It was perhaps the first time that evidence had publicly emerged linking the Chinese with specific cyberwarfare and espionage practices. A Chinese documentary, The Internet Storm Is Coming, recently became available online. Buried in the program around 11 minutes in was B-roll footage of a tool enabling users to attack selected websites via a distributed denial-of-service technique. The clip, later pulled by the Chinese government, gave even more credence to the idea that the state was deliberately involved in cyberwarfare and espionage.
We’ve come a long way from Cold War espionage, when microdots, miniature cameras, and drop zones defined the shady world of spying. Today, misappropriating information from your enemies is more often than not an online affair. But the origins of cyber espionage stretch back to the Cold War.
Markus Hess, a German citizen employed by the KGB, was convicted of hacking his way into US government systems to find information about the Strategic Defense Initiative and other nuclear programs. Hess used the ARPANET, a precursor to the modern internet, but was captured after Clifford Stoll, a systems administrator at the Lawrence Berkeley National Laboratory, was asked to investigate a small accounting error in the usage billing for the laboratory’s computer system. Stoll wrote up the resulting investigation, involving a complex honeypot operation designed to trap Hess and reveal his identity, in a book called The Cuckoo’s Egg.
From Cold War to Cyber War
Hess’s capture involved an intricate chase through multiple network exchanges and postal addresses, following an elaborate trap laid for him by Stoll. These days, with an internet so ubiquitous that you can get onto it from anywhere, the tell-tale 1200 baud telephone link that set Stoll on Hess’s trail is not available. The upshot? Zero attribution, and zero justice.
“The protocols within the internet make it very difficult to attribute an attack with a satisfying degree of certainty to a precise party”, warns Guillaume Lovet, senior manager for the Threat Response Team at Fortinet. “Above all, those conducting cybercriminal activity will have the knowledge to easily forge the origins of attacks, such as a trojan horse, making it harder to know where the attack(s) come from, and from who.”
| "The protocols within the internet make it very difficult to attribute an attack with a satisfying degree of certainty to a precise party" |
| Guillaume Lovet, Fortinet |
When spies were caught back in the day, they would be rejected from a country with much fanfare, in an attempt to shame their country of origin. These days, spies attack computer systems to obtain intellectual property, which can quickly be extracted from target databases and document stores without the target even knowing. When hacking activity does come to light, finding the perpetrator is next to impossible.
Even when the originating IP addresses for attacks are found in a particular country, the country still enjoys plausible deniability. Who could prove, for example, that a Chinese IP address from which an attack was launched was not itself compromised by another party, in another country?
Plausible Deniability
This is why researchers are especially careful not to directly accuse, even when all evidence points to a particular state actor. Take GhostNet, for example, the cyber-espionage ring discovered in 2009 by SecDev, a Canadian company specializing in researching and engaging complex problems of insecurity and violence.
SecDev, which carries out analytical investigations into cyber espionage, found a relatively small, targeted botnet focusing on key targets specific to Chinese interests. These included oil companies, the Office of His Holiness the Dalai Llama (essentially the hub of the Tibetan movement), Indian software technology parks, and the Taiwanese Institute for Information Industry.
“The attacker(s)’ IP addresses examined here trace back in at least several instances to Hainan Island, home of the Lingshui signals intelligence facility and the Third Technical Department of the People’s Liberation Army”, said the GhostNet report. “However, we must be cautious to rush to judgment in spite of circumstantial and other evidence, as alternative explanations are certainly possible and charges against a government of this nature are gravely serious.”
| "A lot of these things are coming over voice over IP. They’re a totally different ballgame than the older phones back in the day" |
| JD LeaSure, ComSec |
Unlike consumer-focused malware attacks, which typically sweep large numbers of machines using malware delivered via drive-by downloads, most espionage attacks are more targeted. Some cases have involved PDFs delivered to key individuals via email, designed to look like documents relevant to their industry. The documents contained zero-day attacks intended to circumvent even up-to-date malware signatures.
But not all attacks use sophisticated techniques such as these. “A lot of these attacks are coming over voice over IP. They’re a totally different ballgame than the older phones back in the day”, says JD LeaSure, chief executive of security firm ComSEC LLC. LeaSure has been involved in counter-surveillance activities since 1984.
Stealing Secrets
Even as the possibility of attribution decreases, the amount of data being stolen is skyrocketing. Billions of dollars worth of sensitive information is being leaked from corporate systems. We have seen various attacks, including Operation Aurora in 2008–09, in which numerous companies in the tech industry were targeted by an organized hacker. More recently, Night Dragon specifically targeted oil and gas firms. Attackers stole sensitive information about contract negotiations, and the victims of the attack lost crucial contracts.
“You’re seeing wholesale transfers of IP from one country to another”, says Dmitri Alperovitch, McAfee’s vice president of threat research, who wrote a contentious (and much-contested) report about an espionage network called ‘Shady RAT’ in August. “You can see the impact of that. Not only are they stealing the R&D data, but they’re stealing all of the go-to-market information, such as customer lists, and marketing strategies.”
McAfee also discovered Operation Aurora, an attack mounted against Google and dozens of other technology companies, designed to steal intellectual property. While some researchers may not be willing to directly attribute blame to governments for attacks, Google’s executives were sufficiently confident in their conclusions to realign their relationship with the country, effectively thumbing their noses at the Chinese government by redirecting their traffic through their Hong Kong services. The company has since capitulated in a bid to maintain its operating license in China.
| "Stuxnet was an incredibly sophisticated piece of code with a number of man-years behind it. It took the resources of a nation state" |
| Richard Walters, Invictis |
There is considerable background evidence that state actors work with private individuals and groups to varying degrees for the purpose of cyber warfare and espionage. In his book Dark Visitor, about the history of the Chinese hacking movement, Scott Henderson charts the rise of patriotic hacking groups, such as the Green Army and the China Eagle Union.
The author says that the Indonesian riots in 1998 (during which the Chinese in Indonesia were blamed for financial troubles) provoked a concerted effort among these dislocated hacker groups to attack domestic Indonesian targets. From there, a more cohesive tracking movement developed in China, leading to the creation of, among others, the Red Hacker Alliance and the Honker Union.
Tacit Complicity
Henderson speculates that while the Chinese government may not actively sponsor these groups, there may be, at least, a tacit complicity. They are, after all, allowed to continue their activities without being shut down by what is one of the most heavy-handed governments in the world when it comes to internet control and censorship. The increasing commercialization of these groups also makes it possible that there is some financial compensation between the two.
The move toward industrial espionage has revealed some interesting links to Chinese industry in the past. The Myfip trojan released in 2004 targeted standard systems for research and development-related files, and sent them to an individual in Tianjin, a huge manufacturing hub for the Chinese electronics sector. The fact that the hackers didn’t bother to obscure their location lends credence to the idea that the government there is willing to turn a blind eye, Henderson says.
The US, too, has its private-sector intelligence effort, although rather than small groups of patriotic hackers, it has outsourced some of its intelligence and counterintelligence efforts to secretive boutique firms, according to sources close to the matter who did not want to be identified. This tendency ramped up after the 9/11 terror attacks, and continues today.
| "You’re seeing wholesale transfers of IP from one country to another…Not only are they stealing the R&D data, but they’re stealing all of the go-to-market information, such as customer lists, and marketing strategies" |
| Dmitri Alperovitch, McAfee |
Was it a boutique private-sector firm or a state-employed team that put together Stuxnet, the attack on the Iranian Bushehr nuclear reactor? “Stuxnet in Iran was an incredibly sophisticated piece of code with a number of man-years behind it”, says Richard Walters, director and co-founder at international risk management firm Invictis. “It took the resources of a nation state.”
The team, he asserts, effectively replicated the computing infrastructure for Iran’s key nuclear installations, carefully constructing malware to take down systems by compromising obscure programmable logic controller equipment.
Physical Espionage
It is important to remember that not all threats are online. ComSEC’s LeaSure focuses on counter-surveillance, and will regularly sweep offices for electronic bugs. “Many times, organizations will put 99% of their security budget into an online threat but leave a gaping hole in any kind of physical offline threat”, he cautions. “Those lower-level threats are just as important, if not more so. Many times, they can be used to gain access much easier than the online threats.”
LeaSure sweeps customers’ premises across the spectrum for suspicious radio transmissions, but will also conduct thermal imaging, and uses non-linear junction detectors to look for harmonics output in any device that has diodes in it. This will pick up small digital recorders, for example, that do not transmit and are difficult to find.
He even checks building ductwork to evaluate the possibility of people eavesdropping through ventilation shafts. But how many are that diligent, and know where to look for those who would steal their secrets? In the world of cyberspace, just as in the physical realm, spies understand one thing above all others: the best way to hear your enemies is to stay silent.