Introduction to Cyber-Warfare - Proiect SEMPER FIDELIS

More documents

Recommendations

Info

CYBER WAR THROUGH INTELLECTUAL PROPERTY THEFT: OPERATION AURORA145Second, the investigators obtained a document describing how to use Yahoo! Mail to remotecontrol-infected computers. This document also contained an e-mail address which when investigatedby the researchers led to several advertisements for apartment rentals—also located inChengdu. The Information Warfare Monitor researchers point out that a Technical ReconnaissanceBrigade (TRB) of the Chinese government (traditionally tasked with SIGINT collectionand believed to be involved in cyber espionage) is located in Chengdu. Unfortunately, thereis not much more analysis that can link the attacks to the Chengdu TRB. However, it seems plausiblethat the Shadow Network, an international cyber espionage ring, is the type of operationthat would fall within the TRB’s traditional role—intelligence collection through SIGINT.The stories of Gh0stNet and the Shadow Network illustrate how cyber espionage operatorsmonitored target systems over a long period of time for intelligence collection purposes. Thetargets of these cyber espionage operations included Tibetan dissidents and governmentalorganizations from countries that China may have a substantial interest in. In the next section,we examine another attack largely attributed to the Peoples’ Republic in China—OperationAurora. The level of sophistication increases yet again in this cyber espionage operation, butthis time the targets are mainly part of the industry sector.CYBER WAR THROUGH INTELLECTUAL PROPERTY THEFT:OPERATION AURORAOn January 12, 2010, Google announced shocking news. The firm published on its officialblog that it had been the victim of a cyber warfare originating from China. According to theblog, the purpose of the operation was to access the Gmail e-mail accounts of Chinese humanrights activists. 74 As a result of this cyber espionage operation, Google announced that itwould no longer censor results on its flagship search engine in China—google.cn—a movethat caused consternation with the PRC. The company stated that if they could not run theirsearch engine uncensored, they would be willing to close operations in China.Literally, minutes after the announcement from Google, Adobe—another major softwarevendor—announced that their corporate systems had also been hacked. 75 It turns out thatboth Google and Adobe were targets of the same adversary—an adversary that conductedthe very same operation against 32 more companies. These firms included Dow Chemical,Northrop Grumman, Symantec, and Yahoo. 76 It seems the purpose of the operation was toexfiltrate not only information about Chinese human rights activists but also intellectualproperty—namely, source code of commercially developed software. 77This operation—known as “Operation Aurora”—is the topic of this section. It leveragedsocial engineering along with an advanced Trojan known as Hydraq to steal intellectual property.Several analysts strongly suspect PRC involvement. Here, we review the attack, reviewthe evidence of PRC involvement, and discuss the implications of intellectual property theftfrom corporations.Trojan.HydraqThe act of cyber espionage dubbed “Operation Aurora” employed an exploit in MicrosoftInternet Explorer that was exploited by software referred to as Trojan.Hydraq by the security
146 7. WHY CYBER ESPIONAGE IS A KEY COMPONENT OF CHINESE STRATEGYfirm Symantec. As with several of the cyber espionage operations discussed in this chapter,Operation Aurora was initiated with spear phishing. In the case of the Google break-in, itis thought that this initial spear phishing was directed at an employee using the MicrosoftMessenger instant chat software. The user supposedly received a link to a malicious Web siteduring one of his chat. 78 It is unknown if the operations against the other firms were also initiatedwith chat software. Based on similar operations (such as those discussed earlier in thischapter), it seems likely that e-mail may have also been used as a way to initiate the infiltrationof the malicious software. Either way, the initial communication to these firms had three characteristics.First, they were sent to a select group of individuals, which suggests that this typeof targeting (spear phishing) indicates that the hackers had some additional source of intelligenceon their targets. Second, the communications were engineered in a way to appear asthough they originated from a trusted source, which also shows that the perpetrators wereoperating with profiles of their targets. Third, they all contained a link to a Web site—clickingupon which initiated a certain series of events.Once the user clicked on the link, their Web browser would visit a site based out of Taiwan.This Web site, in turn, executed malicious JavaScript code—this is source code that runs on aWeb site normally used to provide interactive features to the user. The malicious JavaScriptcode exploited a weakness in the Microsoft Internet Explorer Web browser that was largelyunknown at the time. Often, such a new vulnerability is termed a “zero-day exploit.”The malevolent JavaScript code proceeds to download a second piece of malware fromTaiwan—disguised as an image file. This secondary malicious software would proceed torun in Windows and set up a back door allowing a cyber-spy access to the targeted system. 79A back door refers to a method of accessing a system that allows an intruder to circumvent thenormal security mechanism.The use of a zero-day exploit is significant because identifying such a vulnerabilitymost likely required a skillful engineering effort. This, along with the highly targetedspear-phishing campaign (suggesting that the hackers had access to some additional intelligenceon their targets), might hint at the backing of a larger organization—possibly a nationstate.Theft of Intellectual PropertySeveral months after Google announced that it had been hacked, the New York Timesreported that more than just e-mail accounts of Chinese human rights activists had beencompromised. Citing an unnamed source with direct knowledge of the Google investigation,reporter John Markoff wrote that the source code to Google’s state-of-the-art password systemhad likely been stolen during Operation Aurora. 80 The system, known as Gaia, wasdesigned to allow users of Google’s software to use a single username and password to accessthe myriad of Google services. This software is also known as “Single Sign-On.” Markoffreported that Google addressed the problem by adding an additional layer of encryptionto their password system.The compromise of Gaia is significant for more than one reason. First, obtaining softwaresource code of a commercial system is intellectual property theft and thus unlawful in theUnited States. As with the data stolen during Titan Rain, the stolen source code could allow
Page 2 and 3:
INTRODUCTION TOCYBER-WARFARE
Page 4 and 5:
INTRODUCTIONTO CYBER-WARFAREA Multi
Page 6 and 7:
ContentsPreface ixForeword xiIntrod
Page 8 and 9:
CONTENTSviiHow Real-World Dependenc
Page 10 and 11:
PrefaceSince Stuxnet emerged in 201
Page 12 and 13:
ForewordThe concept of cyber warfar
Page 14 and 15:
IntroductionIt is 2006. An American
Page 16 and 17:
INTRODUCTIONxvinfamous hacking grou
Page 18 and 19:
BiographyPaulo Shakarian, Ph.D. is
Page 20 and 21:
C H A P T E R1Cyber Warfare: Here a
Page 22 and 23:
IS CYBER WAR A CREDIBLE THREAT?3sec
Page 24 and 25:
ATTRIBUTION, DECEPTION, AND INTELLI
Page 26 and 27:
INFORMATION ASSURANCE74. Time: Temp
Page 28 and 29:
P A R T ICYBER ATTACKInformation ha
Page 30 and 31:
C H A P T E R2Political Cyber Attac
Page 32 and 33:
RUDIMENTARY BUT EFFECTIVE: DENIAL O
Page 34 and 35:
THE DIFFICULTY OF ASSIGNING BLAME:
Page 36 and 37:
ESTONIA IS HIT BY CYBER ATTACKS17FI
Page 38:
ESTONIA IS HIT BY CYBER ATTACKS19Th
Page 41 and 42:
22 2. POLITICAL CYBER ATTACK COMES
Page 43 and 44:
24 3. HOW CYBER ATTACKS AUGMENTED R
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
34 4. CYBER AND INFORMATION OPERATI
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
44 5. CYBER ATTACK AGAINST INTERNAL
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
68 6. CYBER ATTACKS BY NONSTATE HAC
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114: 94 6. CYBER ATTACKS BY NONSTATE HAC
Page 119 and 120: 100 6. CYBER ATTACKS BY NONSTATE HA
Page 131 and 132: Intentionally left as blank
Page 133 and 134: 114 7. WHY CYBER ESPIONAGE IS A KEY
Page 163: 144 7. WHY CYBER ESPIONAGE IS A KEY
Page 179 and 180: 160 8. DUQU, FLAME, GAUSS, THE NEXT
Page 191 and 192: 172 9. LOSING TRUST IN YOUR FRIENDS
Page 205 and 206: 186 10. INFORMATION THEFT ON THE TA
Page 215 and 216:
196 10. INFORMATION THEFT ON THE TA
Page 217 and 218:
Intentionally left as blank
Page 219 and 220:
200 11. CYBER WARFARE AGAINST INDUS
Page 221 and 222:
Page 223 and 224:
Page 225 and 226:
Page 227 and 228:
Page 229 and 230:
210 12. CYBER ATTACKS AGAINST POWER
Page 231 and 232:
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
224 13. ATTACKING IRANIAN NUCLEAR F
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
242 CONCLUSION AND THE FUTURE OF CY
Page 263 and 264:
Page 265 and 266:
246 APPENDIX I. CHAPTER 6: LULZSEC
Page 267 and 268:
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
258 APPENDIX II. CHAPTER 6: ANONYMO
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317 and 318:
Page 319 and 320:
Page 321 and 322:
Page 323 and 324:
Page 325 and 326:
Page 327 and 328:
308 GLOSSARYDDoS distributed denial
Page 329 and 330:
310 GLOSSARYNIST National Institute
Page 331 and 332:
Page 333 and 334:
314 INDEXCyber exploitation (Contin
Page 335 and 336:
316 INDEXNATO (Continued)high-level
Page 337:
318 INDEXTechnical intelligence (TE
show all

Introduction to Cyber-Warfare - Proiect SEMPER FIDELIS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?