NightDragon Attacks Update

Six previously unnamed energy companies targeted in a recent series of coordinated, covert and targeted attacks have now been identified, and could face legal liability for not disclosing the breaches to shareholders.  The victim list includes Exxon Mobil, Royal Dutch Shell, BP, Marathon Oil, Conoco Phillips, and Baker Hughes, according to articles now published on the web by The Register and TheAge, based on a report from McAfee.

The attacks were ongoing for at least one full year, and possibly as long as four years.  The so far unknown attackers worked through servers located in China.  The targets of the attacks appear to have been topographical maps worth ‘millions of dollars’ containing locations of potential oil reserves.

Researchers from McAfee had promised to withhold the identity of the affected companies in exchange for help in preparing a report to “educate the community.”  The public outing of the victims could cause companies to hesitate when asked to participate in anonymous studies in the future.  That is unfortunate, as this is exactly the kind of information that NEEDS to be gathered and shared in order to have any impact on incidents such as this in the future.

EU: Cyber Attacks “Acts Of War”

The BBC is reporting that Tony Blair’s former top national security adviser states an online attack by one state on another could be considered an “act of war”.  I couldn’t agree more, and in light of recent events that the CBC has reported, China has some explaining to do…

Sir Richard Mottram told a House of Lords inquiry new “laws of war” were needed to cope with this threat.  He also criticised the EU for the multi-million pound theft of carbon credits, saying its apparent lack of cyber security “took my breath away”.  Earlier this month, Foreign Secretary William Hague called for countries to come together to agree a set of rules to prevent “cyber war”.  He revealed that the Foreign Office IT system had come under attack from a “hostile state intelligence agency” as recently as January.

All of these events come amid claims from Bruce Schneier that the threat of online war is being exaggerated.  I tend to collect the evidence, and look for patterns.  I don’t know what Bruce is seeing, but I sure don’t like what I am seeing, and someone either needs to patch the great wall, or answer for their actions.

BBC Report

Canadian Government Under Attack

The Canadian government is under attack, apparently from China, giving foreign hackers access to highly classified information and forcing at least two key departments off the internet, according to CBC reports.  The attack was first detected in early January.  Hackers took over control of government computers belonging to top officials, most likely through drive-by web attacks or Trojan horse programs.  A spear-phishing email campaign was launched targeting executives and their staff with provocative messages containing malicious links or attachments.  Social engineering attacks were also used once the email system was compromised, asking staff to reveal passwords to key networks.  Once the attack was detected, security officials shut down all internet access in both affected departments in an attempt to stop the information leakage.  The containment effort left thousands of public servants without internet access.  Service has slowly been returning to normal since the attack.

The attacks were traced back to computer servers in China, but there is no way of knowing for certain if the hackers are Chinese, or using China to cover their tracks.  The Canadian government initially issued a statement dismissing it all as an “attempt to access” federal networks.  It has refused to release any further information.

CBC has confirmed that the attackers successfully penetrated computer systems at two main economic nerve centres, the Finance Department and Treasury Board, apparently taking control of computers in the offices of senior executives as part of a scheme to steal passwords that unlock entire government data systems.  It is unclear whether the attackers were able to compromise other networks and sensitive data.  The government is trying to keep the security breach under tight wraps.

CBC Report

Espionage & Information Engagement

Jart Armin posted recently regarding ‘Information Engagement’ or Espionage being a part of every nation’s security arsenal.  I wonder how much trust we afford our own operators in this field.

All governments are suffering from, experimenting with, or regularly using this form of intelligence gathering.  Information engagement experts provide the groundwork for informed military, information operations, and strategic communications decision-making and planning by creating and broadening situational awareness through the collection and analysis of cultural, social, political and economic data derived from an indigenous population and foreign media analytics.

The process itself can involve a range of activities, like interviewing on the ground, profiling individuals through social networks, monitoring email traffic, collecting web surfing information from ISPs and DNS providers, or utilizing web-based robots, spiders, botnets, and other data gathering tools.  These intelligence gathering efforts help inform not only military planning, but the psychological operations, network defense, operational security and media development that make up the information operations/strategic communications disciplines.

Recent revelations about online spying from GhostNet and Shadow Network have led to news stories about researchers tracking operators from within China.  There are other reports recently of similar networks and even disposable botnets being observed intermittently.  There is a considerable lack of evidence to support the claims that the Chinese government or legitimate Chinese business is behind these networks.

Espionage is considered a violation of law in most countries.  In the US, the National Clandestine Service is charged with balancing political correctness with covert espionage for the sake of national security, usually operating through seemingly legitimate, but expensive, contractors.  There is no doubt that China is a commercial empire, is knowledgeable in electronic warfare, and a skilled political opponent.  It would be foolish to assume that their clandestine operations and operators are inferior to those of North American or European forces, and that they would not also make use of contractors outside of their country to avoid finger-pointing.  When the tracks in the snow stop at a particular house, do you assume that the occupant is the person responsible for the tracks, or that the person responsible stopped making tracks in the snow at this location?

The evolution and wide adoption of social media by the masses and the corporate world as well has enabled the building of cheap online espionage infrastructures.  These apparatuses leverage sites such as Twitter, Facebook, LinkedIn, Blogspot, and Google Groups for building information collection and disinformation dissemination campaigns.  These new malicious networks often fly under the radar of most technologies, enabling elusive attacks and escaping attribution to any particular single source.

Keystroke logging and forwarding, stored data theft, interception of transient data and voice communications, malware, and botnets are some of the tools for online espionage.  This is making the job of telling the good guys from the bad guys much more difficult when conducting reconnaissance of online crime groups and malware research.  Who are the spooks and who are the crooks?

Internet Evolution

‘Chinese Whispers’ Documentary Illuminates Espionage

ABC.Net.AU’s Four Corners program aired an investigation on April 19th in which it claims that the IT systems of 3 major mining operations, Rio Tinto, BHP Billiton and Fortescue Metals, were all attacked and compromised from locations inside corporate China in the lead-up to the sentencing of former Rio Tinto mining executive Stern Hu for spying and accepting bribes.

In a documentary entitled ‘Chinese Whispers’, sources from within all 3 mining companies claim their IT systems were targeted and hacked with the intent of espionage.  All 3 companies claimed to have upgraded IT security in response to these attacks.  Rio Tinto discovered that an intruder had launched an attack impacting Rio’s Perth office, forcing it to bring its Singapore office offline for 3 days “to upgrade security”.  Fortescue had reportedly uncovered “sophisticated, targeted” attacks on key employees, resulting in a “serious IT security upgrade” and a new set of travel policies for employees.  Executives travelling to China are told to remove their BlackBerry batteries to prevent interception, encrypt all communications, and not take laptops with sensitive data into the country.

The program was unable to pinpoint where in China the alleged attacks came from, and had no hard evidence directly implicating the Chinese State.

SC Magazine has a detailed write-up.