Overblog Suivre ce blog
Editer l'article Administration Créer mon blog
23 septembre 2013 1 23 /09 /septembre /2013 12:35
photo Symantec

photo Symantec

September 23, 2013: Strategy Page

 

Over the last decade Internet security firms (especially Kaspersky Labs and Symantec) have been increasingly successful at identifying the hacker organizations responsible for some of the large-scale hacker attacks on business and government networks. The latest group to be identified is from China and has been called Hidden Lynx. This group appears to contain 50-100 hackers (as identified by their coding style) and is believed to be largely responsible for a large scale espionage campaign (“Operation Aurora) in 2010 and is still active.

 

The security firms also identify and describe major malware (software created by hackers for penetrating and stealing from target systems. Earlier this year Kaspersky Labs discovered of a stealthy espionage program called NetTraveler. This bit of malware had been secretly planted in PCs used by diplomats and government officials in over 40 countries. Also hit were oil companies and political activists opposed to China. No samples of the NetTraveler from Israel were available for this analysis, but the program apparently did appear in Israel (but may have been prevented from stealing anything). Dissection of NetTraveler indicated it was created by about fifty different people, most of them Chinese speakers who knew how to program in English.

 

Kaspersky also discovered a similar bit of malware called Red October, because it appeared to have been created by Russian speaking programmers. Red October was a very elaborate and versatile malware system. Hundreds of different modules have been discovered and Red October had been customized for a larger number of specific targets. Red October was found to be in the PCs and smart phones of key military personnel in Eastern Europe, Central Asia, and dozens of other nations (U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan, and the UAE). The Red October Internet campaign has been going on for at least five years and has been seeking military and diplomatic secrets. As a result of this discovery Internet operators worldwide shut down the addresses Red October depended on.

 

Red October does not appear to be the product of some government intelligence agency and may be from one of several shadowy private hacker groups that specialize in seeking out military secrets and then selling them to the highest bidder. The buyers of this stuff prefer to remain quiet about obtaining secrets this way. In response to this publicity, the operators of Red October have apparently shut down the network. The Russian government ordered the security services to find out if Russians were involved with Red October and, if so, to arrest and prosecute them. Russia has long been a sanctuary for Internet criminals, largely because of poor policing and corruption. It may well turn out that the Red October crew is in Russia and has paid off a lot of Russian cops in order to avoid detection and prosecution. To date, the operators of Red October have not been found.

 

South Korea has been subjected to a growing number of Cyber War attacks over the last few years, some of them quite damaging. In the last year South Korean security researchers concluded that nearly all these attacks were the work of one group of 10-50 people called DarkSeoul. Given the extent of the attacks, the amount of work required to carry them out, and the lack of an economic component (no money was being stolen) it appeared to be the work of a national government. That coincides with earlier conclusions that North Korean, not Chinese, hackers were definitely responsible for several attacks on South Korean networks. The most compelling bit of evidence came from an incident where a North Korean hacker’s error briefly made it possible to trace back to where he was operating from. The location was in the North Korean capital at an IP address belonging to the North Korean government. Actually, very few North Korean IP addresses belong to private individuals and fewer still have access to anything outside North Korea.

 

Details of DarkSeoul were uncovered using pattern analysis of the hacker code left behind in damaged networks. This is a common technique for discovering who is behind an attack. There were patterns indicating the work of individual programmers and indications that there was only one organization involved in nearly all the attacks conducted since 2009. There was a lot of work involved in building all the software and assembling the resources (hacked South Korean PCs as well as hardware and network time required by the DarkSeoul team), and all this had to be paid for by someone. The likely culprit was North Korea, which has threatened Cyber War attacks but not taken credit for them. This is typical of most North Korean attacks, both conventional and now over the Internet.

 

Long believed to be nonexistent, North Korean cyberwarriors apparently do exist and are not the creation of South Korean intelligence agencies trying to obtain more money to upgrade government Information War defenses. North Korea has had personnel working on Internet issues for over 20 years, and their Mirim College program trained over a thousand Internet engineers and hackers. North Korea has a unit devoted to Internet based warfare and this unit is increasingly active.

 

What most of these large scale attacks have in common is the exploitation of human error. Case in point is the continued success of attacks via Internet against specific civilian, military, and government individuals using psychology, rather than just technology. This sort of thing is often carried out in the form of official looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting but from someone they recognize. This is known in the trade as "spear fishing" (or "phishing"), which is a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the email recipient's PC to the spear fisher's computer. In the last year an increasing number of military, government, and contractor personnel have received these official-looking emails with a PDF document attached and asking for prompt attention.

 

The most recent example of the continued effectiveness of spear fishing can be seen in the repeated use of spear fishing by a group of Syrian hackers, calling themselves the Syrian Electronic Army (SEA). This group is loyal to the beleaguered Assad dictatorship in Syria. The SEA has been using spear fishing to hack into media sites. Despite most media companies having in place software and personnel rules to block spear fishing attacks, there are so many email accounts to attack and you only have to get one victim to respond for the SEA to get in (using the login data from the compromised account). The automated defenses are supposed to block the actions of the hacker software that is triggered when the victim clicks on the email attachment, but hackers keep finding exploitable vulnerabilities to the defenses and these make the defenses vulnerable, at least until the vulnerability is detected and patched.

 

China has been a major user of spear fishing and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spear fishing payloads. The methods, and source of many spear fishing attacks, have been traced back to China. In 2010 Internet security researchers discovered a China-based espionage group, called the Shadow Network, which had hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. Examination of the viruses and related bits of computer code indicated that most of this stuff was created by Chinese speaking programmers, and all movement of command and stolen data led back to servers in China. Since China is an ally of the Assad government, the SEA has access to the best spear fishing tools. The Shadow Network had also hacked into PCs used by military and civilian personnel working for the Indian armed forces, and made off with huge quantities of data. This was done via Internet based attacks against specific military and government officials via "spear fishing" (or "phishing").

 

China's Cyber War hackers have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical bits of code (the human readable text that programmers create and then turn into smaller binary code for computers to use) and techniques for using it in hacking software used against Tibetan independence groups and commercial software sold by some firms in China and known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this.

 

It's also been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined and go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That's how so many hackers are tracked back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

 

The East Europeans have been at this longer and most of the hackers work for criminal gangs, who enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect (when they are breaking in) and much more difficult to track down. Thus the East Europeans go after more difficult (and lucrative) targets. The Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents who often slip over to the dark side and scam Chinese. This is forbidden by the government and these hackers are sometimes caught and punished, or simply disappear. The Chinese hackers are, compared the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers but they often lack adult supervision (or some Ukrainian gangster ready to put a bullet in their head if they don't follow orders exactly).

 

For Chinese hackers that behave (don't do cybercrimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can't handle. This was seen recently when one group of hackers were caught trying to get into a high-security network in the White House (the one dealing with emergency communications with the military and nuclear forces). These amateurs are often caught and prosecuted. But the pros tend leave nothing behind but hints that can be teased out of heavy use of data mining and pattern analysis.

Partager cet article

Repost 0

commentaires

Présentation

  • : RP Defense
  • RP Defense
  • : Web review defence industry - Revue du web industrie de défense - company information - news in France, Europe and elsewhere ...
  • Contact

Recherche

Articles Récents

  • ITW SDBR : général Vincent Desportes, Professeur des Universités associé à Sciences Po Paris, Ancien directeur de l’Ecole de Guerre
    23.01.2017 par Alain Establier - SECURITY DEFENSE Business Review N°164 SDBR : Quel regard portez-vous sur la Défense de la France ? Vincent Desportes* : A l'issue de cette mandature, nous voyons un empilement d'actions réactives, à vocations plus politiciennes...
  • Chronique culturelle 9 Janvier
    Hussards du régiment de Bercheny en 1776 09.01.2017 source JFP 9 janvier 1778 : mort du créateur des régiments de Hussards (Luzancy – près de Meaux). Emigré hongrois et excellent capitaine au service de la France, Ladislas Ignace de Bercheny , obtient...
  • Chronique culturelle 04 Jan.
    Insigne général des Troupes de Forteresse de la Ligne Maginot 04.01.2016 source JFP 4 janvier 1894 : signature de l’alliance franco-russe. Préparée par de nombreuses activités bilatérales dans les années précédentes, une convention militaire secrète est...
  • Chronique culturelle 03 Jan.
    Napoléon en Egypte par Jean-Léon Gérome 03.01.2017 source JFP 3 janvier : Sainte Geneviève, patronne de la gendarmerie. Issue de la noblesse gallo-romaine du IVe siècle, elle convainc les habitants de Lutèce de ne pas livrer leur ville à Attila, roi des...
  • Au Levant, contre Daech avec les Forces Spéciales
    photo Thomas Goisque www.thomasgoisque-photo.com Depuis plus de deux ans, les hommes du C.O.S (Commandement des Opérations Spéciales) sont déployés au Levant et mènent, en toute discrétion, des opérations contre l’Etat islamisque.Au nord de l’Irak, ils...
  • Les blessés en Opérations extérieures ne prennent pas de vacances !
    Source CTSA Pendant la période des fêtes de fin d'années, le nombre de donneurs diminue dangereusement. Le site de Clamart du Centre de transfusion sanguine des armées (CTSA) invite fortement les donneurs des communes proches à profiter des vacances de...
  • Interview SDBR de Gaël-Georges Moullec, Historien
    photo SDBR 20.12.2016 par Alain Establier - « SECURITY DEFENSE Business Review » n°162 SDBR: Comment va la Russie aujourd’hui? Gaël-Georges Moullec * : Il n’y a plus d’ascenseur social dans la Russie d’aujourd’hui, ce qui est un problème moins connu,...
  • Chronique culturelle - 16 Déc. 2016
    Regiment de la marine (1757) - Planche extraite des Troupes du roi, infanterie française et étrangère, 1757, tome 1. Musée Armée 16.12.2016 source JFP 16 décembre 1690 : création des compagnies franches de la Marine. Par ordonnance, 82 compagnies franches...
  • Externalisation de la Défense et de la Sécurité en France ? - 15 Décembre
    Le Comité directeur de l'ANAJ-IHEDN a le plaisir de vous inviter à la conférence : Vers une externalisation de la Défense et de la Sécurité en France ? Guillaume FARDE Maître de conférences à Sciences Po Paris, auteur de Externaliser la sécurité et la...
  • Chronique culturelle - 24 Nov.
    24 novembre 1977 : premier vol du Super Etendard de série 24.11.2016 source JFP 24 novembre 885 : début du siège de Paris par les Vikings. Très actifs durant le IXè siècle, les Vikings ont pris l’habitude de remonter les fleuves du Nord de la France pour...

Categories