Case Study: THE RISE OF CYBER-ESPIONAGE



The Counter Terrorist ~ June/July 2012, p. 20
By Chris Mark
Photo: ©istockphoto/loops7

At a Hopkinton, Massachusetts, office, an executive received an email that appeared to be from a coworker on March 1, 2011. Attached to the email was an Excel spreadsheet titled “2011 Recruitment Plan.” The man opened the spreadsheet. The email was not from a coworker; it was a carefully crafted attack known as “spearphishing,” in which a fraudulent email is sent to a specific person.
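A lure like the one just described leaves traces in the message itself before anyone opens the attachment. The following Python triage function is an added example, not part of the article: it flags a display name that matches a coworker whose real address differs, a sender domain outside the organisation, a divergent Reply-To, and an Office attachment. The corporate domain, the employee directory, the lookalike domain "examp1e.com" and the sample message are all constructed stand-ins.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed stand-ins: the organisation's own mail domain and a small
# employee directory mapping display names to their real addresses.
CORP_DOMAIN = "example.com"
DIRECTORY = {"alex rivera": "alex.rivera@example.com"}
# Attachment types worth a second look; an Excel file was the carrier here.
WATCH_EXT = (".xls", ".xlsx", ".xlsm", ".doc", ".docm", ".rtf")

def triage(raw: bytes) -> list:
    """Return the indicators triggered by one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    known = DIRECTORY.get(name.strip().lower())
    # A display name that matches a coworker while the address is not that
    # coworker's is what "appeared to be from a coworker" looks like on the wire.
    if known and addr.lower() != known:
        findings.append(f"display-name spoof: '{name}' is {known}, sent from {addr}")
    if domain and domain != CORP_DOMAIN:
        findings.append(f"external sender domain: {domain}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To diverges from From: {reply_to}")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(WATCH_EXT):
            findings.append(f"office attachment: {fname}")
    return findings

# Constructed sample modelled on the lure in the article; "examp1e.com" is a
# made-up lookalike of the corporate domain, not a real sender.
SAMPLE = b"""From: Alex Rivera <alex.rivera@examp1e.com>
To: exec@example.com
Reply-To: hr-team@examp1e.com
Subject: 2011 Recruitment Plan
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="2011 Recruitment Plan.xls"

(attachment bytes omitted)
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```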

The spearphishing email contained an Excel spreadsheet with a zero-day exploit and a version of the Poison Ivy RAT (remote administration tool) payload embedded. The RAT enabled a hacker to gain privileged access to the network of RSA Security (an American computer and network security company). The company had been founded by Ron Rivest, Adi Shamir, and Leonard Adleman, the inventors of the RSA public key cryptographic algorithm. This single event initiated an attack that would result in the compromise of one of the largest and most respected data security companies in the world. Within weeks, the attackers had penetrated RSA’s defenses and stolen the source code to the vaunted two-factor authentication system, SecurID. SecurID is used by an estimated 250 million people worldwide. The attack was believed to have been initiated using a zero-day exploit created by a Chinese […]. Evidence suggests the possibility of Chinese-sponsored cyber-espionage.[1] RSA’s CEO, Art Coviello, stated the stolen SecurID information “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack (italics added).”[2] This proved to be an ominous prediction.

On May 27, 2011, an employee at L-3 Communications, a major supplier of communication, intelligence, surveillance, and reconnaissance technology to the Department of Defense, noticed suspicious activity in the network. An investigation showed a hacker had accessed the network using cloned RSA SecurID tokens[3] and potentially accessed critical intellectual property related to defense projects. This is only one of several reported attacks that seem to have originated from the RSA breach months before.[4] It is believed that Northrop Grumman Corporation (a designer, systems integrator, and manufacturer of military aircraft) may have been targeted, and Lockheed Martin (an American aerospace, defense, security, and advanced technology company) announced that it too was the target of a “significant and tenacious” attack, which also apparently originated from the compromised RSA tokens.[5]

By February 2012 security analysts began to acknowledge what many have known for a long time. The US government and US companies are losing the battle to protect sensitive data. At RSA’s annual security convention, Robert Mueller, head of the Federal Bureau of Investigation, told the audience, “There are only two types of companies. Those that have been hacked, and those that will be.” Echoing his sentiments, RSA’s Coviello took the stage and ominously informed the crowd, “Our networks will be penetrated. We should no longer be surprised by this.” He added, “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.”[6]

Photo caption: Panel discussion at the 3rd annual State of the Net conference, held in Washington, D.C. From left: Lord Toby Harris (UK Parliament), Christopher Painter (US DoJ), Scott Charney (MSFT), Chris Young (RSA Security) and Ari Schwartz (CDT). Photo: Joe Hall

The comments at RSA accurately depict the state of cybersecurity today. Organizations are spending billions of dollars per year and are being literally and figuratively eviscerated by people intent on stealing data. There are growing numbers of reasons why data is stolen but, in general, the motivations can be fit into three broad categories: political or social activism, cyber-espionage, and financial crimes. Regardless of the basic motivations, the methods of attack are similar, and the same techniques used to perpetrate politically motivated attacks are used to steal financial data.

During a London speech in 2007 on credit card security and compliance, a French participant stated unequivocally to me that the recommendations provided did not apply to companies accepting credit cards in France because, “In France we do things differently.” My response was to ask a series of simple questions. “Is the Internet in France based on the Internet protocol? Does the OSI model apply in France? Is structured query language used in France?” He sheepishly answered “yes” to all the questions. Whether the motivation is stealing credit card data, intellectual property, or state secrets, the attack principles are the same because the underlying protocols and technologies are the same.

To understand the difficulty of protecting systems from today’s attacks, it is useful to look at the concepts of unrestricted warfare and guerilla tactics. As stated in Mao Tse-tung’s On Guerilla Warfare:

“At one end of the spectrum, ranks of electronic boxes buried deep in the earth hungrily spew out endless tapes. Scientists and engineers confer in air conditioned offices; missiles are checked by intense men who move about them silently, almost reverently….in forty minutes the countdown begins.

At the other end of the spectrum, a tired man wearing a greasy felt hat, a tattered shirt, and soiled shorts is seated, his back against a tree. Barrel pressed between his knees, butt resting on the moist earth between his sandaled feet, is a browning automatic rifle...Draped around his neck, a sausage-like cloth tube with three day’s supply of rice…In forty minutes his group of fifteen men will occupy a previously prepared ambush.”[7]

In today’s world of cybersecurity, companies are spending billions of dollars on cutting-edge equipment and monitoring systems and networks around the clock. On the other end of the spectrum is Hector Xavier Monsegur, also known as “Sabu.” Sabu is a 28-year-old unemployed high school graduate. He is a father of two who lives on public assistance in a housing project in New York’s Lower East Side. With a dilapidated computer he allegedly wreaked havoc on numerous companies, including Fox, Sony, and PBS.[8] He does not require sophisticated equipment. All he needs is knowledge, patience, time, and motivation to attack a company.

Photo caption: INL cybersecurity researcher operates a Supervisory Control and Data Acquisition System inside the lab’s Information Operations Research Center. Photo: Idaho National Laboratory

As mentioned previously, there are several motivations that drive hacking behavior. Although these motivations often intersect and may overlap, generally, they tend to be either financial or ideological. Financially driven crimes are, arguably, easier to anticipate and counter. Volumes have been written on the exploits of the Russian Business Network, BOA Factory, Mazafaka, and other alleged financially motivated criminal groups. Today, companies are also facing increasingly dangerous adversaries driven by ideology. People driven by ideology are often more dangerous and difficult to deter. Their willingness to accept greater risk and focus greater resources for less-perceived return makes them particularly challenging. There are primarily two types of ideologically motivated adversaries threatening companies today: social or politically motivated hacktivists, and “patriotic hackers” involved in cyber-espionage.

Hacktivism refers to cyberattacks or data thefts that are conducted primarily to make a political, social, or other statement. It should be noted that although the primary objective may be politically or socially motivated, these attacks often result in stolen financial and other data that may be used for financial gain. Two of the most prominent groups active today appear to be LulzSec and Anonymous.

In 2004 a relatively anonymous hacker named Jeremy Hammond presented the LulzSec manifesto at the hacker convention known as DefCon. To a chorus of boos and hisses, and with a bandana covering his face, the hacker, political activist, and self-styled anarchist known online as “anarchaos” and “crediblethreat” stated defiantly, “One man’s freedom fighter is another man’s terrorist. So let them call us terrorists.” He added moments later, “I’ll still bomb their buildings.”[9] He served two years in prison in 2006 for cyberattacks. In 2011 Hammond was arrested again for a hack against the US intelligence company […].

Although Anonymous is believed to be a loosely knit, decentralized group of hackers whose members may overlap with those of LulzSec, its motivations can be seen in its published manifesto. Like LulzSec, Anonymous has political interests.[10] Its manifesto states:

“The intention of Anonymous is to protect free flow of information of all types from the control of any individual, corporation, or government entity. We will do this until our proverbial, dying breath. We do this not only for ourselves, but for the citizens of the world. We are people campaigning at this very moment for your freedom of information exchange, freedom of expression, and free use of the Internet. Please remember this as you watch the news, read posts on Twitter, comment on YouTube or Facebook, or send email to a friend or loved one: Anonymous is making every effort to defend free speech and free information on the Internet”

Anonymous concedes that it does not control, or try to control, its own members’ actions:

“May we remind you that Anonymous is a dynamic entity. Furthermore, anything attributed, credited, or tagged to Anonymous is not always based on the consensus of us as a whole. Even the document you read now was written by at least ten people simultaneously.”

State-sponsored cyber-espionage includes hacks perpetrated directly by foreign governments, or by foreign organizations and individuals associated with foreign governments. Although numerous countries engage in cyber-espionage, the largest perpetrator of cyber-espionage appears to be the People’s Republic of China. Although the motivations are often ultimately financial, we see a glimpse into how China reportedly motivates attackers to perpetrate the crimes. China calls those who steal for the benefit of China “patriot hackers”.[11] By appealing to the patriotism of the hacker, it applies moral relativism to the act. In short, the hacker, in their eyes, is not committing a wrong; he or she is patriotically supporting China.

On April 15, 2011, the US Congressional Subcommittee on Oversight and Investigations conducted a hearing on Chinese cyber-espionage. The hearing revealed the US government’s awareness of Chinese cyberattacks. In describing the situation in her opening remarks, subcommittee chairperson Dana Rohrabacher astutely stated: “[The] United States is under attack.”[12] “The Communist Chinese Government has defined us as the enemy. It is buying, building and stealing whatever it takes to contain and destroy us. Again, the Chinese Government has defined us as the enemy.”

The RSA compromise, as well as the theft of data from DuPont, and the theft of intellectual property from American Superconductor, Microsoft, Cisco, and Motorola, to name but a few, demonstrate the motivation and sophistication of the efforts to steal data from US companies.[13] It should be noted that the United States is not the only victim. The United Kingdom reportedly loses $45 billion per year from cybercrime, with $28 billion in losses directly attributable to cyber-espionage.[14] As detailed in the congressional report:

“The PRC utilizes a large well-organized network of enterprises, defense factories and affiliated research institutes and computer network operations to facilitate the collection of sensitive information and export-controlled technology.”

“The economics of cyber-theft is simple: Stealing technology is far easier and cheaper than doing original research and development. It is also far less risky to the spy than historic cloak and dagger economic espionage.”[15]

Cybercrime has been an issue for companies since the Internet boom of the late 1990s. Early criminal efforts focused on stealing financial data such as credit and debit card information, and website defacements. Throughout the 2000s companies have been plagued with data thieves stealing financial data. Today, companies and governments are increasingly facing more dangerous hacktivist and cyber-espionage attacks. Companies that have focused on protecting financial data are now faced with the daunting task of protecting intellectual property and systems from a motivated, sophisticated adversary often driven by ideology.

ABOUT THE AUTHOR

Mr. Mark is the founder of Mark Consulting Group, Inc. He is a data security and risk professional. He has consulted for numerous Fortune 500 companies and publishes the blog www.GlobalRiskInfo.com.

END NOTES

1. http://jeffreycarr.blogspot.com/2011/06/18-days-from-0day-to-8k-rsa-attack.html (accessed 3/18/12)
2. http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/ (accessed 3/18/12)
3. http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/ (accessed 3/18/12)
4. http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/ (accessed 3/18/12)
5. http://www.informationweek.com/news/government/security/229700151 (accessed 3/15/12)
6. Cowley, Stacy. (Feb 28, 2012) “New Cybersecurity Reality: Attackers are winning.” http://money.cnn.com/2012/02/28/technology/rsa_cybersecurity_attacks/index.htm (accessed 3/15/12)
7. 21st Century U.S. Military Manuals: Mao Tse-tung on Guerrilla Warfare (Yu Chi Chan), U.S. Marine Corps Reference Publication FMFRP 12-18 (accessed 3/18/12)
8. http://www.foxnews.com/scitech/2012/03/06/exclusive-unmasking-worlds-most-wanted-hacker/
9. http://www.belch.com/blog/2012/03/08/-hacker-delivered-defcon-manifesto-in-2004/ (accessed 3/12/12)
10. http://www.indybay.org/newsitems/2010/12/09/18666107.php (accessed 3/12/12)
11. House of Representatives, United States House (2011-06-30). Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology (Kindle Locations 188-189). Kindle Edition. (accessed 3/13/12)
12. House of Representatives, United States House (2011-06-30). Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology (Kindle Location 66). Kindle Edition. (accessed 3/12/12)
13. http://articles.boston.com/2011-09-19/news/30176716_1_alternative-energy-china-ties-data-theft-case (accessed 3/18/12)
14. http://cyberpointllc.com/news_09.html (accessed 3/13/12)
15. House of Representatives, United States House (2011-06-30). Communist Chinese Cyber-Attacks, Cyber-Espionage and Theft of American Technology (Kindle Locations 188-189). Kindle Edition. (accessed 3/13/12)

