JOINT REPORT:

Information Warfare Monitor Shadowserver FoundationApril 6, 2010

SHADOWS IN THE CLOUD:

Investigating Cyber Espionage 2.0

INFOWARMONITOR

JR03-2010

WEB VERSION. Also found here:

http://shadows-in-the-cloud.net

JR03-2010

Shadows in the Cloud

FOREWORD

Foreword

Crime and espionage orm a dark underworld o cyberspace. Whereas crime is usually the rst to seek out newopportunities and methods, espionage usually ollows in its wake, borrowing techniques and tradecrat. The

Shadows in the Cloud

report illustrates the increasingly dangerous ecosystem o crime and espionage and itsembeddedness in the abric o global cyberspace.This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques thatdemonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open upin the ast-paced transormations o our technological world. Every new sotware program, social networkingsite, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates anopportunity or this ecosystem to morph, adapt, and exploit.It has also emerged because o poor security practices o users, rom individuals to large organizations. Wetake or granted that the inormation and communications revolution is a relatively new phenomenon, stillvery much in the midst o unceasing epochal change. Public institutions have adopted these new technologiesaster than procedures and rules have been created to deal with the radical transparency and accompanyingvulnerabilities they introduce.Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored acrosscloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposureand potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind thebureaucrat’s careul watch, than they are on the PC today.The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyberespionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanningsatellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence inthis report o the involvement o the People’s Republic o China (PRC) or any other government in the

Shadow

network. But an important question to be entertained is whether the PRC will take action to shut the

Shadow

network down. Doing so will help to address long-standing concerns that malware ecosystems are activelycultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploitsthough the black and grey markets or inormation and data.Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunitystructure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutualrestraint at a global level, a vacuum exists or subterranean exploits to ll.There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvertcyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,or through gradual irrelevance as people disconnect out o ear o insecurity.

JR03-2010

Shadows in the Cloud

FOREWORD

There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.

Ron Deibert

Director, the Citizen Lab, Munk School o Global AairsUniversity o Toronto

Rafal Rohozinski

CEO, The SecDev Group (Ottawa)

JR03-2010

Shadows in the Cloud

PART 4: TARGETS & EFFECTS

What is more notable is the distribution o compromised computers across countries.

Figure 6:Locations o Compromised Computers in our Sinkhole

From the recovered IP addresses we were able to identiy the ollowing entities o interest:Honeywell, United States



New York University, United States



University o Western Ontario, Canada



High Commission o India, United Kingdom



Vytautas Magnus University, Lithuania



Kaunas University o Technology, Lithuania



National Inormatics Centre, India



New Delhi Railway station (*railnet.gov.in), India



Times of India



, IndiaPetro IT, (reserved123.petroitg.com), India



Federation o Indian Chambers o Commerce and Industry, India



Commission or Science and Technology or Sustainable Development in the South, Pakistan



JR03-2010

Shadows in the Cloud

PART 4: TARGETS & EFFECTS

4.2

Victim Analysis on the Basis of Recovered Documents

In total we recovered data rom 44 compromised computers. The documents recovered rom the OHHDL werereconstructed rom captured network trafc, while the remainder were retrieved rom an open directory onone command and control server. Only seven o the remaining 43 compromised computers (not counting theOHHDL computer) or which we were able to recover exfltrated data also checked in with the same controlserver. Thereore we can only identiy the IP addresses o these seven computers. Five o these seven computershave IP addresses that are assigned to India, while the remaining two are assigned to Thailand and the PRC. Asnoted below, the Chinese IP address represents the attacks on IP addresses along with two test (junk) text flesthat appear to have been used or testing the malware.We determined the country and entity rom which the documents were exfltrated based on the content o thedocuments themselves in cases where we did not obtain an IP address. In addition, we assigned two countrycodes to the compromised computers: one country code indicates the physical (IP) country in which the com-puter is located, and the second country code indicates the country o ownership. Thus a compromised com-puter at a oreign embassy would be assigned a country code based on its geographical region, and a secondbased on the home country to which the oreign mission belongs.Based on geographic location, the vast majority are in India.

Figure 7:Locations o Compromised Computers rom which Documents were Exfltrated

JR03-2010

Shadows in the Cloud

PART 4: TARGETS & EFFECTS

Based on the country o ownership, the results show an even higher number or India.

Figure 8: Locations o Ownership o Exfltrated Documents

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

Download this Document for Free Print Mobile Collections Report Document

This is a private document.

Info and Rating

Reads:

124,828

Uploaded:

04/05/2010

Category:

Research>Internet & Technology

Rated:

(8 Ratings)

Attribution Non-commercial No-derivs

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other co... (More)