
Cyber Espionage and Criminal Hacking: The
New Threat Matrix
Paul M. Joyal, NSI Managing Director,
Public Safety & Homeland Security Practice
GovSec | US Law Conference March 23-24, 2010
Cyber Threat Actors
• “Cyber threats to federal information systems and cyber-based
critical infrastructures… can come from a variety of sources,
such as foreign nations engaged in espionage and information
warfare, criminals, hackers, virus writers, and disgruntled
employees and contractors working within an organization.”
– Gregory C. Wilshusen,
Director, Information Security Issues
Government Accountability Office, 2009
Cyber Crime Increases in the Private Sector
• More than 75,000 computer systems at nearly 2,500
companies in the United States and around the world have
been hacked in what appears to be one of the largest and most
sophisticated attacks by cyber criminals
• The attack targeted proprietary corporate data, e-mails, credit-card
transaction data and login credentials at companies in the
health and technology industries in 196 countries, according to
NetWitness.
Cyber Crime and Espionage
• Ten government agencies were penetrated, none in the
national security area, NetWitness said.
• The systems penetrated were mostly in the United States,
Saudi Arabia, Egypt, Turkey and Mexico
• Some estimate the global cyber-crime business amounts to
$100 billion a year.
Cyber Crime Cash is bigger than Narcotics Trade
• Cyber-crime, by some estimates, has outpaced the amount of
illicit cash raked in by global drug trafficking.
• Hackers from Russia and China are among the chief culprits,
and the threat they pose now extends far beyond spam,
identity theft and bank heists.
• “The Internet can now be used to attack small countries. There
are Russian and Chinese hackers that have the power to do that.”
– Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky Lab
Criminals are spamming the Zeus banking Trojan to
attack government computers
• According to one state government security expert who received
multiple copies of the message, the e-mail campaign —
apparently designed to steal passwords from infected systems
— was sent exclusively to government (.gov) and military (.mil)
e-mail addresses.
• The messages appear to have been sent by the National
Intelligence Council (address used was [email protected]), which
serves as the center for midterm and long-range strategic
thinking for the U.S. intelligence community and reports to the
office of the Director of National Intelligence.
E-Mail spoofs the National Security Agency
• The e-mails urge recipients to download a copy of a report
named “2020 Project.” Another variant is spoofed to make it
look like the e-mail from [email protected]. The true sender,
as pulled from information in the e-mail header, is
[email protected]
Growth of Cyber Threats
[Chart: attack sophistication, Low to High, plotted against a 1980 to 2009 timeline. Two trend lines: sophistication of available tools (growing) and sophistication required of actors (declining), with their convergence marked. Events marked on the timeline: Estonia DoS; Russia invades Georgia.]
• Techniques plotted on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, network management diagnostics, GUI, disabling audits, back doors, sweepers, automated probes/scans, sniffers, www attacks, packet spoofing, distributed attack tools, denial of service, cross-site scripting / phishing, sophisticated C2, “stealth”/advanced scanning techniques, staging.
The Vulnerability Matrix
[Diagram: threat vectors (home users; viruses and worms; wireless; broadband connections; configuration problems; insiders) mapped against critical-infrastructure sectors: government, emergency services, transportation, chemical, electric, banking, rail, natural gas, water, oil, telecom, waste water, e-commerce.]
• Figures shown on the diagram: 2,800 power plants; 3,000 government facilities; 5,800 registered hospitals; 5,000 airports; 300 maritime ports; 104 commercial nuclear plants; 66,000 chemical plants; 26,000 FDIC institutions; 150,000 miles of transmission lines; 130 overlapping grid controllers; 120,000 miles of major rails; 2 million miles of pipelines; 300,000 production sites; 1,600 municipal wastewater facilities; 2 billion miles of cable; 80,000 dams.
CIA Report: Cyber Extortionists Attacked Foreign Power
Grid, Disrupting Delivery
• Tom Donahue, the CIA's top cybersecurity analyst, said, "We
have information, from multiple regions outside the United
States, of cyber intrusions into utilities, followed by extortion
demands. We suspect, but cannot confirm, that some of these
attackers had the benefit of inside knowledge.
• We have information that cyber attacks have been used to
disrupt power equipment in several regions outside the United
States."
Could these probes come from China?
• Jian-Wei Wang and Li-Li Rong, Chinese researchers at the
Institute of Systems Engineering of Dalian University of
Technology, reached a counter-intuitive conclusion in a
published journal paper:
• that attacks on power-grid nodes with the lowest loads are
more harmful than attacks on the nodes with the highest
loads.
Cascade-Based Attack Vulnerability – US Power Grid
• They published these findings in a paper on how to attack
a small U.S. power grid sub-network in a way that would
cause a cascading failure of the entire U.S. electrical grid.
• While some maintain that the research promotes a
defense posture, Mr. Wang’s research subject was
particularly unfortunate because of the widespread
perception, particularly among American military
contractors and high-technology firms, that adversaries
are planning to attack critical infrastructure like the United
States electric grid.
The Cyber Threat
• Assessing the threat (like a criminal threat)
[Diagram: THREAT at the centre, fed by four factors: Behavioral Profile, Technical Feasibility, Operational Practicality, Cyber Infrastructure.]
Russia’s NSA (FAPSI) also Identified in Cyber Theft
• In 1998 a U.S.-German satellite known as ROSAT, used for
peering into deep space, was rendered useless after it turned
suddenly toward the sun. NASA investigators later determined
that the accident was linked to a cyber-intrusion at the
Goddard Space Flight Center in the Maryland suburbs of
Washington. The interloper sent information to computers in
Moscow, NASA documents show.
• U.S. investigators fear the data ended up in the hands of a
Russian spy agency.
Russia’s NSA (FAPSI) also Identified in Cyber Theft (continued)
• A team of agents from NASA, the FBI, and the U.S. Air Force
Office of Special Investigations followed the trail of what they
concluded was a criminal hacking ring with dozens of Internet
addresses associated with computers near Moscow.
• The investigators made an even more alarming discovery,
according to people familiar with the probe: The cyber-crime
ring had connections to a Russian electronic spy agency known
by the initials FAPSI.
European Credit Card Crime Accelerates
• Card-related crime is the fastest-growing criminal activity in the
United Kingdom and throughout Europe. Payment card
systems are under unprecedented attack from well-organized
and well-financed criminal gangs.
Card Fraud Plagues Europe: Some Say It’s FAPSI
• The payments business is increasingly the subject of organized,
methodical attacks by Russian criminals, characterized by high
technical sophistication and even including access to systems
designed by FAPSI, the Russian state cryptographic agency.
• "We've seen techniques that could only have come from FAPSI," says
Jan Eivind Fondal, director of risk management at Europay Norge in
Oslo, Norway. "It's beyond anything we've seen. It's a new breed of
fraudster." "He had covered his tracks in a way only a security
professional would."
Russian Viruses Attack Banks
• Russian hackers rely on viruses that record keystrokes as
customers type log-ins and passwords. Russian-made viruses
are believed to be behind several major online heists, including
the theft of $1 million from Nordea Bank in Sweden in 2007
and $6 million from banks in the United States and Europe that
same year.
• Viruses and other types of “malware” are bought and sold for
as much as $15,000.
• Rogue Internet service providers charge cyber-criminals $1,000
a month for police-proof server access.
Russian hacking flourishes as “a cyber-criminal
ecosystem”
• Russian hacking flourishes as “a cyber-criminal ecosystem” of
spammers, identity thieves and “botnets,” vast networks of
infected computers controlled remotely and used to spread
spam, denial-of-service attacks or other malicious programs. A
denial-of-service attack floods a Web site with inquiries, forcing
its shutdown.
– Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky
Lab, one of the world’s leading computer security firms
RBN: First Cyber Strike on Georgia was not Hacktivists
• "The individual with direct responsibility for carrying out the
cyber 'first strike' on Georgia is a RBN operative named
Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in
the attack was a programmer and spammer from Saint
Petersburg named Andrey Smirnov.
• These men are leaders of RBN sections and are not 'script-kiddies'
or 'hacktivists,' as some have maintained of the cyber
attacks on Georgia – but senior operatives in positions of
responsibility with vast background knowledge."
RBN-Prime Mover
• Intelligence can suggest further information about these
individual cyber-terrorists. According to Spamhaus SBL64881,
Mr. Boykov operates a hosting service in Class C network
79.135.167.0/24.
• It should be noted that the pre-invasion attacks emanated from
79.135.167.22, clearly showing professional planning and not
merely ‘hacktivism.’ Due to the degree of professionalism and
the required massive costs to run such operations, a state
sponsor is suspected.
Known Russian Business Network routes identified
• The IP addresses of the range, 79.135.160.0/19 are assigned to
Sistemnet Telecom to provide services to companies who are
classified as engaging in illicit activities such as credit card
fraud, malware and so on.
• 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet
(Turkey) are associated with AbdAllah_Internet, which is linked
with cybercrime hosting such as thecanadianmeds.com. These
are known Russian Business Network routes.
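The spoofed-sender e-mails on the Zeus slides earlier in the deck and the address ranges listed on this slide are both things a mail gateway can check from headers alone. The Python script below is an added example and not part of the original presentation; it parses a constructed message (every host and address in it is a placeholder), compares the display From: domain with the envelope Return-Path domain, pulls the first-hop IP from the Received: chain, and matches it against the two ranges quoted above.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Ranges quoted on the slides: the Spamhaus SBL64881 /24 and the Sistemnet Telecom /19.
LISTED_RANGES = [ipaddress.ip_network(n) for n in ("79.135.167.0/24", "79.135.160.0/19")]

# Constructed sample (every host and address is a placeholder): the display From:
# claims a .gov sender while the envelope sender and the first relay hop do not.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.agency.example.gov with ESMTP; Mon, 15 Mar 2010 10:00:00 -0500
Received: from [79.135.167.22] (unknown [79.135.167.22])
\tby relay.example.org with SMTP; Mon, 15 Mar 2010 09:59:00 -0500
From: "National Intelligence Council" <nic@example.gov>
"""

def domain_of(header_value):
    # Lower-cased domain of the address in a From:/Return-Path: header ("" if none).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def first_hop_ip(msg):
    # The bottom-most Received: header is the hop closest to the real sender.
    for hop in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def listed_range(ip):
    # Most specific listed range containing ip (the /24 sits inside the /19), or None.
    hits = [n for n in LISTED_RANGES if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def triage(raw):
    # Header facts plus the findings a mail-gateway analyst would escalate on.
    msg = email.message_from_string(raw)
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    ip = first_hop_ip(msg)
    net = listed_range(ip) if ip else None
    findings = []
    if from_dom != path_dom:
        findings.append(f"display From: domain {from_dom} differs from Return-Path domain {path_dom}")
    if net:
        findings.append(f"first hop {ip} is inside listed range {net}")
    return {"first_hop_ip": str(ip) if ip else None,
            "listed_range": str(net) if net else None, "findings": findings}
```

A From/Return-Path mismatch alone is common for legitimate bulk senders and mailing lists, so treat it as a triage signal to be weighed with the origin-range check rather than as proof of spoofing.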
Hacking for Money and Politics in Russia
• And when it’s not money that drives Russian hackers, it’s
politics—with the aim of accessing or disabling the computers,
Web sites and security systems of governments opposed to
Russian interests. That may have been the motive behind a
recent attack on Pentagon computers.
• A new generation of Russian hacker is behind America’s latest
criminal scourge. Young, intelligent and wealthy enough to zip
down Moscow’s boulevards in shiny BMWs, they make their
money in cyber-cubbyholes that police have found impossible
to ferret out.
RSA 2010 Conference: Malware industry getting
increasingly professional, warn experts
• The Russian Business Network (RBN), one of the most powerful
and extensive malware and hacking organisations, has been
buying time on Amazon's EC2 platform to build malware and
attack passwords, according to Ed Skoudis, founder of security
consultancy InGuardians.
Russian Cyber Attack model: as seen in Estonia and
Georgia attacks – Information Warfare
• The Kremlin, with the help of the FSB, targets opposition Web
sites for attack.
• Attack orders are passed down through political channels to
Russian youth organizations whose members initiate the
attack, which gains further momentum through crowdsourcing.
Russian Cyber Attack model – Information Warfare
• Russian organized crime provides its international platform of
servers from which these attacks are launched, which in some
cases are servers hosted by badware providers in the U.S.
• LESSON
• For DoD planners and policy makers, an awareness of this
model should trigger a re-evaluation of the approach that is
taken in our cyber security strategy.
Iranian Crackdown Goes Global: RBN supports Efforts to
Track Dissidents
• A Wall Street Journal investigation shows Iran is extending its crackdown to
Iranians abroad. Part of the effort involves tracking the Facebook, Twitter
and YouTube activity of Iranians around the world, and identifying them at
opposition protests abroad. People who criticize Iran's regime online or in
public demonstrations are facing threats intended to silence them.
• Caught by surprise with the power of social media during the disputed
election, Tehran has commissioned white paper studies by the Research
Center of Islamic Republic of Iran Broadcasting (crspa.ir) to "study the role
of social capital in knowledge sharing".
• The crspa.ir web site has been assisted by the Russian Business Network at
the well-known RBN IP address 61.61.61.61, which is home to many of
the RBN's spam, scam, and malware DNS servers.
Local Governments are defrauded also
• The New York town of Poughkeepsie reported that thieves had
broken into the town’s bank account and stolen $378,000 in
municipality funds.
• Poughkeepsie officials said $95,000 was recovered from a
Ukrainian bank.
China acquires US Rocket Engine designs
• Four years later, in 2002, an online intruder penetrated the
computer network at the Marshall Space Flight Center in
Huntsville, Ala., stealing secret data on rocket engine designs—
information believed to have made its way to China, according
to interviews and NASA documents.
Data flows to China
• Howard A. Schmidt, a technology consultant who served as a
White House special adviser on cyber-security from 2001 to
2003, concurs.
• "All indications are that the attacks are coming in from China,"
he says, "and the data is being exfiltrated out to China."
Intelligence Chief on Cyber Challenge
• “But cybersecurity is the soft underbelly of this country.”
Mike McConnell told a group of reporters Jan. 16, 2009
• “If we were in a cyberwar today, the United States would lose.”
Mike McConnell testimony to Congress, February 23, 2010
"Cyber Shockwave," Feb. 17, 2010
• Cyberattack Drill Shows U.S. Unprepared
• A group of high-ranking former federal officials scramble to
react to mobile phone malware and the failure of the electricity
grid in a staged exercise.
• Imagine what would happen if a massive cyber attack hit the
U.S., crippling mobile phones and overwhelming both
telephone infrastructure and the electricity grid.
RF’s Military Doctrine and Principles of state policy on
nuclear deterrence to 2020, on Information Warfare:
• In the RF’s Military Doctrine and Principles of state policy on nuclear deterrence to 2020, the following
sections relate to Information Warfare:
• 12. (d) Acknowledgment of the intensification of the role of information warfare in
contemporary military conflict.
• 13. (d) The prior implementation of measures of information warfare in order to achieve
political objectives without the utilization of military force and, subsequently, in the interest of
shaping a favorable response from the world community to the utilization of military force.
• 41. The tasks of equipping the Armed Forces and other troops with armaments and military
and specialized equipment are: (c) to develop forces and resources for information warfare.
• But what if 41 (c) said “to develop state and non-state actors as forces in the use of
information warfare”?
• Can you imagine the uproar that would occur if Russia had “outed” its own use of non-state
actors? Well, that’s essentially what this document has done for the U.S. government.
From Russian Military Thought Leaders
• There is no need to declare war against one’s enemies and to
actually unleash more or less large military operations using
traditional means of armed struggle. This makes plans for
“hidden war” considerably more workable and erodes the
boundaries of organized violence, which is becoming more
acceptable.
• Viruses are viewed as force multipliers that can turn the initial
period of war into pure chaos if they are released in a timely
manner. (See Russia-Georgia War)
Make No Mistake You and America Are the Target
• Protect your Computer
• You are only a click away from anywhere in the world
• Report to FBI or appropriate US Government Agencies any
cyber attempts to compromise your identity or accounts.
• If you see something say something
• Get involved and stay vigilant
• It Takes a Network to Defeat a Network
• You are part of our network
Paul M. Joyal
NSI | Managing Director, Public safety and Homeland Security Practice
1400 Eye Street NW Suite 900| Washington, DC 20005
T 202 . 349 . 7005 (direct) | M 571 . 205 . 7126
[email protected]
www.nationalstrategies.com