Reverse Deception: Organized Cyber Threat Counter-Exploitation (18 page)

GhostNet had purportedly compromised the embassy systems of well over 20 countries across the world. The delivery again was the age-old technique of social engineering, based on e-mail messages that were considered targeted (also known as spear phishing).

Most security experts have pointed fingers at Chinese-based hackers, as almost all of the command-and-control servers that GhostNet used had IP addresses based in China, some even owned by the Chinese military. The Trojan itself was a simple customized remote administration tool (RAT) that provided the operators with the ability to remotely control the victims’ systems in real time without the victims’ knowledge. This type of access provided the attackers with the ability to enable several forms of logging, including video and audio recordings of the victims and those around them, if the appropriate hardware was available on the victim’s system.

When considering the following observables of this threat, you will see how advanced and persistent it truly was from an operational perspective.

Byzantine Hades/Foothold/Candor/Raptor

As you can see by the title of this section, there is more than one name for the Byzantine Hades series of events. This represents multiple cyber attacks on international and US systems for the primary purpose of espionage (among other things). It has been said this threat is related to ongoing efforts by Chinese hackers (purportedly state-sponsored) to steal sensitive information and advanced technologies in order to artificially advance their many sectors of technology and other industries where stealing information increases success. Although there are numerous publicly disclosed reports of this threat, and many fingers point to Chinese-based hackers, no public documents can be found that definitively attribute the APT to the People’s Liberation Army (for now).

It has been said that the US government sees this APT as the largest cyber-espionage effort in recorded history. Simply searching online will enlighten you to the many levels of US government agencies that have publicly admitted to having knowledge of this threat, yet there has been little to no direct attribution of the masterminds of this series of events. To date, no arrests have been made, and the reported victims have not filed any charges against any specific intruder. (Who would want to admit their entire network has been owned and there’s nothing they can do about it? Buhler…? Buhler…?)

It is estimated that private systems of US government, US military, and several Cleared Defense Contractors (CDCs) unclassified systems have also been compromised by this same threat. Not much has been made public beyond this threat being attributed to Chinese cyber activity with efforts to infiltrate and maintain a persistent backdoor into sensitive US government, financial, corporate, and academic enterprise networks. This event was also mentioned in several of the cables released by WikiLeaks, inferring the threat to be targeted, run, and sponsored by components of the Chinese government, but nothing definitive has stuck to date.

The following are some of the observables of this threat.

Operation Aurora

The Operation Aurora threat was discovered in late 2009, and was identified as operating undetected since mid-2009. The series of events surrounding Operation Aurora generated an ensuing “fog of war,” where multiple firms were bickering over whether this event was indeed advanced. In our professional (slightly unbiased) opinion, the overall tools and techniques of this event were not overly advanced. Only a slight portion of the events were actually advanced, specifically the Trojan Hydraq, which was proved to have been initially developed in a university in China (see a common theme?). This event has great historical significance, as giant international firms such as Google, Adobe, Juniper Networks, Northrop Grumman, Yahoo!, Symantec, Dow Chemical, and several others came forward and disclosed that they were victims of intrusions associated with Operation Aurora.

The most significant item to take away from this APT is that it was targeted specifically at private commercial corporations and CDCs,
not
a government agency. This APT tipped the scales for the security industry as a whole, as everyone thought that APTs were specific to the government and financial sectors. This proved everyone very wrong.

This was a persistent threat, in that it lasted for well over six months, using a standard command-and-control infrastructure, but only some of the tools and techniques were advanced. As noted, there was the advanced Trojan known as Hydraq, which was the backdoor that ran on the host machine and performed most of the host-level activity on the victim systems to steal the accessed information. The actual infection vectors were again those age-old techniques of socially engineered e-mail messages and drive-by-downloads (which occur when victims surf to a website and are exploited or socially engineered to download an initial Trojan).

What rattled the world throughout the media hype of this series of events was the victims involved. Without knowing the victimology (which is the analysis of the victim’s part in the criminal offense) of these incidents and the true nature of what occurred behind the monolithic walls of each of these firms, speculation is left to many and the actual knowledge to only a few. Albeit none of us can point fingers, it was leaked in one of the WikiLeaks cables that this was a PRC-sponsored espionage event. However, there are discernable observables even to an outsider without any knowledge of the events that occurred internally within each firm, as summarized in the following table.

Stuxnet

The Stuxnet series of events should definitely be considered an APT. Computer attacks against programmable logic controllers (PLCs) and human machine interfaces (HMIs), which are generally software platforms that enable humans to interact with supervisory control and data acquisition (SCADA) systems, are not anything new. This type of activity has been going on since SCADA systems began running from applications on x86-based operating systems, such as Microsoft Windows and various flavors of Linux. Most of the exploits seen to date have been associated with the base operating systems, and then from there, other more custom exploits have been crafted by various advanced threats. Stuxnet is one of the more recent and prominent evolutions of this series of threats.

Stuxnet has been another reportedly nation-state-level-supported family of malware, one of the first true examples of cyber warfare—the threat of having your national infrastructure brought to its knees within minutes or hours, and the weeks, months, and years it would take to recover and remediate all of the systems involved. Also, there is the risk of residual infections persisting within the hardware of a system that could reinfect the entire network once remediated (or so thought). The Trojan behind Stuxnet could propagate to a remote system repeatedly using the same zero-day remote exploit that enabled it to move throughout a network uninhibited. The possibilities are endless with the right resources for any environment operating within a modern national infrastructure. It was noted that Stuxnet could have operated for months, manipulating systems without the need to “phone home” (make contact with the remote command-and-control infrastructure). This means it was developed by a highly motivated attacker who had specific objectives in mind and the resources to back the time and investment in a tool as autonomous as this one.

The following are some of the observables of this threat.

Russian Business Network

Around 2005, investigations began into a web-hosting firm known to many as the Russian Business Network (RBN). This close-knit and almost untraceable mysterious group had been operating and maintaining what is better known as a bulletproof hosting (BPH) service, which provided all levels of criminal and objectionable activities to operate without fear of being shut down, attributed, and/or apprehended. This group of cyber-crime entrepreneurs is a good example for the topic of APTs, as it was a launchpad for numerous persistent and advanced threats over a period of a few years until it was taken down in late 2008. This series of networks was directly associated with numerous forms of cyber attacks against countries all over the world.

The RBN was composed of numerous criminal-hosting fronts that enabled cyber criminals to operate with impunity across all industries and sectors for years. It has been estimated that the RBN was earning up to more than $150 million a year in revenue by allowing criminals to actively operate throughout the network for a fee of around $600 per month per domain or IP address. Now if you do the math, that adds up to a lot of malicious activity occurring behind those digital walls. One of the most well-designed strategies used by the RBN was that it was never a wholly registered company. All of the organizations were shell firms that were owned and operated by numerous networks via false identities, addresses, and anonymous e-mail addresses.

The most prominent activity hosted by the RBN was delivery of a series of crimeware known as
rogue AV
- or
fake AV
-based products, which look to the casual computer user like true antivirus, anti-malware, or anti-spyware applications. After installation, injection occurs through social engineering, client-side exploitation (attacks against the victim applications), or fake applications with hidden Trojans. The application would install itself, and then modify and disable the operating system’s security settings, disable security products, attempt to get the user to fill in financial information, and finally steal as much information from the victim as was desired by the criminal.