JOINT REPORT:
SHADOWS IN THE CLOUD:
 
Investigating Cyber Espionage 2.0
JR03-2010
WEB VERSION. Also found here:
 
 
JR03-2010
Shadows in the Cloud 
Foreword
Crime and espionage orm a dark underworld o cyberspace. Whereas crime is usually the rst to seek out newopportunities and methods, espionage usually ollows in its wake, borrowing techniques and tradecrat. The
Shadows in the Cloud
report illustrates the increasingly dangerous ecosystem o crime and espionage and itsembeddedness in the abric o global cyberspace.This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques thatdemonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open upin the ast-paced transormations o our technological world. Every new sotware program, social networkingsite, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates anopportunity or this ecosystem to morph, adapt, and exploit.It has also emerged because o poor security practices o users, rom individuals to large organizations. Wetake or granted that the inormation and communications revolution is a relatively new phenomenon, stillvery much in the midst o unceasing epochal change. Public institutions have adopted these new technologiesaster than procedures and rules have been created to deal with the radical transparency and accompanyingvulnerabilities they introduce.Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored acrosscloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposureand potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind thebureaucrat’s careul watch, than they are on the PC today.The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyberespionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanningsatellites to pursue high-level intelligence gathering, when they can do so via the web. 
We have no evidence inthis report o the involvement o the People’s Republic o China (PRC) or any other government in the
Shadow
 network. But an important question to be entertained is whether the PRC will take action to shut the
Shadow
 network down. Doing so will help to address long-standing concerns that malware ecosystems are activelycultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploitsthough the black and grey markets or inormation and data.Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunitystructure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutualrestraint at a global level, a vacuum exists or subterranean exploits to ll.There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvertcyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,or through gradual irrelevance as people disconnect out o ear o insecurity.
 
There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.
Ron Deibert
Director, the Citizen Lab, Munk School o Global AairsUniversity o Toronto
Rafal Rohozinski
CEO, The SecDev Group (Ottawa)
 
PART 4: Targets and Effects
 
4.1 Compromised Victims: The Evidence
Mistakes on the part of the attackers allowed us to view the attackers' list of victims at four command and control locations. In addition, we were able to recover exfiltrated data from two locations. This provided us with a snapshot of the computers that have been compromised by the attacks. Thus, this is not a complete list of all those compromised by this attacker. Rather, it is simply those checking in with or uploading data to the portions of the network that we were able to view. Moreover, there was considerable overlap between different methods of command and control, with individual computers checking in at multiple locations. Therefore, we do not have consistent data across all compromised computers. There are two categories of victims: those for whom we only have technical identifying information, such as IP addresses; and those from whom we have recovered exfiltrated data but for whom we do not have IP addresses. In cases where we do not have IP addresses, the identity of the victim is determined from the contextual information found within the exfiltrated data itself.

We obtained information on victims from:
- a web-based interface that lists cursory information on compromised computers located on one command and control server;
- text files in web-accessible directories on three command and control servers that list detailed information on compromised computers;
- information obtained from email accounts used for command and control of compromised computers;
- information obtained from one command and control server from which we retrieved exfiltrated documents (but not necessarily technical identifying information);
- information obtained from our DNS sinkhole.
The primary method of identification used in this section is based upon the IP address of the compromised computer. We looked up the associated IP address in all five Regional Internet Registries (RIR) in order to identify the country and network to which the IP address is assigned. We then performed a reverse Domain Name System (DNS) look-up on each IP address. DNS is the system that translates domain names into IP addresses; reverse DNS is a system that translates an IP address into a domain name. This can potentially provide additional information about the entity that has been assigned a particular IP address. If we discovered a domain name, we then looked up its registration in WHOIS, which is a public database of all domain name registrations and provides information about who registered the domain name.

It was possible to identify the geographic location of the compromised computer at the country level as well as the network to which the IP address was assigned. However, in most cases there was little information in the RIRs pertaining to the exact identity of the compromised entity. Where possible, we note the entity identified by data obtained from the RIRs.

The following list of compromised computers was generated by parsing information from unique victims, not solely IP addresses. The attackers assign the compromised computer a name based on the host name of the computer, which allows us to identify unique victims rather than relying only on IP addresses. In fact, several of the unique victims have multiple IP addresses associated with them, sometimes spanning multiple countries. Here we have generated a geographic breakdown based on the first IP addresses recorded for each compromised computer.
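The victim-identification procedure just described (merge check-in records from several command and control vantage points, group them by the attacker-assigned host name rather than by IP address, take the first IP recorded for each victim, and attribute it to a country and network through RIR and reverse DNS data) can be written down as a small script. The following is an added example and is not code from the report or its authors. Everything in it is constructed: the check-in lines, the allocation table that stands in for RIR data (RFC 5737 documentation prefixes with invented country and holder values), and the single reverse DNS entry; the host names and timestamps are placeholders, not victims from the report. It generalises slightly beyond the text by also listing victims whose addresses span more than one country.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for RIR allocation data (the report queried all five
# RIRs). Prefixes are RFC 5737 documentation ranges; country codes and holder
# names are invented for this example.
RIR_TABLE = [
    (ipaddress.ip_network("192.0.2.0/25"),    "IN", "Example ISP, Delhi"),
    (ipaddress.ip_network("192.0.2.128/25"),  "IN", "Example Government Network, Bangalore"),
    (ipaddress.ip_network("198.51.100.0/24"), "US", "Example Hosting Inc."),
    (ipaddress.ip_network("203.0.113.0/24"),  "PK", "Example Telecom, Karachi"),
]

# Constructed reverse DNS (PTR) results for the few addresses that had one.
REVERSE_DNS = {
    "198.51.100.7": "mail.embassy-example.org",
}

# Constructed check-in records merged from several vantage points (web
# interface, text files, email accounts, sinkhole), in observation order.
# As in the report, one victim host name can appear at more than one C&C
# location and from more than one IP address. Host names are placeholders.
CHECKINS = """\
2009-11-02T10:15:00 src=web_interface host=FIN-PC-01  ip=192.0.2.45
2009-11-02T11:40:00 src=text_files    host=LIB-XP     ip=192.0.2.200
2009-11-03T08:02:00 src=email_c2      host=FIN-PC-01  ip=198.51.100.7
2009-11-05T09:30:00 src=sinkhole      host=ATTACHE-NB ip=203.0.113.9
2009-11-06T12:11:00 src=text_files    host=FIN-PC-01  ip=192.0.2.45
2009-11-07T16:45:00 src=sinkhole      host=LIB-XP     ip=192.0.2.201
2009-11-08T07:20:00 src=web_interface host=ATTACHE-NB ip=198.51.100.7
"""


def parse_checkins(text):
    """Parse 'timestamp key=value ...' lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append({"ts": ts, "src": kv["src"], "host": kv["host"], "ip": kv["ip"]})
    return records


def lookup_rir(ip):
    """Longest-prefix match against the allocation table -> (country, holder)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc, holder in RIR_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc, holder)
    return (best[1], best[2]) if best else ("??", "not in table")


def unique_victims(records):
    """Group check-ins by the attacker-assigned host name.

    Each victim keeps its IP addresses in order of first observation (so
    ips[0] is the first IP recorded) and the set of vantage points that saw it.
    """
    victims = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        v = victims.setdefault(r["host"], {"first_seen": r["ts"], "ips": [], "sources": set()})
        if r["ip"] not in v["ips"]:
            v["ips"].append(r["ip"])
        v["sources"].add(r["src"])
    return victims


def country_breakdown(victims):
    """Country counts using only the first IP recorded for each victim."""
    return Counter(lookup_rir(v["ips"][0])[0] for v in victims.values())


def victims_spanning_countries(victims):
    """Host names whose recorded IPs fall in more than one country."""
    return sorted(h for h, v in victims.items()
                  if len({lookup_rir(ip)[0] for ip in v["ips"]}) > 1)


def describe(victims):
    """One line per victim: first IP, country, holder, reverse DNS name, vantage points."""
    lines = []
    for host, v in victims.items():
        ip = v["ips"][0]
        cc, holder = lookup_rir(ip)
        ptr = REVERSE_DNS.get(ip, "-")
        lines.append(f"{host:<12} {ip:<15} {cc} {holder} ptr={ptr} seen_by={sorted(v['sources'])}")
    return lines


if __name__ == "__main__":
    victims = unique_victims(parse_checkins(CHECKINS))
    print("\n".join(describe(victims)))
    print("by country (first IP):", dict(country_breakdown(victims)))
    print("spanning countries:", victims_spanning_countries(victims))
```

Grouping by host name is what keeps a machine that checked in from two networks from being counted twice, and the per-victim source set shows the overlap between command and control methods that the text mentions. With the constructed input, two victims are attributed to India and one to Pakistan on first IP, while two of the three appear from addresses in more than one country.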
 
Figure 4: Locations of Compromised Computers in the Shadow Network

While there is considerable geographic diversity, there is a high concentration of compromised computers located in India. However, we were only able to identify two of the compromised entities:
- Embassy of India, United States
- Embassy of Pakistan, United States
4.1.1 Sinkhole
A DNS sinkhole server is a system that is designed to take requests from a botnet or infected systems and record the incoming information. The sinkhole server is not under the control of the malware authors and can be used to gain an understanding of a botnet's operation. There are a few different techniques that are used to sinkhole botnet traffic. The easiest method is to simply register an expired domain that was previously used to control victim systems. Being able to do this generally indicates the botnet operator has lost control of the domain, forgotten to renew it, or that the botnet has been abandoned. Another method focuses on reverse-engineering the malware to determine if it has "fail over" command and control servers or special methods to compute future domains. This may require that a domain name generation algorithm be discovered and that one must register the domain names before the attacker does (Stone-Gross et al. 2009).

During the GhostNet investigation we found that a computer at the OHHDL was compromised by both the GhostNet and what we are now calling the Shadow network. We had a list of several domains that were expiring that we had linked to attacks against OHHDL. We were able to register several of these domain names in order to gather information about the network's command and control infrastructure, communication methods,
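To make the sinkhole mechanism of 4.1.1 concrete: once an expired command and control domain has been re-registered, the name has to resolve to a server the investigators control, and that server records who asks for it. The following added example (not code from the report or its authors) is a minimal authoritative DNS responder for a sinkholed zone: it answers every A query under the zone with the sinkhole address and logs the source address and queried name. The zone name expired-c2.example and the address 192.0.2.10 are placeholders chosen for the example, not the report's domains or servers; the DNS wire format used is the standard one from RFC 1035.

```python
import socket
import struct
from collections import defaultdict

# Assumed sinkhole address (an RFC 5737 documentation address, not from the report).
SINKHOLE_IP = "192.0.2.10"
# Assumed sinkholed zone; a placeholder, not one of the report's domains.
SINKHOLED_ZONE = "expired-c2.example"


def encode_qname(name):
    """Encode a dotted name in DNS label format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data, offset):
    """Decode the uncompressed name in a question section; returns (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers do not appear in a well-formed question name.
            raise ValueError("unexpected label compression in question")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name, qtype=1):
    """Build a standard recursion-desired query (type 1 = A); used to exercise the responder."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def build_sinkhole_response(query, sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Answer any A query inside the sinkholed zone with the sinkhole address.

    Returns (queried_name, response_bytes). Queries for other names or other
    record types get an empty NOERROR response.
    """
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = decode_qname(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]

    in_zone = name == SINKHOLED_ZONE or name.endswith("." + SINKHOLED_ZONE)
    answer = b""
    if qtype == 1 and in_zone:
        # Name pointer 0xC00C refers back to offset 12, the question name.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sinkhole_ip)
    ancount = 1 if answer else 0
    # Flags 0x8180: response, recursion desired and available, RCODE 0.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return name, header + question + answer


class CheckinLog:
    """Records which source addresses asked for which sinkholed names, and how often."""

    def __init__(self):
        self.seen = defaultdict(lambda: defaultdict(int))

    def record(self, src_ip, name):
        self.seen[src_ip][name] += 1

    def summary(self):
        """Return {source_ip: total queries}, most active source first."""
        totals = {ip: sum(c.values()) for ip, c in self.seen.items()}
        return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def serve(bind_addr="0.0.0.0", port=53, log=None):
    """Serve over UDP (port 53 needs privileges); not exercised by the tests."""
    log = log or CheckinLog()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src_ip, src_port) = sock.recvfrom(512)
        try:
            name, response = build_sinkhole_response(data)
        except ValueError:
            continue  # malformed packet; ignore it
        log.record(src_ip, name)
        sock.sendto(response, (src_ip, src_port))


if __name__ == "__main__":
    serve()
```

The DNS side is only half of a sinkhole: the address it hands out must also run a listener for whatever protocol the malware speaks, so that the check-ins themselves (not just the name lookups) are recorded. The log kept here is what feeds the sinkhole entries in the victim list of 4.1.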