JOINT REPORT:
SHADOWS IN THE CLOUD:
Investigating Cyber Espionage 2.0
JR03-2010
WEB VERSION.

Foreword
Crime and espionage form a dark underworld of cyberspace. Whereas crime is usually the first to seek out new opportunities and methods, espionage usually follows in its wake, borrowing techniques and tradecraft. The Shadows in the Cloud report illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace.

This ecosystem is the product of numerous factors. Attackers employ complex, adaptive attack techniques that demonstrate high-level ingenuity and opportunism. They take advantage of the cracks and fissures that open up in the fast-paced transformations of our technological world. Every new software program, social networking site, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates an opportunity for this ecosystem to morph, adapt, and exploit.

It has also emerged because of poor security practices of users, from individuals to large organizations. We take for granted that the information and communications revolution is a relatively new phenomenon, still very much in the midst of unceasing epochal change. Public institutions have adopted these new technologies faster than procedures and rules have been created to deal with the radical transparency and accompanying vulnerabilities they introduce.

Today, data is transferred from laptops to USB sticks, over wireless networks at café hot spots, and stored across cloud computing services whose servers are located in far-off political jurisdictions. These new modalities of communicating de-concentrate and disperse the targets of exploitation, multiplying the points of exposure and potential compromise. Paradoxically, documents and data are probably safer in a file cabinet, behind the bureaucrat’s careful watch, than they are on the PC today.

The ecosystem of crime and espionage is also emerging because of opportunism on the part of actors. Cyber espionage is the great equalizer. Countries no longer have to spend billions of dollars to build globe-spanning satellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence in this report of the involvement of the People’s Republic of China (PRC) or any other government in the Shadow network. But an important question to be entertained is whether the PRC will take action to shut the Shadow network down. Doing so will help to address long-standing concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and grey markets for information and data.

Finally, the ecosystem is emerging because of a propitious policy environment — or rather the absence of one — at a global level. Governments around the world are engaged in a rapid race to militarize cyberspace, to develop tools and methods to fight and win wars in this domain. This arms race creates an opportunity structure ripe for crime and espionage to flourish. In the absence of norms, principles and rules of mutual restraint at a global level, a vacuum exists for subterranean exploits to fill.

There is a real risk of a perfect storm in cyberspace erupting out of this vacuum that threatens to subvert cyberspace itself, either through over-reaction, a spiraling arms race, the imposition of heavy-handed controls, or through gradual irrelevance as people disconnect out of fear of insecurity.
There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.
Ron Deibert
Director, the Citizen Lab, Munk School of Global Affairs, University of Toronto

Rafal Rohozinski
CEO, The SecDev Group (Ottawa)
PART 5: TACKLING CYBER ESPIONAGE
Moreover, the same study found that there is nothing that “suggests that the PLA or state security bureaus intend to use hacktivist attacks as a component of a CNO campaign” (Northrop Grumman 2009). In addition, there are a variety of factors, such as the lack of command and control, precision targeting and the inability to maintain surprise and deception, that argue against the use of non-state hackers as part of the PLA’s CNO strategy. In fact, the relationship between the hacker community and the state is more likely to be a concern of the Ministry of Public Security (Northrop Grumman 2009; Henderson 2007b). Interestingly, the Ministry of Public Security has focused primarily on internal security matters, which links with the emphasis on the Tibet-related targets documented in this report (the PRC views Tibet as an internal problem).
5.2.2 Cyber Crime
The activity o cyber criminals in the PRC parallels the activities o cyber criminals around the globe. TheChinese hacker community has been known to engage in criminal activities, primarily motivated by prot.Acting independently o state direction, they are involved in the buying and selling o malware, thet o intellectualproperty, thet o gaming credentials, raud, blackmail, music and video piracy, and pornography (Henderson2007b). This activity is complex and urther obuscated by the move o Eastern European-based criminalnetworks into Chinese cyberspace (Vass 2007). Researchers have identied several core components o thecyber crime ecosystem in the PRC: 
Malware Authors
– motivated by prot and/or stature within the blackhat community, malware authors le-verage their technical skills to create and distribute exploits (including 0day vulnerabilities) as well as trojanhorse programs. Their services are oten advertised on discussion orums.
Website Masters/Crackers
– by maintaining malicious websites, exploiting vulnerable websites and provid-ing hosting or the command and control capabilities o trojans, the website masters/crackers provide theinrastructure or cybercrime in the PRC
“Envelopes” Stealers
– ocus on acquiring username and password pairs, known as envelopes, through theuse o malware kits, which are then sold. They operate and maintain networks o inected computers butpurchase services rom malware authors and website masters/crackers to compensate or their general lacko technical skill.
Virtual Asset Stealers/Sellers
– by exploiting their knowledge o the underground economy, virtual assetstealers/sellers purchase compromised credentials rom envelopes stealers and sell virtual assets to onlinegames players, QQ users and others who drive the demand or stolen virtual goods (Choo 2008; Thibodeau2010; Zhuge et al. 2009).In additional to politically sensitive inormation, we did nd that personal inormation, including bankinginormation, was exltrated by the attackers. It is possible that in addition to exploiting the politically sensitiveinormation the attacks may have also had an interest in exploiting the nancial data that was stolen althoughwe have no direct knowledge o such events occurring.
5.2.3 Overall Assessment
Attribution concerning cyber espionage networks is a complex task, given the inherently obscure modus operandi of the agents or groups under investigation. Cyber criminals aim to mask their identities, and the networks investigated in this report are dispersed across multiple platforms and national jurisdictions. Complicating matters further is the politicization of attribution questions, particularly concerning Chinese intentions around information warfare. Clearly this investigation and our analysis track back directly to the PRC, and to known entities within the criminal underground of the PRC. There is also an obvious correlation to be drawn between the victims, the nature of the documents stolen, and the strategic interests of the Chinese state. But correlations do not equal causation. It is certainly possible that the attackers were directed in some manner — either by sub-contract or privateering — by agents of the Chinese state, but we have no evidence to prove that assertion. It is also possible that the agents behind the Shadow network are operating for motives other than political espionage, as our investigation and analysis only uncovered a slice of what is undoubtedly a larger set of networks. Even more remote, but still at least within the realm of possibility, is the false flag scenario, in which another government altogether is masking a political espionage operation to appear as if it is coming from within the PRC.

Drawing these different scenarios and alternative explanations together, the most plausible explanation, and the one supported by the evidence, is that the Shadow network is based out of the PRC and run by one or more individuals with strong connections to the Chinese criminal underground. Given the often murky relationships that can exist between this underground and elements of the state, the information collected by the Shadow network may end up in the possession of some entity of the Chinese government.
5.3 Notification
Investigations o malware activity, such as that undertaken as part o the
Shadow
and
GhostNet 
investigations,can yield inormation about the network inrastructure o the attackers, inormation about those who have beencompromised, and condential or private documents or other data that may have been exltrated without priorknowledge. Access to this inormation on all levels raises a number o practical, ethical and legal issues, manyo which are unclear given the embryonic nature o the eld o inquiry as a whole.Throughout this investigation, we have been conscious o these issues and have attempted to meet a proes-sional standard in terms o planning and documenting our steps taken in the process o notication. Thisentailed research into existing practices and principles, and engagement with the law enorcement, intelligenceand security communities in a number o countries. We were also conscious o the need to comply with the do-mestic laws in whose context this investigation was undertaken — namely those o India, the United States andCanada — as well as principles governing all academic research at the University o Toronto, where the CitizenLab is located.Notication itsel can be broken down into several categories, each o which entails complicating actors.First, there is notication that is required to takedown the command and control inrastructure, typically to thehosting and service provider companies through which the malware networks operate and on which they arehosted. Complicating matters, these services can be located in numerous national jurisdictions and subject to avariety o privacy laws and norms. Second, there are issues around notication o victims, such as governments,businesses, NGOs and individuals. This type o notication is perhaps the most challenging on ethical, practicaland legal grounds. Notication o governments, or example, can be a very sensitive matter, especially i classi-ed documents are involved or inormation is retrieved that is relevant to national security concerns. 
The sameholds true o notication to individuals or businesses. At what point should a researcher notiy a victim? Whowithin the organization, whether it is a government, a business or an NGO, is the appropriate point o contactor the notication? What i the notication jeopardizes a third party’s security, or leads to some kind o retalia-tion or retribution? Should researchers notiy law enorcement and intelligence agencies in their own countriesbeore reaching out to oreign governments?
Existing practices in this area are underdeveloped and largely informal. In part, this reflects the fact that global cyber security is still an embryonic field. But it also speaks to the very real problem of competitive power politics at the highest levels of national security, which tend to restrict information sharing in sensitive areas around cyber crime and espionage. Generally speaking, information sharing among law enforcement and intelligence agencies across borders is tentative at best, with the exception of that which occurs among close allies with deeply entrenched and long-standing links. Outside of those security communities, notification of services and governments tends to be restricted to specialist technical communities, telecommunications operators, and network administrators, if it occurs at all. Consequently, notification of the types referred to above can be ad hoc and inconsistent, largely contingent on the informal connections among professional communities.

All of these issues were grappled with in the aftermath of the Tracking GhostNet report, and throughout the course of the Shadow investigation. Our experiences in the aftermath of GhostNet, where notification was left incomplete, prompted a more deliberate and self-conscious approach with the Shadow investigation. We were also fortunate to have within our collaboration the experience of the Shadowserver Foundation, whose counsel on notification helped in making decisions about timing and contacts.

By the end of November 2009, we were confident in our access to the basic command and control infrastructure and in our identification of some of the key documents at hand. Upon the realization that some information about individual Canadians was compromised, we notified Canadian authorities in December 2009 about the investigation and the compromise of Canadian-related information, and requested assistance on outreach with one of the victims, namely the Indian government. At the same time, we independently explored whom we might contact in the Indian government, including making inquiries with Canada’s Department of Foreign Affairs. By February 2010, we were able to find on our own what we thought was an appropriate contact in the Indian government, and gave a detailed notification to the National Technology Research Organization. Our notification for takedown of the command and control infrastructure came later in the investigation, after we had collected and analyzed all of the information related to this report, but prior to its release.

Our experiences illustrate the intricate, nuanced and often confusing landscape of global cyber security notification practices. The notification process will continue after the publication of this report.