Reverse Deception: Organized Cyber Threat Counter-Exploitation


Authors: Sean Bodmer


Note that in many of these examples, the activity had been ongoing for more than a few years, and there had been little to no success by the defenders in publicly attributing any associated individuals or groups with the series of events, because the attackers did not need to follow any rules or laws.

NOTE
Some of you may sit back and freak out that we’re mentioning this information, but trust in knowing everything is either publicly available or has been properly reviewed prior to publication. Some of you may coyly smile, knowing you were behind one or more of the series of events discussed and regularly referred to in this book—just know that we’re watching you more than you think…

Moonlight Maze

The Moonlight Maze APT was reported as ongoing for well over two years. Numerous government, military, and academic networks were purportedly probed, and there was some pattern to the adversaries’ activities that was specific enough to generate a name for this course of events. According to publicly available information (public search engines), this event was traced back to a mainframe system in Russia. The actual perpetrators were never caught, nor was any additional information about the series of events released. This would be considered an APT without a doubt. Specific individuals or groups were targeting specific sensitive systems belonging to specific industries.

The overall ability to probe these networks for this period of time without detection or direct attribution illustrates a degree of expertise and resources. The devil always lies in the details. The observables of this event were never clearly or publicly disclosed, but the overarching capabilities and methods that were publicly disclosed are enough to review.

The following are some of the observables known about this event. They illustrate measurable details that were more than likely taken into consideration as metrics when gauging this adversary over the course of the investigation into this threat.

Moonlight Maze Observables

Attack origination points: Unknown
Numbers involved in attack: Unknown
Risk tolerance: Unknown
Timeliness: Systems accessed for more than 2 years
Skills and methods: Unknown
Actions: Persistence and acquisition of foreign intelligence
Objectives: Espionage
Resources: Several years’ worth of code and infrastructure development and operations
Knowledge source: Not much available online

Stakkato

The Stakkato series of events was perpetrated by an individual or group going by the name Stakkato, which included a 16-year-old from Uppsala, Sweden. Several other suspected accomplices were searched, and several computers were seized. This threat was advanced in terms of the methods Stakkato used to operate and to easily gain access to stolen data, via remote exploits of Linux-based systems and compromised accounts and logins.

By using local kernel exploits (a sophisticated technique that requires a high level of knowledge and advanced development skills), Stakkato managed to elevate privileges and gain control of various systems within numerous government agencies and private sector enterprises. Stakkato infiltrated mostly US supercomputing laboratories and used their TeraGrid network, a high-speed international distributed network that connects numerous academic, military, and government systems. Via stolen login credentials, Stakkato was able to access these systems for well over two years. Finally, Stakkato gained access to Cisco Corporation’s router Internetwork Operating System (IOS) source code, which enabled the attacker to develop custom exploits, rootkits (backdoors), and enhanced control of routers around the world.

Things got a little complicated when world government and military systems became involved in the incidents. The primary suspect was apprehended and is currently going through due process in the judicial system.

Stakkato was able to attack and move throughout global enterprises across numerous countries, hopping jurisdictions. This is one of the primary reasons behind the length of time during which Stakkato was able to operate. However, the following examples show how specific observables helped lead to the apprehension of Stakkato.

Stakkato Observables

Objectives: Curious hacker turned cyber criminal entrepreneur
Timeliness: Operated at various times of the day
Resources: Unknown
Risk tolerance: Unknown
Skills and methods: In-depth knowledge of Linux kernel and router programming
Actions: Numerous compromised enterprises and data theft
Attack origination points: Unknown
Numbers involved in attack: Hundreds of systems and dozens of enterprises
Knowledge source: Online forums where the attacker lurked

Titan Rain

The Titan Rain APT was publicly disclosed in 2005 and is said to have continued for more than three years. This was a series of coordinated attacks against American computer systems that focused primarily on the sectors of industry where the US government had several sensitive interests. The threat was reported as being of Chinese origin, and to date, the true perpetrators remain unknown. Overall, the victims involved in the attack were targeted for their sensitive information. This can be considered a cyber espionage case, although the event was never officially labeled as a state-sponsored espionage or corporate-espionage-based series of events.

This APT has been a very regular topic of late, as international corporations and governments point fingers at the People’s Republic of China (PRC), accusing some of its citizens of stealing intellectual property for the purpose of societal, military, and/or monetary gain.

The only known pieces of this event are the observables, which are the only way to work an event of this magnitude and length once it is discovered. Investigators can learn from the mistakes that enabled the events to occur in the first place. In this case, some of the skills and methods used at various times were enough to allow the investigators to determine significant details that enabled attribution of the motives and intent of the threat. The following observables of this event illustrate some measurable details used when gauging threats and adversaries.

Titan Rain Observables

Objectives: Espionage
Timeliness: Precise and punctual
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Depending on the objectives at hand
Skills and methods: Ranging from simple to sophisticated
Actions: Theft of sensitive information
Attack origination points: Global IP addresses (purportedly most from Chinese IP space)
Numbers involved in attack: Thousands
Knowledge source: Unknown

Stormworm

The Stormworm event was advanced in its use of peer-to-peer (P2P) command-and-control infrastructure (a network-based configuration for remote operational control of a botnet), and in the precision with which its operators controlled, manipulated, and disrupted specific Internet communications throughout the world. The delivery of this bot agent was not overly advanced, as it primarily relied on the age-old technique of social engineering, via e-mail messages that contained attachments and/or embedded links to malicious exploit sites. This method is still in use today, and has been defined as phishing, spear phishing, and whaling.

NOTE
Spear phishing relates to sending victims relevant information regarding their professional, organizational, or personal interests. This increases the level of assumed trust by the victims and increases the difficulty in identifying socially engineered e-mail.

The execution and usage of Stormworm proved that the operators and controllers behind this APT were actively monitoring and countering security groups and vendors all around the world. The operators actively attacked network communications of several security vendors. Other security groups that attempted to infiltrate and shut down the botnet were themselves taken offline for hours to days at a time.

Some industry experts have estimated that at one point during its primary operating period of over three years, this botnet accounted for about 8 percent of all malware running on Microsoft Windows systems around the world. The Stormworm botnet worked across numerous industries and sectors, leading to criminal behaviors such as intellectual property theft, identity fraud, bank fraud, and espionage. In 2007, security experts reported that this botnet was large enough to knock an entire country offline for a period of time, which is also known as a distributed denial-of-service (DDOS) attack.

The following are some of the observables of this event.

Stormworm Observables

Objectives: Espionage
Timeliness: Automated and manual operations
Resources: Several years’ worth of code and infrastructure development and operations
Risk tolerance: Very low; numerous updates made to ensure persistence
Skills and methods: First massive true peer-to-peer botnet
Actions: Operators regularly monitored and responded to threats
Attack origination points: Global IP addresses
Numbers involved in attack: Millions
Knowledge source: Numerous online resources regarding the threat

GhostNet

The GhostNet event was identified after an almost year-long investigation by the Information Warfare Monitor (IWM), a group of security industry researchers, experts, and analysts from around the world. This APT was discovered to be focusing its activity on international governments and their diplomatic systems.
