Governments “contracting out” cyber-attacks to criminal networks

You would figure that sensitive information about something like the U.S.’s new breed of fighter jets would be well-secured against hackers. But all it took was one e-mail to compromise a computer that could have leaked information about the Joint Strike Fighter program.

Last April, cyber-attackers targeted a specific individual working on the top-secret weapons technology. Spoofing a Pentagon e-mail address, the attacker sent a message that looked like an official memo about BAE Systems – the lead contractor on the program. That e-mail actually contained an exploit that would have compromised the computer and established a command and control tunnel directly back to the hacker.

It’s an example of spear phishing – a targeted and well-honed attack that involves some social engineering. Cyber-spies have relied on the technique for years to gain access to government systems and now the threat is migrating to the business world, says Amit Yoran, CEO of NetWitness Corp.

Based in Herndon, Va., Yoran is the former director of the Department of Homeland Security’s national cyber-security division.

In the U.S., successive administrations have grappled with “advanced threats” for decades, he says.

But the threat environment has changed, and the perpetrators include governments that aren’t just looking to attack other governments but also to identify “softer targets with commercial and economic interests.”

Yoran will address the first responders of a computer security breach at the World Conference on Disaster Management, June 21 to 24 in Toronto. He wants them to leave his presentation with “a great uneasiness” about the state of security on the Internet and what that means for business networks.

As the world is becoming more aware of how often high-value targets are compromised, new defences are being sought. Typical computer security products available just don’t cut it, experts agree.

“Organizations are typically blind to what’s happening in their environment,” Yoran says. “Because their antivirus isn’t going off, because they don’t see any unusual activity in their intrusion detection systems, they just assume that everything is operating as it should.”

Ron Deibert agrees that your typical, off-the-shelf antivirus won’t help guard against today’s more sophisticated threats. As director of the Citizen Lab at the University of Toronto, Deibert was part of a team of Canadian researchers that recently uncovered a cyber-espionage network dubbed “GhostNet”. The network spanned 1,200 computers in 103 countries, and about one-third of its targets were considered high-value.

Most cybercrime conducted is either done with a national interest, or an economic interest in mind, he adds. “More money was made by cybercrime in 2008 than in drug trafficking in the U.S.”

Compromised computers were found in the foreign ministries of Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados and Bhutan. Not to mention in embassies for India, South Korea, Indonesia, and more. Most notably, the private office of the Dalai Lama was infected.

After tracking down and gaining control of GhostNet, researchers from the Citizen Lab and Ottawa-based SecDev Group found that only 11 of 34 computer security products could identify the Trojan that was used in the attack.

Cybercrime “is a worldwide market and it’s difficult for even the best security organizations to keep up,” Deibert says. “Their [techniques] are dynamic and constantly changing. There’s always another tool being created, always another vulnerability being exploited.”

It was a spear phishing attack that compromised the Dalai Lama’s office – using an attachment that posed as a letter about the Tibetan resistance movement. The attachment contained the Trojan with capabilities to steal information and even use the computer as a surveillance device – activating Webcams and microphones.

The news about GhostNet didn’t surprise Yoran.

“This sort of activity has been going on for years,” he says. “I’d suggest a decade or longer – in an organized and large-scale way.”

NetWitness offers interested companies an evaluation of their network security that, 19 times out of 20, reveals a compromise, Yoran says.

It goes to show that traditional computer security defences sitting on the network layer, such as firewalls and intrusion detection systems, just don’t cut it.

“In today’s threat environment, defensive measures need to be much more data oriented, looking at the applications that matter to the organization,” he says. “Look at the content and where the value lies.”

Companies too often rely on signature-based security products, the CEO adds. These use a database of already existing threats to identify potential problems. But high-value targets are facing advanced threats specifically designed and unique in method. With big stakes on the table, hackers are taking the time to better hone their attacks.

It’s suspected that GhostNet was an operation of the Chinese government, but it’s hard to prove, Deibert says.

“It’s not like at the end of the trail, there’s a made in China sign,” he explains. “The circumstantial evidence points heavily towards this being a Chinese intelligence operation or an operation that was contracted to someone else.”

Many governments will often contract out cyber-espionage work to criminal organizations and illicit networks so they can deny involvement, Deibert says. This is common in former Soviet countries such as Kyrgyzstan, where it was found that the government had sub-contracted denial-of-service attacks against opposition newspapers.

The weakest link in an organization’s computer security is often human, the researcher adds. Particularly in the developing world, it is common not to keep security programs up to date and to open e-mail attachments without verifying the source.

A move away from Windows operating systems to open source may be one way organizations can improve their computer security, he says. Windows contains more security vulnerabilities.

“It’s in part due to the proprietary nature of the operating system itself,” Deibert says. “If you have a closed architecture, it’s harder to find security vulnerabilities. If there’s a closed system of development, there’s a smaller group of researchers that can develop the code.”

To help remedy the security threats found on the Internet, Yoran advocates a different mindset: one that is not lulled into a false sense of security because an antivirus program is installed on a computer, and that demands real visibility into a computer’s activities.

“Attackers have the technical engineering and the technical acumen and the patience to create a unique attack geared towards a particular target,” he says.