Tag Archives: cyber spying

The Heist: hacking central banks

federal reserve bank ny, Image from wikipedia

Hackers broke into the Bangladesh central bank’s computer systems in early February, 2016, according to the news service, which cited anonymous officials at the financial institution. The attackers stole the credentials needed to authorize payment transfers and then asked the Federal Reserve Bank of New York to make massive money transfers — nearly three dozen of them — from the Bangladeshi bank’s account with the Fed to accounts at other financial institutions overseas.  Four transfers to accounts in the Philippines, totaling about $80 million, worked. But then a fifth request, for $20 million to be sent to an apparently fictitious Sri Lankan nonprofit group, was flagged as suspicious by a routing bank because of the “fandation” error.

Bangladesh’s central bank was able to stop that transaction after the routing bank asked for confirmation. “The Sri Lankan bank did not disburse it immediately, and we could recover the full amount,” the central bank told the Financial Times.  The requests waiting to be processed — amounting to a total of between $850 million and $870 million, according to an unnamed official cited by Reuters — were also halted. So if it weren’t for that typo, the attackers might have escaped with a bigger payday. Bangladesh’s finance minister has blamed the incident on the Federal Reserve and said his government will “file a case in the international court against” the financial institution, according to the Dhaka Tribune. A New York Fed spokesman denied the accusation, telling The Washington Post in a statement that “there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question” or that the institution’s systems were compromised. The spokesman said the payment instructions were “fully authenticated” using standard methods.

Excerpts from Andrea Peterson Typo thwarts hackers in $1 billion cyber heist on Bangladesh central bank, Washington Post, Mar. 11, 2016

DARPA for Transparent Computing

image from wikipedia

From the DARPA website
Modern computing systems act as black boxes in that they accept inputs and generate outputs but provide little to no visibility of their internal workings. This greatly limits the potential to understand...advanced persistent threats (APTs). APT adversaries act slowly and deliberately over a long period of time to expand their presence in an enterprise network and achieve their mission goals (e.g., information exfiltration, interference with decision making and denial of capability). Because modern computing systems are opaque, APTs can remain undetected for years if their individual activities can blend with the background “noise” inherent in any large, complex environment. ..

The Transparent Computing (TC) program aims to make currently opaque computing systems transparent by providing high-fidelity visibility into component interactions during system operation across all layers of software abstraction, while imposing minimal performance overhead. The program will develop technologies to record and preserve the provenance of all system elements/components (inputs, software modules, processes, etc.); dynamically track the interactions and causal dependencies among cyber system components; assemble these dependencies into end-to-end system behaviors; and reason over these behaviors, both forensically and in real-time. By automatically or semi-automatically “connecting the dots” across multiple activities that are individually legitimate but collectively indicate malice or abnormal behavior, TC has the potential to enable the prompt detection of APTs and other cyber threats, and allow complete root cause analysis and damage assessment once adversary activity is identified. In addition, the TC program will integrate its basic cyber reasoning functions in an enterprise-scale cyber monitoring and control construct that enforces security policies at key ingress/exit points, e.g., the firewall.

Excerpt from http://www.darpa.mil/Our_Work/I2O/Programs/Transparent_Computing.aspx

CyberWeapons: the Regin Malware

Malware Statistics

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report .  The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it’s the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware’s design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software…

The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases….

The malware’s targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India. [ Regin have been identified also in Afghanistan, Algeria, Belgium, Brazil, Fiji, Germany,Indonesia, Iran, Kiribati, Malaysia, Pakistan, Syria]

Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about malware’s structure. All five stages had to be acquired to analyze the threat posed by the malware.  The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.  Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.  “Regin uses a modular approach,” Symantec said, “giving flexibility to the threat operators as they can load custom features tailored to individual targets when required.”

Excerpt from Steven Musil Stealthy Regin malware is a ‘top-tier espionage tool’, CNET, Nov. 23, 2014

See also White paper Karspersky Lab 

Cyberwarriors: US and China

cyberhacking

On May 19th, 2014 the Justice Department unveiled 31 charges against five members of China’s People’s Liberation Army (PLA), involving breaking six laws, from relatively minor counts of identity theft to economic espionage, which carries a maximum sentence of 15 years. This is the first time the government has charged employees of a foreign government with cybercrime. The accused are unlikely ever to stand trial. Even so, the Justice Department produced posters with mugshots of the men beneath the legend “wanted by the FBI”. They may never be punished, but that is not the point. Google any of their names and the mugshots now appear, the online equivalent of a perp walk.

That China’s government spies on the commercial activities of companies in America is not news in itself. Last year Mandiant, a cyber-security firm based in Virginia, released a report that identified Unit 61398 of the PLA as the source of cyber-attacks against 140 companies since 2006. But the indictment does reveal more details about what sorts of things the Chinese cybersnoops have been snaffling.

Hackers stole designs for pipes from Westinghouse, an American firm, when it was building four nuclear power stations in China, and also took e-mails from executives who were negotiating with a state-owned company. They took financial information from SolarWorld, a maker of solar panels; gained access to computers owned by US Steel while it was in a trade dispute with a state-owned company; and took files from Alcoa, an aluminium producer, while it was in a joint venture with another Chinese government-backed firm. ATI, another metal firm, and the United Steelworkers union were hacked, too.

American firms that do business in China have long lobbied behind closed doors for Uncle Sam to do something about Chinese hackers. America’s government has hitherto followed a similar logic, pressing China in private. The decision to make a fuss reflects the failure of that approach. When the existence of Unit 61398 became public its troops paused for a while, then continued as before.

Confronting the PLA’s hackers comes at a cost. China has pulled out of a bilateral working group on cyber-security in response to the indictments. Global Times, a Chinese English-language daily, denounced America as: “a mincing rascal”. But doing nothing has a cost, too. Companies like Westinghouse and US Steel have a hard enough time competing with Chinese firms, without having their business plans and designs pinched by thieves in uniform. Nor is the spying limited to manufacturers: tech companies have been targeted by the same group…

Second, America’s spying on Huawei, a Chinese maker of telecoms and networking equipment, makes China’s government doubt that America follows its own rules.

Chinese spying: Cybersnoops and mincing rascals,  Economist, May 24, at 28

Automated Cyber-Security Systems: DARPA

data

From the DARPA website:

DARPA’s Cyber Grand Challenge takes aim at an increasingly serious problem: the inadequacy of current network security systems, which require expert programmers to identify and repair system weaknesses—typically after attackers have taken advantage of those weaknesses to steal data or disrupt processes. Such disruptions pose greater risks than ever as more and more devices, including vehicles and homes, get networked in what has become known as “the Internet of things.

“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere—a process that can take months from the time an attack is first launched,” said Mike Walker, DARPA program manager. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”

To help accelerate this transition, DARPA launched the Cyber Grand Challenge, the first computer security tournament designed to test the wits of machines, not experts. The Challenge plans to follow a “capture the flag” competition format that experts have used for more than 20 years to test their cyber defense skills. That approach requires that competitors reverse engineer software created by challenge organizers and locate and heal its hidden weaknesses in a live network competition. The longest-running annual capture-the-flag challenge for experts is held at an annual conference known as DEF CON, and under the terms of a new agreement the Cyber Grand Challenge final competition is scheduled to co-locate with the DEF CON Conference in Las Vegas in 2016…

At the event, computers that have made it through a series of qualifying events over the next two years would compete head-to-head in a final tournament. Custom data visualization technology is under development to make it easy for spectators—both a live audience at the conference and anyone watching the event’s video stream worldwide—to follow the action.   Details about the Cyber Grand Challenge and some of the other registered teams can be found at www.cybergrandchallenge.com.

Showing off American Military Hackers: DARPA Plan X

oculus

At the Pentagon Wednesday (May 21, 2014) the armed forces’ far-out research branch known as the Defense Advanced Research Projects Agency showed off its latest demos for Plan X, a long-gestating software platform designed to unify digital attack and defense tools into a single, easy-to-use interface for American military hackers. And for the last few months, that program has had a new toy: The agency is experimenting with using the Oculus Rift virtual-reality headset to give cyberwarriors a new way to visualize three-dimensional network simulations–in some cases with the goal of better targeting them for attack.

“You’re not in a two-dimensional view, so you can look around the data. You look to your left, look to your right, and see different subnets of information,” Darpa’s Plan X program manager Frank Pound told WIRED in an interview. “With the Oculus you have that immersive environment. It’s like you’re swimming in the internet…..If Plan X’s Oculus software ever reaches the eyeballs of actual soldiers–a development that Darpa says is still years away–Pound doesn’t deny that the interface would be used for actual offensive hacking as well as defense and reconnaissance. Like the rest of Plan X, he says it’s meant to be a simpler and more intuitive way for the U.S. Cyber Command and other American military hackers to visualize everything they do in their cyberwar operations. “Think of Plan X like an aircraft carrier,” says Pound. “It can carry any weapon system or capability.”

That sort of admission will no doubt set off alarm bells for critics of the American military’s increasingly aggressive posture on the Internet. The revelation in 2012 that the United States created the Iran-targeted Stuxnet malware and a year of Edward Snowden’s leaks have already demonstrated that the NSA engages in more advanced cyberattack operations than practically any country on the planet. Enabling American hackers to launch those attacks with a tool that’s literally designed for video games could be seen as encouraging a brazen attitude towards cyberwar, disconnecting it from the reality of its consequences.

But Darpa’s Pound counters that safeguards against reckless hacking will be built into Plan X, and that it may actually reduce collateral damage from military cyberattacks by allowing soldiers to better understand the networks they’re attacking.

Excerpt from ANDY GREENBERG, Darpa Turns Oculus Into a Weapon for Cyberwar, Wired, May 23, 2014

The Digital Bombs of DARPA: Plan X

Cyberwar: United States Official Doctrine

"A Photo Safari in the Land of War" Français : World Skin - Maurice Benayoun.  Image from wikipedia

In his first major speech [March 28, 2014] on cyber policy, Defense Secretary Chuck Hagel sough to project strength but also to tame perceptions of the United States as an aggressor in computer warfare, stressing that the government “does not seek to militarize cyberspace.”…

Hagel said that the fighting force at U.S. Cyber Command will number more than 6,000 people by 2016, making it one of the largest such ­forces in the world. The force will help expand the president’s options for responding to a crisis with “full-spectrum cyber capabilities,” Hagel said, a reference to cyber operations that can include destroying, damaging or sabotaging an adversary’s computer systems and that can complement other military operations.

But, Hagel said, the military’s first purpose is “to prevent and de-escalate conflict.” The Pentagon will maintain “an approach of restraint to any cyber operations outside of U.S. government networks.”  Although some U.S. adversaries, notably China and Russia, which also have formidable cyber capabilities, may view his remarks with skepticism, Hagel said the Pentagon is making an effort to be “open and transparent” about its cyber­forces and doctrine. The hope, senior officials said, is that transparency will lead to greater stability in cyberspace.  To underscore the point, Hagel’s speech was broadcast live from NSA headquarters at Fort Meade, the first such broadcast from the agency…

Tensions over U.S. cyber operations intensified again last weekend after a report that the NSA had penetrated the networks of a Chinese telecommunications giant, Huawei Technologies, in search of evidence that it was involved in espionage operations for Beijing and to use its equipment to spy on adversaries such as Iran. After the disclosure, first reported by the New York Times and Der Spiegel, China demanded a halt to any such activity and called for an explanation…

Analysts said that China and Russia were unlikely to be convinced by Hagel’s remarks. Revelations about the NSA’s activities, based on documents provided by former contractor Edward Snowden, make U.S. assertions that it is focused on protecting U.S. national security — and not actively infiltrating others’ networks — that much harder to accept, they said.

Excerpts from: Ellen Nakashima, U.S. cyberwarfare force to grow significantly, defense secretary says, Washington Post, Mar. 28, 2014

See also http://www.defense.gov/news/newsarticle.aspx?id=121928