Cyberattacks Reaching New Heights of Sophistication
In August, the Stuxnet virus shocked the same experts. The malware that infected Siemens operating systems was orders of magnitude beyond anything they had seen in terms of sophistication.
The year 2010 may prove to be a watershed for cyber-security. The three incidents: the Aurora operation; the hijacking of data and the Stuxnet virus were all stunning new developments, said Dmitri Alperovitch, vice president of threat research at McAfee, the world’s largest dedicated Internet security firm.
“Most of the days we feel like we really don’t have a chance,” he told National Defense. “The threats are escalating at a pretty significant pace, defenses are not keeping up, and most days attackers are succeeding quite spectacularly.”
The year that may go down in infamy in Internet security circles began when the Aurora attack was discovered in January. The operation came to light when a student in California involved in human rights in China realized that someone was inside her Google G-mail account. That revealed a much larger operation that had targeted about two dozen U.S. information technology companies.
Using a “social networking,” or a spear-phishing, operation, hackers sent emails to top officials at U.S. companies with high levels of access to their company’s computer systems. The emails appeared to come from close friends or colleagues, and would ask the targeted person to link to some pictures. The link would go to a blank screen, but by the time they were there, malware taking advantage of a zero-day vulnerability had already been installed.
A “zero-day vulnerability” is an undiscovered security flaw in software. Cyber-criminals and spies pay large amounts of money to hackers who have ferreted out these flaws. Hundreds of thousands of dollars can exchange hands in the black market, Alperovitch explained.
Within seconds of the Aurora malware being installed, hackers were standing by and ready to exfiltrate data, he said.
“They had people at the keyboard ready to jump on the moment the computers beaconed out and said they were infected,” Alperovitch said.
“The most interesting thing is that they went after intellectual property such as source codes,” he added. They used the first computer to establish a beachhead in a company, and spread the malware from there. The operation set up backdoors in software programs that could be exploited later. The campaign was first launched in late 2009. The malware had infiltrated about 24 companies for several months before it was discovered. Google is one of the few companies that has come forward and admitted that it was a victim. Other companies are major suppliers of services to the U.S. government. These organizations have thousands of desktops. Discovering which computers have been infected is like finding a needle in a haystack, he said.
Source codes are the “crown jewels” of information technology companies, he noted. Once they are known, they can be used to exploit additional vulnerabilities, he added.
Spying on human rights activists turned out to be a secondary operation. The organization that launched the campaign was after much bigger fish, and going after dissidents may have been a huge misstep. The operation may not have been detected for another six months, he noted.
Google accused China of instigating the Aurora attack, which country officials denied. A U.S. diplomatic cable revealed on the WikiLeaks website cited an unnamed source inside the China who said the attack originated in the Chinese government.
As always, finding a smoking gun in such operations is nearly impossible, Alperovitch said.
The hijacking of 15 percent of the Internet’s routes in April could definitely be attributed to China, Alperovitch said. For 18 minutes in April, the state-controlled telecommunications company China Telecom Corp., redirected some of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies. A “route” in web-terms is akin to a postal code, he said.
This incident initially received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for most outside the cyber-security community to grasp, said Alperovitch.
In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country, or decrypted messages, Alperovitch said.
Nobody outside of China can say, at least publicly, what happened to the terabytes of data after it entered China.
“This is one of the biggest — if not the biggest hijacks — we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”
The telephone giants of the world work on a system based on trust, he explained. Machine-to-machine interfaces send out messages to the Internet informing other Internet service providers that they are the fastest and most efficient way for data packets to travel. For 18 minutes last April, China Telecom told about 15 percent of the ISPs of the world that its routes were the best paths to send traffic.
For example, a person sending information from Arlington, Va., to the White House in Washington, D.C. — only a few miles away — could have had his data passed through China. Since traffic moves around the world in milliseconds, the computer user would not have noticed the delay.
This happens accidentally a few times per year, Alperovitch said. What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this massive amount of data and send it back out again without anyone noticing a disruption in service. In previous incidents, the data would have reached a dead end, and users would not have been able to connect.
Also, the list of hijacked data just happened to include preselected destinations around the world. The incident affected traffic to and from U.S. government and military sites, including the Senate, Army, Navy, Marine Corps, Air Force, the office of the secretary of defense, NASA, the Department of Commerce, the National Oceanic and Atmospheric Administration, “and many others,” said a report by the U.S.-China Economic and Security Review Commission.
China Telecom has said that the rerouting of traffic was accidental.
“Why would you keep that list?” Alperovitch asked.
The amount of data included in all these packets is difficult to calculate, he said.
The data could have been stored so it could be examined later, he added.
“Imagine the capability and capacity that is built into their networks. I’m not sure there was anyone else in the world who could have taken on that much traffic without breaking a sweat,” Alperovitch said.
The report, quoting Danny McPherson, chief security officer at Arbor Networks, an Internet security firm, said the data could be diverted to a computer where a user didn’t intend to go, for example, a “spoofed site” that could be used to trick him or her into downloading data. The massive diversion of traffic could have “been intended to conceal one targeted attack,” the report said.
McAfee has briefed U.S. government officials on the incident, but some weren’t alarmed. They said their Internet communications are encrypted.
However, encryption also works on a basis of trust, McAfee experts pointed out. And that trust can be exploited.
Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unbeknownst to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems.
Among the certificates is one from the China Internet Information Center, an arm of the China’s Ministry of Information and Industry.
“If China telecom intercepts that [encrypted message] and they are sitting in the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said.
The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said.
“It is a flaw in the way the Internet operates,” said Joris Evers, director of worldwide public relations at McAfee.
No one outside of China can say whether any of these potentially nefarious events occurred, Alperovitch stressed. It is not defined as a cyberattack because no one’s sites were hacked or shut down. “But it is pretty disconcerting.”
The sophistication of the Stuxnet virus, however, was several magnitudes in sophistication beyond any other cyber-security incident, Alperovitch said.
McAfee experts believe the operation took about 12 experts working for more than a year and a budget of at least $10 million to carry out.
It targeted Seimens supervisory control and data acquisition, or SCADA, systems, which are used to control power plants and other industrial machinery.
“If you look at the cyber-security experts in the world, you can probably count on one hand the number of people who are proficient in malware and also have deep inside knowledge of a SCADA system like this,” Alperovitch said.
What floored analysts was the exploitation of five “zero-day” vulnerabilities.
“Typically one zero-day vulnerability as part of an attack indicates some level of sophistication,” he said. “When you have five, this is through-the-roof type of sophistication.”
One of the vulnerabilities was found in every version of Microsoft Windows since 1995, meaning it would work on any of the company’s software released during the last 15 years, and had gone undiscovered by hackers for that amount of time.
The attacker initially used a USB drive to infect a Siemens system. SCADA systems are normally walled off from the Internet. As soon as he did that, it automatically triggered that vulnerability.
“The user doesn’t have to click on anything, he doesn’t see anything. It is completely stealth, and on every Windows version since 1995.
“If that was all that Stuxnet had, it would probably be the most sophisticated worm we had ever seen before. But that was only 10 percent of its capabilities.” It embedded itself deep in the operating system where it could hijack various capabilities.
Meanwhile, it came with two legitimate public encryption keys signed and verified by Microsoft. These keys came from two different companies located in the same technology park in Taiwan, Alperovitch said. Since these keys are never kept on computer networks, and are the type of codes that are normally locked away in safes, that means someone had to physically break in to steal them. Or it could have been an insider job, he noted.
McAfee Labs Research and Communications Director Dave Marcus said, “It hides the malware under a legitimate shell. It’s making it look like a legitimate application and that’s exceptionally dangerous.”
McAfee analysts believe that the attackers were not reaching their original target after they first launched the operation. Between January and March this year, they allowed the virus to spread from computer to computer in hopes that it would be installed in the intended computer system.
“At some point they made the decision that stealth was just not worth it because they were not getting to the target they were intending to hit,” Alperovitch said.
Most of the infected computers are in Iran, and a Belorussian Internet security company on contract with that nation first detected it. There has been speculation that the attack was targeting Iran’s nuclear power program. The evidence is circumstantial, Alperovitch said.
He could say that there was no financial motivation for the attack.
“The sophistication here is way beyond any individual or cyber-crime group.
No one person has the capability to do all these things — SCADA knowledge, discover zero-day vulnerabilities, steal encryption certificates and sign them.
“Einstein couldn’t do that,” he said.