
Massive Cyber Attacks Uncovered

February 19, 2010 Security, Technology 1 Comment

More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.

The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

News of the attack follows reports last month that the computer networks at Google and more than 30 other large financial, energy, defense, technology and media firms had been compromised. Google said the attack on its system originated in China.

This latest attack does not appear to be linked to the Google intrusion, said Amit Yoran, NetWitness’s chief executive. But it is significant, he said, in its scale and in its apparent demonstration that the criminal groups’ sophistication in cyberattacks is approaching that of nation states such as China and Russia.

The attack also highlights the inability of the private sector — including industries that would be expected to employ the most sophisticated cyber defenses — to protect itself.

“The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats,” Yoran said. “The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.”

The intrusion, first reported on the Wall Street Journal’s Web site, was detected Jan. 26 by NetWitness engineer Alex Cox. He discovered the intrusion, dubbed the Kneber bot, being run by a ring based in Eastern Europe operating through at least 20 command and control servers worldwide.

The hackers lured unsuspecting employees at targeted firms to download infected software from sites controlled by the hackers, or baited them into opening e-mails containing the infected attachments, Yoran said. The malicious software, or “bots,” enabled the attackers to commandeer users’ computers, scrape them for log-in credentials and passwords — including to online banking and social networking sites — and then exploit that data to hack into the systems of other users, Yoran said. The number of penetrated systems grew exponentially, he said.

“Because they’re using multiple bots and very sophisticated command and control methods, once they’re in the system, even if you whack the command and control servers, it’s difficult to rid them of the ability to control the users’ computers,” Yoran said.

The malware had the ability to target any information the attackers wanted, including file-sharing sites for sensitive corporate documents, according to NetWitness.

Login credentials have monetary value in the criminal underground, experts said. A damage assessment for the firms is underway, Yoran said. NetWitness has been working with firms to help them mitigate the damage.

Among the companies hit were Cardinal Health, located in Dublin, Ohio, and Merck, according to the Wall Street Journal. A spokesman for Cardinal said the firm removed the infected computers as soon as the breach was found.

Also affected were educational institutions, energy firms, financial companies and Internet service providers. Ten government agencies were penetrated, none in the national security area, NetWitness said.

The systems penetrated were mostly in the United States, Saudi Arabia, Egypt, Turkey and Mexico, the firm said.

Pentagon Struggles with Cyber Security

January 26, 2010 Security, Technology No Comments

WASHINGTON — On a Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks.

The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.

After that, the trail disappeared into a cloud of angry Chinese government denials, and then an ugly exchange of accusations between Washington and Beijing. That continued Monday, with Chinese assertions that critics were trying to “denigrate China” and that the United States was pursuing “hegemonic domination” in cyberspace.

These recent events demonstrate how quickly the nation’s escalating cyberbattles have outpaced the rush to find a deterrent, something equivalent to the cold-war-era strategy of threatening nuclear retaliation.

So far, despite millions of dollars spent on studies, that quest has failed. Last week, Secretary of State Hillary Rodham Clinton made the most comprehensive effort yet to warn potential adversaries that cyberattacks would not be ignored, drawing on the language of nuclear deterrence.

“States, terrorists and those who would act as their proxies must know that the United States will protect our networks,” she declared in a speech on Thursday that drew an angry response from Beijing. “Those who disrupt the free flow of information in our society or any other pose a threat to our economy, our government and our civil society.”

But Mrs. Clinton did not say how the United States would respond, beyond suggesting that countries that knowingly permit cyberattacks to be launched from their territories would suffer damage to their reputations, and could be frozen out of the global economy. …

Chinese Hacker “Community” Exposed

July 31, 2009 Security, crime No Comments

For years, the U.S. intelligence community worried that China’s government was attacking our cyber-infrastructure. Now one man has discovered it’s worse: It’s hundreds of thousands of everyday civilians. And they’ve only just begun.


At 8 a.m. on May 4, 2001, anyone trying to access the White House Web site got an error message. By noon, whitehouse.gov was down entirely, the victim of a so-called distributed denial-of-service (DDoS) attack. Somewhere in the world, hackers were pinging White House servers with thousands of page requests per second, clogging the site. Also attacked were sites for the U.S. Navy and various other federal departments.

Xiao Tian: In the male-dominated world of hacking

A series of defacements left little doubt about where the attack originated. “Beat down Imperialism of America, Attack anti-Chinese arrogance!” read the Interior Department’s National Business Center site. “CHINA HACK!” proclaimed the Department of Labor home page. “I AM CHINESE,” declared a U.S. Navy page. By then, hackers from Saudi Arabia, Argentina and India had joined in. The military escalated its Infocon threat level from normal to alpha, indicating risk of crippling cyber-attack. Over the next few weeks, the White House site went down twice more. By the time the offensive was over, Chinese hackers had felled 1,000 American sites.

The cyber-conflict grew out of real-world tensions. A month earlier, a U.S. EP-3 reconnaissance aircraft flying off the southern coast of China had collided with a Chinese F-8 fighter jet. The American pilot landed safely, but the Chinese pilot was killed. China’s hackers lashed out. It wasn’t the first foreign attack on American sites, but it was the biggest — “the First World Hacker War,” as the New York Times dubbed it.

The Chinese attacks were poorly coordinated, and it’s tempting to dismiss them as harmless online vandalism. But subsequent attacks have become more serious. In the past two years, Chinese hackers have intercepted critical NASA files, breached the computer system in a sensitive Commerce Department bureau, and launched assaults on the Save Darfur Coalition, pro-Tibet groups and CNN. And those are just the attacks that have been publicly acknowledged. Were these initiated by the Chinese government? Who is doing this?

Early clues came through the boasts of a single Chinese hacker. On May 20, 2003, a man named Peng Yinan, then known only by the moniker coolswallow, logged into a public Shanghai Jiaotong University student forum and described how he formed a group at the university’s Information Security Engineering School that coordinated with other hackers to bring down whitehouse.gov in 2001. “Javaphile was established by coolswallow (that’s me)” and a partner, he wrote in Chinese. “At first we weren’t a hacker organization. After the 2001 China-U.S. plane collision incident, Chinese hackers declared an anti-American Battle . . . and coolswallow joined in the DDoS White House attacks.” Later, he bragged, his group defaced other sites it considered anti-Chinese, including that of the Taiwanese Internet company Lite-On. Peng left two e-mail addresses, his chat information and the screen names of four other hackers. He soon expanded his online profile with a blog, photos, and papers describing his hacking openly. But his boasts went unnoticed until 2005, when a linguist in Kansas typed the right words into Google, found Peng, and pulled back the curtain on a growing danger. …

Activation of U.S. CYBERCOM (Cyber Command)

July 4, 2009 Intelligence No Comments

On June 23 U.S. Defense Secretary Robert Gates signed a memorandum that announced the launch of U.S. Cyber Command (CYBERCOM). A plan by securocrats in the works for several years, the order specifies that the new office will be a “subordinate unified command” under U.S. Strategic Command (STRATCOM).

According to the memorandum, CYBERCOM “will reach initial operating capability (IOC) not later than October 2009 and full operating capability (FOC) not later than October 2010.”

Gates has recommended that this new Pentagon domain be led by Lt. General Keith Alexander, the current Director of the ultra-spooky National Security Agency (NSA). Under the proposal, Alexander would receive a fourth star and the new agency would be based at Ft. Meade, Maryland, NSA’s headquarters.

Gates’ memorandum specifies that CYBERCOM “must be capable of synchronizing warfighting effects across the global security environment as well as providing support to civil authorities and international partners.” …

China’s GhostNet

April 1, 2009 Security 2 Comments

Researchers in Toronto have released a document that describes what may be the first real evidence of a government-operated cyber-espionage network in action. In a ten-month investigation, the team documented the operation of what they dubbed GhostNet, and its various infections worldwide.


The existence and operation of massive, coordinated, government-affiliated online espionage networks is typically the province of television or the silver screen, rather than the subject of research. In the real world, even a direct link between online and offline action (Russia’s invasion of Georgia and the simultaneous online attacks against that country are a good example) is not enough to prove that the government behind the one is automatically behind the other. Even so, we’ll undoubtedly see more of this type of crowd-sourced aggression in the future.

Researchers in Toronto, however, may have actually discovered and tracked a hacking effort that can be traced back to a foreign intelligence network (China, in this case) over the past ten months. The team, which is affiliated with the Munk Centre for International Studies, has published an extensive report on the activities of what they dub the GhostNet. Their investigation took place from June 2008 through March of 2009, and focused on allegations that the Chinese had engaged in systemic online espionage activities against the Tibetan community. GhostNet was spread through the use of a wide variety of Trojans, many of which were controlled through a program nicknamed gh0st RAT (Remote Access Tool).

The report can be read (PDF) in one of two ways: either as a primer on the operation and capabilities of both the gh0st RAT tool and the GhostNet network, or as an intelligence document detailing (with some redactions) where GhostNet infections were found and, perhaps more importantly, where the espionage network’s C&C servers appear to be located. For the purposes of this discussion, we’re going to focus more on the sociopolitical implications of GhostNet and less on the technical details. It will have to suffice to say that gh0st RAT is apparently a complex and nasty bit of business that does not rely on the successful installation of one particular Trojan in order to operate.

Its various payloads appear to have been delivered using standard social engineering and/or spear phishing techniques. This could be seen as further proof that relatively simple attack vectors are sufficient to overwhelm the security training and/or antivirus software of high-level government institutions; many of the targets GhostNet infiltrated should never be susceptible to a gussied up version of a social engineering attack. …
