JOINT REPORT:

Information Warfare Monitor Shadowserver FoundationApril 6, 2010

SHADOWS IN THE CLOUD:

Investigating Cyber Espionage 2.0

INFOWARMONITOR

JR03-2010

WEB VERSION. Also found here:

http://shadows-in-the-cloud.net

JR03-2010

Shadows in the Cloud

FOREWORD

Foreword

Crime and espionage orm a dark underworld o cyberspace. Whereas crime is usually the rst to seek out newopportunities and methods, espionage usually ollows in its wake, borrowing techniques and tradecrat. The

Shadows in the Cloud

report illustrates the increasingly dangerous ecosystem o crime and espionage and itsembeddedness in the abric o global cyberspace.This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques thatdemonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open upin the ast-paced transormations o our technological world. Every new sotware program, social networkingsite, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates anopportunity or this ecosystem to morph, adapt, and exploit.It has also emerged because o poor security practices o users, rom individuals to large organizations. Wetake or granted that the inormation and communications revolution is a relatively new phenomenon, stillvery much in the midst o unceasing epochal change. Public institutions have adopted these new technologiesaster than procedures and rules have been created to deal with the radical transparency and accompanyingvulnerabilities they introduce.Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored acrosscloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposureand potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind thebureaucrat’s careul watch, than they are on the PC today.The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyberespionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanningsatellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence inthis report o the involvement o the People’s Republic o China (PRC) or any other government in the

Shadow

network. But an important question to be entertained is whether the PRC will take action to shut the

Shadow

network down. Doing so will help to address long-standing concerns that malware ecosystems are activelycultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploitsthough the black and grey markets or inormation and data.Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunitystructure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutualrestraint at a global level, a vacuum exists or subterranean exploits to ll.There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvertcyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,or through gradual irrelevance as people disconnect out o ear o insecurity.

JR03-2010

Shadows in the Cloud

FOREWORD

There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.

Ron Deibert

Director, the Citizen Lab, Munk School o Global AairsUniversity o Toronto

Rafal Rohozinski

CEO, The SecDev Group (Ottawa)

JR03-2010

Shadows in the Cloud

PART 4: TARGETS & EFFECTS

meetings or the

Journal of Defence Studies

, budgets and inormation on a variety o speakers, visitors, andconerence participants.

Defence-oriented publications, India



We assess that computers at the

India Strategic

deence magazine and

FORCE

magazine were compromisedbased on the documents exfltrated by the attackers. During the period in which we monitored the attackers,58 documents were exfltrated. While these documents include publicly accessible articles and previousdrats o those articles, there is also private inormation regarding the contact details o subscribers and con-erence participants. The documents also include interviews, documents, and PowerPoint presentations romconerences that detail national security topics, such as network data and monitoring or national security,and responses to combat cyber threats.

Corporations, India



We assess that computers at YKK India Private Limited, DLF Limited, and TATA were compromised basedon the documents exfltrated by the attackers. During the period in which we monitored the attackers, fvedocuments were exfltrated. These documents include rules overseeing busiiness travel, a presentation onroadmap and fnancial status, and an annual plan or a business partnership.

Maritime, India



We assess that computers at the National Maritime Foundation and the Gujarat Chemical Port TerminalCompany Limited were compromised based on the documents exfltrated by the attackers. During the periodin which we monitored the attackers, 53 documents were exfltrated. These documents include a summaryo a seminar as well as numerous documents relating to specifc shipping schedules, fnancial matters andpersonal medical inormation.

United Nations



The United Nations Economic and Social Commission or Asia and the Pacifc (UNESCAP) is based inThailand and acilitates development in the Asia-Pacifc region. We assess that a computer at UNESCAP hasbeen compromised based on the documents exfltrated by the attackers. In addition to inormation concern-ing a variety o conerences and presentations, there were also internal Mission Report documents regardingtravel and events in the region.

PART 5:Tackling Cyber Espionage

JR03-2010

Shadows in the Cloud

PART 5: TACKLING CYBER ESPIONAGE

5.1

Attribution and Cyber Crime / Cyber Espionage

During this investigation we collected malware samples used by the attackers, which were primarily PDFs thatexploited vulnerabilities in Adobe Acrobat and Adobe Reader. In addition, we collected malware used by the at-tackers ater successully compromising a targeted system as well as network trac captured rom the OHHDL.We were able to map out the command and control inrastructure o the attackers and in several cases viewdata that allowed us to identiy targets that had been compromised and recover exltrated documents. We didnot have access to data regarding specic attacks on any o the targets we have identied. In other words, wecannot denitely tell how any one individual target was compromised. And, more importantly, we do not havedata regarding the behaviour o the attackers once inside the target’s network.However, we do have two key pieces o inormation: the rst is an email address used in a document in theattackers’ possession that provided steps on how the attackers could use Yahoo! Mail as a command and controlserver; the second is the IP addresses used by the attackers to send emails rom Yahoo! Mail accounts used ascommand and control servers.Email addresses used by the attackers have proven to provide critical clues in past investigations. Following therelease o the

GhostNet

investigation,

The Dark Visitor

— a blog that researches Chinese hacking activities —investigated one o the email addresses we published that was used to register the domain names the attackersutilized as command and control servers. While these were not

GhostNet

domain names, one o them is thesame as one used by the attackers in this investigation: lookbytheway.net (Henderson 2009a).The email address used to register lookbytheway.net is losttemp33@hotmail.com. The

Dark Visitor

oundorum posts made by losttemp33@hotmail.com, who also used the alias “lost33.” Further searching revealed “anindividual who was associated with Xocus, Isbase,” two popular Chinese hacking orums, and “seems to havestudied under Glacier” (Henderson 2009b). Glacier is known as “Godather o the Chinese Trojan” (Henderson2007a), and an association with him indicates lost33’s connections to the hacking underground in the PRC. Usinginormation ound on lost33’s blog,

The Dark Visitor

was able to nd another blog used by lost33, now operatingunder the alias “damnootman”, and had a text chat conversation with him on the Chinese instant messengerservice QQ, where the individual admitted to being the owner o the email address losttemp33@hotmail.com.From this inormation,

The Dark Visitor

was able to determine this individual has connections to the orums o Xocus and Isbase (the Green Army), NSocus and Eviloctal, as well as connections to the hackers Glacier andSunwear. He was born on July 24, 1982, lives in Chengdu, Sichuan, and attended the University o ElectronicScience and Technology o China, which is also located in Chengdu.Our investigation also indicated strong links to Chengdu, Sichuan. The attacker used Yahoo! Mail accounts as com-mand and control servers, rom which the attacker sent emails containing new malware to the already compromisedtargets. All o the IP addresses the attacker used when sending these emails are located in Chengdu, Sichuan.We were able to retrieve a document rom the attackers that indicated the steps neccessary to use Yahoo! Mailaccounts as command and control servers. There was also an account used by the attackers in this documentor testing purposes. Searches or this email address returned several advertisements or apartment rentals inChengdu, Sichuan.

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

Download this Document for Free Print Mobile Collections Report Document

This is a private document.

Info and Rating

Reads:

124,877

Uploaded:

04/05/2010

Category:

Research>Internet & Technology

Rated:

(8 Ratings)

Attribution Non-commercial No-derivs

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other co... (More)