Cyber Threats and Security

CYBER THREATS AND SECURITY

PROTECTING THE INFORMATION

n April 2009, the Wall Street Journal (WSJ) reported that computer hackers – thought FORTRESS to be Chinese or Russian – had breached a key computer network of U.K. defence Igiant BAE Systems in 2007 and 2008 and stolen “several terabytes of data” related by Blair Watson to the United States’ F-35 Lightning II Joint Strike Fighter (JSF). BAE has been a major industrial partner on the $382-billion aerospace program during the past eight years. Not surprisingly, U.S. officials downplayed the story.

On March 11, 2012, The Sunday Times, fly-by-wire interface, sophisticated AESA The following month, the U.S. Office of a British newspaper, reported: “Details of radar, colour liquid crystal cockpit monitors the Inspector General released a report con- the [cyber] attack on BAE have been a and holographic head-up display, and other firming that Chinese hackers had gained closely guarded secret within Britain’s intel- 21st-century war-fighting innovations. control over NASA’s Jet Propulsion Labora- ligence community since it was first uncov- tory in November, which gave them the ered nearly three years ago. But they were CYBERATTACKSAGAINST ability to delete sensitive files, add user disclosed by a senior BAE executive during DIVERSEORGANIZATIONS accounts to mission-critical systems, upload a private dinner in London for cyber secu- Hardly a week goes by without a news hacking tools, and more. rity experts late last year.” According to the report of a prominent organization being Paul Martin, NASA’s inspector general, report, the executive confirmed that the cyber-assaulted. “Hackers attack Vatican told U.S. lawmakers: “The attackers had full Chinese had electronically penetrated website 2nd time in days” was the FOX functional control over these [computer] net- BAE’s network and stolen plans for the News headline in mid-March. Authorities works.” His report said that in 2010 and F-35’s stealthy design, electronics, and other believe the notorious Internet hacker group 2011, “NASA reported 5,408 computer secu- systems. Anonymous was behind the onslaught. Four rity incidents that resulted in the installation In late 2010, China unveiled its weeks earlier, Information Week (IW) reported of malicious software on or unauthorized Chengdu J-20 stealth fighter-attack jet. that Anonymous had taken down a U.S. access to its systems. These incidents Photographs reveal JSF-like housings for Central Intelligence Agency website via a spanned a wide continuum from individuals electro-optical sensors and all-moving tail- distributed denial of service (DDoS) blitz. testing their skill to break into NASA sys- fins. With the WSJ report and photographic “Anonymous and other hacktivists also left tems, to well-organized criminal enterprises evidence, military aviation experts think their marks on the U.S. Census Bureau, Inter- hacking for profit.” Some of the incidents the J-20 is probably equipped with Chinese pol, and Mexico, as well as law enforcement “may have been sponsored by foreign intel- versions of the American fighter jet’s electro- websites in Alabama and Texas,” wrote IW ligence services seeking to further their optical distributed aperture system, digital in February. countries’ objectives.”

FrontLine Security I www.frontline-security.org I 35 The Chengdu J-20 on a test flight may try to carry out cyber attacks on the U.S., and advised government to be pre- pared. “To date, terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent,” he warned. “They may seek to train their own recruits or hire outsiders, with an eye

F-35 Lightning II. PHOTO: BAE SYSTEMS toward pursuing cyber attacks. As our nation’s national security and criminal adversaries constantly adapt and evolve, so infiltrated Iranian computer networks and must the FBI be able to respond with new accessed control systems of the country’s or revised strategies and operations to nuclear program. Reportedly, about 1,000 counter these threats.” centrifuges used to enrich uranium were secretly ordered to spin so fast that they Industrial Spies and Organized Crime As a result of the computer destroyed themselves, setting the program Groups: These individuals and collectives breach reported in the Wall back by months. pose a medium-level threat because of their ability to conduct industrial espionage as Street Journal, and photographic The Stuxnet malware (malicious software) also fed erroneous indications to tech- well as large-scale monetary theft. They evidence, military aviation experts nicians in the control facility, making it typically have the resources to hire or think the J-20 is probably equipped appear that the centrifuges were running develop hacking expertise. Their motiva- with Chinese versions of the normally. The U.S. and Israeli governments tion is money and their methods include American fighter jets’ electro- are widely believed to have been behind the attacks on infrastructure for profit, stealing trade secrets, and acquiring potentially optical distributed aperture operation. In a September 2010 statement, computer security firm Kaspersky Labs embarrassing information that can be used system, sophisticated AESA described the worm as a “fearsome proto- to blackmail key officials. radar, digital fly-by-wire interface, type of a cyber-weapon that will lead to the Hacktivists: Nuisance hackers, like those colour liquid crystal cockpit creation of a new arms race in the world.” in Anonymous, target organizations in monitors and holographic head-up The company is convinced that the mal- furtherance of a political agenda. Their displays, and other 5th Genera- ware could only have been created with isolated-yet-damaging assaults, pose a “nation-state support.” tion war-fighting innovations. medium-level threat to organizations, says Terrorists: In early March, FBI Director the DHS. Most hacktivist groups have Robert Mueller warned a House appropria- focused on carrying out irritating attacks tions subcommittee that violent extremists rather than damaging important infrastruc- Using the code name OpPiggyBank, a hacking collective called CabinCr3w attacked the Los Angeles Police Department website in February and obtained email addresses, passwords, names, and physical addresses What types of organizations are targeted the most? of more than 1,000 officers. They also copied 15,000 police warrants; hundreds of Robert Freeman, manager of IBM’s X-Force Research thousands of court summons; more than “Although government organizations have always worried about the threat 40,000 Social Security numbers; and thou- of state sponsored computer intruders, it is apparent that both large and sands of police reports. small private enterprises also face this type of threat. A number of prominent publicly reported breaches in 2010 and early 2011 appear to drive THREATSOURCES this point home. Attackers are interested in the intellectual property of busi- According to the U.S. Department of nesses of all sizes, and are even interested in businesses that may not have Homeland Security (DHS), there are five interesting intellectual property but are key business partners with those main sources of threats to computer net- that do. In the latter case, they are looking for ways to gain access to data works or other types of linked electronic by pivoting in. Attackers may also target small, seemingly irrelevant busi- control systems: governments, terrorists, nesses that can act as storage and proxy for their attacks. Organizations industrial spies and organized crime groups, of all sizes should be concerned. Usually the more elaborate enterprise hacktivists, and hackers. attacks are part of what the industry commonly refers to as ‘Advanced Persistent Threat’ or APT. These attacks rarely use high tech exploits and Governments: Various state players have malware these days. The complexity is in the operation and management of developed cyber resources that pose a sig- the attack towards stealing data and keeping a foothold in a given organi- nificant threat to systems and programs zation. Only once discovered does the complexity tend to increase. There are deemed important to national security and many steps to a successful attack that pivots and steals data. If an organi- economic stability. For example, in 2010 a zation can detect and stop any of the events during the attack, it wins.” new computer “worm” dubbed Stuxnet

36 I FrontLine Security I Volume 7, Issue 1 Criminals will borrow techniques from Black Hat SEO (search engine optimiza- Do organizations have adequate tion) to deceive current botnet defences resources to deal with cyber threats? like dynamic reputation systems that compute “reputation” scores of domain Kurt Baumgartner, senior security researcher at Kaspersky Labs names. “Unfortunately, it’s uncommon to see all of an organization’s resources fully secured. Potentially less than 50% of them have adequate planning, imple- WHATCANBEDONE? mentations, and maintenance in regards to securing important resources. Robert Freeman of IBM recommends the There are diverse infectors, some of which are omnipresent in cyberspace following steps to better secure a network: (e.g., Sality, Virut, Xpaj, Qbot). Usually there are established procedures – Perform regular third party external to deal with them. Mass exploitation and cyber criminals spreading Zbot, and internal security audits. FakeAV, TDSS, SpyEye and other spyware is a problem for every organi- – Control your endpoints. zation, whether the adversary is after financial data or other private – Segment sensitive systems and resources. The APT (Advanced Persistent Threat) is a different story, information. however. Depending on the group, they don’t go away for years, and inno- vate to get in. It’s rare to see organizations adequately protected with – Protect your network. technology, and human error will continue to be a critical weak point.” – Audit your web applications. – Train end users about phishing and spear phishing. ture. Achieving notoriety for their cause is Expect compound threats targeting – Search for bad passwords. part of their motivation. mobile devices that use SMS, e-mail and – Integrate security into every Hackers: The large majority of hackers do the mobile Web browsers, then silently project plan. recording and stealing data. not have the requisite knowledge or expe- – Examine business partners’ policies. USB flash drives have long been recog- rience to threaten difficult targets such as – Have a solid incident response plan. critical computer networks or systems nized for their ability to spread malware, directed by programmable logic controllers but mobile phones are becoming a new Keep malicious activity out of an enterprise (nuclear enrichment centrifuges for example). vector that could introduce attacks on network by keeping up with vulnerability However, the electronic penetration of BAE otherwise-protected systems. patches and detecting attacks at the perime- Systems, NASA, and other high-tech and The good news is: encapsulation and ter can be a significant challenge,” says sensitive organizations (including govern- encryption of sensitive portions on a mobile Robert Freeman, a manager at IBM’s ment departments, banks and law firms) device can strengthen security. X-Force Research, “and the threat landscape proves that some hackers are very good appears to be getting only more compli- at their craft. BOTNETS cated.” S Botnet controllers build massive informa- EMERGINGTHREATS tion profiles on their compromised users Blair Watson is a contributing editor at FrontLine Magazine. According to cyber security experts, threats and sell the data to the highest bidder. are constantly evolving. Georgia Tech’s Adversaries query botnet operators in Emerging Cyber Threats Report 2012 warns search of already compromised machines about the Mobile Threat Vector and Botnets. belonging to their attack targets. The latter is a collection of compromised computers, each known as a ‘bot’, which are set up to forward transmissions such as spam or viruses via the Internet. Often, when a computer is penetrated by a hacker, Is cyber security in government code within the introduced malware organizations better than in the private sector? commands the device to become part of a botnet. The “botmaster” or “bot-herder” Gerry Egan, Symantec’s Director of Product Management controls compromised computers via stan- dards-based network protocols such as IRC “They’re very similar. The quality of personnel is the same as you’d find in the and http. The following are highlights of private sector, and cyber security as a priority is just as high. IT [informa- Georgia Tech’s report: tion technology] organizations in the public sector are just as constrained by resources and trained security personnel as what you would find in the private sector. The shortage of trained cyber security personnel is a national MOBILE THREAT VECTOR issue that spans across all industries – public and private – and can only be Mobile applications, such as those on solved with a renewed emphasis on science and mathematics at the middle smartphones, increasingly rely on a and high school levels, followed by more courses, professors and research browser, presenting unique challenges to funding at the collegiate level.” security in terms of usability and scale.

FrontLine Security I www.frontline-security.org I 37