JOINT REPORT:
SHADOWS IN THE CLOUD:
Investigating Cyber Espionage 2.0
JR03-2010
WEB VERSION. Also found here:

FOREWORD
Crime and espionage form a dark underworld of cyberspace. Whereas crime is usually the first to seek out new opportunities and methods, espionage usually follows in its wake, borrowing techniques and tradecraft. The Shadows in the Cloud report illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace.

This ecosystem is the product of numerous factors. Attackers employ complex, adaptive attack techniques that demonstrate high-level ingenuity and opportunism. They take advantage of the cracks and fissures that open up in the fast-paced transformations of our technological world. Every new software program, social networking site, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates an opportunity for this ecosystem to morph, adapt, and exploit.

It has also emerged because of poor security practices of users, from individuals to large organizations. We take for granted that the information and communications revolution is a relatively new phenomenon, still very much in the midst of unceasing epochal change. Public institutions have adopted these new technologies faster than procedures and rules have been created to deal with the radical transparency and accompanying vulnerabilities they introduce.

Today, data is transferred from laptops to USB sticks, over wireless networks at café hot spots, and stored across cloud computing services whose servers are located in far-off political jurisdictions. These new modalities of communicating de-concentrate and disperse the targets of exploitation, multiplying the points of exposure and potential compromise. Paradoxically, documents and data are probably safer in a file cabinet, behind the bureaucrat’s careful watch, than they are on the PC today.

The ecosystem of crime and espionage is also emerging because of opportunism on the part of actors. Cyber espionage is the great equalizer. Countries no longer have to spend billions of dollars to build globe-spanning satellites to pursue high-level intelligence gathering, when they can do so via the web.
We have no evidence in this report of the involvement of the People’s Republic of China (PRC) or any other government in the Shadow network. But an important question to be entertained is whether the PRC will take action to shut the Shadow network down. Doing so will help to address long-standing concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and grey markets for information and data.

Finally, the ecosystem is emerging because of a propitious policy environment — or rather the absence of one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space, to develop tools and methods to fight and win wars in this domain. This arms race creates an opportunity structure ripe for crime and espionage to flourish. In the absence of norms, principles and rules of mutual restraint at a global level, a vacuum exists for subterranean exploits to fill.

There is a real risk of a perfect storm in cyberspace erupting out of this vacuum that threatens to subvert cyberspace itself, either through over-reaction, a spiraling arms race, the imposition of heavy-handed controls, or through gradual irrelevance as people disconnect out of fear of insecurity.
 
There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.
Ron Deibert
Director, the Citizen Lab, Munk School of Global Affairs, University of Toronto
Rafal Rohozinski
CEO, The SecDev Group (Ottawa)
 
PART 1: Background and Context
1.1 Introduction - Building upon GhostNet

Research into computer network exploitation, cyber espionage, malware and botnets has expanded in recent years from a relatively small cottage industry involving primarily technical experts to a major global phenomenon which now includes academia, defence, intelligence, law enforcement, and the private sector. The rapid rise of this industry is in part a recognition of the significant threat that these global criminal ecosystems represent to critical infrastructure, government systems, personal privacy, commerce, and defense. Several high profile cases and events, including the attacks on Google and other American companies in December 2009, underscore the growing threat environment and suggest that these attacks are becoming the norm rather than an exception. Policymakers are responding with legislation, institutional reforms and new initiatives, and an already sizable market for cyber security services is mushrooming into a multi-billion dollar global industry.

This report aims to contribute to research and debate in this domain. Its release is strategic, coming roughly one year after the publication of Tracking GhostNet (see Box 1, below).
Box 1. Tracking GhostNet: Lessons Learned

Tracking GhostNet: Investigating a Cyber Espionage Network was the product of a ten-month investigation and analysis focused on allegations of Chinese cyber espionage against the Tibetan community. The research entailed field-based investigations in India, Europe and North America working directly with affected Tibetan organizations, including the Private Office of the Dalai Lama, the Tibetan Government-in-Exile, and several Tibetan NGOs in Europe and North America. The fieldwork generated extensive data that allowed us to examine Tibetan information security practices, as well as capture evidence of malware that had penetrated Tibetan computer systems. We also engaged in extensive data analysis and technical investigation of web-based interfaces to command and control servers that were used by attackers to send instructions to, and receive data from, compromised computers.

The report documented a wide ranging network of compromised computers, including at least 1,295 spread across 103 countries, 30 percent of which we identified and determined to be “high-value” targets, including ministries of foreign affairs, embassies, international organizations, news organizations, and a computer located at NATO headquarters. Although there was circumstantial evidence pointing to elements within the People’s Republic of China, our investigation concluded that there was not enough evidence to implicate the Chinese government itself, and attribution behind GhostNet remains a mystery.

The report’s aftermath was a learning experience. The data that had been collected during the GhostNet investigation included sensitive information about compromised computers in over a hundred countries. Many of the victims were understandably concerned about which of their computers were targeted and compromised, and came to us for information. On our side, we felt unsure about the protocol around information sharing, and were in an awkward position to be able to give information over to governments and affected parties directly without being entirely clear about who would be responsible and whether or not our interlocutors were appropriate authorities. The notification problems around GhostNet informed our approach to the Shadows in the Cloud investigation, including being more conscious from the outset of documenting our notification procedures.
The title of the report — Shadows in the Cloud: An Investigation into Cyber Espionage 2.0 — is suggestive of several threads that wind their way through the investigation. First, the malware networks we document and analyze are to a large degree organized and operated through the misuse of social networking and cloud computing platforms, including Google, Baidu, Yahoo!, and Twitter, in addition to traditional command and control servers. Second, although we are able to piece together circumstantial evidence that provides the location and possible associations of the attackers, their actual identities and motivations remain illusory. We catch a glimpse of a shadow of attribution in the cloud, in other words, but have no positive identification. The 2.0 designation also contains a double entendre: it refers to a generational shift we believe is unfolding in malware networks in multiple dimensions, from what were once primarily simple to increasingly complex, adaptive systems spread across redundant services and platforms, and from criminal and industrial-based exploitation to political, military, and intelligence-focused espionage. The 2.0 reference is also meant to note how the Shadow investigation is both a re-engagement with, but also a departure from, its predecessor: the Tracking GhostNet investigation.

This report is a continuation of Tracking GhostNet, but also represents a significantly new investigation yielding different and more nuanced evidence and analysis of the evolving cybercrime and cyber espionage environment. As with GhostNet, we are interested in better understanding the evolving nature and complex ecosystem of today’s malware networks and see this investigation as helping to build a knowledge base around cyber security research. In this respect, Shadows in the Cloud is very much a work-in-progress, insofar as we began this investigation by picking up several threads that were left open-ended or unanswered in the original GhostNet investigation, and expect to continue to examine threads that are left hanging in this report.

The aim of this present investigation is to further refine the methodologies used to investigate and analyze malware networks through a fusion methodology, which combines network-based technical interrogation, data analysis and visualization, and field-based contextual investigations (see Box 2, below). The combination of methods from different disciplines is a critical and common feature of both the GhostNet and Shadow investigations and analyses. Network-based technical interrogation, open source data mining and analysis (using tools such as Google), key informant interviews and field-based investigations on their own can accomplish a great deal, but it is through their fusion that a more comprehensive and nuanced understanding can be achieved.
Box 2. Operationalizing the Fusion Methodology

Over the past decade we have been developing a fusion methodology for investigating the exercise of political power in cyberspace. This approach combines quantitative, qualitative and technical data, and draws on multidisciplinary analysis techniques to derive results. In our field investigations, we conduct research among affected target audiences and employ techniques that include interviews, long-term in situ interaction with our partners, and technical data collection involving system monitoring, network reconnaissance, and interrogation. Data and in situ analysis from field investigations are then taken to the lab where they are analysed using a variety of data fusion and visualization methods, based around the Palantir data fusion system. Leads developed on the basis of in-field activities are pursued through technical investigations, and the resulting data and analysis outputs are shared with our in-field teams and partners for verification and for generating additional entry points for follow-on field investigations. We then interpret results from these investigations through a variety of theoretical lenses drawing from disciplines of political science, international relations, sociology, risk analysis, and criminology (among others). We believe that through this mixed methods interdisciplinary approach we are able to develop a richer understanding than would be possible from studies that focus solely on technical analysis or that primarily consist of legal, policy or theoretical investigations.
The Shadow investigation began as a follow-up of unexplored paths discovered during the GhostNet investigation. It started in the offices of Tibetan organizations who suspected they were targets of cyber espionage, and broadened to include a much wider list of victims. The investigation used a number of techniques, including a DNS sinkhole we established by registering domains that had previously been used by the attackers targeting Tibetan institutions, such as a computer system at the offices of the Dalai Lama. This reinforces our view that the combination of technical analysis and field investigation forms a fruitful starting point of inquiry that ultimately leads to important insights into the attackers’ capabilities, the ability to investigate a much wider domain of infected targets, and a contextual understanding of the attackers.
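As an added illustration of the sinkhole technique described above (this is example code written for this edition, not code from the report or from the Information Warfare Monitor and Shadowserver teams): once expired attacker domains are registered and pointed at a server the investigators control, the check-ins that still-infected machines keep sending become a record of who is compromised. The script below parses constructed web-server log lines in Apache "combined" format with the virtual host appended, keeps only requests whose Host matches a registered sinkhole domain (direct-IP scanner noise and unparseable lines are dropped rather than counted as infections), and groups the rest by source address into a notification list. The domain names, addresses, paths and log lines are all constructed for the example.

```python
import re
from datetime import datetime

# Domains the investigators registered after the attackers let them lapse.
# Constructed names: the report does not list the sinkholed domains here.
SINKHOLE_DOMAINS = {"sinkhole-a.example", "sinkhole-b.example"}

# Constructed sample log: Apache "combined" format with the virtual host (%v)
# appended, as a sinkhole web server might record incoming beacons.
# The fourth line is a scanner hitting the server's bare IP (not a victim);
# the fifth is junk that must not crash the parser.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Apr/2010:10:15:23 +0000] "GET /Exit.php?id=AB12 HTTP/1.1" 200 512 "-" "Mozilla/4.0" sinkhole-a.example
198.51.100.7 - - [06/Apr/2010:10:16:01 +0000] "POST /upload.asp HTTP/1.1" 200 88 "-" "Mozilla/4.0" sinkhole-b.example
203.0.113.10 - - [06/Apr/2010:11:15:25 +0000] "GET /Exit.php?id=AB12 HTTP/1.1" 200 512 "-" "Mozilla/4.0" sinkhole-a.example
192.0.2.44 - - [06/Apr/2010:11:20:00 +0000] "GET / HTTP/1.0" 404 0 "-" "scanner/1.0" 192.0.2.1
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(log_text, sinkhole_domains=SINKHOLE_DOMAINS):
    """Group beacons to registered sinkhole domains by source address.

    Returns {ip: {"hits", "domains", "paths", "first_seen", "last_seen"}}.
    Requests whose Host is not a sinkhole domain are ignored: they are scans or
    unrelated traffic reaching the server's address, not evidence of infection.
    """
    victims = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"].lower()
        if host not in sinkhole_domains:
            continue
        v = victims.setdefault(rec["ip"], {
            "hits": 0, "domains": set(), "paths": set(),
            "first_seen": rec["ts"], "last_seen": rec["ts"],
        })
        v["hits"] += 1
        v["domains"].add(host)
        v["paths"].add(rec["path"].split("?")[0])  # drop per-host query ids
        v["first_seen"] = min(v["first_seen"], rec["ts"])
        v["last_seen"] = max(v["last_seen"], rec["ts"])
    return victims


def beacon_interval_seconds(victim):
    """Average spacing between a host's beacons; None when there is only one hit."""
    if victim["hits"] < 2:
        return None
    span = (victim["last_seen"] - victim["first_seen"]).total_seconds()
    return span / (victim["hits"] - 1)


def notification_report(victims):
    """One tab-separated line per infected address, most active first."""
    rows = []
    for ip, v in sorted(victims.items(), key=lambda kv: (-kv[1]["hits"], kv[0])):
        interval = beacon_interval_seconds(v)
        interval_s = "n/a" if interval is None else f"{interval:.0f}s"
        rows.append(
            f"{ip}\thits={v['hits']}\tdomains={','.join(sorted(v['domains']))}"
            f"\tfirst={v['first_seen'].isoformat()}\tlast={v['last_seen'].isoformat()}"
            f"\tinterval={interval_s}"
        )
    return rows


if __name__ == "__main__":
    for row in notification_report(triage(SAMPLE_LOG)):
        print(row)
```

The per-address grouping is what makes a sinkhole useful for notification: the source address and the beacon timing are what an investigator hands to the owning organization, while the query string (here the constructed `id=AB12`) is stripped because it is a per-victim identifier chosen by the malware rather than something the defender should rely on. Filtering on the Host value rather than on "anything that reached the server" is the caveat that matters in practice; a registered sinkhole address attracts plenty of unrelated scanning.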
