Cyberespionage: Another Summit, Another Spy Game
Posted on September 4, 2007
Filed Under Apparatchiks, China Internet, Cyberespionage, Malware
This past June, according to Ars Technica, the US Department of Defense (DoD) was compromised:
According to Gates, portions of the Pentagon e-mail system were disabled in response to hacking activity. “Elements of the OSD unclassified e-mail system were taken offline yesterday afternoon, due to a detected penetration,” said Gates, according to a transcript of the event published by the Defense Department. “We obviously have redundant systems in place, and there is no anticipated adverse impact on ongoing operations. There will be some administrative disruptions and personal inconveniences.”
A “detected penetration” most likely means that an email server was compromised and some form of malware was installed on it.
Today’s Financial Times ratchets the story up another notch with inside information from “American officials” that:
The Chinese military hacked into a Pentagon computer network in June in the most successful cyber attack on the US defence department, say American officials.
The Pentagon acknowledged shutting down part of a computer system serving the office of Robert Gates, defence secretary, but declined to say who it believed was behind the attack.
Current and former officials have told the Financial Times an internal investigation has revealed that the incursion came from the People’s Liberation Army.
For anyone keeping track of coincidences, President Bush will be meeting President Hu Jintao in Australia this week during the APEC summit. As with Chancellor Merkel’s meeting with Premier Wen Jiabao (see my post earlier here), it seems to be getting pretty tough to meet senior Chinese leaders without a concomitant surge in cyberespionage stories.
China and the US have been down this road before. “Titan Rain” began in 2003, according to this amusing article in Time:
Carpenter had never seen hackers work so quickly, with such a sense of purpose. They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will. An entire attack took 10 to 30 minutes. “Most hackers, if they actually get into a government network, get excited and make mistakes,” says Carpenter. “Not these guys. They never hit a wrong key.”
Carpenter used to work at Sandia Labs before being fired for his reverse hacking that traced the source to Guangdong. What was the nature of the attacks? The previous edition of Time explains:
This was a scanner program that “primed the pump,” according to a former government network analyst who has helped track Titan Rain, by searching vast military networks for single computers with vulnerabilities that the attackers could exploit later. As with many of their tools, this was a simple program, but one that had been cleverly modified to fit their needs, and then used with ruthless efficiency against a vast array of U.S. networks. After performing the scans, the source says, it’s a virtual certainty that the attackers returned within a day or two and, as they had on dozens of military networks, broke into the computers to steal away as much data as possible without being detected.
They hit hundreds of computers that night and morning alone, and a brief list of scanned systems gives an indication of the breadth of the attacks. At 10:23 p.m. pacific standard time (PST), they found vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona. At 1:19 am PST, they found the same hole in computers at the military’s Defense Information Systems Agency in Arlington, Virginia. At 3:25 am, they hit the Naval Ocean Systems Center, a defense department installation in San Diego, California. At 4:46 am PST, they struck the United States Army Space and Strategic Defense installation in Huntsville, Alabama.
The attackers used a scanning program (one that performed with “ruthless efficiency”, no less) to find computers with known, unpatched or unprotected vulnerabilities, and then promptly exploited them. A scanner first targets an IP address, or a block of IP addresses, and then identifies the individual ports (where a service or application is “listening” for a connection) on which a connection can be made.
It should be noted that China is consistently ranked number two as the source country for anomalous port scans, according to the Internet Storm Center. The United States is number one.
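The flip side of the scanning described above is spotting it in your own logs. The following is an added example, not code from the original post: it reads firewall-style lines, flags any source that probes many distinct ports on one host within a short window, and records which probes were allowed through (the ports where something was listening). The log format, addresses and thresholds are constructed for this example.

```python
# Added example: detect a port scan as "one source, one host, many distinct
# ports in a short window" and note which probes the firewall allowed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real firewall's format or real traffic).
SAMPLE_LOG = """\
2007-06-20 22:23:01 DENY 198.51.100.7 -> 10.1.4.20:21
2007-06-20 22:23:01 DENY 198.51.100.7 -> 10.1.4.20:23
2007-06-20 22:23:02 DENY 198.51.100.7 -> 10.1.4.20:80
2007-06-20 22:23:02 DENY 198.51.100.7 -> 10.1.4.20:135
2007-06-20 22:23:03 DENY 198.51.100.7 -> 10.1.4.20:139
2007-06-20 22:23:03 ALLOW 198.51.100.7 -> 10.1.4.20:445
2007-06-20 22:23:04 DENY 198.51.100.7 -> 10.1.4.20:1433
2007-06-20 22:23:04 DENY 198.51.100.7 -> 10.1.4.20:3389
2007-06-20 22:30:10 ALLOW 203.0.113.5 -> 10.1.4.20:80
2007-06-20 22:31:12 ALLOW 203.0.113.5 -> 10.1.4.20:443
2007-06-20 23:59:58 DENY 198.51.100.7 -> 10.1.4.21:22
"""

def parse_line(line):
    """'date time ACTION src -> dst:port' -> (datetime, action, src, dst_ip, port)."""
    date, clock, action, src, _arrow, dst = line.split()
    dst_ip, port = dst.rsplit(":", 1)
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return when, action, src, dst_ip, int(port)

def detect_scans(log_text, window_seconds=60, min_ports=5):
    """Return {(src, dst_ip): {"ports": [...], "open": [...]}} for each source
    that touched >= min_ports distinct ports on one host within window_seconds.
    "open" lists the probed ports the firewall allowed (a listener was found)."""
    events = defaultdict(list)          # (src, dst_ip) -> [(time, port, action)]
    for line in log_text.splitlines():
        if line.strip():
            when, action, src, dst_ip, port = parse_line(line)
            events[(src, dst_ip)].append((when, port, action))
    findings = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):      # slide window over each start
            limit = start + timedelta(seconds=window_seconds)
            in_win = [e for e in evs[i:] if e[0] <= limit]
            ports = {p for _, p, _ in in_win}
            if len(ports) >= min_ports:
                findings[key] = {"ports": sorted(ports),
                                 "open": sorted({p for _, p, a in in_win if a == "ALLOW"})}
                break                               # one finding per (src, dst) pair
    return findings
```

Two normal web requests from 203.0.113.5 and a single probe of a second host stay below the threshold; the eight-port burst from 198.51.100.7 is flagged, with 445 recorded as the port that answered.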
Thanks to the Ars Technica article by Ryan Paul, I found a slew of stories about this in Federal Computer Week. Without going through all of them, I’ll just summarize a few key points:
- The number of attacks on DoD computers has risen dramatically since 2001
- China is widely assumed to be the source
- The attack vectors are known system vulnerabilities, poorly configured computers and devices, and/or idiots suckered into installing a trojan on their systems
I find it disheartening to discover that these attacks are not acts of technical wizardry. Rather, they are due to the laziness and incompetence of the system custodians and users. You would think that the DoD would be a little more competent than that.
Based on the public admission by senior public officials (such as Secretary Gates) about the compromises that have occurred, I’m quite sure that cyberespionage is a common practice of nations.
But I wouldn’t go pointing any fingers. There’s no digital smoking gun with China’s fingerprints, just presumptions, assumptions, and innuendo. There’s lots of talk of “tracing” the attacks back to China, but little explanation of how it was actually done. Moreover, just because the trail stopped in China doesn’t mean it started there.
As interesting as I find these stories, they are also frustrating. They raise more questions than they answer. Questions not about the technology of cyberespionage and cyberwarfare, but about another form of war: disinformation.