ESET Threat Blog

Archive for the 'espionage' Category

Operation Cyber ShockWave


Tuesday, February 16th, 2010

While serving in the Marine Corps, one activity that I felt was effective in preparing both myself and my unit to handle real-world scenarios was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as in the case of NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios, as well as to learn to adapt quickly given the impossible-to-calculate number of permutations of attacker, weapons, target, collateral damage, etc.

Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and have them successfully complete the mission of advising the president throughout the crisis. Their responses were made in real time, as were the intelligence and news feeds. The full list of participants is available from the PRNewsWire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html).

The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC. 

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence, Dennis Blair. Below are samplings of his comments: 

"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."

"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."

The full testimony (PDF) is available here: http://www.dni.gov/testimonies/20100202_testimony.pdf

This brings to mind the old adage "fight fire with fire", which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also plain and simply putting them in a "hurt locker" (aka "world of hurt"), since in many cases cybercriminals and attackers don't feel pain commensurate with the scale and scope of their crimes.

I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those who would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity, there is a very high probability that you would ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.

By now you can read about operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday February 20). 

Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve. 

Jeff Debrosse

Sr. Research Director

Cyber war or Cyber hype?


Friday, July 10th, 2009

On July 4th several US government web sites were hit with a distributed denial of service (DDoS) attack. In human speak, that means you couldn’t get to those web sites because too many other computers were making them unavailable. Many of the attacks failed, but some sites, like www.ftc.gov, effectively disappeared. Shortly after this attack another wave of attacks started, which also included sites in South Korea.

Some reports blamed North Korea for the attack. It does appear that many of the attacking computers were in South Korea, but it is difficult to know who really is behind the attack. The computers actually doing the attacking are infected with programs called “bots”. These computers belong to ordinary people, but are zombies under the control of someone else. Maybe it was North Korea behind the attack, but that doesn’t make a lot of sense to me or to most security experts.

The fact that it is unlikely to be North Korea is not enough to prevent rampant hype. One or two people speculate that it is North Korea and not only does North Korea get blamed, but a media whore in the US congress calls for a cyber attack against North Korea, regardless of whether or not they are to blame. Here’s the story: http://www.wired.com/threatlevel/2009/07/show-of-force/

To see Rep. Peter Hoekstra’s enlightened speech, click here.

The attacks are only a cyber war in the minds of the deranged, the manipulative, and the ignorant. Frankly, those blaming North Korea for this round of attacks are far more likely suspects than North Korea. Rep. Hoekstra has far more to gain from attacking these sites and blaming North Korea than North Korea had to gain from instigating the attacks.

This looks like a classic Wag the Dog.

Randy Abrams
Director of Technical Education

More Bull in a China Shop?


Monday, March 30th, 2009

I thought I’d blogged myself to a standstill over the weekend, but it seems there’s plenty of life left in the Tibet/China story, even if it’s only the East and the West exchanging accusations.

A China Daily headline claims that "Analysts dismiss ‘cyber spy’ claims", though in fact the quotes in the article talk about exaggeration rather than absolute denial. Most of China Daily’s readers (or at any rate those who’ve commented on the article) have written it off as "China-bashing", or as an attempt by the West to deflect attention from its economic problems.

Meanwhile, closer to home (well, my home…), the Times reports that a "confidential" memo (not any more it isn’t…) circulating in Whitehall expresses concern by the chairman of the Joint Intelligence Committee that BT’s buy-in of components for its new £10 billion network from the Chinese telecoms supplier Huawei would expose the UK’s communications to deliberate attack from China, though it concedes that ‘there is at present a “low” risk of China exploiting its capability’.

Nevertheless, the report points out that such an attack would have a serious impact. I don’t have enough data to assess the seriousness of such an attack in practical terms, but it seems unfortunate that "government departments, the intelligence services and the military" are apparently committed to the use of the new BT network if that network cedes significant potential control, even at component level, to a nation that clearly isn’t trusted at high levels of government.

I have to wonder how many elements of the UK’s Critical National Infrastructure (CNI) are labelled "made in China". Not that I want to buy into the universal xenophobia that seems to dominate this story, but if you’re building or maintaining a CNI, don’t you try to keep it in-house, even if it costs more to buy from trusted sources?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Chinese Whispers: Targeted Malware and E-Espionage


Sunday, March 29th, 2009

I’ve mentioned here before that targeted malware, often delivered by "spear phishing" carried by apparently "harmless" documents such as PDFs, .DOCs and spreadsheets rather than overt programs, can have much more impact than the raw numbers of such attacks suggest. In fact, some sources now use the term "whaling" rather than "spear phishing" to reflect the size of the organizations targeted (and, presumably, the scale of the potential impact).

This impact can be so great because instead of being distributed to huge numbers of random people, the social engineering messages are distributed to a few people who have particular influence, or access to particularly interesting and/or valuable information. Today’s Big Issue is concerned with what are alleged to be attacks largely originating in China, against various diplomatic and governmental organizations and the Dalai Lama’s Tibetan exile centres, following the simultaneous release of an article in the New York Times, a paper from the University of Toronto, and another from the University of Cambridge in the UK. At the time of writing, the Toronto paper is unavailable because of a problem with the site, but it’s currently mirrored here.

While I haven’t come across these attacks against the exiled Dalai Lama’s supporters before, both the mechanisms and the far-East connection have been known for some years, even before the UK Centre for the Protection of National Infrastructure (then called NISCC) and security services went semi-public with an advisory. And I’ve referred here before to a chapter section in my "AVIEN Malware Defense Guide" where Ken Dunham and Jim Melnick describe zero-day attacks by "Wicked Rose" and the NCPH group centred on Trojans targeting such organizations as the Department of Defense.

Even if you’ve no particular interest in the locales and organizations named in these reports, there’s an issue touched on in the Cambridge paper by Shishir Nagaraja and Ross Anderson that demands further consideration, when they suggest that "What Chinese spooks did in 2008, Russian Crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course." Here’s why I think they’re right.

What Nagaraja and Anderson call social malware – what I’d call a combination of sophisticated Trojan malware and effective, targeted social engineering – is not the sole preserve of governments spying on governments. (In fact, government contractors and other organizations with significant political interest have been targeted from the beginning: it’s naive to think that a Critical National Infrastructure (CNI) is just an aggregation of government departments.)

The on-line world is full of crooks trying to make money from some form of phishing or other forms of fraud. There are plenty of potential victims out there, but maybe not as many as there were:

  • global recession has made the world poorer
  • the level of awareness of criminal activity among internet users in general is rising, albeit painfully slowly

So criminals may have to share smaller pots between more people.

Furthermore, random dissemination of phishing and similar scams has a fatal weakness: massive random mailouts don’t lend themselves to personalized content.

For instance, I’m not likely to fall for -any- Bank of America phish because I don’t have an account with BoA, and hopefully you won’t send your credit card details to someone who addresses you as "Dear American Express User".

But even a sceptic like me might fall for an email that looks (and sounds) as if it comes from someone I trust, and includes or directs me to a document rather than a program file. Right now, you are most likely to get such a mail if you’re working in certain sectors. But as more blackhats get into the game who are more interested in cash than ideology, the more enterprising among them will spend more time on customizing and targeting, in the hope of getting a better hit rate and higher profits.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence