JOINT REPORT:

Information Warfare Monitor Shadowserver FoundationApril 6, 2010

SHADOWS IN THE CLOUD:

Investigating Cyber Espionage 2.0

INFOWARMONITOR

JR03-2010

WEB VERSION. Also found here:

http://shadows-in-the-cloud.net

JR03-2010

Shadows in the Cloud

FOREWORD

Foreword

Crime and espionage orm a dark underworld o cyberspace. Whereas crime is usually the rst to seek out newopportunities and methods, espionage usually ollows in its wake, borrowing techniques and tradecrat. The

Shadows in the Cloud

report illustrates the increasingly dangerous ecosystem o crime and espionage and itsembeddedness in the abric o global cyberspace.This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques thatdemonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open upin the ast-paced transormations o our technological world. Every new sotware program, social networkingsite, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates anopportunity or this ecosystem to morph, adapt, and exploit.It has also emerged because o poor security practices o users, rom individuals to large organizations. Wetake or granted that the inormation and communications revolution is a relatively new phenomenon, stillvery much in the midst o unceasing epochal change. Public institutions have adopted these new technologiesaster than procedures and rules have been created to deal with the radical transparency and accompanyingvulnerabilities they introduce.Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored acrosscloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposureand potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind thebureaucrat’s careul watch, than they are on the PC today.The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyberespionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanningsatellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence inthis report o the involvement o the People’s Republic o China (PRC) or any other government in the

Shadow

network. But an important question to be entertained is whether the PRC will take action to shut the

Shadow

network down. Doing so will help to address long-standing concerns that malware ecosystems are activelycultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploitsthough the black and grey markets or inormation and data.Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunitystructure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutualrestraint at a global level, a vacuum exists or subterranean exploits to ll.There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvertcyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,or through gradual irrelevance as people disconnect out o ear o insecurity.

JR03-2010

Shadows in the Cloud

FOREWORD

There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.

Ron Deibert

Director, the Citizen Lab, Munk School o Global AairsUniversity o Toronto

Rafal Rohozinski

CEO, The SecDev Group (Ottawa)

JR03-2010

Shadows in the Cloud

PART 1: BACKGROUND & CONTEXT

As was the case with

GhostNet,

dozens o high-level government networks, embassies, international organiza-tions and others have been penetrated, and condential, sensitive, and private documents stolen. The

Shadows

report underscores the interconnected and complex challenges o cyber security. In particular, it points to thepossibility o a perect storm that may result rom a lack o international consensus, ill-developed and imple-mented security practices, a paucity o notication mechanisms, and the growing confuence o cyber crime,traditional espionage, and the militarization o cyberspace.

1.2 About the

Shadows in the Cloud

Investigation:

Beyond

GhostNet

The

Tracking GhostNet

report revealed a small piece o the underground cyber espionage world. Ater thereport was published, several o the command and control servers listed in the report and part o the networkwent ofine. However, targeted cyber attacks against Tibetan interests and various governments did not sud-denly cease. The Shadowserver Foundation had also been looking into several similar cyber attacks both priorto and ater the

GhostNet

report was published. Approximately six months ater the report’s publication, theShadowserver Foundation and the Inormation Warare Monitor began a collaborative eort to urther investi-gate new and related attacks, as well as any remaining parts o

GhostNet

Shadows in the Cloud

thus departs rom

Tracking GhostNet

in several ways. Research on cyber security israpidly developing, and several groups with widely diering skill sets and experience are working on related areas.Inormation sharing, generally speaking, is immature and underdeveloped, oten hampered by proprietaryconcerns surrounding the commercial market or cyber security services. Progress on research in this area willonly stand to benet rom greater dialogue and inormation sharing among security researchers.

Shadows in theCloud

was thus undertaken jointly by the Inormation Warare Monitor, which itsel is a collaborative engage-ment between a public and private institution, and the Shadowserver Foundation, which is an all-volunteerwatchdog group o security proessionals who gather, track and report on malware, botnet activity, and elec-tronic raud. The Inormation Warare Monitor and the Shadowserver Foundation have several complementaryresources and data sets. Combining eorts in this way contributed to a much greater pool o knowledge andexpertise rom which to draw strategic choices along each step o the investigation, and or overall analysis.Lastly, the inormation sharing that went into

Shadows in the Cloud

extended to the Oce o His Holiness theDalai Lama (OHHDL), the Tibetan Government in Exile (TGIE) and Tibetan non-governmental organizations.Inormation sharing among victims o network intrusions and espionage is rare. The Tibetan organizations werewilling to provide access and share inormation with our investigation that proved to be invaluable.

Shadows in the Cloud

is also distinct rom

Tracking GhostNet

in terms o the type o data unearthed during thecourse o the investigation. With

GhostNet

, while we were able to monitor the exltration o sensitive documentsrom computers to which we had eld access, we were unable to otherwise determine which documents werestolen rom victims that we had identied, and thus could only iner intentionality on the part o the attackers. In

Shadows

, we were able to recover a signicant volume o stolen documents, some o which are highly sensitive,rom a drop zone connected to one o the malware networks under observation. Although not unprecedentedamong cyber security research, access to stolen documents such as those which are analysed here oers aunique but partial insight into the type o inormation that can be leaked out o compromised computers. It mayeven help answer some lingering questions about the intentionality and attribution o the attackers, althoughthat is not clear by any means. We pick up both o these threads in detail in our report below.

JR03-2010

Shadows in the Cloud

PART 1: BACKGROUND & CONTEXT

1.3

Research Framework

Although the research that we engage in is investigatory, it is not simply a report o the acts

per se

. Our aim isto engage the cyber security research community by building upon prior research in a structured, ocused mannerthrough a systematic research ramework. Several overarching research questions structure the

Shadow

investi-gation and our analysis. We outline these here, and pick up on them throughout our report.

Observation and Characterization o the Ecosystem o Malware

One o the aims o cyber security research is to observe and characterize the evolving nature and complexecosystem o today’s malware, botnets, cyber espionage and cyber crime networks. This is not a simple task,as the ecosystem o malware is very much like a complex adaptive system, only one that is dispersed acrossmultiple ecosystems, operated by clandestine actors with potential criminal and/or espionage motivations whohave shown a propensity to adapt their techniques to new sotware tools, social networking platorms and othertechnologies. Crimeware networks, which to some extent are the oldest and most widespread malware net-works, target generalized population sets in a mostly undiscriminating ashion. Alongside crimeware networks,however, there are other networks that are more discriminating, oten characterized by the use o custom-madesotware attacks, and which seek to exploit and inltrate not random pools o victims but rather deliberatelyselected targets. Within each o these two major types o malware networks are likely many sub-types, includ-ing networks that specialize in distributed denial o service (DDoS) attacks. Conusing matters urther is thattoolkits and techniques used in one instance are borrowed rom another, making classication dicult andincreasingly questionable. Being able to map the ecosystem o malware, however, is critical or research, policyand operational matters, and so is one o the primary aims o our research in

Shadows in the Cloud

(Adair 2010).

From Criminal Exploitation to Political Espionage?

Cyber crime is as old as cyberspace itsel, and criminal networks, as alluded to above, are longstanding charac-teristics o the dark side o the Internet. What is more novel is the use o criminal exploitation kits, techniquesand networks or purposes o political espionage (Villeneuve 2010). Debates about whether or not governmentsare actively involved in cyber espionage and computer network exploitation, either through agencies theycontrol directly or through some kind o privateering, now dominate the headlines and have become part o agrowing politicization o the cyber security arena. One o the aims o our research is to discern to what extentwe can impute motivations behind the attacks we document, to help understand whether in act the networksunder our observation are part o a criminal network, a political espionage network, an industrial espionagenetwork, an opportunistic network, or some combination o these. Such questions, it should be pointed out, areentirely distinct (though not unrelated) to the question o attribution (i.e., who is responsible?).We hypothesize that political espionage networks may be deliberately exploiting criminal kits, techniques andnetworks both to distance themselves rom attribution and strategically cultivate a climate o uncertainty. Toanswer these questions requires a high degree o nuance, as the inormation we have been able to obtain isincomplete, and so a great deal o our analysis rests on inerences made on the basis o multiple data sourcesand our usion methodology (See Box 2, page 3).

Collateral Compromise

Organizations rom around the world have moved switly to adopt new inormation and communicationtechnologies, and have become part o electronically linked communities in the commercial, government, and

JR03-2010

Shadows in the Cloud

PART 1: BACKGROUND & CONTEXT

military sectors. They exchange inormation as a matter o routine, across social networking and cloud comput-ing platorms, using fash drives and other portable devices, and thus become co-dependent on each others’inormation and computer and network security practices. The vulnerabilities o one actor can quickly andunintentionally compromise unwitting third parties, which in turn can become the basis or actionable intel-ligence against those third parties. We hypothesize that there is a high probability or collateral compromisein any malware network because o this mutual dependence. A key consideration, o course, is how to discernintended rom unintended victims, a problem that is dicult to solve.

Actionable Intelligence around Exfltrated Data

Related to collateral compromise is the issue o the strategic value o exltrated data. Access to this data canoer important clues about the motivation and attribution o the attackers. It can also provide insight aboutthe strategic value o the type o data that can be accessed through malware networks. In the course o ourinvestigation, we assumed that we would get, at best, only a partial picture o the exltrated data, but even thatpartial picture would provide some potentially meaningul inormation or those who acquire it. While each in-dividual data point may be o little value, when combined with other data acquired through other means (e.g.,open source searching) a very detailed operational picture can be assembled. We try to assess and evaluate theexltrated data we were able to access with these issues in mind.

Attribution

Examining attribution is an arduous but important component o any cyber security investigation and hasbecome a major political issue at the highest levels around several recent cyber attacks. In order to characterisethe attackers, a variety o technical indicators as well as behavioural indicators need to be analysed (Parker etal. 2004; Parker et al. 2003). These characteristics are interpreted in the context o the nature o the targets andthe objective o the attack. The nature and timing o the attack, the exploit, the malware, and the command andcontrol inrastructure, are just some o the components that go into determining attribution. Knowing the meth-ods and behaviour o the attackers as well as the character o the tools the attackers use once inside the target’snetwork, the data that the attackers exltrate and where that data goes, are also crucial parts o the overall as-sessment (Bejtlich 2010; Cloppert 2009; Mandiant 2010).Moreover, historical inormation and ongoing intelligence collection are crucial when trying to understand thescope o the threat (Deloitte & Touche LLP, 2010). It is dicult to assess attribution when examining an isolatedattack; it is the broader patterns, connections and contextual inormation that inorm the process. However, it isuncommon to have a complete data set covering all aspects o the attackers’ operations. Some may have accessto data regarding the attackers’ activities once inside a particular network. Others may have extensive collec-tions o malware samples and historical data on command and control inrastructure. Others may have inorma-tion on how the attackers use various exploits, or crat targeted

spear phishing

emails and other methods ocusedon compromising particular targets. Others may have data retrieved rom the attackers that indicate the identityo those who have been compromised. And nally still others may have the necessary geopolitical knowledge tointerpret the attacks within a broader context.Oten, investigations do not have the luxury o such a ull data set and must rely on incomplete inormation andpartial observations. Further complicating matters is that any o this inormation is oten dependent on mistakesmade by the attackers, which typically lead to slices o an overall network instead o a comprehensive view.Any questions concerning attribution must thereore always be set against a context o a complete considerationo alternative explanations and qualied observations.

SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

Download this Document for Free Print Mobile Collections Report Document

This is a private document.

Info and Rating

Reads:

124,797

Uploaded:

04/05/2010

Category:

Research>Internet & Technology

Rated:

(8 Ratings)

Attribution Non-commercial No-derivs

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other co... (More)