
Massive Cyber Attacks Uncovered

February 19, 2010 | Security, Technology

More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.

The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

News of the attack follows reports last month that the computer networks at Google and more than 30 other large financial, energy, defense, technology and media firms had been compromised. Google said the attack on its system originated in China.

This latest attack does not appear to be linked to the Google intrusion, said Amit Yoran, NetWitness’s chief executive. But it is significant, he said, in its scale and in its apparent demonstration that the criminal groups’ sophistication in cyberattacks is approaching that of nation states such as China and Russia.

The attack also highlights the inability of the private sector — including industries that would be expected to employ the most sophisticated cyber defenses — to protect itself.

“The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats,” Yoran said. “The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.”

The intrusion, first reported on the Wall Street Journal’s Web site, was detected Jan. 26 by NetWitness engineer Alex Cox. He discovered the intrusion, dubbed the Kneber bot, being run by a ring based in Eastern Europe operating through at least 20 command and control servers worldwide.

The hackers lured unsuspecting employees at targeted firms to download infected software from sites controlled by the hackers, or baited them into opening e-mails containing the infected attachments, Yoran said. The malicious software, or “bots,” enabled the attackers to commandeer users’ computers, scrape them for log-in credentials and passwords — including to online banking and social networking sites — and then exploit that data to hack into the systems of other users, Yoran said. The number of penetrated systems grew exponentially, he said.

“Because they’re using multiple bots and very sophisticated command and control methods, once they’re in the system, even if you whack the command and control servers, it’s difficult to rid them of the ability to control the users’ computers,” Yoran said.

The malware had the ability to target any information the attackers wanted, including file-sharing sites for sensitive corporate documents, according to NetWitness.

Login credentials have monetary value in the criminal underground, experts said. A damage assessment for the firms is underway, Yoran said. NetWitness has been working with firms to help them mitigate the damage.

Among the companies hit were Cardinal Health, located in Dublin, Ohio, and Merck, according to the Wall Street Journal. A spokesman for Cardinal said the firm removed the infected computers as soon as the breach was found.

Also affected were educational institutions, energy firms, financial companies and Internet service providers. Ten government agencies were penetrated, none in the national security area, NetWitness said.

The systems penetrated were mostly in the United States, Saudi Arabia, Egypt, Turkey and Mexico, the firm said.

Pentagon Struggles with Cyber Security

January 26, 2010 | Security, Technology

WASHINGTON — On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks.

The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.

After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.

These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.

So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.

“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”

But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy.

Chinese Hacker “Community” Exposed

July 31, 2009 | Security, crime

For years, the U.S. intelligence community worried that China’s government was attacking our cyber-infrastructure. Now one man has discovered it’s worse: It’s hundreds of thousands of everyday civilians. And they’ve only just begun.


At 8 a.m. on May 4, 2001, anyone trying to access the White House Web site got an error message. By noon, whitehouse.gov was down entirely, the victim of a so-called distributed denial-of-service (DDoS) attack. Somewhere in the world, hackers were pinging White House servers with thousands of page requests per second, clogging the site. Also attacked were sites for the U.S. Navy and various other federal departments.

Xiao Tian: In the male-dominated world of hacking

A series of defacements left little doubt about where the attack originated. “Beat down Imperialism of America, Attack anti-Chinese arrogance!” read the Interior Department’s National Business Center site. “CHINA HACK!” proclaimed the Department of Labor home page. “I AM CHINESE,” declared a U.S. Navy page. By then, hackers from Saudi Arabia, Argentina and India had joined in. The military escalated its Infocon threat level from normal to alpha, indicating risk of crippling cyber-attack. Over the next few weeks, the White House site went down twice more. By the time the offensive was over, Chinese hackers had felled 1,000 American sites.

The cyber-conflict grew out of real-world tensions. A month earlier, a U.S. EP-3 reconnaissance aircraft flying off the southern coast of China had collided with a Chinese F-8 fighter jet. The American pilot landed safely, but the Chinese pilot was killed. China’s hackers lashed out. It wasn’t the first foreign attack on American sites, but it was the biggest — “the First World Hacker War,” as the New York Times dubbed it.

The Chinese attacks were poorly coordinated, and it’s tempting to dismiss them as harmless online vandalism. But subsequent attacks have become more serious. In the past two years, Chinese hackers have intercepted critical NASA files, breached the computer system in a sensitive Commerce Department bureau, and launched assaults on the Save Darfur Coalition, pro-Tibet groups and CNN. And those are just the attacks that have been publicly acknowledged. Were these initiated by the Chinese government? Who is doing this?

Early clues came through the boasts of a single Chinese hacker. On May 20, 2003, a man named Peng Yinan, then known only by the moniker coolswallow, logged into a public Shanghai Jiaotong University student forum and described how he formed a group at the university’s Information Security Engineering School that coordinated with other hackers to bring down whitehouse.gov in 2001. “Javaphile was established by coolswallow (that’s me)” and a partner, he wrote in Chinese. “At first we weren’t a hacker organization. After the 2001 China-U.S. plane collision incident, Chinese hackers declared an anti-American Battle . . . and coolswallow joined in the DDoS White House attacks.” Later, he bragged, his group defaced other sites it considered anti-Chinese, including that of the Taiwanese Internet company Lite-On. Peng left two e-mail addresses, his chat information and the screen names of four other hackers. He soon expanded his online profile with a blog, photos, and papers describing his hacking openly. But his boasts went unnoticed until 2005, when a linguist in Kansas typed the right words into Google, found Peng, and pulled back the curtain on a growing danger.

Cyber Attack on U.S., S. Korean Governments

July 8, 2009 | Intelligence

Cyber attacks that have crippled the Web sites of several major American and South Korean government agencies since the July 4th holiday weekend appear to have been launched by a hostile group or government, South Korea’s main government spy agency said on Wednesday.

Although the National Intelligence Service did not identify whom they believed responsible, the South Korean news agency Yonhap reported that the spy agency had implicated North Korea or pro-North Korea groups.

A spokesman at the intelligence agency said it could not confirm the Yonhap report, which said that the spy agency briefed lawmakers about their suspicions on Wednesday. The opposition Democratic Party accused the spy agency of spreading unsubstantiated rumors to whip up support for a new anti-terrorism bill that would give it more power.

At least 11 major Web sites in South Korea — including those of the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, the mass-circulation daily newspaper Chosun Ilbo and the top Internet portal Naver.com — have crashed or slowed to a crawl since Tuesday evening, according to the government’s Korea Information Security Agency.

On Wednesday, some of the sites regained service, but others remained unstable or inaccessible.

In an attack linked with the one in South Korea, 14 major Web sites in the United States — including those of the White House, the State Department and the New York Stock Exchange — came under similar attacks, according to anti-cyberterrorism police officers in Seoul.

“This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level,” the National Intelligence Service said in a statement, adding that it is cooperating with the American investigative authorities to investigate the attacks.

The Associated Press reported Tuesday night that a widespread and unusually resilient computer attack that began July 4 knocked out the Web sites of several American government agencies, including some that are responsible for fighting cybercrime.

The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the holiday weekend and into this week, The A.P. reported, citing officials inside and outside the American government. The fact that the government Web sites were still being affected after three days signaled an unusually lengthy and sophisticated attack, the news agency reported, citing anonymous American officials.

The Washington Post, which also came under attack, reported on its Web site Wednesday that a total of 26 Web sites were targeted. In addition to sites run by government agencies, several commercial Web sites were also attacked, including those operated by Nasdaq, it reported, citing researchers involved in the investigation.

Amy Kudwa, a Department of Homeland Security spokeswoman, said that the agency was aware of the attacks on “federal and private sector public-facing Web sites.” The department, she said, has issued a notice to federal departments and agencies, as well as other partner organizations, on the activity and advised them of steps to take to help mitigate against such attacks.

“We see attacks on federal networks every day, and measures in place have minimized the impact to federal websites,” she said.

In the attack, an army of thousands of “zombie computers” infected by the hackers’ program were ordered to request access to these Web sites simultaneously, causing an overload that caused the sites’ servers to crash, South Korean officials said.

Although most of the North Korean military’s hardware is decrepit, the South Korean authorities have recently voiced their concern over possible cyberattacks from the North. In May, South Korean media reported that North Korea was running a cyberwarfare unit that operates through the Chinese Internet network and tries to hack into American and South Korean military networks.

In South Korea, the Blue House reported no data loss or other damage except disrupted access. The Defense Ministry and banks attacked also reported no immediate loss of security data or financial damage.

“The traffic to our site surged to nine times the normal level,” the Blue House said in a statement. “Computer users in some regions still suffer slow or no access at all to our site.”

Hwang Cheol-jeung, a senior official at the government’s Korea Communications Commission, said the attacks were launched by computers infected by a well-known “distributed denial of service,” or DDoS, hackers’ program.

The spy agency said 12,000 computers in South Korea and 8,000 overseas appeared to have been mobilized in the attacks. The Korea Communications Commission reported 22,000 infected computers.
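The mechanics described above (thousands of infected hosts ordered to request a site at the same moment, pushing traffic to several times its normal level) leave a recognisable signature in ordinary web-server logs: the request rate jumps against a quiet baseline while the number of distinct source addresses jumps with it. The following Python is an added example, not code from the article or from any agency named in it. The log lines are constructed, the nine-times-baseline threshold is taken from the Blue House figure quoted above, and the 50-distinct-sources floor is an assumed value.

```python
from collections import defaultdict
import re

# Subset of Common Log Format: ip - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def make_sample_log():
    """Constructed sample, not real traffic: 10 quiet seconds of 8 req/s
    from four clients, then 5 seconds of 120 req/s from 120 distinct hosts
    (a botnet-style flood), then 1 second of 120 req/s from a single client."""
    lines = []
    for s in range(10):
        for i in range(8):
            lines.append(f'10.0.0.{i % 4 + 1} - - [08/Jul/2009:09:00:{s:02d} +0900] '
                         f'"GET /index.html HTTP/1.1" 200 512')
    for s in range(10, 15):
        for i in range(120):
            lines.append(f'203.0.113.{i + 1} - - [08/Jul/2009:09:00:{s:02d} +0900] '
                         f'"GET / HTTP/1.1" 200 512')
    for _ in range(120):
        lines.append('192.0.2.7 - - [08/Jul/2009:09:00:15 +0900] '
                     '"GET / HTTP/1.1" 200 512')
    return lines


def per_second(lines):
    """Bucket requests by timestamp second: request count and distinct sources."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the analysis
        counts[m['ts']] += 1
        sources[m['ts']].add(m['ip'])
    return counts, sources


def detect_flood(lines, baseline_seconds=10, surge_factor=9.0, min_sources=50):
    """Return (baseline_rate, alerts). A second is flagged only if its request
    rate is >= surge_factor * baseline AND the requests come from at least
    min_sources distinct hosts. One client hammering the site is a rate-limiting
    problem rather than a distributed flood and is deliberately not flagged."""
    counts, sources = per_second(lines)
    seconds = sorted(counts)  # same-day CLF timestamps sort correctly as text
    quiet = seconds[:baseline_seconds]
    baseline = sum(counts[s] for s in quiet) / max(len(quiet), 1)
    alerts = []
    for s in seconds[baseline_seconds:]:
        rate, n_src = counts[s], len(sources[s])
        if rate >= surge_factor * baseline and n_src >= min_sources:
            alerts.append((s, rate, n_src))
    return baseline, alerts


if __name__ == "__main__":
    base, hits = detect_flood(make_sample_log())
    print(f"baseline {base:.1f} req/s")
    for ts, rate, n in hits:
        print(f"FLOOD {ts}: {rate} req/s from {n} sources ({rate / base:.0f}x baseline)")
```

On the constructed log the five botnet seconds are flagged at 15x baseline, while the single-client second is left for rate limiting to handle.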

“The infected computers are still attacking, and their number is not decreasing,” Mr. Hwang told reporters in a briefing. The government was urging users to upgrade their computers’ antivirus software.

Denial of service attacks against Web sites are not uncommon, but they can be made far more serious if hackers infect and use thousands of computers. Hackers frequently single out the American government: According to the Homeland Security Department, there were 5,499 known breaches of American government computers in 2008, up from 3,928 the previous year, and just 2,172 in 2006, The A.P. said.

The South Korean news agency Yonhap said the police have traced a possible starting point for the attack back to members of a small cable TV Web site in Seoul. But officials said that does not mean it originated there.

Mr. Hwang said South Korean authorities suspected that the hackers used a new variant of the denial of service program to attack the Web sites.

Obama Describes Cyber Security Plan

May 31, 2009 | Security

President Obama declared Friday that the country’s disparate efforts to “deter, prevent, detect and defend” against cyberattacks would now be run out of the White House, but he also promised that he would bar the federal government from regular monitoring of “private-sector networks” and the Internet traffic that has become the backbone of American communications.

Mr. Obama’s speech, which was accompanied by the release of a long-awaited new government strategy, was an effort to balance the United States’ response to a rising security threat with concerns — echoing back to the debates on wiretapping without warrants in the Bush years — that the government would be regularly dipping into Internet traffic that knew no national boundaries.

One element of the strategy clearly differed from that established by the Bush administration in January 2008. Mr. Obama’s approach is described in a 38-page public document being distributed to the public and to companies that are most vulnerable to cyberattack; Mr. Bush’s strategy was entirely classified.

But Mr. Obama’s policy review was not specific about how he would turn many of the goals into practical realities, and he said nothing about resolving the running turf wars among the Pentagon, the National Security Agency, the Homeland Security Department and other agencies over the conduct of defensive and offensive cyberoperations.

The White House approach appears to place a new “cybersecurity coordinator” over all of those agencies. Mr. Obama did not name the coordinator Friday, but the policy review said that whoever the president selects would be “action officer” inside the White House during cyberattacks, whether they were launched on the United States by hackers or governments.

In an effort to silence critics who have complained that the official will not have sufficient status to cut through the maze of competing federal agencies, Mr. Obama said the new coordinator would have “regular access to me,” much like the coordinator for nuclear and conventional threats.

Many computer security executives had been hoping that Mr. Obama’s announcement would represent a turning point in the nation’s unsuccessful effort to turn back a growing cybercrime epidemic. On Friday, several said that while the president’s attention sounded promising, much would depend on whom he chose to fill the role.

James A. Lewis, a director at the Center for Strategic & International Studies, a Washington group that published a bipartisan report last year calling on the president to appoint a cyberczar, said that the White House had now narrowed the list of candidates for the position to fewer than 10, but that choosing the right person would be difficult.

“There aren’t a lot of people who have the policy and the strategy skills and the technological knowledge to carry this out,” Mr. Lewis said. “If you’re talking about missiles and space, there are a lot of people who know policy and technology, but in cyber it’s such a new field we’re talking about a really small gene pool.”

For the first time, Mr. Obama also spoke of his own brush with cyberattacks, in the presidential campaign. “Between August and October, hackers gained access to e-mails and a range of campaign files, from policy position papers to travel plans,” he said, describing events that were known, though sketchily, at the time.

“It was,” he said, “a powerful reminder: in this information age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities.”

Mr. Obama’s speech delved into technology rarely discussed in the East Room of the White House. He referred to “spyware and malware and spoofing and phishing and botnets,” all different approaches to what he called “weapons of mass disruption.”

Although the president did not discuss details of the expanding role for the military in offensive and pre-emptive cyberoperations, senior officials said Friday that the Pentagon planned to create a new cybercommand to organize and train for digital war, and to oversee offensive and defensive operations.

A lingering disagreement has been how to coordinate that new command with the work of the National Security Agency, home to most of the government’s expertise on computer and network warfare. One plan now under discussion would put the same general in charge of both the new cybercommand and the N.S.A. Currently, the security agency’s director is Lt. Gen. Keith B. Alexander, who would be expected to be the leading contender for the new, dual position.

Industry executives were generally supportive of the initiative Mr. Obama announced, but also cautious.

“There was nothing I was disappointed in,” said Mark Gerencser, a cybersecurity executive at Booz Allen Hamilton, a consulting firm that deals extensively in the government’s cybersecurity strategy.

Mr. Hamilton noted that the United States had separated defense and offense in the cybersecurity arena, while its opponents, including Russia and China, had a more fluid strategy.

“It’s like we’re playing football and our adversaries are playing soccer,” he said.
