Inside Cyber Warfare Part 9

The advent of a netcentric world has changed the threat environment dramatically and, as a result, governments and private corporations need to rea.s.sess how they collect and a.n.a.lyze intelligence on the emerging threats that will impact them.

The recent and as yet unsourced attacks against US and South Korean government websites that began over the Independence Day weekend in July 2009 is an interesting case in point.

Another is the August 2009 DDoS attacks that were launched against one Georgian blogger and that knocked Twitter offline and substantially degraded access to Facebook and LiveJournal.

Project Grey Goose (PGG) investigators looked at both incidents, along with established Internet security companies, US-CERT, and the usual collection of government agencies charged with such tasks. This chapter focuses on how PGG research was done and the conclusions that were reached. It also presents the findings of other agencies and proposes some ideas about how and why radically different findings can emerge from the same set of facts.

Finally, this chapter suggests a new approach to conducting cyber intelligence that takes into account the unique problem set a.s.sociated with cybers.p.a.ce in general and cyber attacks in particular.

The Korean DDoS Attacks (July 2009).

The first set of information that came into the hands of Project Grey Goose investigators was the technical characteristics of the attacks. This information is typically shared between Internet security firms and is fairly objective and noncontroversial.

The best technical a.n.a.lysis came from the Vietnamese security firm BKIS. Figure 5-1 shows a breakdown of what was known about the attacks after BKIS gained control of two of the command and control (C&C) servers.

Figure 5-1. BKIS diagram of the MyDoom attack program Thanks to information shared between KR CERT and AP CERT (of which BKIS is a member), BKIS researchers were able to gain access to two of the C&C servers and determined that the botnet was controlled by a total of eight C&C servers. The zombie PCs in this botnet were instructed to log onto a different, randomly chosen server every three minutes.

More importantly, the researchers discovered the existence of a yet another server, located in the UK, which acted as a master server by controlling the eight C&C servers. This prompted BKIS to name the UK as the source of the attacks.

If the South Korean government (ROK) had wished to retaliate against the botnet authors, and failing that, against the government of the country from which the attack originated, it would have found itself in a very awkward position indeed. Members of the Republic of Korea government, as well as their National Intelligence Service and particularly the ROK press, all levied blame at the North Koreans (DPRK). Not only did the attack not come from the North, it came from an allied nation. But the situation quickly became even more complicated.

The master server was owned by a legitimate British company, Global Digital Broadcast. When it was contacted by its Internet provider, CRI, as well as the UK's Serious Organized Crime Agency, it investigated further and discovered that the master server was not in the UK after all. It was in Miami, Florida, on a server that belonged to Global Digital's partner, Digital Latin America (DLA).

The DLA Miami office connects with Global Digital's Brighton office by way of a virtual private network (VPN), which made it appear as though the master server was in Britain instead of in the United States. An official statement from DLA said that viruses were found on the Miami server, but details on what kind of viruses were not forthcoming.

So once again, as was seen in the case of the StopGeorgia.ru forum, a key component of a malicious attack was hosted not inside the borders of a known adversary but within the United States itself.

This phenomenon has not been adequately addressed or even considered in any of the legal arguments that I have read that make the case for a preemptive first strike or even a nuclear deterrent against the initiators of a cyber attack.

As you'll learn more about in Chapter 8, in 2008, 75% of the C&C servers controlling the world's largest botnets were hosted by a company in Northern California, which was formed by members of Russian organized crime. This is just one example of how cybers.p.a.ce is radically changing the threat environment into one never before seen by senior military leaders.h.i.+p in any nation.

BKIS concluded its report with an a.s.sessment of the size of the botnet, which was far larger than any other estimate issued since the attack began. Symantec estimated 50,000 bots, and the ROK government estimated 20,000. However, BKIS used its own formula and determined that this botnet consisted of 166,908 bots scattered across 74 different countries. The top 10 countries involved were, in order, the ROK, the United States, China, j.a.pan, Canada, Australia, Phillipines, New Zealand, the United Kingdom, and Vietnam.

The Botnet Versus the Malware.

Whereas the botnet showed a relatively high degree of sophistication, the malware was amateurish in comparison: It was based on the code base of a very old virus-MyDoom.

It appeared to be a patchwork of scripts rather than any custom coding, so it was most likey done by someone who is not a coder.

There was no attempt made to avoid AV signatures.

There is some evidence that either it was written to target Korean-language systems or the author used a Korean-language email template.

There was a lot of discussion within the PGG network about possible culprits, but a consensus was never reached. One thing that most investigators agreed on, however, was that the person who created the botnet was not the same person who cobbled together the virus.

Another hypothesis was the possible involvement of organized crime, at least on the botnet side. That theory fell out of favor once it was revealed that the botnet contained a self-destruct feature, suggesting it might have been specifically set up to perform only this task or modified after it was acquired.

PGG investigators also explored the possibility that the botnet was acquired by a state from members of organized crime in an exchange for favors. This would protect the state by maintaining plausible deniability and misdirection.

In this scenario, the state brings in its own technologists to make some modifications and deliver the payload, which was purposefully cobbled together from a five-year-old virus to propel the misdirection strategy even further.

How many states have the technical know-how and strategic connections with organized crime to pull this off? Probably all of the usual suspects. Possible motivations, however, are not clear.

In my opinion, the most likely scenario is a nonstate Korean hacker living in China or j.a.pan who saw an opportunity to embarra.s.s the United States and South Korea and took it.

I expanded the investigation from the purely technical aspects to include a geopolitical component and that is how I made the conclusion I did. That meant looking into the cyber warfare capabilities of the ROK's popular choice for a villain-the Democratic People's Republic of Korea (DPRK), also known as North Korean.

The DPRK's Capabilities in Cybers.p.a.ce.

North Korea is an interesting dichotomy. It is a society on the edge of disintegrating due to intense poverty, almost no infrastructure, a weak power grid, and a lack of natural resources. Forget about Internet access anywhere but within the DPRK military.

That's because it spends almost of all its money on its military, particularly on training its highly educated young people in one of seven research labs, according to a paper auth.o.r.ed by Christopher Brown while at the Naval Postgraduate School in September 2004, t.i.tled "Developing a Reliable methodology for a.s.sessing the Computer Network Operations Threat of North Korea."

The top three labs in 2004, as described by Brown, were: Pyongyang Informatics Center (PIC) "Today PIC employs over 200 qualified software engineers, whose average age is 28, with 1.5 computers per person (according to Chan-Mo Park's article 'Current Status of Software Development in DPRK and Collaboration between the South and North,' August 2001). The PIC primarily focuses on software development and is responsible for the development of the General Korean Electronic Publication Systems, 3D CAD, embedded Linux software, web applications, interactive programs, accounting software, and more recently virtual reality software. It is reported that the PIC is also responsible for developing the filters to be used between the Kw.a.n.g Myong Intranet and the Internet."

Korea Computer Center (KCC) "The KCC was established in 1990 by Kim Il Sung to promote computerization in the DPRK. At its inception, the KCC employed approximately 800 employees whose average age was 26. Today Kim Jong Il's son, Kim Jong Nam-who also heads North Korea's intelligence service, the State Security Agency (SSA)-heads the KCC. He is also the chairman of North Korea's Computer Committee. In May 2001, the South Korean newspaper the Chosun Ilbo reported that Kim Jong Nam had moved the SSA's overseas intelligence gathering unit, which operates primarily by hacking and monitoring foreign communications, into the KCC building. In 2001, the South Korean media reported that the KCC was nothing less than the command center for Pyongyang's cyber warfare industry, masquerading as an innocuous, computer-geek-filled software research facility."

Silver Star Laboratories (Unbyol) "Silver Star Laboratories (SSL) was established in 1995 under the Korean Unbyol General Trading Corporation. According to Kang Yong Jun, the director of SSL, the average age of the researchers at SSL is 26 years, with most graduating from Kim Il Sung University and other distinguished universities across the country. Prospective employees are usually graduates of the Pyongyang Senior Middle School No.1, a genius-training center.

"SSL has developed such programs as Silver Mirror, a remote control program, communications, and artificial intelligence software. SSL also produces several language recognition programs and multimedia software, in addition to taking special orders from foreign companies (Korean Central News Agency, 'Silver Star Laboratories of Korea,' http://www.kcna.co.jp/item/1998/9809/news09/23.htm, September 1998). SSL won at the fourth and fifth annual FOST Cup World Computer Go Champions.h.i.+p compet.i.tions, held in 1998 and 1999, respectively."

In other words, North Korea doesn't have the infrastructure to sustain a civilian hacker population. All of its money and all of its talent (meaning young people who show the requisite abilities) are part of its military establishment.

The payload portion of this botnet woudn't have pa.s.sed muster at any of the official IT research facilities a.s.sociated with the DPRK. These are well-educated individuals, some having attended the Indian Inst.i.tute of Technology (one of the world's top technology schools), and the quality of their work is high.

A Korean hacker who wasn't part of the DPRK military wouldn't have the resources inside the DPRK to run this attack. More likely, either he is a DPRK-approved student at an Indian, Chinese, or j.a.panese university, or he is living in another country as an illegal.

Another alternative would be a Russian or Chinese hacker who simply wanted to set up a scenario that would embarra.s.s the United States and throw suspicion onto a likely fall guy-the DPRK.

What were the consequences of this attack? It showed how vulnerable certain government websites still are, both in the United States and South Korea.

US sites that went down during the Independence Day weekend attack included the Department of Transportation, the Secret Service, and the Federal Trade Commission. The State Department website was attacked and experienced degraded service. The White House and Department of Defense sites were also attacked, but experienced no negative impact.

Clearly more work needs to be done by the National Security Agency (NSA), which has been tasked to protect US government websites under the new distribution of responsibilities between the NSA and the Department of Homeland Security (DHS), which will focus on the protection of our civilian networks.

Another consequence was the response from Rep. Pete Hoekstra (R-MI), former chair of the House Intelligence Committee and now senior Republican member, who called for the US military to attack North Korea. Wired magazine reported the story on July 10, 2008: Whether it is a counterattack on cyber, whether it is, you know, more international sanctions...but it is time for America and South Korea, j.a.pan and others to stand up to North Korea or the next time...they will go in and shut down a banking system or they will manipulate financial data or they will manipulate the electrical grid, either here or in South Korea. ... Or they will try to, and they may miscalculate, and people could be killed.

He also claimed that multiple experts who had been investigating the attack said that "most likely all the fingers" point to the North Koreans and this was a "state act" and not that of "some amateurs."

Of course, none of that is true. Why Hoekstra would make such claims is impossible to say, but it was reminiscent of other politically charged claims of imaginary threats coinciding with misstatements of intelligence findings and facts in evidence.

One Year After the RU-GE War, Social Networking Sites Fall to DDoS Attack.

On August 6, 2009, close to the one-year anniversary of the August 8 invasion of Georgia by Russian troops, the Georgian blogger known as Cyxymu became the focal point of a series of DDoS attacks that would end up taking Twitter offline and severely hampering Facebook and LiveJournal access, inconveniencing millions of users.

From the beginning, this seemed like overkill on the part of those launching the DDoS attacks. Then, as information began to come in regarding the small size of the botnets used, it became clear that Twitter's fragile infrastructure was also to blame.

Twitter has had bandwidth problems since its inception. Facebook has similar troubles, and LiveJournal has been operating with a skeleton staff ever since SUP acquired it from Six Apart in 2008. In other words, it didn't take too much to force the networks of these very popular services offline.

The DDoS attack consisted of a combination of email spam, a TCP-Syn attack, and a HTTP-query DDoS attack: The email spam (called a "joe-job") was sent by a 300-node botnet normally affiliated with sending out online casino spam.

The TCP-Syn attack was sent by a 3,000-node botnet. This type of attack interrupts the three-way handshake that must occur for packets to travel from an origination point to a destination point. Since the handshake never completes, the connection queue fills up and denies other users access to services.

An HTTP-query DDoS eats up a server's resources by sending more hits than it can process to its website.

The frailties of the networks involved didn't factor into Cyxymu's thinking on the subject. Cyxymu, a Georgian professor who blogs in Russian, is convinced that the impact of the attacks (knocking three large services offline) is evidence that the Russian government is behind it. According to an article in the Guardian on August 7, 2009, Cyxymu told the reporter: "Maybe it was carried out by ordinary hackers but I'm certain the order came from the Russian government," said the blogger, whose moniker is a Latin version of the Russian spelling of Sukhumi, the capital of Georgia's other breakaway republic, Abkhazia.

"An attack on such a scale that affected three worldwide services with numerous servers could only be organised by someone with huge resources."

To date, none of the individuals responsible has been identified, but there remains a great deal of animosity between the two countries.

There was a definite lack of chatter on Russian hacker forums about this incident-which is quite different from the Russia-Georgia cyber war of 2008-implying that this was more likely to be a locally contained feud orchestrated by a small group of individuals rather than the rallying call to cyber arms that was seen previously.

The lack of chatter and the virulent animosity that such an attack demonstrated led Project Grey Goose investigators to look at the possible involvement of Russian youth a.s.sociations, which have been linked to the Estonia and Georgia attacks, as well as attacks against anti-Kremlin websites, organizations, and individuals.

PGG research revealed that Georgia is still a highly volatile issue among some Nas.h.i.+ members. Eurasia.net reported that a motorcade of five vehicles containing approximately 20 Nas.h.i.+ members were stopped by Georgian authorities as they attempted to cross into the country on April 15, 2009. Nas.h.i.+ "commissar" Aleksandr Kuznetsov was detained and questioned about the group's plans. Kuznetsov produced a letter from Vasili Yakemenko, head of Russia's Committee for Youth Affairs, which endorsed the motorcade's mission and asked Russian officials who came into contact with Kuznetsov to a.s.sist him. Yakemenko is a former Nas.h.i.+ leader and the creator of another Russian youth group, Walking Together, established in May 2000.

This incident on the Georgian border was preceded by a Nas.h.i.+-organized protest at the Georgian emba.s.sy in Moscow on April 9, 2009, the day before the motorcade left Moscow for Tbilisi. In addition, according to Georgian authorities who interviewed Kuznetsov, some of the 20 Nas.h.i.+ members were armed with weapons and were prepared to engage Georgian authorities on the border if prevented from reaching their destination.

The animosity against Georgian blogger Cyxymu is longstanding, with the first DDoS attack occurring in October 2008, which also knocked LiveJournal offline. The fact that he has a wide readers.h.i.+p and blogs in Russian makes him a popular target for anti-Georgian factions within Russia.

By taking a closer look at the historical record, Project Grey Goose investigators were able to better refine the players involved and make a more informed a.s.sessment of who was behind the attacks and why. Investigators concluded that this was a likely Nas.h.i.+-orchestrated action against a highly visible and controversial blogger, symbolizing their anti-Georgian position on the anniversary of the Russia-Georgia war. The fact that it brought down two social networks in the process was more a reflection of Twitter and LiveJournal's fragile architecture than the power of the attack.

Ingushetia Conflict, August 2009.

Ingushetia is one of the poorest, most corrupt, and violent of the Russian Federation's outlying states. It neighbors Chechnya and, in recent months, has outdone its neighbor in terms of random killings and escalating levels of violence and desperation.

The latest conflict involves Jihadist radical groups attempting to unseat the military leaders.h.i.+p. The princ.i.p.al religion in the North Caucasus region is Islam, and young people in particular are becoming radicalized in the face of an oppressive and corrupt governing regime.

One of the loudest voices of the opposition movement is a website-Ingushetia.org, formerly Ingushetia.ru. One year ago, the owner of that website, Magomed Yevloyev, was arrested by police, ostensibly to answer some questions as part of an investigation. On the way to police headquarters, while seated in the back of a police car, Yevloyev was "accidentally" shot in the temple, according to the Interior Ministry of Ingushetia.

The Ingushetia.org website has experienced hacker attacks off and on since 2007, usually timed to its more controversial p.r.o.nouncements, such as the "I have not voted" campaign launched during the 2007 Russian elections.

In July and August of 2009, DDoS attacks were launched against this website, coinciding with increasing tensions between the government and the opposition. On August 17, 2009, a suicide bomber driving a truck packed with explosives blew himself up near the Ingushetia police station, leaving 20 dead and 130 injured.

Not surprisingly, at least one C&C server involved in the DDoS attacks against Ingushetia.org is hosted on an IP address that is affiliated with Russian organized crime (the Russian Business Network, or RBN).

Russian investigative journalist Andrei Soldatov wrote about suspected Federal Security Service (FSB) involvement in cyber attacks in the region dating back to 2002 in an article that was published in Novaya Gazeta on May 31, 2007. He was fired from the paper in November 2008, reportedly as the result of financial pressure. Alternatively, it may have been that the FSB tired of his ceaseless investigations into their operations.

The Ingushetia.org attacks begin to paint a picture of a more sophisticated attack framework being adopted by the Kremlin against its political opponents: The Kremlin, with the help of the FSB, targets opposition websites for attack.

Attack orders are pa.s.sed down through political channels to Russian youth organizations whose members initiate the attack, which gains further momentum through crowd-sourcing.

Russian organized crime provides its international platform of servers from which these attacks are launched, which in some cases are servers hosted by badware providers in the United States.

The Predictive Role of Intelligence.

The core responsibility of intelligence as a discipline is to provide state leaders.h.i.+p with insight into what the emerging threats are before they manifest into an attack on the state.

This was already a difficult task when the only threats were physical. Today, intelligence agencies must also consider emerging threats in an entirely new dimension-cybers.p.a.ce. To make it even more difficult, the generation of experts currently performing this mission are still trying to understand just what a threat in cybers.p.a.ce looks like, or, even worse, what cybers.p.a.ce is.

One approach-further addressed in Chapter 12-is to build a predictive model that depicts how most politically motivated cyber attacks develop.

Another is to mine the various forums, websites, chat rooms, and other channels where the cyber underground conducts its business. This is often a hit-and-miss proposition because the more experienced crews are aware that forums are being watched and use IRC chat or other more secure methods of communication. Sometimes, however, mistakes happen and astute intelligence-gathering operations can capitalize on those sources.

However, these are pa.s.sive approaches to intelligence collection and a.n.a.lysis, and are not nearly sufficient to meet the IC's responsibility to identify emerging threats before they occur.

What is needed in cybers.p.a.ce is the same time-tested approach that has been used by spies since before Sun Tzu was a general. Sun Tzu's advice still applies today (from Chapter 13 of The Art of War, "The Use of Spies"): Hostile armies may face each other for years, striving for the victory which is decided in a single day. This being so, to remain in ignorance of the enemy's condition simply because one grudges the outlay of a hundred ounces of silver in honors and emoluments, is the height of inhumanity.

One who acts thus is no leader of men, no present help to his sovereign, no master of victory.

Thus, what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge.