Tag Archives: cyber warfare

Ooops, a Gentlemen’s Agreement Breaks

The mysterious hacking group that supplied a critical component of the WannaCry “ransomware” software attack that spread across the globe in mid-May 2017 has been releasing alleged National Security Agency secrets for the past eight months.  Former intelligence officials now fear that the hackers, who go by the name Shadow Brokers, are taking a new tack: exposing the identities of the NSA’s computer-hacking team. That potentially could subject these government experts to charges when traveling abroad.

The Shadow Brokers on April 14, 2017 posted on a Russian computer file-sharing site what they said were NSA files containing previously unknown attack tools and details of an alleged NSA hack affecting Middle Eastern and Panamanian financial institutions.

But something went largely unnoticed outside the intelligence community. Buried in the files’ “metadata”—a hidden area that typically lists a file’s creators and editors—were four names. It isn’t clear whether the names were published intentionally or whether the files were doctored. At least one person named in the metadata worked for the NSA, a person familiar with the matter said. Additionally, the hacking group in April 2017 sent several public tweets that seemingly threatened to expose the activities of a fifth person, former NSA employee Jake Williams, who had written a blog post speculating the group has ties to Russia… Security experts who have examined the documents believe they contain legitimate information, including code that can be used in hacks, as well as the names of the files’ creators and editors.

Because nation-state hackers might run afoul of other countries’ laws while discharging their duties, they could, if identified, face charges when outside their country. So, to keep their own people safe, governments for decades have abided by a “gentleman’s agreement” that allows government-backed hackers to operate in anonymity, former intelligence officials say….

Some former intelligence officials suggested the U.S. prompted the outing of state-sponsored hackers when it indicted five Chinese military hackers by name in 2014, and more recently brought charges against two officers with Russia’s Federal Security Service over a 2014 Yahoo Inc. breach.  By exposing cyberagents, the Shadow Brokers appear to be taking a page from the U.S. playbook, said Mr. Williams, who worked for the NSA’s Tailored Access Operations hacking group until 2013. An NSA spokesman said the agency doesn’t comment about “most individuals’ possible current, past or future employment with the agency.”  “We’ve fired first,” Mr. Williams said, referring to the U.S. charging the alleged Chinese hackers by name. “This is us taking flak.”…

The documents revealed jealously guarded tactics and techniques the NSA uses to access computer systems…For example, the files include source code for software designed to give its creators remote access to hacked machines, and to evade detection from antivirus software. If the code was created by the NSA, it now gives security professionals a digital fingerprint they can use to track the NSA’s activities prior to the leak.

That could prove disruptive to NSA activities, forcing the agency to consider pulling its software from others’ networks and taking other steps to erase its tracks. And while the information could help companies determine whether they have been hacked by the NSA, it could also be used to create more malicious software. The Shadow Brokers tools, for example, are now being used to install malicious software such as WannaCry on corporate networks.

Mr. Williams initially thought the Shadow Brokers had access only to a limited set of NSA tools. His assessment changed after three tweets directed at him April 9, 2017 included terms suggesting the group had “a lot of operational data or at least operational insight” into his work at the NSA, he said. The tweets, which are public, are cryptic. They express displeasure over an article Mr. Williams wrote attempting to link the Shadow Brokers to Russia. They also mention apparent software code names, including “OddJob” and “Windows BITS persistence.”… OddJob is a reference to software released by the Shadow Brokers five days after the tweets. “Windows BITS persistence” is a term whose meaning isn’t publicly known.

Excerpts from In Modern Cyber War, the Spies Can Become Targets, Too, Wall Street Journal, May 25, 2017


Who Controls the Computers in North Korea–the Wapomi worm


Foreign hackers could have broken into North Korean computers and used them to make the country look responsible for hacking Sony, experts have said.  Any attempt to blame North Korea for the attack because hackers used a North Korean IP address “must be treated as suspect”, security firm Cloudmark said. That is one of the reasons that the FBI has given for suspecting the country for the attack, which took down Sony Pictures’ systems for weeks.  Security experts have continued to be dubious of the claim, but FBI officials have continued to blame North Korea.

The country has a very small connection to the internet, run by its national telecom ministry and a Thai firm. As a demonstration of how few connections North Korea has to the internet, Cloudmark said that it has the same amount of IP addresses allocated to it as the entire country.  Cloudmark said that the North Korean addresses it traces tend to send out spam, which is usually the sign of an infected machine. It identified the Wapomi worm, which is transmitted by USB drives and file server shares, as the code that is allowing outside people to control the machine.

While there is no guarantee that the same worm is present on the computers that have carried out the attack, the prevalence of infected computers in the country shows how easy it could have been for Sony’s hackers to give the impression they were based in North Korea. Cloudmark said that “unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct”.

Andrew Griffin, North Korea might have been hacked to frame it for Sony cyberattack, say experts, Independent, January 12, 2015

DARPA for Transparent Computing


From the DARPA website
Modern computing systems act as black boxes in that they accept inputs and generate outputs but provide little to no visibility of their internal workings. This greatly limits the potential to understand… advanced persistent threats (APTs). APT adversaries act slowly and deliberately over a long period of time to expand their presence in an enterprise network and achieve their mission goals (e.g., information exfiltration, interference with decision making and denial of capability). Because modern computing systems are opaque, APTs can remain undetected for years if their individual activities can blend with the background “noise” inherent in any large, complex environment…

The Transparent Computing (TC) program aims to make currently opaque computing systems transparent by providing high-fidelity visibility into component interactions during system operation across all layers of software abstraction, while imposing minimal performance overhead. The program will develop technologies to record and preserve the provenance of all system elements/components (inputs, software modules, processes, etc.); dynamically track the interactions and causal dependencies among cyber system components; assemble these dependencies into end-to-end system behaviors; and reason over these behaviors, both forensically and in real-time. By automatically or semi-automatically “connecting the dots” across multiple activities that are individually legitimate but collectively indicate malice or abnormal behavior, TC has the potential to enable the prompt detection of APTs and other cyber threats, and allow complete root cause analysis and damage assessment once adversary activity is identified. In addition, the TC program will integrate its basic cyber reasoning functions in an enterprise-scale cyber monitoring and control construct that enforces security policies at key ingress/exit points, e.g., the firewall.

Excerpt from http://www.darpa.mil/Our_Work/I2O/Programs/Transparent_Computing.aspx
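As an added illustration of the TC idea described above (this is not DARPA’s code or any program performer’s), the Python example below records provenance edges from a handful of constructed audit events, takes a time-respecting backward slice from an outbound connection to recover its root cause, a forward slice from the dropped file to assess damage, and flags a chain whose individual steps are ordinary but whose whole indicates exfiltration. All process names, paths and the 203.0.113.7 address are made up for the example.

```python
# Toy provenance graph from constructed audit events (added example, not DARPA code).
from collections import defaultdict

# Constructed audit events: (timestamp, subject, operation, object). Each one is
# ordinary enterprise activity in isolation; only the chain indicates exfiltration.
EVENTS = [
    (1, "outlook.exe", "write", "C:/Users/a/Downloads/invoice.docm"),
    (2, "winword.exe", "read", "C:/Users/a/Downloads/invoice.docm"),
    (3, "winword.exe", "fork", "powershell.exe"),
    (4, "powershell.exe", "read", "C:/Finance/q3_forecast.xlsx"),
    (5, "powershell.exe", "write", "C:/Users/a/AppData/tmp/out.zip"),
    (6, "powershell.exe", "connect", "203.0.113.7:443"),  # TEST-NET-3 address
    (7, "explorer.exe", "read", "C:/Users/a/Desktop/notes.txt"),  # unrelated noise
    (8, "powershell.exe", "read", "C:/Finance/payroll.xlsx"),  # after the upload
]
FLOWS_INTO_SUBJECT = {"read"}  # object -> subject; everything else subject -> object

def build_graph(events):
    """Return (preds, succs): preds[dst] = [(src, ts)], succs[src] = [(dst, ts)]."""
    preds, succs = defaultdict(list), defaultdict(list)
    for ts, subj, op, obj in events:
        src, dst = (obj, subj) if op in FLOWS_INTO_SUBJECT else (subj, obj)
        preds[dst].append((src, ts))
        succs[src].append((dst, ts))
    return preds, succs

def causal_slice(edges, node, t0, backward=True):
    """Time-respecting reachability. With preds and backward=True this is the root-cause
    slice: only influence that reached `node` at or before t0 counts, which keeps later
    reads (payroll.xlsx) out. With succs and backward=False it is the damage slice."""
    bound = {}  # node -> widest time bound already explored
    def walk(n, t):
        for m, ts in edges.get(n, ()):
            if (ts <= t if backward else ts >= t):
                if m not in bound or (bound[m] < ts if backward else bound[m] > ts):
                    bound[m] = ts
                    walk(m, ts)
    walk(node, t0)
    return set(bound)

def exfil_chains(events, ingress=("outlook.exe",)):
    """Connect the dots: flag outbound connections whose causal history reaches a file
    written by an untrusted ingress process (a mail client). Returns [(process, dst)]."""
    preds, _ = build_graph(events)
    return [(subj, obj) for ts, subj, op, obj in events
            if op == "connect" and any(p in causal_slice(preds, subj, ts) for p in ingress)]

if __name__ == "__main__":
    preds, succs = build_graph(EVENTS)
    print("exfil:", exfil_chains(EVENTS))
    print("root cause:", sorted(causal_slice(preds, "powershell.exe", 6)))
    print("damage:", sorted(causal_slice(succs, "C:/Users/a/Downloads/invoice.docm", 1, False)))
```

A real TC-style system would ingest kernel audit records across every host and layer; this toy keeps only the graph construction and the time-respecting slicing that make "connecting the dots" possible.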

Cyberwar: United States Official Doctrine


In his first major speech [March 28, 2014] on cyber policy, Defense Secretary Chuck Hagel sought to project strength but also to tame perceptions of the United States as an aggressor in computer warfare, stressing that the government “does not seek to militarize cyberspace.”…

Hagel said that the fighting force at U.S. Cyber Command will number more than 6,000 people by 2016, making it one of the largest such forces in the world. The force will help expand the president’s options for responding to a crisis with “full-spectrum cyber capabilities,” Hagel said, a reference to cyber operations that can include destroying, damaging or sabotaging an adversary’s computer systems and that can complement other military operations.

But, Hagel said, the military’s first purpose is “to prevent and de-escalate conflict.” The Pentagon will maintain “an approach of restraint to any cyber operations outside of U.S. government networks.” Although some U.S. adversaries, notably China and Russia, which also have formidable cyber capabilities, may view his remarks with skepticism, Hagel said the Pentagon is making an effort to be “open and transparent” about its cyberforces and doctrine. The hope, senior officials said, is that transparency will lead to greater stability in cyberspace. To underscore the point, Hagel’s speech was broadcast live from NSA headquarters at Fort Meade, the first such broadcast from the agency…

Tensions over U.S. cyber operations intensified again last weekend after a report that the NSA had penetrated the networks of a Chinese telecommunications giant, Huawei Technologies, in search of evidence that it was involved in espionage operations for Beijing and to use its equipment to spy on adversaries such as Iran. After the disclosure, first reported by the New York Times and Der Spiegel, China demanded a halt to any such activity and called for an explanation…

Analysts said that China and Russia were unlikely to be convinced by Hagel’s remarks. Revelations about the NSA’s activities, based on documents provided by former contractor Edward Snowden, make U.S. assertions that it is focused on protecting U.S. national security — and not actively infiltrating others’ networks — that much harder to accept, they said.

Excerpts from: Ellen Nakashima, U.S. cyberwarfare force to grow significantly, defense secretary says, Washington Post, Mar. 28, 2014

See also http://www.defense.gov/news/newsarticle.aspx?id=121928


Cyberattack can Trigger a Conventional Response


Cyberattacks on U.S. infrastructure or networks could be met with a conventional military response, the chairman of the Joint Chiefs of Staff said today.  “There is an assumption out there … that a cyberattack that had destructive effects would be met by a cyber response that had destructive effects,” Army Gen. Martin E. Dempsey said to an audience at a Brookings Institution forum. “That’s not necessarily the case. I think that what [President Barack Obama] would insist upon, actually, is that he had the options and the freedom of movement to decide what kind of response we would employ.”  The impact of a cyberattack is a key question for elected officials to answer when considering the level of response, Dempsey said. “When does cyber theft become a hostile act?” the chairman asked. “Or when does cyber theft, added to distributed denial of services, become a hostile act? Or is a hostile act simply defined as something that literally is destructive in nature?”

Cyber has many features in common with other domains, and shouldn’t be thought of as a wholly exceptional realm, Dempsey said. Although it can sometimes feel abstract, he explained, cyber is a physical domain in the sense that it is operated by men and women over routers and servers, and cyberattacks can result in real, physical damage.  “I think that to the extent that we can always think about it in the way that we’ve always organized our thinking about the other domains, it might illuminate the challenge a little better,” the chairman said. “I do think that there are capabilities out there that are so destructive in nature and potential that it would be very difficult not to see them as acts of war.” But, he noted, “the decision to declare something a hostile act — an act of war — is certainly one that resides in the responsibility of our elected leaders.”

Claudette Roulo, American Forces Press Service, Dempsey: Cyberattacks Could Prompt Conventional Response, June 27, 2013

United States Cyber Range, how to replicate the internet to test cyberweapons

Replicating the complexity of thousands of globally interconnected network systems is a challenge faced by researchers developing tools to protect our nation against the growing threat of cyber attacks. Sophisticated attacks as well as adaptive malware have the ability to devastate defense and commercial networks. DARPA was tasked by the Comprehensive National Cybersecurity Initiative (CNCI) to “establish a front line of defense against today’s immediate threats by creating or enhancing…the ability to act quickly to reduce our current vulnerabilities and prevent intrusions” (National Security Presidential Directive 54 (NSPD-54)).

Under the National Cyber Range (NCR) program, DARPA has developed the architecture and software tools for a secure, self-contained testing capability to rapidly emulate large-scale complex networks that match the depth and diversity of real-world networks. The capability, demonstrated at scale with an operational prototype, will enable realistic testing and evaluation of new cyberspace concepts, policies and technologies by the Department of Defense (DoD) and other federal entities. DoD’s Strategy for Operating in Cyberspace, released in July 2011, highlights the NCR’s role in DoD’s pursuit of revolutionary cyberspace technologies.

The NCR complements federal cyber testing capabilities by providing rapid and automated configurability and scalability for users across the government. It should provide a 5-10x reduction in the time and cost to test and evaluate new cyber tools while improving confidence in the real-world performance of these tools, a vital feature considering the extremely dynamic and evolving real-world cyber threat. The NCR is designed to allow potentially virulent code to be introduced and tested on the range without compromising the range itself. Additionally, multiple experiments will be able to run on the range simultaneously at different security levels, maximizing the range’s use across government agencies.

The NCR program began in 2009 and has been developed in three phases. The current phase (Phase II-B) will involve operation and beta testing of the prototype range; enhancing existing software tools to ensure that the range hardware and software are stable and to allow for a seamless transition; developing a business model for sustainable range operation beyond fiscal year 2012; and transitioning the range and associated technologies to USCYBERCOM and other government organizations.

See DARPA

When Governments Hack Each Other: how to steal secrets and cover your tracks

The number of cyber attacks against Chinese websites surged in 2011, rising to 8.9 million computers affected, up from 5 million in the previous year, according to a report published by China Daily. It claimed a total of 47,000 overseas IPs were involved in the attacks, with the majority located in Japan, US and South Korea.

The report, released yesterday by China’s National Computer Network Emergency Response Technical Team and Coordination Center (CNCERT), found 11,851 IP addresses based overseas had gained control of 10,593 Chinese websites in 2011. “China has become the world’s biggest victim of cyber attacks,” Zhou Yonglin, director of CNCERT’s operation department, told People’s Daily. The report claims Japan was the source of most attacks (22.8 percent), followed closely by the United States (20.4 percent) and the Republic of Korea (7.1 percent).

Attacks ranged from wiping servers and defacing websites to stealing personal and corporate data from Chinese web users. Although it was discovered that many hackers used Trojan programs to steal personal data, Zhou said “money is not the sole motivation”, as in several cases the hackers had intended to access state networks and steal confidential government information. To assist damaged private websites and maintain online security, the Ministry of Industry and Information Technology has launched several investigations, and authorities claim they prevented the spread of online viruses 14 times last year.

The People’s Republic itself has been accused several times of creating a cyber army for espionage purposes. In March last year, hackers with Internet addresses based in China launched an attack intended to steal files relating to the G20 summit held in Paris. The following October, two US satellites were discovered to have been hacked repeatedly, with evidence once again pointing at China. Then, in November, the US Office of the National Counterintelligence Executive singled out China and Russia as the most aggressive “collectors” of American secrets. In return, China had claimed 75,000 cyber attacks it repelled in 2010 originated from US IP addresses.

It is important to note that the theoretical location of the IP address is by no means a guarantee that an attack was launched from a particular location. Hackers often use proxy servers to hide their identity, or take advantage of Tor’s anonymity network to cover their tracks.

Max Smolaks, China ‘World’s Biggest’ Cyber Attack Victim?, TechWeekEurope, Mar. 20, 2012