Cyberwar, Espionage, and APTs:
Military and intelligence applications
of network attack and defense
The term cyberwar has been misused to promote various agendas. The often abused term "Digital Pearl Harbor" usually indicates that the speaker or writer is hyping something for political reasons, often with little to no understanding of the technology. However, cyberwar is going on, with the U.S., China, and Russia as major players. Denial-of-service attacks have played roles in parallel with physical attacks, and espionage attempts are constant. Let's look at some meaningful information on cyberwar.
The term Remote Access Trojan or RAT was initially popular for describing the advanced threats of the mid 1990s through maybe 2010. The term Advanced Persistent Threat or APT is cited as first being used by USAF Colonel Greg Rattray in 2006, it soon became common for describing precisely targeted threats using advanced techniques and typically lurking unseen for an extended time to extract data, gather intelligence for later attacks, or sabotage systems.
A true APT is very advanced and persistent. They are complex and sophisticated, especially the nation-state-sponsored ones. And they are persistent: analysis has shown that some have been in place undetected for several years.
Some cybersecurity vendors have become very sloppy with the term! Some vendors say "APT" to refer malware that affects a server instead of just desktops. Or, to ransomware that hits a file server instead of just one desktop. Or, worse yet, to anything at all that's more complicated than the standard Windows trojan. Let's not make the cybersecurity jargon any sloppier than it already is!
Lists of APT and major threat groups
Some organizations and individuals are trying to keep track of the names assigned to major threat groups:
Mitre Florian Roth's list MISP Galaxy Adversary Groups
International Conflict on the Internet
National Security Archive
at George Washington University maintains
The Cyber Vault,
a large and growing archive of documents
on various aspects of cyber activities
from the U.S. and foreign governments,
international organizations, and cybersecurity firms.
The Cyber Vault
The RAND Corporation wrote what looks like a good analysis of cyberwar for the U.S. Air Force.
Seymour Hersh wrote a good article for The New Yorker, "The Online Threat: Should we be worried about a cyber war?"
At the 2013 RSA conference a senior PLA colonel said "In the U.S., military espionage is heroic and economic espionage is a crime, but in China the line is not so clear."
I haven't tried to distinguish between conflicts directly between governments (e.g., Stuxnet), between supporters of a government against another government (e.g., Estonia in 2007), and between what might be spinoffs of the PLA conducting espionage against U.S. defense contractors.
As a general trend, attacks out of eastern Europe (Russia, Ukraine, Romania, and Bulgaria are prominent sources) tend to be criminal in nature — stealing financial information, extortion through DDoS or crypto-locker software, and stealing corporate information. Attacks out of China tend to be more focused on industrial and national espionage.
I have tried to divide things by country and put them in time order, as that is complicated enough.
As for things like nation-state threats attacking banks, I don't know how to put that into a category. But it happens!
The People's Republic of China
During the NATO attacks on Serbia in the spring of 1999, including the accidental bombing of the Chinese embassy, there were retaliatory attacks against NATO's public web server (instigated from Belgrade) and against a number of U.S. government sites, including Dept of Interior, Dept of Energy, the National Park Service (!), and the U.S. embassy in China (instigated from Beijing and from groups supporting the Beijing government).
There were also attacks against U.S. and NATO systems from China. Federal Computer Week, 1 Sep 1999.
April-May 2001 — A US Navy EP3 intelligence gathering aircraft landed on Hainan Island after a mid-air collision with a Chinese fighter, leading to scattered attacks using "Kill USA" and "China Killer" programs. New Scientist, 23 Feb 2008 pp 24-25.
2003 — The "Titan Rain" coordinated attacks from China on U.S. computer systems were announced. Systems were compromised at Lockheed Martin, Sandia National Laboratories, Redstone Arsenal and NASA. It had been going on at least since 2000. This was an early example of an advanced persistent threat.
October 2007 — The US Department of Homeland Security's U.S. Immigration and Customs Enforcement agency reported that it had launched more than 540 investigations into illegal exports of controlled U.S. technology to China since 2000. Homeland Security Affairs, (Journal of the Naval Postgraduate School Center for Homeland Defense and Security), vol V, No 1, Jan 2009.
2007 to present —
A group of entities sometimes called the
seems to be associated with the state intelligence apparatus.
Several state intelligence operations from 2009 at least
through 2018 are linked to it, and there are signs of some
activity as early as 2007.
Analysts have given several names to this
collection of operations.
ProtectWise 401TRG May 2018 Overview Grugq analyzes Winnt operation Kaspersky initial report on Winnti (2013) Kaspersky Winnti technical analysis Kaspersky Winnti honeypot analysis Novetta on "Operation SMN" Winnti compromise of Bit9 FireEye on "Operation DeputyDog" Mandiant on APT1 Cylance on "PassCV" TrendMicro on Winnti Citizen Lab on attacks on media Palo Alto Unit 42 on attacks against Thailand ProtectWise 401TRG July 2017 report ProtectWise 401TRG October 2017 update Kaspersky on ShadowPad Kaspersky on Winnti-APT17 connections Intezer on Winnti-APT17 connections
January 2008 — The US Air Force said, "China has been positively identified as a source of campaign-style cyber attacks on Department of Defense systems."
January 2008 — The US Air Force said that papers in Chinese military journals and textbooks discuss ideas for war against the US in a confrontation over Taiwan, including communication jamming and computer malware.
February 2008 — The Australian government announced that Chinese hackers were launching targeted attacks to gather information from sensitive military secrets to the prices Australian companies will seek for resources such as coal. The Age, 10 Feb 2008.
11 February 2008 — US officials arrested a former Boeing engineer on charges of stealing trade secrets from the space-shuttle program, Delta IV rocket and other projects and sending them to agents of the Chinese government. Orlando Sentinel, 12 Feb 2008.
12 February 2008 — The Washington Times had a story on Chinese espionage.
15 February 2008 — The Washington Post had a story on Chinese espionage:
3 March 2008 —
The US Defense Department said that attacks in 2007 against
computer networks operated by governments and commercial
institutions around the world "appear" to have originated
story Government Executive,
4 Dec 2007 Government Executive,
3 Mar 2008 Government Executive,
6 Mar 2008 Federal Computer Week,
4 Mar 2008 2007 Report To Congress of the U.S.-China
Economic and Security Review Commission
24 March 2008 — Tibet protest groups have been targeted for attack with hostile e-mail attachments sent from Chinese servers. BBC World News, 24 Mar 2008.
25 March 2008 — "A Chinese-born engineer convicted of conspiring to pass U.S. military secrets to the People's Republic of China was sentenced Monday to 24 years and five months in federal prison." Information Week, 25 Mar 2008.
10 April 2008 — Business Week ran a cover story "The New E-spionage". Summary: many prolific sources based in PRC launch spear-phishing attacks on government workers and contractors. The To: and From: fields look relevant, content is relevant. Message has spyware attachment that will capture keystrokes and harvest data files, sending product back to PRC. Plus capability for remote access of the system. BYZANTINE FOOTHOLD has been a US project to detect, track, and disarm intrusions on critical government networks. "Poison Ivy" was the name given to PRC code by commercial infosec companies.
6 May 2008 — "Over the past one and a half years, officials said, China has mounted almost daily attacks on Indian computer networks, both government and private, showing its intent and capability." Times of India, 6 May 2008.
3 Nov 2008 —
Diplomatic Security Daily
publication of the U.S. Department of State reported the
sophisticated threat assigned code word Byzantine Candor,
with a subset of that known as Byzantine Hades.
BC = Byzantine Candor,
CNE = Computer Network Exploitation,
USG = United States Government,
DoS = Department of State (and not Denial of Service!), and
CTAD = Cyber Threat Analysis Division. As millions of copies of the WikiLeaks file contain, that report said:
¶39 (S//NF) Worldwide - BC conducting CNE on USG systems:
¶40. (S//NF) Key highlights:
BC actively targets USG and other organizations via
socially engineered e-mail messages.
BC actors recently compromised the systems of a U.S. ISP
to carry out CNE on a USG network.
Additional IP addresses were identified this month as
compromised and used for BC activity.
BC has targeted DoS networks in the past and may again in
the future via spoofed e-mail.
¶41. (S//REL TO USA, FVEY) Source paragraph: Byzantine
Candor (BC) actors have compromised multiple systems located
at a U.S. Internet service provider (ISP) and have used the
systems as part of BC's U.S.-based attack infrastructure
since at least March, targeting multiple victims including at
least one USG agency.8
¶42. (S//NF) CTAD comment: Since late 2002, USG organizations
have been targeted with social-engineering online attacks by
BC actors. BC, an intrusion subset of Byzantine Hades
activity, is a series of related computer network intrusions
affecting U.S. and foreign systems and is believed to
originate from the PRC. BC intruders have relied on
techniques including exploiting Windows system
vulnerabilities and stealing login credentials to gain access
to hundreds of USG and cleared defense contractor systems
over the years. In the U.S., the majority of the systems BC
actors have targeted belong to the U.S. Army, but targets
also include other DoD services as well as DoS, Department of
Energy, additional USG entities, and commercial systems and
networks. BC actors typically gain initial access with the
use of highly targeted socially engineered e-mail messages,
which fool recipients into inadvertently compromising their
systems. The intruders then install malware such as
customized keystroke-logging software and command-and-control
(C&C) utilities onto the compromised systems and exfiltrate
massive amounts of sensitive data from the networks. This
month, BC actors attempted to compromise the network of a
U.S. political organization via socially engineered e-mail
messages (see CTAD Daily Read File dated October 16).
¶43. (S//REL TO USA, ACGU) CTAD comment: Also discovered this
month by USG analysts was the compromise of several computer
systems located at a commercial ISP within the United States.
According to Air Force Office of Special Investigations
(AFOSI) reporting, hackers based in Shanghai and linked to
the PRC's People's Liberation Army (PLA) Third Department
have been using these compromised systems as part of the
larger BC attack infrastructure to facilitate computer
network exploitation (CNE) of U.S. and foreign information
systems. Since March, the responsible actors have used at
least three separate systems at the unnamed ISP in multiple
network intrusions and have exfiltrated data via these
systems, including data from at least one USG agency. AFOSI
reporting indicates, on March 11, BC actors gained access to
one system at the ISP, onto which the actors transferred
multiple files, including several C&C tools. From here, the
intruders used the tools to obtain a list of usernames and
password hashes for the system. Next, on April 22, BC actors
accessed a second system at the ISP, where they transferred
additional software tools. From April through October 13, the
BC actors used this computer system to conduct CNE on
multiple victims. During this time period, the actors
exfiltrated at least 50 megabytes of e-mail messages and
attached documents, as well as a complete list of usernames
and passwords from an unspecified USG agency. Additionally,
multiple files were transferred to the compromised ISP system
from other BC-associated systems that have been previously
identified collecting e-mail messages from additional
victims. The third system at the U.S. ISP was identified as
compromised on August 14, when BC actors transferred a
malicious file onto it named
"salaryincrease-surveyandforecast.zip." According to AFOSI
analysis, BC actors use this system to host multiple webpages
that allow other BC-compromised systems to download malicious
files or be redirected to BC C&C servers.
¶44. (S//REL TO USA, FVEY) CTAD comment: Additional DoD
reporting this month indicates BC actors have used multiple
other systems to conduct CNE against U.S. and foreign systems
from February through September. A October 23 DoD cable
states Shanghai-based hackers associated with BC activity and
linked to the PLA have successfully targeted multiple U.S.
entities during this time period. The cable details dozens of
identified Internet Protocol (IP) addresses associated with
BC activity as well as the dates of their activity. All of
the IP addresses listed resolve to the CNC Group Shanghai
Province Network in Shanghai, and all the host names of the
addresses contained Asian keyboard settings as well as China
time zone settings. Most of these IP addresses were
identified as responsible for direct CNE of U.S. entities,
including unspecified USG organizations, systems and
networks. Interestingly, although the actors using each IP
address practiced some degree of operational security to
obfuscate their identities, one particular actor was
identified as lacking in these security measures. On June 7,
the BC actor, using an identified IP address, was observed
using a Taiwan-based online bulletin board service for
¶45. (S//NF) CTAD comment: BC actors have targeted the DoS in
the past on multiple occasions with socially engineered
e-mail messages containing malicious attached files and have
successfully exfiltrated sensitive information from DoS
unclassified networks. As such, it is possible these actors
will attempt to compromise DoS networks in the future. As BC
activity continues across the DoD and U.S., DoS personnel
should practice conscientious Internet and e-mail use and
should remain informed on BH activity. (Appendix sources
I do not understand what is meant by:
and all the host names of
the addresses contained Asian keyboard settings
as well as China time zone settings.
Yes, the DNS PTR records might contain non-ASCII characters in the host names, and "Asian keyboard settings" might be a clumsy way of saying that. But "China time zone settings"? That says to me that they were looking at e-mail headers.
20 Nov 2008 — A U.S. Congressional advisory committee releases a report warning that Chinese attacks on civilian, government, and military networks are rising. This was also reported in Information Week.
18 Apr 2009 — Newsweek magazine reports on "Ghostnet". It was politically oriented, compromising systems belonging to the Dalai Lama's Tibetan exile centers in India, London and New York, along with embassies, foreign ministries and other government offices. See the reports from the SecDev Group and the Munk Centre for International Studies, and the University of Cambridge. Also see the McAfee—Foundstone detailed analysis Know Your Digital Enemy: Anatomy of a Gh0st RAT.
Some calm thinking on the Chinese hacking threat — Bruce Schneier's essay for the Discovery Channel pointed out that the truth is a lot more complicated. Much is from patriotic Chinese citizens, plus a lot of automated attacks run on compromised systems that just happen to be located in China.
Mid-2009 — China began "Operation Aurora" in the middle of the year, continuing through December. It was aimed at stealing intellectual property from dozens of technical corporations, including Google (the first to publicly disclose it, in December), Rackspace, Adobe Systems and Juniper Networks, all of whom publicly confirmed being targeted, plus Northrop Grumman, Dow Chemical, Morgan Stanley, Yahoo and Symantec.
Nov 2009 — The "Night Dragon" attacks began, launched against several global petrochemical and energy companies. These evolved into sophisticated attacks, advanced persistent threats as they're now known. McAfee has a good overview and detailed white paper describing these.
Jan 12-13 2010 — Google announced that they detected "a highly sophisticated and targeted attack" originating from China. Reuters reported on this. Dark Reading had a summary mentioning that Adobe was also a victim.
Feb 11 2011 — Dark Reading reported that McAfee had detected the "Night Dragon" series of APT attacks on major energy firms beginning as early as 2008, saying that they had "identified tools, techniques, and network activities utilized ... that point to individuals in China as the primary source", saying the hackers appear to be based in Beijing and working standard local business hours. Paris Match reported, and the French government subsequently confirmed, that over 150 computers in the Ministry of Economy and Finances had been penetrated for months leading up to the French-hosted G20 summit in February 2011.
May 8 2012 — Dark Reading reported that Cyber Squared had infiltrated the attackers' communications channel and gathered information on a widespread series of attacks dating back to 2011 against over twenty private firms, government organizations, and think tanks linked to Chinese strategic interests.
Sep 7 2012 — Symantec reported on the Elderwood Project, which includes the Aurora Trojan horse and other related attacks re-using components of a shared attack infrastructure. The primary targets are primarily members of the defense supply chain. Dark Reading has a summary.
Sep 25 2012 — Dark Reading reported on the "VOHO" attack campaign with ties to China. RSA's report is The VOHO Campaign: An In Depth Analysis. The VOHO attack is reported to share components of the Elderwood Project.
Sep 2012 — Peter the Great Versus Sun Tzu is an interesting analysis and comparison of Chinese and Russian hackers. Eastern European hackers tend to develop and use far more sophisticated malware running on their own fairly bulletproof hosting infrastructure, while East Asian hackers use simpler techniques running on cheap infrastructure at mass-hosting ISPs. Eastern European hackers work in small elite teams to steal credentials and directly derive profit, while East Asian hackers work in large groups at the direction of large institutions to steal sensitive corporate data.
Oct 2012 — The House Intelligence Committee warned U.S. companies to avoid Chinese telecommunications companies Huawei and ZTE See the Dark Reading report or the full investigative report.
January 2013 — The New York Times announced that an advanced persistent threat with suspected ties to the People's Republic of China, called APT12, had compromised its networks over the preceding four months. "Hackers in China Attacked the Times for Last 4 Months" The New York Times, 30 January 2013.
February 2013 — Mandiant released a detailed report on APT1, their label for a very sophisticated multi-year cyber espionage operation of the Chinese government. They provide evidence linking APT1 to the 2nd Bureau of the People's Liberation Army (PLA) General Staff Department's (GSD's) 3rd Department, using Military Unit Cover Designator Unit 61398. APT1 conducted economic espionage since 2006 against 141 victims in multiple industries in English-speaking countries, stealing hundreds of terabytes of data. The Washington Post reported on the story.
March 7 2013 — A Foreign Policy article reports: "Cyber-warfare directed against American companies is reducing the gross domestic product by as much as $100 billion per year, according to a recent National Intelligence Estimate." And: "In the coming weeks, the NSA, working with a Department of Homeland Security joint task force and the FBI, will release to select American telecommunication companies a wealth of information about China's cyber-espionage program, according to a U.S. intelligence official and two government consultants who work on cyber projects. Included: sophisticated tools that China uses, countermeasures developed by the NSA, and unique signature-detection software that previously had been used only to protect government networks."
March 11 2013 — The Australian Financial Review reported that Chinese-developed malicious software had repeatedly penetrated the Reserve Bank of Australia's networks and extracted sensitive internal information.
March 14 2013 — Cyber Squared published a report Medical Industry — A Cyber Victim: Billions Stolen and Lives At Risk describing three APT attacks out of China against the medical industry. Mandiant reports at least five active Chinese hacker groups targeting the medical industry. A Dark Reading report summarizes this trend.
The same day, International Business Times reported that China launched a probe against Coca-Cola for alleged spying activities especially "collecting classified geographic information using handheld GPS devices".
Mar 2013 — The journal Science had an article "A Call to Cyber Arms" (vol 339 pp 1026-1027) discussing Mandiant's APT1 discussion and reporting: "In the academic world, a leader in cyber defense research is Shanghai Jiao Tong University's School of Information Security Engineering. In the past several years, its scientists have published openly on the injection of Trojan Horses into the Windows platform, for instance, and on the pros and cons of Rootkit, a program for hijacking a computer system. In Changsha, the National University of Defense Technology has a research program in electronic and information warfare. And at Dalian University of Technology in northeast China, a pair of researchers funded by the science ministry and the National Natural Science Foundation of china published a report in Safety Science in July 2011 on vulnerabilities in the western U.S. power grid.
Apr 2013 — FireEye released their Advanced Threat Report detailing 2,000 incidents involving Gh0st RAT, a remote-access tool and APT believed to have been developed in and deployed from China.
May 2013 — China was accused of high-profile cyber-espionage, stealing information on U.S. weapons systems including the FF-35, PAC-3, THAAD, Aegis, F/A-18, V-22 Osprey, Black Hawk helicopter, and the Littoral combat ship, in addition to more mundane business information. See "Plans for More Than Two Dozen U.S. Weapons Systems — Including an F-35 Fighter — Have Been Stolen by Chinese Hackers, Claims Pentagon", The Daily Mail, 28 May 2013.
June 14 2013 — Kaspersky Lab announced the analysis of the Red Star or NetTraveler APT. They had samples going back to 2005, although it seems to have been active at least since 2004. It's also known as TravNet and Netfile. Targets include Tibetan and Uyghur activists, oil industry companies, governments and government institutions including embassies, and military contractors. Their analysis of the malware indicates that it was developed by a team of about 50 people, most of which speak Chinese natively and have working knowledge of English. See Kaspersky's detailed report for more.
12 Nov 2013 — FireEye concluded that a number of Chinese APT campaigns may be more connected than previously thought. Eleven Chinese APTs shared malware tools, code, and digital certificates. See FireEye's report Supply Chain Analysis: From Quartermaster to Sunshop
19 May 2014 — The U.S. Department of Justice issued an indictment of five Chinese military officers "for computer hacking, economic espionage, and other offenses directed at six American victims in the U.S. nuclear power, metals, and solar products industries." Time and CNN reported on this. Wired covered the indictment and also ran a story "How a Chinese Tech Firm Became the NSA's Surveillance Nightmare". The Lawfare blog discussed why the indictment was made. The five defendants were Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, members of Unit 61398 of the Third Department of the People's Liberation Army.
It had been clear for some time that the NSA had been attacking Chinese networks, see reports from CNN, Wired, and Bruce Schneier here and here. NSA had also been intercepting Cisco equipment shipments and modifying the contents to install their "implants". And, the Washington Post reported in 2013 that U.S. spy agencies had mounted 231 offensive cyber operations in 2011. China complained about what they saw as the hair-splitting distinction between NSA hacking China for purely national security reasons versus China hacking the US for economic reasons. See reports in the New York Times and DailyTech. Chinese retaliation was described by Reuters and Bloomberg and in Foreign Policy and The Los Angeles Times.
Foreign Policy ran a story "Exclusive: Inside the FBI's Fight Against Chinese Cyber-Espionage".
Xinhua reported "A spokesperson for China's State Internet Information Office on Monday published the latest data of U.S. cyber attack, saying that China is a solid defender of cyber security. The U.S. is the biggest attacker of China's cyber space, the spokesperson said, adding that the U.S. charges of hacking against five Chinese military officers on Monday are 'groundless'. Latest data from the National Computer Network Emergency Response Technical Team Coordination Center of China (NCNERTTCC) showed that from March 19 to May 18, a total of 2,077 Trojan horse networks or botnet servers in the U.S. directly controlled 1.18 million host computers in China."
July 2014 — CrowdStrike reported on what they called Deep Panda, a Chinese government cyber-operation against national security think tanks and human rights organizations. The think tanks in particular are staffed by former senior government officials with lots of insight of interest to the Chinese government and its military. CrowdStrike had noticed a sudden shift in interest by the Deep Panda operation, moving from Southeast Asia policy information to Iraq and related Middle East issues. This seems to be because of sudden advances in which the Islamic State of Iraq and the Levant group took control of large regions of Iraq, a country providing 20% of China's oil. See the CrowdStrike Deep Panda report for details on the shift in focus and the technology used in the continuing penetrations. The same group is thought to be behind the massive Anthem breach discovered in early 2015.
March 2015 — China explicitly acknowledged the existence of their cyber-warfare forces in The Science of Military Strategy, published by the top research institute in the People's Liberation Army and analyzed in the U.S. by the Center for Intelligence Research and Analysis and described in the book China's Evolving Military Strategy. See the story in The Daily Beast.
April 2015 — FireEye reported on what they called APT30, an advanced and very persistent operation against government and commercial entities across southeast Asia and India for over ten years. It was aimed at stealing information on political, economic, and military topics. FireEye concluded that it was a Chinese government operation.
June 2015 — The U.S. Government announced a data breach at the Office of Personnel Management or OPM that will likely have long-term geopolitical repercussions as it seems to have included a huge archive of background investigations used to grant security clearances. As the Washington Post described the data in July, 2014, when Chinese intrusion into OPM data was first noticed:
In those files are huge treasure troves of personal data, including "applicants' financial histories and investment records, children's and relatives' names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers."
See the nice overview at Krebs on Security, here is further summarization of that:
- March 2014 — Breach of OPM networks from China.
- July 2014 — OPM investigates the March breach.
- August 2014 — Investigators announce that USIS, a contractor doing background checks for DHS, was hacked.
- November 2014 — OPM's Office of the Inspector General publishes a report listing "significant" deficiencies in OPM's IT security. No comprehensive inventory of servers, databases, and network devices, no sign of a vulnerability scanning program. The report concluded, "We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency's IT security program."
- December 2014 — Keypoint had taken over the USIS contract, now Keypoint is hacked.
- February 2015 — Insurance company Anthem is hacked. Later analysis suggests it's the same group of Chinese hackers. A private firm, not a government or military agency.
- May 2015 — Premara Blue Cross and Carefirst Blue Cross are hacked, affecting 11 million and 1.1 million customers, respectively. Again, the same attack infrastructure and methods seems to have been used.
- June 2015 — OPM discloses their breach, initial reports said it affects "up to 4 million federal employees" but later reports add that it may be many, if not all, applicants for security clearances over decades.
- 9 July 2015 — OPM concludes its investigation of the breach discovered in June 2015, revealing that 19.7 million individuals (plus 1.8 million non-applicants such as spouses and partners) were affected by the intrusion. This is in addition to the 4.2 million whose personal information was compromised in April 2015.
November 2016 — The Citizen Lab group at the University of Toronto reported on a malware operating targeting members of the Tibetan Parliament in exile over August through October 2016. It's a good, detailed report describing a combination of social engineering and customized malware known as KeyBoy.
April 2007 — The "Bronze Soldier" statue was moved from central Tallinn to a military cemetery. To Estonians, the statue was a symbol of almost 50 years of Soviet occupation. To Russia and to Estonians of Russian descent (about 25% of population of 1,300,000) the move was an insult to the memory of soldiers who fought the Nazis in WWII. There was street violence 26-28 April. The Sydney Morning Herald covered this.
9 May 2007 — Government web sites lost external connectivity due to a massive DDOS atack. Many of the attacking hosts were in Russia, some belonged to the Russian government. Official government involvement, support, or even awareness was kept obscure at the time. The U.S. Defense Intelligence Agency's Russia Military Power Report 2017 reported, 10 years later, "It is widely accepted that Russia, via patriotic hackers, conducted a cyber attack on Estonia in 2007." That report cited "The Rise of Hacktivism" by Dorothy Denning in the Journal of International Affairs, 8 September 2015.
24 Jan 2008 — Dmitri Galushkevich, an ethnic Russian, was convicted Jan 2008 for his involvement. Fined 17,500 kroons (1120 Euros, 1620 US$) for his part in attack against website of Reform Party of Prime Minister Andrus Ansip, one of many DDOS attacks on Estonian government and businesses. The Sydney Morning Herald covered this.
2 April 2008 — "Almost a year after falling victim to a "cyber-war" blamed on Russian hackers, the Baltic state of Estonia is now piloting NATO's efforts to ward off future online attacks on alliance members. After this week's NATO's summit in Romania, Estonia and seven other alliance partners will set up the "Cyber Defence Centre of Excellence" in Tallinn next month. The United States, Germany, Italy, Spain and Estonia's fellow ex-communist NATO member states Latvia, Lithuania and Slovakia will spearhead the project." The Age covered this.
11 March 2009 — The pro-Kremlin youth group Наши, or Nashi, meaning Ours, claimed responsibility for making the attack on behalf of the Kremlin. Wired and The Register covered this.
As reported by RFE/RL, a State Duma Deputy from the pro-Kremlin Unified Russia party said, "About the cyberattack on Estonia... don't worry, that attack was carried out by my assistant. I won't tell you his name, because then he might not be able to get visas."
2014 — Estonia quickly grew from being a small republic within the Soviet Union to one of the most technologically advanced nations. Skype was developed in Estonia. Most of citizens' interaction with the national government has moved onto the Internet. For details see:
- Taavi Kotka, Estonia's CIO, Is Putting the 'E' in Estonia, OZY.com
- Lessons from the World's Most Tech-Savvy Government, The Atlantic
- How Estonia became E-stonia, BBC
In early 2014, while Russia was forcably annexing Ukraine's Crimean Peninsula and threatening an invasion of eastern Ukraine, Estonia's CIO Taavi Kotka announced a plan to establish "data embassies". The Estonian government would upload all their data to cloud servers distributed around the world. If Estonia were invaded either physically or electronically, the government and its functions would be preserved. See "Concerned About Russian Invasion, Estonia Plans 'Data Embassies' in Allied Countries" from the Atlantic Council.
27 May 2009 — The Finnish military announced plans to establish "a cyberwar unit charged with protecting government data communications". It sounds more like pure defense and threat monitoring, made to sound more exciting with the buzzword "cyberwar"....
August 2008 — Russian military forces move into Georgia, citing requests for help from ethnic Russian communities in Georgian breakaway regions of South Ossetia and elsewhere. At the same time, DDOS attacks orchestrated out of Russia blocked access to Georgian government web sites. I don't know everyone's feeling on this, but if armored vehicles are rolling down the street in front of my home, and I see combat aircraft overhead and hear incoming artillery rounds, my inability to look at the Georgian equivalent of whitehouse.gov is going to be of relatively little concern...
This seemed to be another case of "Russian patriotic citizens rise up" and do the attack on their own, where the government does not direct them but neither does it stop them or even disapprove. Wired.com described how a Russian coder took credit for hacking Georgian sites including www.parliament.ge, the Georgian parliament's site.
Also see "Russian Hacker Forums Fueled Georgia Cyber Attacks", Washington Post, 16 Nov 2008.
October-November 2008 — Major news organizations started seriously questioning the accepted view of the military action is nothing but Russian aggression and Georgian self-defense, as Georgian targeting of civilians and other details come to light. See these reports:
See the "Russian Cyberwar on Georgia" report for lots of details on the military action, the Internet attacks, and the coverage: http://hostexploit.com/
September 2009 — Aviation Week and Space Technology ran an article (14 Sep 14 2009 pp 54-55) titled: "Cyberwar is Official" and subtitled: "Network attack, digital time bombs and information exploitation are now combat standards", quoting an analysis from the U.S. Cyber Consequences Unit (US-CCU), "only parts of which are available to the public". The article describes US-CCU as "an independent organization that does cyber-forensics and analysis for private organizations and government, including the National Security Agency and CIA." It's a non-profit research group with some affiliation to the Tufts University law school, the domain is registered to a guy in Vermont with an AOL e-mail address:
% whois usccu.us Domain Name: USCCU.US Domain ID: D7129910-US [....] Registrar URL (registration services): whois.schlund.de Domain Status: ok Registrant ID: SPAG-33246501 Registrant Name: Scott Borg Registrant Address1: PO BOX 1390 Registrant City: NORWICH Registrant State/Province: VT Registrant Postal Code: 05055 Registrant Country: United States Registrant Country Code: US Registrant Phone Number: +1.8026493849 Registrant Email: firstname.lastname@example.org
August 2012 — Iran was suspected to be behind attacks on Saudi Aramco and Qatar-based RasGas. The New York Times covered the story when a US Department of Homeland Security warning appeared the following year.
May 2014 — FireEye releases their report Operation Saffron Rose, in which they describe the Ajax Security Team as a hacker group that formed in 2010, doing DDoS and web site defacements. FireEye says they have transitioned formed in 2010, doing DDoS and web site defacements. FireEye says they have transitioned into malware-based espionage against the U.S. Military-Industrial Complex and Iranian dissidents. However, Krypt3ia disparages the report as mostly hype "on a slow news day at FireEye".
May 2014 — iSIGHT reported on the Newscaster threat from Iran, underway at least since 2011. It targets US and Israeli military, government, and defense contractors by posing as journalists on Facebook, Twitter, YouTube, and LinkedIn. They have built a bogus journalism website newsonair.org on which they simple copy and paste content from actual news sites. They then use social media to make contact and then send spear-phishing attacks to their targets. A New York Times story also covered this.
March 2016 — the U.S. Department of Justice indicted seven hackers operating on behalf of the Iranian government for running DDoS attacks against 46 organizations, most of them U.S. financial institutions, from late 2011 through mid 2013. At its peak in September 2012, the attack reached 140 Gbps directed at the banks' networks. Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan (a.k.a. Nitr0jen26), Omid Ghaffarinia (a.k.a. PLuS), Sina Keissar, and Nader Saedi (a.k.a. Turk Server) were employed by ITSecTeam (a.k.a. ITSEC) and Mersad Company, both of which were working for the Iranian government and the Islamic Revolutionary Guard. See the stories in the New York Times and Dark Reading.
The DDoS targets included JPMorgan Chase, Bank of America, the New York Stock Exchange, Capital One, ING Bank, BB&T, Fidelity, US Bank, PNC Bank, and AT&T.
Firoozi is accused of accessing a Windows XP system serving as a SCADA controller for the Bowman Dam in Rye, New York, between August 23 and September 18 of 2013. It was read-only access of water levels, temperature, and the status of a sluice gate as the dam was under repair and offline. But seriously: In 2013 there was a Windows XP system serving as a dam's SCADA system while it was exposed to the Internet. Who thought that was a reasonable plan?
Earlier the same week, the D.O.J. charged three Syrian Electronic Army hackers for targeting U.S. government and media websites and social media accounts.Al Arabiya on
Iran's Cyber Army,
January 2017 Al Arabiya on
Iran's Cyber Army,
December 2016, January 2017 — Al Arabiya published reports on Iran's Cyber Army, including the Khaybar center for information technology.
Caveat lector, or Reader beware — the source is Saudi-based and funded, so the reports are seen through the lens of the House of Saud.Iran's Cyber Threat: Espionage, Sabotage, and Revenge
Carnegie Endowment for International Peace
2017 — 2018 The people who research, describe, and give names to other countries' malware have settled on "Kitten" as the metaphorical animal for Iran, versus "Bear" for Russia.APT33
APT33 is reported to be active since 2013, operating at the behest of the Iranian government targeting multiple aerospace and oil companies in the U.S., Saudi Arabia, and South Korea.APT34
APT34, also called OilRig and Helix Kitten, appeared in late 2017, targeting another government in the Middle East. They are now thought to have been active at least since 2014, with a range of government, financial, and industry targets.
APT35, also called Charming Kitten, Newscaster, and NewsBeef, created fake journalist identities on social media. In February 2017 they were observed running a fake aerospace company website, presumably targeting the U.S. defense industry.
Also see U.S. versus Iran Also see Saudia Arabia
September 2000 — Israeli hackers launch DDOS and deface Hezbollah and Palestinian National Authority's websites. Palestinian authorities respond with call for a "cyber holy war", Israeli government and financial website attacked. [New Scientist, 23 Feb 2008 pp 24-25]
September 2007 — Israeli air strike on suspected nuclear facility in northern Syria reportedly aided by cyber-attack against Syrian radar air defenses. "Non-stealth Israeli fighters slip in and out of Syrian airspace virtually undetected." Yes, but I doubt that Syrian air defense systems were on publicly routable networks.... [New Scientist, 23 Feb 2008 pp 24-25]
2010–2016 — In early 2016 Cylance released an analysis of what they call Operation Dust Storm. That's a series of Advanced Persistent Threats that have been operating since before 2013, when RATs or Remote Access Trojans started to be called APTs. Attacks are known from 2010, starting with spear phishing with Word documents containing zero-day Flash exploits. A variety of vulnerabilities were used to implant a series of malware with different forms and capabilities.
The targets included Japanese critical infrastructure and resources — power, fuel, construction, finance, and transportation industries. So far they haven't been disruptive or destructive, and seem to be focused on long-term reconaissance and espionage.
Also see North Korea
January 2009 — A "russian cybermilitia" launched a distributed denial of service attack against the two biggest Internet service providers in Kyrgyzstan, largely cutting the country off the Internet. A few days later, Kyrgyzstan announced that the U.S. military would have to vacate Manas Air Base. Apparently the DDOS attack was part of the Russian pressure. Click here to see the story at computerworld.com.
2012 — See the Gauss malware deployed against Middle Eastern banking, primarily in Lebanon.
March 2015 — A spying attack was detected, primarily against Israel but also detected in Turkey and Lebanon and to lesser extents in the US, Canada, UK, Japan, Peru, and elsewhere. Checkpoint concluded that the attack, which they named Volatile Cedar, was by a nation-state group operating in Lebanon. The attack seemed to have been underway since 2012. It includes custom-written software to steal files, keystrokes, and screenshots, stealing sensitive information for political or intelligence purposes.
January 2018 — The Electronic Frontier Foundation and the mobile security company Lookout revealed that GDGS, the General Directorate of General Security, the internal intelligence agency in Lebanon, has been spying on thousands of people in 21 countries including the U.S., China, Russia, India, Germany, Saudi Arabia, South Korea, and Lebanon. The targets include journalists, activists, military personnel, government officials, and employees of defense contractors and financial institutions. The malware exploited Android mobile devices and desktop machines running Windows, MacOS, and Linux.
November 2008 — The websites of al-Anba' al-Ikhbari and Sahara Media, two news agencies in Maurtiania, are taken down in DDOS attacks. This is after the August 6 military coup replacing the democratically elected president, Sidi Mohamed Ould Cheikh Abdallahi, with a military junta. "Sahara Media has accused "national and foreign parties" of aiming to muzzle the site. Al-Anba', for its part, was far more specific in assigning blame. It said "some parties in the military regime in Nouakchott" are responsible or the sabotage." Menassat covered this.
November 2010 — Just before the closest thing to an election in over 20 years, Burma's primary Internet service provider, the Ministry of Post and Telecommunication, was taken down with a massive distributed denial of service attack.
|Maximum||14.58 Gbps||4.89 Mpps|
|Average||1.09 Gbps||576.96 Kpps|
|Duration||2 days, starting 0120 Tue 2 Nov UTC|
|Attack vectors||85% TCP SYN/RST, 15% flooding|
Burma's MPT was limited at the time to one 45 Mbps T3 connection to the outside world, mostly via IPTel (AS 45419). The November 2010 attack was estimated at almost 15 Gbps, a few hundred times the available capacity.
This is much larger than the 2007 DDoS attacks against Georgia (estimated at 814 Mbps) and Estonia.
Arbor Networks' report summarizes it as in the table at right.
February 2008 — "Russian agents in Norway have reached levels as high as during the Cold War, warns the Norwegian Police Security Service (PST). Many other countries also have spies in Norway, climbing to a record number following a quiet period during the 1990s. [PST chief] Holme said unnamed sources indicate that Russian espionage activity is at an "all-time high", and other countries have also stepped up their activities in Norway. Russia and other countries are said to be interested in Norway because of its strategic geographical position and its offshore technological expertise." http://www.aftenposten.no/english/local/article2244756.ece
North KoreaAnalysis of North Korean behavior Analysis of North Korean Internet activity
According to a 2009 article in The Daily NK, a South Korean publication focused on the DPRK, North Korea's Moranbong University, directly managed by the Operations Department of the Workers' Party, is that country's leader in technical developments in computer warfare. Moranbong is said to have been founded in 1997 to train experts in data processing, cryptanalysis, hacking, and other skills, along with martial arts and shooting. It's a five-year university that only selects 30 freshmen per year, each of which is made a military first lieutenant. Moranbong is supposed to have taken the place of Mirim University. Moranbong is in Jung district, just across from the Number 3 Government Building housing the United Front Department, Liason Department, and Operations Department. The article has a dateline of 13 July 2009, Shenyang, China, presumably where they contacted their North Korean source by telephone.
Meanwhile, in 2012 Bloomburg reported that Fox "News" owner Rupert Murdoch was helping the North Korean government make money: "Programmers from North Korea's General Federation of Science and Technology developed a 2007 mobile-phone bowling game based on the 1998 film [The Big Lebowski], as well as Men in Black: Alien Assault, according to two executives at Nosotek Joint Venture Company, which markets software from North Korea for foreign clients. Both games were published by a unit of News Corp., the New York-based media company, a spokeswoman for the unit said."
See the North Korea Tech web site for updates on hacking from the DPRK.
March 2013 — South Korea suffered a significant cyber attack against banking and media networks, damaging tens of thousands of systems. The systems were infected with malware and files were erased. North Korea was blamed for this attack, along with similar attacks in 2009 and 2011. A New York Times article described the attack as paralyzing three major South Korean banks and the countries two largest broadcasters, shutting down ATM transactions and rendering the targeted computers unusable.
11 Sep 2013 —
Kaspersky Lab reported on the
a North Korean cyber-espionage campaign against
South Koreans think tanks.
It was developed in a Korean language environment but
mail.bg, a Bulgarian public email server,
for command and control.
It does keylogging and
steals HWP (Hangul Word Processor) files,
HWP being part of the Hancom Office bundle widely
used in South Korea.
It also does remote control access and
download and execution of additional programs.
25 Sep 2013 — Kaspersky Lab reported on Icefog, a cyber-espionage campaign active at least since 2011. It targets government institutions and military contractors, maritime and ship-building industries, telecom and satellite operators, and other industry, high technology, and media mostly in South Korea and Japan. It provides an interactive backdoor for the operators, who again concentrate on the HWP files used almost exclusively in South Korea. It initially targeted both Windows and OS X. See Kaspersky's Icefog APT FAQ and their detailed report for more. CrowdStrike called the attack campaign Dagger Panda and said it was being run from China. In January a Java based variant called Javafog appeared. See the report from Kaspersky Lab and an overview from Information Week.
August 2014 — HP released a security briefing Profiling an enigma: The mystery of North Korea's cyber threat landscale. It opens by describing the DPRK as "a unique country with a military-focused society and an unconventional technology infrastructure." Their constitution states that songun, the "military-first" doctrine, defines life there. At least according to South Korea, Unit 121 is "North Korea's premier hacking unit" and is the world's third largest cyber warfare force behind Russia and the U.S. It and Lab 110 maintain technical reconnaissance teams that infiltrate computer networks to obtain intelligence and plant malware on enemy networks. Unit 35 does technical education and training of cyberwarfare personnel. Unit 204 does cyber-psychological operations. University-level training in cyber intelligence and warfare is done at Kim Il-sung University, Kim Chaek University of Technology, and the Command Automation University, traditionally called Mirim University.
As of a June 2011 report, North Korea is assigned the IP block 184.108.40.206/22 and is the registered user of China Unicom's 220.127.116.11/24. China Unicom is North Korea's connection to the rest of the Internet. Several of the nominally North Korean web sites known to the outside world are hosted in China.
I have installed Red Star OS, the DPRK-customized Linux distribution, on a test system and found that it expects to be able to reach IP addresses in the 10/8 block. It appears that much of North Korea is their Kwangmyong, a nationwide intranet behind NAT routers with little to no access to the outside world. Update: there is a Red Star 3.0 Server ISO image available via BitTorrent.
HP reported that North Korea is still making money from computer games (presumably still with help from Rupert Murdoch). They raise hard currency through MMORPG or massively multiplayer online role-playing games, and also use the games to infect systems and launch cyber attacks.
A timeline in the HP report includes:
- North Korea gains access to 33 South Korean military wireless communications networks.
- U.S. State Department systems are attacked from the East Asia-Pacific region during its negotiations with North Korea over its nuclear missile tests.
- The following month, the South Korean military says North Korea's Unit 121 breached military entities of South Korea and the U.S.
- North Korea tests a logic bomb.
- "Dark Seoul" DDoS and kisk wiping malware targets South Korean and U.S. government, media, and financial web sites.
- "Operation Troy" malware was probably planted.
- "Dark Seoul Backdoor.Prioxer" was detected.
- Korean Central News Agency website became the first known direct connection from North Korea to the Internet.
- "10 Days of Rain" attack in March, DarkSeoul DDoS and disk-wiping malware hits South Korean media, financial, and critical infrastructure targets.
- North Korea disrupts GPS signals in South Korea.
- Nonghyup bank in South Korea suffers a DDoS attack.
- JoongAng Ilbo newspaper in South Korean attacked.
- "DarkSeoul Downloader.Castov" malware is detected.
- North Korea and Iran sign a treaty agreeing to combat "common enemies" in cyberspace.
- "March 20" disk-wiping attacks against South Korean media and financial institutions. attacked.
- Two claims are made for online "teams" attacking South Korean LG+U website with defacement and data wiping.
- "DarkSeoul" DDoS attacks on South Korean financial institution and the government's DNS server.
- Details released on Kimsuky malware which targeted South Korean think tanks.
- North Korean jammed South Korean military satellite communications through KoreaSat 5.
November-December 2014 — A group calling itself the "Guardians of Peace" or "GOP" released a large collection of data stolen from Sony Pictures Entertainment, including e-mails between employees, personally identifiable information about employees and dependants, copies of unreleased films, and other data. They claim to have taken over 100 terabytes of data, a claim that was largely accepted despite the unlikelihood of moving that much data unnoticed. See this great step-by-step detailed analysis.
The data was released on November 24. After media reports kept speculating about some connection to the upcoming comedy film The Interview, featuring an assassination plot against North Korea's leader, only on December 16 did GOP mention that film for the first time. They threatened terrorist action against theatres showing the film, and Sony pulled the film from release.
Many security researchers and analysts have commented (for example, Bruce Schneier, Marc Rogers, and in a Wired article) that the episode seems very unlikely to be the act of a national government. To begin with, the taunting messages from a group with a catchy name scolding the victim for having bad security. Then a e-mail from the attackers to Sony executives sent on November 21, three days before the public release, was signed not "GOP" but "God'sApstls". National governments, even insane ones like North Korea, don't usually behave this way.
Going deeper, the use of language seems like an English speaker pretending to be bad at English. More specifically, not someone actually from North Korea. See analyses of North Korean language use characteristics and its diversion from the language of South Korea here, here, here, and here. Also see the adept use of social media. The people doing the communicating aren't North Koreans.
The motive is clearly revenge against Sony. The information could have been used to directly extract money from Sony's accounts, or to extort enormous payments. But the data was simply released to embarrass Sony and greatly reduce the value of some products. Sony only helped that by (at least initially) entirely discarding a finished movie. This looks like the work of disgruntled insiders.
On December 21-22 North Korea's very limited connection to the Internet was down. North Korea has only 1024 routable IP addresses, the 18.104.22.168/22 CIDR block. Those four /8 networks are run by Star Joint Ventures, the state-run Internet provider, and most of them are routed through China Unicom, China's state-owned telecommunications company. It might have been DDoS on North Korea's border routers, or it might simply be that China Unicom disconnected them.
- Grugq on the hackers' savvy use of social media
- The hackers said "we worked with other [Sony] staff to get in"
- Krypt3ia's analysis of motivations and winners versus losers in this episode
February 2016 — An analysis was released by the "Operation Blockbuster group," was led by Novetta and also including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber. They discovered 47 different malware families and matched the malware and MO to Operation Troy in 2009. That used the hacktivist DDOS and data-wiping attack on South Korean banks and media outlets as distraction while quietly exfiltrating South Korean and U.S. military secrets. Another round of this in 2013 was called Operation DarkSeoul. The analysts have named the attackers the Lazarus Group and remain unsure of the size and structure of the group.
2015-2017 — The Lazarus Group used vulnerabilities in bank server systems to steal the banks' credentials in SWIFT, an international banking network. They issued transfer requests to other banks, sending the funds to accounts controlled by the hackers. $101 million was stolen from the Bangladesh central bank, and other thefts began to be reported.
Britain's National Cyber Security Centre attributes WannaCry ransomware attack to Lazarus group of North Korea
May 2017 — The WannaCry ransomware attack spread worldwide, hitting healthcare and major corporations. It used an exploit developed by the NSA and published by the Shadow Brokers group a month before. Microsoft had issued a patch to the vulnerabilities in Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, presumably after being informed by the NSA, who had seen earlier releases of NSA code by the Shadow Brokers. Microsoft released patches for Windows XP and Windows Server 2003 the day after the attack started spreading.
June 2017 — US-CERT Alert TA17-164A was based on analysis by FBI and the Department of Homeland Security. It describes software called DeltaCharlie, used to manage North Korea's destributed denial-of-service infrastructure. The U.S. Government refers to malicious cyber activity by North Korea as HIDDEN COBRA. The report mentions that earlier commercial analysis referred to the activity as the Lazarus Group and Guardians of Peace.
The report describes HIDDEN COBRA activity taking advantage of rather old systems widely spread across the Internet: unpatched and now unsupported older versions of Windows, unpatched Adobe Flash software, and systems running the antiquated CHARGEN protocol. It also takes advantage of poorly configured DNS and NTP servers as traffic amplifiers.
April—May 2013 — A series of targeted attacks began, using the Bitterbug malware family and later to be named Operation Arachniphobia. See the detailed reports from FireEye and ThreatConnect, and the overview from Security Affairs.
May 2013 — At the same time, a targeted attack out of India was trying to steal information from Pakistan, using phishing emails with Word and PDF files apparently containing Indian military information. It was a rather simple attack, although it seems to have had some success. Read the overview or the more detailed report.
June 2017 The New York Times reported on events from the preceding month. News reports appeared on the official Qatari new agency's web site, designed to alienate the U.S. and Gulf Arab nations. A few days later, emails from the U.A.E.'s ambassador to the U.S. began to appear in Western news media and the Qatari news network Al Jazeera. Saudi Arabia and the U.A.E. led smaller Arab nations in cutting off diplomatic relations, travel, and trade with Qatar.
The U.S. F.B.I. and U.K law enforcement agreed that the official Qatari news agency was hacked. Qatari officials blamed the Saudis and Emiratis. The F.B.I. and some industry analysts said that it was probably done by Russian hackers for hire. Also see the report Bahamut, Pursuing a Cyber Espionage Actor in the Middle East.
The United Arab Emirates
leaked emails, issued propaganda, and otherwise used
information to influence U.S. policy on Iran and the
UAE and Saudi blockade of Qatar.
"How Two Persian Gulf Nations Turned The US Media Into Their Battleground"
January 14 2014 —
Kaspersky Lab reported
that the Red October campaign had
infiltrated computer networks over the past five years
at diplomatic, government, and scientific research
It can steal data from the traditional target of workstations,
but also mobile devices including smartphones,
Cisco enterprise network equipment,
stealing data from USB devices and also recovering and
stealing their deleted files,
and from internal servers.
The attacks are under the control of center C&C servers
and are carefully customized for each victim.
that its exploits were written by Chinese hackers
while some modules were created by Russian speakers;
the C&C server domains were registered by identities
*.ru email addresses.
The target organizations are mostly in Eastern Europe,
the former USSR, and central Asia, but are also in
Western Europe and North America.
Targets include Tibetan activists and Asian
military and energy sector targets.
However, Kaspersky saw no evidence linking this to a
nation-state sponsored attack, the information would be
valuable to a nation-state but might be traded in the
underground and sold to the highest bidder.
In December of the same year the security firm Blue Coat reported what they called The Inception Framework, a sophisticated cyber espionage system directed at companies and other organizations operating in Russia. The companies are from Russia itself, Romania, Venezuela, and Mozambique. Embassies and other diplomatic offices in Romania, Paraguay, and Turkey have also been hit. Kaspersky Labs says that this is a variant of the Red October APT, and called it after a more recent movie, Cloud Atlas.
March-May 2014 — BAE Systems reported on a large-scale cyber espionage by Russia targeting systems around the world, predominantly Ukrainian government systems at first and then including NATO systems. The Atlantic Council reported in May "Russian Cyber Campaign Continues to Penetrate NATO Ministries".
July 2014 — Sentinel Labs reported and issued a more detailed analysis on what they named "Gyges", an advanced persistent threat that appeared to come from Russia and target government orgranizations. They had spotted it back in March. As they said, "Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime." They believe "it was used as a "bus" or "carrier" for much more sophisticated attacks such as government data exfiltration. So we started digging, and eventually recovered government traces inside the "carrier" code, which we later connected to previous targeted attacks that used the same characteristics. At this point it became clear that the "carrier" code was originally developed as part of an espionage campaign." It exfiltrated its data by an SSL connection to a C&C (command and control) server in Russia, part of IP block 22.214.171.124/24. That was part of the SevStar Network AS35816, Lancom Ltd., Sevastopol, Russia.
November 2014 — Recorded Future reported on Russian governmental cyber-espionage against companies involved in industrial control systems, pharmaceuticals, defense, aviation, and petroleum. They identified Uroburous, Energetic Bear, and APT28 as three main advanced malware families being used by Russia for espionage. They are used in a coordinated fashion — while all three are used aggressively, you seldom find more than one on a target system.
Uroburous was named by GData, Kaspersky calls it Epic Turla, BAE Systems calls it Snake and SnakeNet. It has been around since 2008 and targets governments, embassies, the defence and pharmaceutical industries, and research and education. Kaspersky has analyzed a Linux backdoor component. Also see this analysis.
Energetic Bear was named by CrowdStrike, Kaspersky calls it Crouching Yeti, iSIGHT Partners calls it Koala Team, and Symatec calls it Dragonfly. It targets aviation, defense, energy, industrial control systems and petroleum pipelines.
APT28 was named by FireEye/Mandiant, iSIGHT Partners calls it Tsar Team, Eset calls it Sednet, CrowdStrike calls it Fancy Bear, Trend Micro calls it Operation Pawn Storm, and others call it Sofacy and Sednit and STRONTIUM and APT28. It targets NATO and Eastern European governments and military agencies, the defense industry, and "Russian adversaries" as the report puts it.
FireEye/Mandiant also named APT29 and its backdoor component HAMMERTOSS. They suspect that it is sponsored by the Russian government.
January 2015 — A group calling itself "CyberCaliphate", posing as associated with ISIS, hacked the French television broadcaster TV5 Monde. The U.S. Defense Intelligence Agency's Russia Military Power Report 2017 reported this, attributing it to an article on channelregister.co.uk.
June–July 2016 — A group posing as a hacker calling himself "Guccifer 2.0" claimed in early 2016 to have broken into Hillary Clinton's private e-mail server, and in June 2016 claimed to have broken into the Democratic National Committee's computer network. The messages claimed that Guccifer was Romanian, but several analysts pointed to inconsistencies within the writing, saying that it appeared to be from multiple people, some of them Russian.
CrowdStrike's analysis is that Fancy Bear is affiliated with the GRU, Главное Разведывательное Управление or Main Intelligence Department, the primary military intelligence service, while Cozy Bear is affiliated with FSB, Федеральная Служба Безопасности, the foreign intelligence service formerly known as KGB.
On 22 July 2016 WikiLeaks published 20,000 Democratic National Committee emails. Analysis immediately pointed to Russian involvement, an attempt by Russian to influence the coming U.S. election and make Donald Trump the U.S. President. The intrusions were further operations of Fancy Bear (see above) and another known Russian operation called Cozy Bear. It wasn't collaboration, both groups independently broke into DNC systems and stole the same data. The intrusions had been happening since the summer of 2015, and both were expelled from the system on 11-12 June. The emails were released at the end of the week before the Democratic National Convention.
13 August 2016 — A group calling itself the ShadowBrokers dumped an archive onto PasteBin containing what seemed to be NSA exploits used to attack systems from Cisco, Fortinet, and others. Securelist showed how an unusual implementation of RC5 and RC6 links that archive to the Equation Group (see more on that group below). According to a Reuters story, NSA believes that an employee or contractor left them on a publicly exposed computer. Investigators were assuming that the Shadow Brokers were affiliated with the Russian government.
30 September 2016 — Newsweek magazine published a story reporting on Donald Trump's violation of the U.S. trade embargo against Cuba. The magazine's web site was then hit with a DDoS attack linked to Russia. See the stories in the Talking Points Memo and in Dark Reading.
October 2016 — The U.S. Office of the Director of National Intelligence and the Department of Homeland Security announced that they were confident that the Russian government was behind intrusions into "U.S. political organizations", a reference to breaches at the Democratic National Committee and the Democratic Congressional Campaign Committee.
"U.S. government officially accuses Russia of
hacking campaign to interfere with elections"
Washington Post, October 7 2016
At the Wall Street Journal CEO Summit on 15 Nov 2016, Admiral Mike Rogers, the director of the National Security Agency, said: "There shouldn't be any doubt in anybody's mind. This was not something that was done casually. This was not something done by chance. This was not a target that was selected purely arbitrarily. [...] This was a conscious effort by a nation-state to attempt to achieve a specific effect." See reports in The Hill, The Washington Post, and The Wall Street Journal.
December 2016 — The Washington Post published a story about CrowdStrike's analysis of the link between the malware used in the DNC intrusion and that used to track an Android phone app used by the Ukrainian army during its fight against pro-Russian separatists in eastern Ukraine in 2014-2016.
CrowdStrike determined that the attackers were they group that they had initially called "Fancy Bear", which turned out to be the GRU, Russian military intelligence. The FBI is reported to have privately concluded that the GRU was behind the DNC hack, but to have said nothing publicly.
Washington Post, 22 Dec 2016
Russian interference in 2016 U.S. Presidential election
The U.S. intelligence community and the Department of Homeland Security concluded that Russian civilian and military intelligence services had attacked and penetrated U.S. government and private sector entities. They broke into Democratic National Committee servers in 2015 and 2016, and published stolen data on the Internet. Details from these documents dominated news coverage for several days immediately before the November 8th election, which Hillary Clinton appeared to be leading by a wide margin until the final week. U.S. intelligence and DHS labeled the activity as GRIZZLY STEPPE. On 29 December, President Obama announced sanctions against Russia. President-Elect Donald Trump, the beneficiary of the Russian hacking, first tried to dismiss and later downplayed the reports.
U.S. Office of the Director of National Intelligence
August 2017 — News stories were reporting on automated "bots" affecting opinion through blogs, Twitter, and Facebook, refining techniques for the 2018 U.S. elections.
In 2017 we started seeing reports of
GPS spoofing by Russia
in central Moscow and in the Black Sea.
The U.S. Department of Transportation
issued a global maritime advisory.
New Scientist USA Today CNN Wired UK
July 2018 — USA Today reported that Russia had been meddling in 27 countries in Europe and North America since 2004. The action ranged from active cyberattacks to disinformation.
August 2012 — Shamoon, also known as DistTrack, was a denial of service attack against the Saudi Arabian national oil company Saudi Aramco. The attack, on 15 August 2012, wiped 30,000 to 35,000 disk drives. CNET and the BBC reported that the same malware was used to attack RasGas, a major liquefied natural gas firm in Qatar. Pastebin postings claimed credit for the "Arab Youth Group" and the "Cutting Sword of Justice" protesting the repressive rule of the al-Saud regime, although some suspect Iranian backing. Dark Reading and Symantec had some good early reporting. U.S. Secretary of Defense Leon Panetta described the attack as "the most destructive cyberattack on the private sector to date."
Aramco used its fleet of private aircraft to fly employees directly to factories throughout southeast Asia and buy all the available disk drives, some 50,000, at inflated prices. This temporarily halted shipments to other buyers and drove up prices, meaning that everyone who bought a disk drive or a computer between September 2012 and January 2013 paid a slightly higher price because of the Aramco hack.
September 2012 — A hacker group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" took credit for a series of DDOS attacks against American banks starting in mid to late September. See the New York Times reports on Sep 26 2012 and Sep 27 2012 and CSO Online on Sep 27 2012. Later analysis by Dark Reading and RSA show that the DDOS wasn't the grass-roots uprising it was first portrayed as, but it included serious attackers.Bloomberg story
on Nov 2016
November 2016 — Hackers sponsored by Iran conducted a series of destructive attacks on Saudi Arabian government systems over the last two weeks of November. They used the same Shamoon malware used in 2012, wiping data and the boot blocks from computers, erasing data and rendering the computers unable to boot.
Thousands of comupters at the General Authority of Civil Aviation were wiped. Two other government ministries were attacked.
South America — Argentina, Brazil, Ecuador, Venezuela
2008–2015 — An extensive campaign of malware, phishing, and disinformation was active across South America. Its range and nature suggests a sponsor (or sponsors) with regional political interests. The campaign was named Packrat by analysts, who first noticed it as a wave of attacks in Ecuador in 2015 but later tracked its activities back to 2008. See the detailed analysis by the Munk School of Global Affairs at the University of Toronto.
February 2014 — Kaspersky Lab announced discovery and analysis of The Mask, a sophisticated spying operation running at least since 2007 using technique and code surpassing any nation-state spyware previously seen in the wild. It targeted government agencies, diplomatic offices and embassies, companies in the petrochemical and energy industries, and research organizations and activists. They found at least 380 victims in more than 24 countries, the majority in Morocco and Brazil. The very impressive software includes snippets in Spanish. The spear-phishing used for initial infection tricked victims into thinking they were viewing web pages from top newspapers in Spain plus the Guardian and the Washington Post. Kaspersky believes The Mask is a nation-state project because of its sophistication and because it uses an exploit they think Vupen sold to the attackers. Vupen is a French company that sells zero-day exploits to law enforcement and intelligence agencies. Wired and Ars Technica ran stories on The Mask.
Syria / Islamic State
2011-2014 — The Syrian Electronic Army appeared in 2011, propagandizing on behalf of Bashar al-Assad and attacking media outlets and opposition groups. Victims include Reuters, New York Times, Al Jazeera NPR GlobalPost, CNN, Facebook, the RSA Conference, and many others. Security researcher Ira Winkler described his run-in with them after giving a presentation at the 2014 RSA Conference detailing their tactics and some of their methods.
December 2013 — Researchers found that the Assad regime was gathering intelligence through spyware. The malicious software gathered information which the government used to plan raids, attacks, and arrests. The military can round up and question suspected rebels and interrogate them about activities they conducted on their computers without have physically seized those computers. See the EFF overview, the Wired overview, and the full report from EFF.
February 2015 — FireEye (which had merged with Mandiant) published its Behind the Syrian Conflict's Digital Frontlines report that between at least November 2013 and January 2014, hackers stole a large collection of sensitive documents and Skype conversations revealing the strategies, tactical battle plans, supply details, and large volumes of personal information from the Syrian opposition fighting President Bashar al-Assad's forces. Media activists and humanitarian aid workers were also targeted. The PDF report is here.
July 2016 — The Peace at Home Council, a faction within the Turkish Armed Forces, attempted a coup d'état on 15 July 2016. Plotters used a WhatsApp group to communicate and tried to block access to sites including Facebook, YouTube, and Twitter. President Recep Tayyip Erdoğan used Internet social media tools to rally popular opposition to the coup. Mass arrests followed, and over 45,000 military officials, police officers, judges, governors, and civil servants were arrested or suspended. This included 2,700 judges, 15,000 teachers, and every university dean in the country. Also, the licenses of 21,000 private-sector teachers were cancelled. 626 educational institutions, most of them private, were shut down immediately. Another 1,043 private schools were closed a week later, along with 1,229 charities, 19 trade unions, 35 medical institutions, and 15 universities.
A week later, WikiLeaks published nearly 300,000 emails from Erdoğan's Justice and Development Party, and the government blocked access to the site.
December 2015 – 2017 — A blackout across the Ivano-Frankivsk region in western Ukraine killed power for 700,000 people on December 23. The blackout was attributed to a cyberattack on Ukrainian electrical power company Prykarpattya Oblenergo. Ukraine's state security service SBU officially blamed Russian-linked hackers.
ESET analyzed the attacks,
reporting January 3
that a cybercriminal group had used the BlackEnergy malware
family to attack the Ukrainian electrical power industry
and news media companies.
They used both denial-of-service attacks, overwriting
document files with random data and making the operating
system non-bootable, plus an SSH back door they labeled.
It listens for an SSH client providing the hard-coded password
ESET issued another report on January 4. Other energy companies in Ukraine were targeted at the same time. The infections came in through Microsoft Office files with malicious macros. The malware also had some additional functions targeting industrial control systems.
Kaspersky provided more details in their report on January 28. Cyc Centrum has a report on BlackEnergy attacks in Ukraine through 2014 and 2015.
SentinalOne released a nice detailed analysis of BlackEnergy 3 in late January, see the announcement and the detailed report.
SANS published a detailed analysis in mid-March 2016, summarizing the incident itself, the reporting in the media, and then analyzing the attack techniques. They concluded that it started with a phishing email with Word and Excel documents with macro-based malware. That dropped BlackEnergy3 malware into place, which stole legitimate user credentials. The stolen VPN credentials allowed attackers to access the industrial control systems network.
This was widely reported, including by Dark Reading on January 5 2016, January 14, and January 27; Foreign Policy on January 8; Reuters on January 27; The Register on January 28, and Wired with more detail on March 3.
The U.S. Defense Intelligence Agency's Russia Military Power Report 2017 reported "CyberBerkut is a front organization for Russian state-sponsored cyber activity, supporting Russia's military operations and strategic objectives in Ukraine", citing "Russia's Use of Disinformation in the Ukraine Conflict. Russian strategy analysis", 18 Feb 2015, in Eurasia Review. They say that CyberBerkut "has been implicated in multiple incidents of cyber espionage and attack, including distributed denial of service attacks against NATO, Ukraine, and German government websites." More recently, CyberBerkut has been stealing and publishing documents from Ukrainian government and political figures in order to discredit, demoralize, embarrass, and create distrust of those figures.
Russia's "Troll Army", also known as the Internet Research Agency, is described in the DIA report as "a state-funded organization that blogs and tweets on behalf of the Kremlin. The New York Times reported on the Troll Army in June 2015.
December 2016 – 2017 — On December 17, 2016, malicious software tripped circuit breakers and shut off electrical power to part of western Kiev, cutting off about 20% of the city's electrical supply. About 700,000 people in the Ivano-Frankivsk region, half the homes there, were left without electricity for several hours. That seems to have been just a test of sophisticated malware, since labeled Crash Override and Industroyer by investigators.
The malware has a modular design, with support for various SCADA protocols commonly used in Europe. Unlike earlier attacks against infrastructure which required interactive control by several operators, this malware seems to be largely automated. It can map the network where it is inserted, observing and logging traffic patterns.
It exploits a known vulnerability in a Siemens digital relay. There is speculation that it is intended to do more than just cut off power, but to damage equipment in the process, overloading lines and transformers.
Honeywell and the Kiev-based Information System Security Partners have said that the 2016 blackout was likely caused by the same attackers as the 2015 attack, which has been widely attributed to a hacker group called Sandworm, and that it likely originated in Russia.
The Dragos report says, "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team."
Technical reports and analysis:
Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
Industrial Control Systems CERT, updated 9 Dec 2016
The Daily Beast, 12 June 2017
June 2017 — Malicious software targeted Ukraine on 27 June 2017. It spread quickly in Ukraine through government ministries, energy companies, the power grid, banks, and transportation. 80% of the infections happened in Ukraine, with 9% in Germany and others in France, Italy, Poland, the U.K. and the U.S.
The malware claimed to be ransomware, but it was actually a "wiper", overwriting data. It was a variant of Petya, which propagates via the NSA's EternalBlue exploit. This variant is being called Petya, NotPetya, Pnyetya, ExPetr, GoldenEye, and more.
Initial spread was through an update to M.E. Doc, a Ukrainian tax accounting package. All tax accounts in Ukraine are required by law to use M.E. Doc, and it is the de facto standard accounting package for businesses there. A similar attack had happened on 18 May 2017 when ransomware called XData was carried out via M.E. Doc. [see the report in Russian]
The site with M.E. Doc software updates was served on one host at the WNet hosting company. On 1 June 2017 the Ukrainian security agency SBU raided the WNet offices. The SBU said that WNet had turned over control to the FSB, Russia's intelligence service. [see the reports at ain.ua and politolog.net] On July 1 "the head of Ukraine's CyberPolice suggested" in an Associated Press report that M.E. Doc knew of the intrusion and malware planting and "For this neglect, the people in this case will face criminal responsibility."
In January 2018, the CIA concluded that the Russian military's GTsST or Main Center for Special Technology was behind NotPetya.
A.P. Møller-Maersk, the world's largest container shipping company, reported that it recovered by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications in late June and early July 2017. For 10 days they had no computers, but meanwhile another ship with 20,000 containers would enter a port every 15 minutes.
Reuters New York Times Washington Post (June 2017) BBC Ars Technica Wired Bloomberg ain.ua politolog.net Associated Press Washington Post (January 2018)
Technical reports and analysis:
Matt Suiche Kaspersky Labs, #1 Kaspersky Labs, #2 the grugq Brian Krebs Lesley Carhart On the Wire Talos and Cisco detailed analysis ESET detailed analysis Wired US-CERT Alert TA17-181A
July 2018 — Ukraine's SBU federal security service detected and shut down a cyberattack that used VPNFilter malware against equipment in the LLC Aulska chlorine station that supplies water and sewage treatment plants. The Russian military hacker team called Fancy Bear and APT28 is believed to be behind the attack.
Interfax Ukraine News Agency
In March 2018 Kaspersky Lab published analysis of an APT they called "Slingshot", after a cleartext string in a commonly used module. Some of their customers had been hit with this. As far as Kaspersky could tell, it had been active at least since 2012 and it was still active in February 2018.
Victims were primarily individuals but also government organizations. 47% of the victims were in Kenya, 13% in Yemen, 7% in Libya, and 6% in Afghanistan. Smaller numbers, presumably in decreasing order, were in Iraq, Tanzania, Greece, Jordan, Mauritius, Somalia, Tunisia, Turkey, and the U.A.E.
The attack came in through a previously unknown vulnerability in Mikrotik routers, which are manufactured in Latvia.
Kaspersky's overview says:
The malicious samples investigated by the researchers were
marked as 'version 6.x', which suggests the threat has existed
for a considerable length of time. The development time,
skill and cost involved in creating Slingshot's complex
toolset is likely to have been extremely high.
Taken together, these clues suggest that the group behind
Slingshot is likely to be highly organized and professional
and probably state-sponsored.
Text clues in the code suggest it is English-speaking. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers has been seen before in other malware, such as White and Grey Lambert. However, accurate attribution is always hard, if not impossible to determine, and increasingly prone to manipulation and error.
Kaspersky's detailed analysis says:
The malware is highly advanced, solving all sort of problems
from a technical perspective and often in a very elegant way,
combining older and newer components in a thoroughly
thought-through, long-term operation, something to expect
from a top-notch well-resourced actor.
In terms of attribution, we have not been able to find any definitive links to any previously known APTs. Some of the techniques used by Slingshot, such as the exploitation of legitimate, yet vulnerable drivers has been seen before in other malware, such as Turla, Equation's Grayfish platform and White Lambert. Most of the debug messages found throughout the platform are written in perfect English. The references to Tolkien's Lord of the Rings (Gollum, Smeagol) could suggest the authors are fans of Tolkien's work.
Then there were reports that Slingshot was run by JSOC or Joint Special Operations Command, part of the U.S. SOCOM or Special Operations Command. Cyberscoop reported that "current and former U.S. intelligence officials" told them that is was a U.S. military operation "used to target ISIS and al-Qaeda members". These officials said that it targeted computers in Internet cafés in developing countries, where ISIS and al-Qaeda targets used those computers to send and receive messages.
Kaspersky Lab overview Kaspersky Lab detailed analysis Cyberscoop announcment that Kaspersky exposed sensitive information, which itself exposes sensitive information
U.S.A versus Iran
Stuxnet, Duqu, Flame and Gauss are sophisticated threats, the first three deployed against Iran and the fourth against Middle Eastern banking. Top analysts have shown that they share many modules, and have concluded that they must have been created by a group with nation-state level resources.
In February 2016 the documentary film Zero Days premiered at the Berlin Film Festival. It's now available on YouTube.
The documentary claimed that Stuxnet was just a small part
of a vast set of U.S. hacking programs covered by
the code name NITRO ZEUS.
U.S. hackers at the Remote Operations Center (or ROC)
at Fort Meade had penetrated a wide range of Iranian
infrastructure, including military command-and-control
facilities, the air defense grid, industrial plants,
the electrical grid, and transportation systems.
A source said that there were hundreds of thousands
of implants in Iranian targets.
The ROC was ready to launch disabling attacks
in parallel with any military operation.
Hundreds of personnel had worked over several years at a
cost of hundreds of millions of dollars.
The New York Times on NITRO ZEUS Business Insider on NITRO ZEUS
OLYMPIC GAMES was a long collaboration between the U.S. and Israel, working to frustrate Iran's nuclear program without the airstrikes and assassinations that Israel had deployed. That gave Israel access to the Stuxnet worm. Israel modified Stuxnet, making it far more aggressive, and unilaterily launched the new version. It was the Israeli modification that escaped into the wild to be discovered and analyzed by security researchers.
A U.S. source said, "Our friends in Israel took a weapon that we jointly developed — in part to keep Israel from doing something crazy — and then used it on their own in a way that blew the cover of the operation and could've led to war."
A 2011 video created to celebrate the retirement of Gabi Ashkenazi, head of the Israeli Defense Forces, listed Stuxnet as one of his successes.
The Stuxnet worm was detected in June, 2010. In September, 2010, analysts announced that it seems to have been designed specifically to take control of a real-world industrial target, the SCADA software running chemical plants, factories, and electrical power generation and transmission systems. Its infections have been concentrated in Iran, Pakistan, India, and Indonesia, although systems have been infected world-wide. It was targeted at a specific facility — Iran's Bushehr nuclear plant. The Christian Science Monitor had a good report on this story, with more technical details than typically found in newspapers. Dark Reading goes deeper into the technical details and the analysis. Ars Technica and the New York Times describe how Stuxnet was a US-Israel operation, described in detail in David Sanger's book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. Symantec reported in February 2013 that what they call Stuxnet 0.5, a less aggressive version that used an alternative attack strategy of closing valves within the Natanz uranium enrichment facility, was in development as early as November 2005 and was out in the wild by November 2007.
Duqu was discovered on 1 Sep 2011, and is related to Stuxnet. It has been analyzed in detail by CrySyS, the Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics, Kaspersky Lab, and Symantec. The Intercept has an overview. Unlike Stuxnet, which causes industrial controllers to drive centrifuges so they destroy themselves, Duqu gathers data for future attacks. The newer Duqu 2.0 attacks seem to be from Israel.
CrySyS Lab, Budapest University of Technology and Economics
Flame, first deployed in March 2012, is an impressively complex system. It gathers data from the local disk, screenshots, keylogging, and data captured from the camera and microphone if they exist. The collected data is compressed and encrypted, and then exfiltrated by enabling the Bluetooth interface and transferring the data to a mobile phone. It also involved a world-class cryptographic breakthrough in its collision-based digital signature forgery used to make it appear to be a legitimate Microsoft Windows update. Microsoft has explained the use of an MD5 collision to forge digital signatures based on one of their weaker code-signing certificates.
Gauss was discovered in early August, 2012, and is believed to have been deployed since August or September of 2011. It combines the cyber-surveillance of Flame with a Trojan targeting online banking. It moves via USB memory sticks. The majority of the infected systems have been detected in Lebanon. Kaspersky has an overview and a detailed analysis. Other descriptions appeared in CNN Money, Wired The Register, and Ars Technica.
February 2015 — Kaspersky Labs released a report describing what they call the Equation Group. This seems to be their discovery of NSA TAO software and firmware in some of their customers' systems. Software and firmware, as it includes the ability to modify the firmware within more than a dozen brands of disk drives including Maxtor, Seagate, Hitachi, and Toshiba. Kaspersky describes this as the most sophisticated attack group of the approximately 60 such groups they track. The Equation Group software and firmware has ties to both Stuxnet and Flame among others, and goes back at least to 2001, possibly to 1996. Kaspersky has detected it in their customers' systems in at least 30 countries, concentrated in Iran, Russia, and Pakistan. It can travel on its own as a worm, or embedded in an email message or a hostile web page, or moved via USB devices.
August 2016 — Kaspersky Labs announced the discover of what they call "ProjectSauron", a cyber-espionage system designed to steal encryption keys and other sensitive data, a system of complexity adequate for them to credit it with national backing.
See their announcement and their research paper in which they show probable American UNIX-centric authorship.
Also see Symantec's analysis in which they dub the group "Strider".
These analyses brag on the attacks' sophistication, but they also describe some unexpected design choices like the use of RC4 and RC6, plus encryption by XOR with 8-bit and 16-bit patterns. So which is it, NSA origin or 8-bit XOR?
Also see Iran versus the world
U.S.A. / South Korea / "North Korea" — July 2009
4 July 2009 —
Distributed Denial-of-Service (DDOS) attacks against
U.S. government servers including
on the U.S. national holiday, the same day that
North Korea launches a series of medium-range missiles,
are blamed on North Korea.
7 July 2009 — The same DDOS attacks move to South Korean servers, including the Ministry of Defense and the presidential Blue House, increasing the baseless theorizing that North Korea must be behind it.
8 July 2009 — Widespread coverage in Wired magazine and elsewhere reports that the DDOS seems to have been run by a sloppy hacker using five-year-old worm code.
10 July 2009 — Typically clueless U.S. legislator Peter Hoekstra of Michigan insists that the U.S. should conduct a "show of force or strength" against North Korea for its supposed role.
Lesson: Many legislators are idiots.
See Bruce Schneier's calm analysis that this is nothing new, just "kids playing politics".
U.S.A. Power Grid Panic
Yes, Russia has intruded into the U.S. power grid, but before that there were several years of silliness.
Dark Reading reported that after a million-dollar study by the Federal Energy Regulatory Commission in 2013, using confidential and private information, a group of research decided to research a related question in 2015. Spending just $15,000 for 250 man-hours, investigated what a small group of domestic terrorists could discover about the most critical U.S. power substations.
Meanwhile, news-reader and interviewer Ted Koppel wrote a rather silly book capitalizing on the worry over the power grid. It's an entire book about how hackers will take down the power grid, but he didn't bother talking to any information security experts.
Several U.S. cybersecurity companies have concluded that
APT32 or OceanLotus
is a threat actor controlled by the government of
They stole and leaked the transcript of a telephone
conversation between U.S. President Donald Trump
and Philippine President Rodrigo Duterte.
They also stole and leaked documents relating to conversations
between other Philippine officials and other national
"A stolen Trump-Duterte transcript appears to be just one part of a larger hacking story"
The Office of the National Counterintelligence Executive warned of Internet activity by foreign intelligence entities back in 1997. BNA Daily Report for Executives, 6 January 1997, pg A15.
|Major US Y2K
The CIA named countries thought in 1999 to be involved in industrial espionage or offensive information warfare, and noted that several had been providers of Y2K fixes to U.S. firms (Network World 13 Sep 1999 pg 10), see the table at right.
For details of recent events and trends, see the country-specific timelines above.
Viruses and Hacking
NATO revealed that the Anti-Smyser-1 virus infected systems at its Pristina, Kosovo facility early in 2000. Affected systems mailed copies of a nine-page classified document detailing NATO rules of engagement for land operations in Kosovo to "random Internet users' mailboxes" — SC Magazine, Aug 2000, pg 18. Well, I doubt they were really random, but instead were entries in someone's address list. Who put classified documents on Internet-connected PCs susceptible to viruses??
A group of hackers broke into U.S. Department of Defense computers in the fall of 1997. It was well-publicized, they claimed to have stolen GPS controlling software to sell to terrorists, but DOD said it was just some administrative data.
During the 1991 Persian Gulf War, a group in Eindhoven, Netherlands broke into computers at 34 U.S. military sites and stole information about troop movements, missile capabilities, etc. They offered it to the Iraqis, but they figured it had to be a hoax. London Telegraph, 23 Mar 97.
Government / Military Threat Reports and Warnings
The DOD urged the naming of an "information czar" and an "information warfare" center within the U.S. intelligence community back in 1997. WSJ, 6 January 1997, pg B2.
Some people in DOD, or working for the defense/intel community, think future conflicts will be the domain of digital terrorists. Mafia-based states (like many in the ex-USSR), quasi-governmental organizations (IRA, ETA, HAMAS), or followers of warlords (Somalia, Chechnya, Myanmar) could launch highly disruptive attacks in which modern states would be at a disadvantage. AWST, 27 Apr 1998, 54-56.
As early as 1997:
- "The U.S. military's growing dependance on a closely linked web of computers is a 'recipe for a national security disaster'." Only one of 150 attacks against DOD computer systems is detected. NSA says more than 120 countries have or are developing computer attacks. AWST, 20 January 1997, pp 60-61.
- The director of the NSA warned (again) of threats of "cyber attacks" from foreign governments and quasi-governmental organizations. AWST, 10 Feb 1997, pg 20-21, plus a series of reports on CNN in March 1997.
The article, "Nation's 'Infosec Gaps' Given New Scrutiny Post-Sept 11", is quite realistic and practical as information warfare material goes, AWST, 28 Jan 2002, pg 59.
Offensive Information Warfare / Information Operations
The USAF formed the 609th Information Warfare Squadron in early 1996 — AWST, 29 April 1996, pg 52.
The USAF Information Warfare Team was formed at Rome AFB in 1996. Director of CIA John Deutch said, "We have evidence that a number of countries around the world are developing the doctrine, strategies, and tools to conduct information attacks." AWST, 12 Aug 1996, pg 65-66.
In 2007-2008 the USAF made all sorts of conflicting claims about what it was going to do. Looks like political turf battles...
- September 2007 — U.S. Air Force Cyber Command (AFCYBER) is set up, due to become fully operational in the autumn as part of the U.S. 8th Air Force. See the ZDnet article.
24 June 2008 —
No, not based at Barksdale AFB, but spread across
- Barksdale AFB, LA, 36 billets
- Scott AFB, IL, 69
- Langley AFB, VA, 58
- Lackland AFB, TX, 43, also the location of AF Information Operations Center and the 67th Network Warfare Wing
- Tinker AFB, OK, 5
- Davis-Monthan AFB, AZ, 20
- Wright-Patterson AFB, OH, 13
- Hanscom AFB, MA, 7
- Griffiss ANGB (Rome Labs), NY, 2
- Peterson AFB, CO, 7
- 11 February 2008 — "... the Cyber Command is dedicated to the proposition that the next war will be fought in the electromagnetic spectrum, and that computers are military weapons." General William Lord, Barksdale AFB, provisional chief of USAF Cyber Command. See the Wired story.
- 4 March 2008 — "Air Force Gen. Kevin Chilton, commander of U.S. Strategic Command, told lawmakers last week that his office is working with the Joint Task Force for Global Network Operations, the Joint Functional Component Command for Network Warfare and the Joint Staff to develop the National Military Strategy for Cyberspace Operations." See the Federal Computer Week story.
- 13 August 2008 — No, wait, no Cyber Command after all. Several governors had been trying to get it based in their states, but it seems to have died a victim of vagueness of mission. See the Wired story, or the Information Week story.
- 7 October 2008 — No, wait, there will a Cyber Command. "Top Air Force leadership has decided to pursue forming Cyber Command to defend Defense Department networks and to launch cyberattacks against foes after putting the project on hold in August." [....] "Last month, sources said the Pentagon decided that the U.S. Strategic Command in Omaha, Nebraska, should create and run a joint Cyber Command, a move that seemingly dashed any hopes the Air Force had to own Defense's cyber responsibilities." See the NextGov story.
- 7 November 2008 — No, wait, no USAF leadership: "For a while, there, the Air Force was selling itself as the only service that could lead the military through a cyber war. Now, the Pentagon chiefs have made it clear: They're not buying. All of the military services are going to have a role in fighting online. 'It rebuffs the Air Force grab for predominance in cyber operations,' a Pentagon official tells Inside Defense. Last fall, the Office of Secretary of Defense pushed back an even more intense effort by the Air Force to grab control of the military's unmanned air force." See the Wired story.
- 13 November 2008 — "The general in charge of the U.S. Air Force's cyberwarfare effort says plans for his unit have been scaled back because staff who would have been used to set up a cybercommand will be allocated to the service's new nuclear command instead. Air Force Cyber Command was to be established as a major command alongside the service's space, air-combat and other commands — last month. However, those plans were suspended over the summer after Defense Secretary Robert M. Gates fired the Air Force's civilian and military leaders because of lapses in the security of the nation's nuclear arsenal. Last month, plans for a full-fledged major command for cyberwarfare were scrapped." See the Washington Times story.
4 December 2008 —
Inside the Pentagon,
4 Dec 2008:
"Defense Secretary Robert Gates has placed
operational control over the entire range
of military cyberspace activities in the hands
of the Pentagon's premiere offensive
cyberwarfare unit, according to a Nov. 12
memo obtained by InsideDefense.com.
The move, effective immediately, puts the Ft. Meade, MD-based Joint Functional Component Command-Network Warfare in charge of the Joint Task Force-Global Network Operations. The Arlington, VA-based JTF-GNO is tasked with defending the military?s networks.
Both organizations are part of U.S. Strategic Command. National Security Agency Director Army Lt. Gen. Keith Alexander is also the JFCC-NW commander. Similarly, the JTF-GNO chief serves as the director of the Defense Information Systems Agency."
22, 24 April 2009 —
Plans are announced to create a new military
command for Pentagon computer network defense
and U.S. offensive capabilities, NSA Director
to head this "Pentagon Cyber Command" and
direct U.S. information operations.
Story 1 and story 2 from the Wall Street Journal.
- Shortly thereafter — I gave up trying to keep this up to date. It has been a long series of excited announcements leading to nothing. A Cyber Command was formed, headquartered at the NSA's Fort Meade, but then it was announced just a day or two before it was become operational on 1 October 2010 that no, that wasn't going to happen after all. The Register reported: "Issues responsible for the delay include difficulties finding suitably qualified staff among America's uniformed legions, and also the fact that it isn't even clear what 'operational' means for a cyberforce."
What they call information warfare (IW) or information operations (IO) is out there, but good luck finding much in the open literature. Just a few brief mentions, like a few sentences in AWST 12 May 2003 pp 62-63. Also be aware that the U.S. Department of Defense uses "information operations" to mean offensive information warfare, including denial of service attacks against data and network connectivity, and more subtly, rendering data or network connectivity worthless by degrading the other side's confidence on it. But at the same time, the Central Intelligence Agency instead uses "information operations" to mean obtaining data statically stored on systems or transiting networks, in order to analyze it and obtain an understanding of the other side's plans.
More recently, see Digits of Doom, in AWST, 24 Sep 2007, pg 74, suggesting that the U.S. military had started attacking jihadist web sites in the preceding few months. The article mentions:
- USAF Cyberspace Command, including the 67th Network Warfare Wing
- US Army's 1st Information Operations Command and its Information Dominance Center
Joint Functional Component Command for
Network Warfare (JFCC-NW),
a part of U.S. Strategic Command and a joint operation
with the National Security Agency.
"Some of its missions include disrupting and invading networks, mining computer bases for intelligence, manipulating data as an element of information warfare and monitoring enemy command-and-control systems."
- "Even with that resume, 'these aren't the only groups involved,' says a senior electronic attack specialist. 'Some are less obvious, but more capable.' In fact, the staff of Deputy Defense Secretary Gordon England has, for some time, been studying the use of deception operations against terrorist networks."
In other stories:
AWST reported that IW/IO was successfully
used by the USAF against Iraq during 1991 and
against Yugoslavia during the Kosovo conflict of
- AWST, 26 Feb 2001, pp 52-53. "The first attack was limited to reading the e-mail of Iraqi commanders. But by the next conflict the tools were much more sophisticated. False messages and targets were injected into Yugoslavia's complex computer-integrated air defense system."
- AWST, 12 April 1999, pp 24-26. "'We shut their eyes [radar] down through jamming,' [an Air Force official] said. 'Also, Air Combat Command has been conducting a lot of information warfare activity. By that I mean getting into their computer system and screwing it up. We're trying to use that capability. By getting into the microwave net, you can insert viruses and deceptive computer communications.'"
- AWST, 23 Aug 1999, 31-32. That article describes attacks on radar and military messaging systems. There were other reports about U.S. attack on Yugoslav banks holding Slobodan Milosovic's deposits.
- AWST, 30 Oct 2000, pp 67-68. EC-130H Compass Call systems intended to penetrate air defense computer systems, planting false messages and targets, did quite well as per a USAF/USN analysis. But the EC-138E Commando Solo TV/radio broadcast aircraft are of decreasing relevance now that direct-broadcast satellite TV systems are common throughout the world.
has had several articles, including series of articles
in some issues:
- There was an overview, several articles in the 19 Jan 1998 issue, pp 52-60.
- A series of articles in late 1999: 8 Nov 1999, pp 81-83; 15 Nov 1999, pp 93-96; 15 Nov 1999, pp 102-103.
- A series of articles in an issue concentrating on information warfare: 26 Feb 2001, pp 50-64.
- In a discussion of the 1 Oct 2002 transition of U.S. Space Command into the new Strategic Command (StratCom), "Command officials are advocating StratCom be designated the IO integrator for regional info operations, providing a global perspective and coordinating with other government agencies." 14 Oct 2002, pg 63.
- Also see AWST 4 Nov 2002 pg 30, and 25 Nov 2002 pg 58.
- Network World repeated some info found in AWST and elsewhere, v17, no47 (20 Nov 2000), pp 1, 16.
- The USAF Fact Sheet.
- The U.S. Air Force Information Operations Center.
- The U.S. Navy Naval Network Warfare Command.
- The USAF formed the 609th Information Warfare Squadron in early 1996, basing it at Shaw AFB, SC. AWST, 29 April 1996, pg 52; AWST, 3 Aug 1998, pg 23. A second squadron is being formed in California by the Air National Guard. AWST, 21 Sep 1998, pg 65.
- In July 1998, the U.S. DOD and intelligence community are interested, but at least as far as anyone is saying, ethical and operational problems remain. Could disinformation turn against us? Where is the line between "prepping the battlefield" and an act of war? What about peacetime uses? The Director of the CIA director said don't worry, "we're not asleep at the switch in this regard," and a Senate staff member on an oversight community says, "The Defense Department has next to nothing to say about this in an unclassified form." See the Washington Post, 8 July 1998, A1, A10, there may still be on-line copies at:
- U.S. News had something 13 July 1998.
- Offensive information operations were part of an exercise in 1998, involving NSA, DISA, and the Air Intelligence Agency. AWST, 21 Sep 1998, pg 65.
- China and other countries were already doing it in 1998, according to the directors of the CIA and NSA. Information Week, 6 Jul 1998.
- The National Infrastructure Protection Center (NIPC) is intended to detect and analyze attacks. Housed within the FBI, staffed by FBI, CIA, NSA, Secret Service, DOT, and other agencies. Network World, 14 Sep 1998, pp 8,74.
- In July 2002 President Bush signed National Security Presidential Directive 16, ordering the government to develop rules for information warfare — establish when and how to attack enemy computer networks, select targets, define who should authorize and launch the attacks. Washington Post, 6 Feb 2003.
- In Feb 2003 the U.S. DOD Strategic Command Joint Task Force - Computer Network Operations (JTF-CNO) was being reororganized into two task forces. One for network defense, the other for computer network attack (CNA). Federal Computer World, 7 Feb 2003.
- Nonsense has happened in the past, and will continue. A 1991 InfoWorld magazine joke turned into an urban legend, reported seriously by U.S. News and World Report, regarding the NSA sending virus-laden printers to Iraq. Nonsense: http://www.vmyths.com/hmul/7/3/
"Network-Centric Warfare" — Terminology with a Convoluted History
Much depends on just what you mean by "network-centric warfare".
Initially (maybe 1996-2000) it seemed to be used recklessly, and was the domain of much wild speculation (science fiction analogies) and dangerous enthusiasm (controlling warships with Windows NT).
After maybe 2000 or so it seems to have really been working, but by then it really should have been called something more like "information-centric" or "communication-centric" warfare.
The point is the sharing of information and how that information is used, not just the fact that there's a networked graphical interface.
The Yorktown Failure — The Blue-Water Blue Screen of Death
september 1997 yorktown windows
Also see the Military and Aerospace Electronics article: "Navy Postmortem Tries to Pinpoint What Went Wrong With the 'Smart Ship'", in Military and Aerospace Electronics, March 2001, pp 1,5.
Early enthusiasm for "Network-Centric Warfare"
"What is Information Warfare" is available from the Government Printing Office (by Martin C. Libicki, August 1995, National Defense University series, G.P.O. 1996-405-201:40005). Much enthusiasm and anecdotes, light on technical facts and realism. Note the section where he discusses William Gibson's science-fiction novels and the movie "TRON" as possible models! Well, it's out there, and some people may consider it important.
Two government references that look better are NIST Special Publication 800-12 and NIST Special Publication 800-14.
"Network-Centric Warfare", Vice Adm Arthur K. Cebrowski and John J. Garstka, U.S. Naval Institute Proceedings, Jan 1998, pp 28-35. At least for the USNI publications, this seems to be the article that kicked off the craze.
"IT-21 Intranet Provides Big 'Reachbacks'", Rear Adm Robert M. Nutwell, U.S. Naval Institute Proceedings, Jan 1998, pp 36-38. A pretty good overview.
"Moving the Navy Into the Information Age", Cmdr Michael S. Loescher, U.S. Naval Institute Proceedings, Jan 1999, pp 40-44. He seems to have watched way too much "Star Trek", as the article actually suggests working on "cloaking" and "shielding" as in that sci-fi TV show, plus "omniscience" and "telepathy".
"The Power of e-Sailors", Vice Adm James R. Fitzgerald, U.S. Naval Institute Proceedings, Jul 1999, pp 62-63. A decent overview, at the expense of yet another unneeded neologism...
Early Skepticism and Caution Regarding "Network-Centric Warfare"
"Beware of Geeks Bearing Gifts", Lt Cmdr Eric Johns, U.S. Naval Institute Proceedings, Apr 1998, pp 74-76.
"The Seven Deadly Sins of Network-Centric Warfare", Thomas P. M. Barnett, U.S. Naval Institute Proceedings, Jun 1999, pp 36-39.
"The Smart Ship is Not the Answer", U.S. Naval Institute Proceedings, Jun 1998, pp 61-64. "Using Windows NT, which is known to have some failure modes, on a warship is similar to hoping that luck will be in our favor."
"Network-Centric: Is It Worth the Risk?", Cmdr William K. Lescher, U.S. Naval Institute Proceedings, Jul 1999, pp 58-63.
A very useful and more recent overview of NCW in its broader and more mature sense is a series of articles in AWST, 27 Jan 2003, pp 37-59.