Tag Archives: cyber war

Ooops, a Gentlemen’s Agreement Breaks

The mysterious hacking group that supplied a critical component of the WannaCry “ransomware” software attack that spread across the globe in mid-May 2017 has been releasing alleged National Security Agency secrets for the past eight months.  Former intelligence officials now fear that the hackers, who go by the name Shadow Brokers, are taking a new tack: exposing the identities of the NSA’s computer-hacking team. That potentially could subject these government experts to charges when traveling abroad.

The Shadow Brokers on April 14, 2017 posted on a Russian computer file-sharing site what they said were NSA files containing previously unknown attack tools and details of an alleged NSA hack affecting Middle Eastern and Panamanian financial institutions.

But something went largely unnoticed outside the intelligence community. Buried in the files’ “metadata”—a hidden area that typically lists a file’s creators and editors—were four names. It isn’t clear whether the names were published intentionally or whether the files were doctored. At least one person named in the metadata worked for the NSA, a person familiar with the matter said.  Additionally, the hacking group in April, 2017 sent several public tweets that seemingly threatened to expose the activities of a fifth person, former NSA employee Jake Williams, who had written a blog post speculating the group has ties to Russia… Security experts who have examined the documents believe they contain legitimate information, including code that can be used in hacks, as well as the names of the files’ creators and editors.

Because nation-state hackers might run afoul of other countries’ laws while discharging their duties, they could, if identified, face charges when outside their country. So, to keep their own people safe, governments for decades have abided by a “gentleman’s agreement” that allows government-backed hackers to operate in anonymity, former intelligence officials say….

Some former intelligence officials suggested the U.S. prompted the outing of state-sponsored hackers when it indicted five Chinese military hackers by name in 2014, and more recently brought charges against two officers with Russia’s Federal Security Service over a 2014 Yahoo Inc. breach.  By exposing cyberagents, the Shadow Brokers appear to be taking a page from the U.S. playbook, said Mr. Williams, who worked for the NSA’s Tailored Access Operations hacking group until 2013. An NSA spokesman said the agency doesn’t comment about “most individuals’ possible current, past or future employment with the agency.”  “We’ve fired first,” Mr. Williams said, referring to the U.S. charging the alleged Chinese hackers by name. “This is us taking flak.”…

The documents revealed jealously guarded tactics and techniques the NSA uses to access computer systems…For example, the files include source code for software designed to give its creators remote access to hacked machines, and to evade detection from antivirus software. If the code was created by the NSA, it now gives security professionals a digital fingerprint they can use to track the NSA’s activities prior to the leak.

That could prove disruptive to NSA activities, forcing the agency to consider pulling its software from others’ networks and taking other steps to erase its tracks. And while the information could help companies determine whether they have been hacked by the NSA, it could also be used to create more malicious software. The Shadow Brokers tools, for example, are now being used to install malicious software such as WannaCry on corporate networks.

Mr. Williams initially thought the Shadow Brokers had access only to a limited set of NSA tools. His assessment changed after three tweets directed at him April 9, 2017 included terms suggesting the group had “a lot of operational data or at least operational insight” into his work at the NSA, he said.  The tweets, which are public, are cryptic. They express displeasure over an article Mr. Williams wrote attempting to link the Shadow Brokers to Russia. They also mention apparent software code names, including “OddJob” and “Windows BITS persistence.”…..OddJob is a reference to software released by the Shadow Brokers five days after the tweets. “Windows BITS persistence” is a term whose meaning isn’t publicly known.

Excerpts from In Modern Cyber War, the Spies Can Become Targets, Too, Wall Street Journal, May 25, 2017

 

Smart and Sensitive: the Power Grid

Raytheon Company  and Utilidata have formed a strategic alliance to help power utilities proactively detect, defend against and respond to cyber threats.  The effort will combine Utilidata’s experience in the use of real-time data from the electrical grid to detect and respond to cyber attacks and Raytheon’s expertise in proactive cyber threat hunting, automation and managed security services to provide world-class cybersecurity, analytics and other innovative technologies….

[According to] Scott DePasquale, chairman and CEO of Utilidata. “With more and more devices and systems connected to the internet, and all of them needing electrical power, these challenges are increasing exponentially. This new alliance will help define the future of cybersecurity in the power utilities sector.”  In December 2015, a cyber attack shut down a large section of the Ukrainian power grid – an incident that the Department of Energy identified in the 2017 installment of the Quadrennial Energy Review as an ‘indicator of what is possible.’

Excerpts from  Raytheon, Utilidata to deliver defense-grade cybersecurity for utilities, PRNewswire, Feb. 8, 2017

Who Controls the Computers in North Korea–the Wapomi worm

Trojan. image from wikipedia

Foreign hackers could have broken into North Korean computers and used them to make the country look responsible for hacking Sony, experts have said.  Any attempt to blame North Korea for the attack because hackers used a North Korean IP address “must be treated as suspect”, security firm Cloudmark said. That is one of the reasons that the FBI has given for suspecting the country for the attack, which took down Sony Pictures’ systems for weeks.  Security experts have continued to be dubious of the claim, but FBI officials have continued to blame North Korea.

The country has a very small connection to the internet, run by its national telecom ministry and a Thai firm. As a demonstration of how few connections North Korea has to the internet, Cloudmark said that it has the same amount of IP addresses allocated to it as the entire country.  Cloudmark said that the North Korean addresses it traces tend to send out spam, which is usually the sign of an infected machine. It identified the Wapomi worm, which is transmitted by USB drives and file server shares, as the code that is allowing outside people to control the machine.

While there is no guarantee that the same worm is present on the computers that have carried out the attack, the prevalence of infected computers in the country shows how easy it could have been for Sony’s hackers to give the impression they were based on North Korea.  Cloud mark said that “unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct”.

ANDREW GRIFFIN ,North Korea might have been hacked to frame it for Sony cyberattack, say experts, Independent, January 12, 2015

Cyberwarriors: US and China

cyberhacking

On May 19th, 2014 the Justice Department unveiled 31 charges against five members of China’s People’s Liberation Army (PLA), involving breaking six laws, from relatively minor counts of identity theft to economic espionage, which carries a maximum sentence of 15 years. This is the first time the government has charged employees of a foreign government with cybercrime. The accused are unlikely ever to stand trial. Even so, the Justice Department produced posters with mugshots of the men beneath the legend “wanted by the FBI”. They may never be punished, but that is not the point. Google any of their names and the mugshots now appear, the online equivalent of a perp walk.

That China’s government spies on the commercial activities of companies in America is not news in itself. Last year Mandiant, a cyber-security firm based in Virginia, released a report that identified Unit 61398 of the PLA as the source of cyber-attacks against 140 companies since 2006. But the indictment does reveal more details about what sorts of things the Chinese cybersnoops have been snaffling.

Hackers stole designs for pipes from Westinghouse, an American firm, when it was building four nuclear power stations in China, and also took e-mails from executives who were negotiating with a state-owned company. They took financial information from SolarWorld, a maker of solar panels; gained access to computers owned by US Steel while it was in a trade dispute with a state-owned company; and took files from Alcoa, an aluminium producer, while it was in a joint venture with another Chinese government-backed firm. ATI, another metal firm, and the United Steelworkers union were hacked, too.

American firms that do business in China have long lobbied behind closed doors for Uncle Sam to do something about Chinese hackers. America’s government has hitherto followed a similar logic, pressing China in private. The decision to make a fuss reflects the failure of that approach. When the existence of Unit 61398 became public its troops paused for a while, then continued as before.

Confronting the PLA’s hackers comes at a cost. China has pulled out of a bilateral working group on cyber-security in response to the indictments. Global Times, a Chinese English-language daily, denounced America as: “a mincing rascal”. But doing nothing has a cost, too. Companies like Westinghouse and US Steel have a hard enough time competing with Chinese firms, without having their business plans and designs pinched by thieves in uniform. Nor is the spying limited to manufacturers: tech companies have been targeted by the same group…

Second, America’s spying on Huawei, a Chinese maker of telecoms and networking equipment, makes China’s government doubt that America follows its own rules.

Chinese spying: Cybersnoops and mincing rascals,  Economist, May 24, at 28

Automated Cyber-Security Systems: DARPA

data

From the DARPA website:

DARPA’s Cyber Grand Challenge takes aim at an increasingly serious problem: the inadequacy of current network security systems, which require expert programmers to identify and repair system weaknesses—typically after attackers have taken advantage of those weaknesses to steal data or disrupt processes. Such disruptions pose greater risks than ever as more and more devices, including vehicles and homes, get networked in what has become known as “the Internet of things.

“Today’s security methods involve experts working with computerized systems to identify attacks, craft corrective patches and signatures and distribute those correctives to users everywhere—a process that can take months from the time an attack is first launched,” said Mike Walker, DARPA program manager. “The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly.”

To help accelerate this transition, DARPA launched the Cyber Grand Challenge, the first computer security tournament designed to test the wits of machines, not experts. The Challenge plans to follow a “capture the flag” competition format that experts have used for more than 20 years to test their cyber defense skills. That approach requires that competitors reverse engineer software created by challenge organizers and locate and heal its hidden weaknesses in a live network competition. The longest-running annual capture-the-flag challenge for experts is held at an annual conference known as DEF CON, and under the terms of a new agreement the Cyber Grand Challenge final competition is scheduled to co-locate with the DEF CON Conference in Las Vegas in 2016…

At the event, computers that have made it through a series of qualifying events over the next two years would compete head-to-head in a final tournament. Custom data visualization technology is under development to make it easy for spectators—both a live audience at the conference and anyone watching the event’s video stream worldwide—to follow the action.   Details about the Cyber Grand Challenge and some of the other registered teams can be found at www.cybergrandchallenge.com.

Showing off American Military Hackers: DARPA Plan X

oculus

At the Pentagon Wednesday (May 21, 2014) the armed forces’ far-out research branch known as the Defense Advanced Research Projects Agency showed off its latest demos for Plan X, a long-gestating software platform designed to unify digital attack and defense tools into a single, easy-to-use interface for American military hackers. And for the last few months, that program has had a new toy: The agency is experimenting with using the Oculus Rift virtual-reality headset to give cyberwarriors a new way to visualize three-dimensional network simulations–in some cases with the goal of better targeting them for attack.

“You’re not in a two-dimensional view, so you can look around the data. You look to your left, look to your right, and see different subnets of information,” Darpa’s Plan X program manager Frank Pound told WIRED in an interview. “With the Oculus you have that immersive environment. It’s like you’re swimming in the internet…..If Plan X’s Oculus software ever reaches the eyeballs of actual soldiers–a development that Darpa says is still years away–Pound doesn’t deny that the interface would be used for actual offensive hacking as well as defense and reconnaissance. Like the rest of Plan X, he says it’s meant to be a simpler and more intuitive way for the U.S. Cyber Command and other American military hackers to visualize everything they do in their cyberwar operations. “Think of Plan X like an aircraft carrier,” says Pound. “It can carry any weapon system or capability.”

That sort of admission will no doubt set off alarm bells for critics of the American military’s increasingly aggressive posture on the Internet. The revelation in 2012 that the United States created the Iran-targeted Stuxnet malware and a year of Edward Snowden’s leaks have already demonstrated that the NSA engages in more advanced cyberattack operations than practically any country on the planet. Enabling American hackers to launch those attacks with a tool that’s literally designed for video games could be seen as encouraging a brazen attitude towards cyberwar, disconnecting it from the reality of its consequences.

But Darpa’s Pound counters that safeguards against reckless hacking will be built into Plan X, and that it may actually reduce collateral damage from military cyberattacks by allowing soldiers to better understand the networks they’re attacking.

Excerpt from ANDY GREENBERG, Darpa Turns Oculus Into a Weapon for Cyberwar, Wired, May 23, 2014

The Digital Bombs of DARPA: Plan X

Cyberwar: United States Official Doctrine

"A Photo Safari in the Land of War" Français : World Skin - Maurice Benayoun.  Image from wikipedia

In his first major speech [March 28, 2014] on cyber policy, Defense Secretary Chuck Hagel sough to project strength but also to tame perceptions of the United States as an aggressor in computer warfare, stressing that the government “does not seek to militarize cyberspace.”…

Hagel said that the fighting force at U.S. Cyber Command will number more than 6,000 people by 2016, making it one of the largest such ­forces in the world. The force will help expand the president’s options for responding to a crisis with “full-spectrum cyber capabilities,” Hagel said, a reference to cyber operations that can include destroying, damaging or sabotaging an adversary’s computer systems and that can complement other military operations.

But, Hagel said, the military’s first purpose is “to prevent and de-escalate conflict.” The Pentagon will maintain “an approach of restraint to any cyber operations outside of U.S. government networks.”  Although some U.S. adversaries, notably China and Russia, which also have formidable cyber capabilities, may view his remarks with skepticism, Hagel said the Pentagon is making an effort to be “open and transparent” about its cyber­forces and doctrine. The hope, senior officials said, is that transparency will lead to greater stability in cyberspace.  To underscore the point, Hagel’s speech was broadcast live from NSA headquarters at Fort Meade, the first such broadcast from the agency…

Tensions over U.S. cyber operations intensified again last weekend after a report that the NSA had penetrated the networks of a Chinese telecommunications giant, Huawei Technologies, in search of evidence that it was involved in espionage operations for Beijing and to use its equipment to spy on adversaries such as Iran. After the disclosure, first reported by the New York Times and Der Spiegel, China demanded a halt to any such activity and called for an explanation…

Analysts said that China and Russia were unlikely to be convinced by Hagel’s remarks. Revelations about the NSA’s activities, based on documents provided by former contractor Edward Snowden, make U.S. assertions that it is focused on protecting U.S. national security — and not actively infiltrating others’ networks — that much harder to accept, they said.

Excerpts from: Ellen Nakashima, U.S. cyberwarfare force to grow significantly, defense secretary says, Washington Post, Mar. 28, 2014

See also http://www.defense.gov/news/newsarticle.aspx?id=121928