JOINT REPORT:

Information Warfare Monitor Shadowserver FoundationApril 6, 2010

SHADOWS IN THE CLOUD:

Investigating Cyber Espionage 2.0

INFOWARMONITOR

JR03-2010

WEB VERSION. Also found here:

http://shadows-in-the-cloud.net

JR03-2010

Shadows in the Cloud

FOREWORD

Foreword

Crime and espionage orm a dark underworld o cyberspace. Whereas crime is usually the rst to seek out newopportunities and methods, espionage usually ollows in its wake, borrowing techniques and tradecrat. The

Shadows in the Cloud

report illustrates the increasingly dangerous ecosystem o crime and espionage and itsembeddedness in the abric o global cyberspace.This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques thatdemonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open upin the ast-paced transormations o our technological world. Every new sotware program, social networkingsite, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates anopportunity or this ecosystem to morph, adapt, and exploit.It has also emerged because o poor security practices o users, rom individuals to large organizations. Wetake or granted that the inormation and communications revolution is a relatively new phenomenon, stillvery much in the midst o unceasing epochal change. Public institutions have adopted these new technologiesaster than procedures and rules have been created to deal with the radical transparency and accompanyingvulnerabilities they introduce.Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored acrosscloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposureand potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind thebureaucrat’s careul watch, than they are on the PC today.The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyberespionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanningsatellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence inthis report o the involvement o the People’s Republic o China (PRC) or any other government in the

Shadow

network. But an important question to be entertained is whether the PRC will take action to shut the

Shadow

network down. Doing so will help to address long-standing concerns that malware ecosystems are activelycultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploitsthough the black and grey markets or inormation and data.Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunitystructure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutualrestraint at a global level, a vacuum exists or subterranean exploits to ll.There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvertcyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,or through gradual irrelevance as people disconnect out o ear o insecurity.

JR03-2010

Shadows in the Cloud

FOREWORD

There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.

Ron Deibert

Director, the Citizen Lab, Munk School o Global AairsUniversity o Toronto

Rafal Rohozinski

CEO, The SecDev Group (Ottawa)

JR03-2010

Shadows in the Cloud

BIBLIOGRAPHY & SUGGESTED READINGS

Curle, Adam., and Trist, E. L. 1947

. “Transitional Communities and Social Reconnection.”

Human Relations

. Vol. 1:1/2.

Jaques, Elliott. 1949.

“Interpretive Group Discussion as a Method o Facilitating Social Change.”

Human Relations

, 2:3, 269-280.

O’Brien, R. 2001

. Um exame da abordagem metodológica da pesquisa ação [An Overview o the Methodological Approach o ActionResearch]. In Roberto Richardson (Ed.), Teoria e Prática da Pesquisa Ação [Theory and Practice o Action Research]. João Pessoa, Brazil:Universidade Federal da Paraíba,http://www.web.ca/~robrien/papers/arfnal.html(accessed 01 April 2010).

Contemporary Tibet

Barnett, Robert. 2010

. The Tibet Protests o Spring, 2008,

China Perspectives

, 2009:3, 6-24http://chinaperspectives.revues.org/document4836.html. (accessed April 1, 2010).

Jerryson, Michael, and Mark Juergensmeyer. 2010

Buddhist Warfare

, Oxord University Press: New York.

JR03-2010

Shadows in the Cloud

GLOSSARY

Glossary

0day

- is an exploit or which there is no fx rom the sotware vendor available.

Botnet

- reers to a collection o compromised networked computers that can be controlled remotely by an attacker.

Beacon / beaconing / check in

- attempts by a compromised computer to connect to a command and control server.

Blackhat

- generally reers to a person who attempts to compromise inormation technology systems or networks or malicious purposes.

Cloud computing

- is an emerging computing paradigm that generally reers to systems that enable network devices to access data,services, and applications on-demand.

Command and control server

- reers to the network server that sends commands to compromised computers in a botnet.

DNS

(

domain name system

) - is a hierarchical naming system or computers, services, or any resource participating in the Internet.

DoS Attack

(denial o service attack) - is an attempt to prevent users rom accessing a specifc computer resource, such as a Web site.DDoS, (distributed denial o service attacks) usually involve overwhelming the targeted computer with requests so that it is no longerable to communicate with its intended users.

HTTP

(

Hypertext Transfer Protocol

) - is a set o standards or exchanging text, images, sound and video by means o the Internet.

IP address

(

Internet protocol address

) - is a numerical identifcation assigned to devices participating in a computer network utlizing theInternet protocol.

Malware

(

malicious software

) - reers to sotware designed to carry out a malicious purpose. Varieties o malware include computerviruses, worms, trojan horses, and spyware.

OHHDL

- Ofce o His Holiness the Dalai Lama.

Phishing

- an attack in which an attacker attempts to obtain sensitive inormation rom an individual by masquerading as a trusted thirdparty. A common example o such an attack is a user receiving an email rom a source that appears to be a trustworthy entity, such asthe user’s bank. Such emails oten request the user to visit a website that appears to be the login page o a service they use, such asonline banking, and enter their username and password, which is then collected by the attackers and used or malicious purposes.

PRC

- People’s Republic o China.

Sinkhole

- Operating domain names ormerly used as command and control servers.

Spear phishing

- is a targeted orm o phishing in which a victim is typically sent an email that appears to be rom an individual ororganization they know. Usually the content o the email includes inormation that is relevant to the victim and includes a malicious fleattachment or link that when opened excecutes malicious code on the victim’s computer.

RiR

(

Regional Internet Registry

) - is an organization that manages the allocation and registration o Internet number resources within aspecifc geographic region.

TGIE

- Tibetan Government in Exile.

TPIE

- Tibetan Parliament in Exile.

Tor

- is an anonymity system that deends users rom trafc analysis attacks in which attackers attempt to monitor users’ onlinebehaviour.

JR03-2010

Shadows in the Cloud

GLOSSARY

Web 2.0

- typically reers to Web-based applications and services that enable user participation, collaboration, and data sharing.

WHOIS

- is a public database o all domain name registrations, which provides inormation on individuals who register domain names.

Whitehat

- generally reers to a person who attempts to infltrate inormation technology systems or networks in order to expose weaknessso they can be corrected by the system’s owners. Also known as an ethical hacker.

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

Download this Document for Free Print Mobile Collections Report Document

This is a private document.

Info and Rating

Reads:

124,853

Uploaded:

04/05/2010

Category:

Research>Internet & Technology

Rated:

(8 Ratings)

Attribution Non-commercial No-derivs

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other co... (More)