigns (phishing for example)

4. "Outsourced" smaller criminal enterprises in low cost, permissive cultures (who can fabricate exploits too labor intensive for more established criminal groups)

5. Cracker groups selling exploits to groups 1, 2, and 3 directly or through brokers

White hats and black hats will produce interacting swarms of rootkits, trojans, worms, adware and spyware spoke, in part, to a deteriorating security environment in which Black hat exploits will combine "unrelated white hat DRM audio, video and text implementations in concert with other secondary weak points" that will likely erase years of armoring by operating systems, ISPs and e-mail systems.

Alan Paller, Director of Research at SANS, notes that "Attackers are now targeting the whole range of applications that users are now installing on their systems… That means we're back to the Stone Age. Everything you worried about five or six years ago" is again a primary concern in which these programs do not have a robust, rapid means to detect, fix and disseminate. Vulnerabilities must meet four criteria to make the SANS Top 20 list:

  • They must affect a large number of users.
  • Most systems must lack patches against them.
  • They must allow remote, unauthorized users to control affected systems.
  • There must be enough information about them on the Internet for attackers to exploit them.

Worse, private and commercial users that have grown accustomed to focusing on installing updates for their operating system and a preferred browser must now attempt to locate and install fixes from a potentially large group of secondary product manufacturers - and who knows how good their patch procedures are. (Were I a funded black hat, I would acquire some of these secondary providers as sleeper sites to launch a trap-doored patch when the opportunity was right, but in the interim, operate within the security process so as to acquire an understanding of national and international defense mechanisms.)

The totality of threat and environment forms what Roger Cummings, the director of the UK's National Infrastructure Security Co-ordination Centre (NISCC) calls a "malicious marketplace." Cummings went on to say that the most significant electronic threats to England's Critical National Infrastructure (CNI), including government agencies as well as firms "in the finance, transportation and telecommunications sectors," are "content-based, targeted, Trojan horse e-mail attacks from the far east, primarily China, South Korea and India.

Noting that "Foreign states are probing the CNI for information," Cummings ranks the threats to CNI from today's malicious marketplace, from highest to lowest:

  • Foreign states targeting information ("most significant")
  • Criminal enterprises acquiring information for resale
  • Hackers of "variable capability" selling capability or exploits to other consumers
  • Terrorists currently possessing "low capability"

This tracks with our experience that 'cyber-collection' far outranks cyberterrorism. Take for example the superb Chinese hacker team Titan Rain that has been raiding US commercial and governmental sites at least from 2003. I recommend Nathan Thornburg's The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them), George Ou's How the undermining of US intelligence continues in cyberspace and Ira Winkler's appalling summary of the blowback against the volunteer US investigator and counter-hacker, Shawn Carpenter, in The case of Shawn Carpenter: A cautionary tale.

As Ou notes, the Titan Rain saga is still ongoing and frames the "alarming ineffectiveness of US cyber intelligence policy" "Titan Rain is thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced." On the night of 1 November, 2004, Titan Rain breached federal computer systems at the U.S. Army Information Systems Engineering Command (Fort Huachuca, AZ), Defense Information Systems Agency (Arlington, VA), the Naval Ocean Systems Center (San Diego, CA) and the U.S. Army Space and Strategic Defense (Huntsville, AL).

How such a breach was accomplished with such skill and speed is clear from Shawn Carpenter' investigations:

Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. "Most hackers, if they actually get into a government network, get excited and make mistakes," says Carpenter. "Not these guys. They never hit a wrong key."

On a voluntary basis on his own time, Carpenter counter-attacked, piercing the Titan Rain organization and placing bugs in their network. Competence and zeal, however, proved no match for bureaucracy. Working first in an unofficial liaison with US Army Intelligence, Carpenter was passed onto the FBI as federal "rules prohibit military-intelligence officers from working with U.S. civilians." For months, Carpenter works in the same unofficial capacity with the bureau where "his work was folded into an existing task force on the attacks."

In a painful reprise of the 1975 Church Committee and the subsequent 1976 Levi Guidelines that, while they addressed excesses, went further so as to effectively geld our intel services in the gray and black HUMINT areas that are so essential today, by law it is illegal for a US national to hack into a foreign computer system. Carpenter's employer, Sandia National Labs, expressly forbid him to share his work, then fired him. The bureau abandoned him to the point that it launched an investigation into the legality of his activities which had occurred with the bureau's knowledge. At some point the bureau moved to protect itself as under current guidelines the US cannot proactively track and shut down a foreign site but must "go through a cumbersome authorization process" that involves the cooperation of the host nation. (The UK endures a similarly delicate and glacial process in China and India.)

Given that "China's State Council Information Office, speaking for the government, told TIME the charges about cyberspying and Titan Rain are "totally groundless, irresponsible and unworthy of refute" one should not expect a speedy resolution, yet Carpenter's research showed that Chinese sites in Guangdong province were the source of Titan Rain attacks and not a zombie botnet controlled from elsewhere:

Titan Rain presents a severe test for the patchwork of agencies digging into the problem. Both the cybercrime and counterintelligence divisions of the FBI are investigating, the law-enforcement source tells TIME. But while the FBI has a solid track record cajoling foreign governments into cooperating in catching garden-variety hackers, the source says that China is not cooperating with the U.S. on Titan Rain. The FBI would need high-level diplomatic and Department of Justice authorization to do what Carpenter did in sneaking into foreign computers. The military would have more flexibility in hacking back against the Chinese, says a former high-ranking Administration official, under a protocol called "preparation of the battlefield." But if any U.S. agency got caught, it could spark an international incident.

The scale, skill and duration of Titan Rain points to state sponsorship but that can be murky in China as state sponsorship, or state tolerance, could included the PLA, a PLA dual-use subsidiary, an outsourced Chinese firm (which the PLA has increasingly used to speed up various activities), or a Triad. David Szady, Assistant Director, FBI Counterintelligence Division, has noted that "the Chinese are more aggressive" than other collectors, adding "If they can steal it and do it in five years, why [take longer] to develop it?"

Readers must not assume this to be China bashing but merely recognition of skill and achievement, better than most, of one among many examples of foreign state probing of commercial and government critical infrastructure. As Ou noted, "The Titan Rain are just doing their jobs as Chinese patriots, but we're not doing our jobs to stop them." (Ou's observations on security, networking and architecture are always recommended. I would also recommend Kabay's series on industrial espionage - links below.)

In the above context, it is easier to understand Bruce Schneier's complaint that cyberterrorism is "over-hyped" (and used in the US as a means for federal and commercial entities to plump their budgets and manpower) while cybercrime is "under-hyped." Schneier supports Cumming's concept of a malicious marketplace and its merger of criminal and hacker assets, while reserving his concern that a monomaniacal focus on cyberterrorism distracts our attention from more immediate threats.

I would broaden cybercrime to 'cyber-collection' by both state and criminal assets as the vastly under-hyped hole which our infrastructure, statues, diplomacy and distraction leaves us increasingly ill-prepared to combat.

Security experts lift lid on Chinese hack attacks
By Tom Espiner, CNET News.com
Published on ZDNet News
November 23, 2005, 11:48 AM PT

Cyberterror 'overhyped,' security guru says
By Tom Espiner, ZDNet (UK)
Published on ZDNet News
November 23, 2005, 7:41 AM PT

Schneier on security
Tom Espiner interview with Bruce Schneier
ZDNet UK
November 23, 2005, 13:00 GMT

Foreign powers are main cyberthreat, U.K. says
By Tom Espiner, CNET News.com
Published on ZDNet News
November 22, 2005, 12:23 PM PT

The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus
Version 6.0 November 22, 2005
SANS Institute

Guard against Titan Rain hackers
Opinion by Ira Winkler
COMPUTERWORLD
OCTOBER 20, 2005

Industrial espionage series by M. E. Kabay, Network World:

Industrial espionage, Part 1: Methods
Methods of conducting industrial espionage
09/22/05
Industrial espionage, Part 2: More methods
Even more ways to conduct industrial espionage
09/29/05
Industrial espionage, Part 3: Survey results
Surveys showed rise in industrial espionage in 1990s
10/06/05
Industrial espionage, Part 4: Risk factors and losses
Industrial espionage responsible for huge losses, much of which isn’t reported
10/13/05
Industrial espionage, Part 5: People from many countries targeting U.S.
Reports show long list of countries involved in industrial espionage
10/20/05
Industrial espionage, Part 6: Cases
Cases of industrial espionage
10/27/05
Industrial espionage, Part 7: More cases
More cases of industrial espionage
11/03/05
Industrial espionage, Part 8: China and Titan Rain
‘Titan Rain’ investigation leads to China
11/10/05

The case of Shawn Carpenter: A cautionary tale
By Ira Winkler
SearchSecurity.com
22 Sep 2005

How the undermining of US intelligence continues in cyberspace
Posted by George Ou @ 8:35 am
August 29, 2005

The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)
An exclusive look at how the hackers called TITAN RAIN are stealing U.S. secrets
By NATHAN THORNBURGH
Time
Posted Monday, Aug. 29, 2005
Scrolled to fee
archive
Mirror, Mirror

Hackers Attack Via Chinese Web Sites
U.S. Agencies' Networks Are Among Targets
By Bradley Graham
Washington Post
August 25, 2005

Web of Crime, PC World 5-part series:

Enter the Professionals
Erik Larkin
August 22, 2005
Zombie PC Armies Designed to Suck Your Wallet Dry
Erik Larkin
August 23, 2005
Web of Crime: Internet Gangs Go Global
Liane Cassavoy
August 24, 2005
Internet Sieges Can Cost Businesses a Bundle
Robert McMillan
August 25, 2005
Who's Catching The Cybercrooks?
Tom Spring
August 26, 2005

Between phishers and the deep blue sea
By Dawn Kawamoto, CNET News.com
Published on ZDNet News
July 18, 2005, 4:00 AM PT

Hacking for dollars
By Joris Evers, CNET News.com
Published on ZDNet News
July 6, 2005, 4:00 AM PT

Asian Trojans attacking U.K., agency warns
By Dan Ilett, ZDNet (UK)
Published on ZDNet News
June 16, 2005, 8:38 AM PT

Security guru slams misuse of 'cyberterrorism'
By Dan Ilett, ZDNet (UK)
Published on ZDNet News
April 26, 2005, 3:24 PM PT

Gordon Housworth



Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  
 
In order to post a message, you must be logged in
Login
message date / author


There are no comments available.

In order to post a message, you must be logged in
Login