That foreign adversaries are using computer network vulnerabilities to steal military data from the U.S. government and its contractors is well known and hardly surprising.
Nations have sought to steal such secrets from one another for centuries; spy-craft has simply moved into cyberspace.
However, the unveiling of a massive cyber-espionage network in August goes well beyond the unwritten rules that informally govern nations when it comes to the theft of technical data or insights into the minds of leaders and their intentions, said Dmitri Alperovitch, vice president of threat research at network security firm McAfee.
Alperovitch analyzed one command-and-control server that had been used to spread malware for five years before McAfee exposed it.
“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” he wrote in a blog post.
Examining the logs to determine who the victims were, and how long the intrusion lasted before it was detected, Alperovitch found 30 different industries on the list.
Many were, indeed, military contractors and information technology companies, but the list also revealed a U.S. real estate firm that had its data laid bare for eight months, a U.S. agricultural trade organization for three months, a U.S. natural gas wholesaler for seven months, a German accounting firm for 20 months and a U.S. insurance association for three months.
A U.S. news organization’s Hong Kong bureau was infiltrated for a whopping 21 months and a U.S. satellite company for 25 months. Other entities that had been penetrated included think tanks, nonprofits involved in democracy building programs overseas, U.S., Canadian and Indian local governments, several U.S. and South Korean construction companies and Olympic committees.
Such organizations rarely tell the public when they have been hacked, which is why the analysis of the server is so telling, he said.
“The primary lesson is … that small, large — whatever your industry is — you’re being targeted if you have something valuable, and it is something someone else in another country may be interested in,” Alperovitch told National Defense.
Cyberspies will continue to attack a target relentlessly if they want to penetrate a business or organization, he said. “We’re in this dilemma where we have to be right 100 percent of the time to defend against it; they only have to be right one percent of the time to get in.”
The successful organizations are those that are adept at identifying breaches once they occur and are able to shut them down before data is exfiltrated, he said.
There is no department in the government currently overseeing the private sector’s security. The military is responsible for its own networks, and has little leverage over its contractors, he said. The Department of Homeland Security is responsible for protecting all .gov domains.
How widespread is the problem? This report covered just one server, he said. McAfee knows of hundreds of other servers used by the same actor, but it does not have access to their logs, which would be needed to identify the victims.
“If you extrapolate the activity from this one server, to hundreds — perhaps even thousands — you can get an appreciation for the true magnitude and scale of the activity,” he said.