JOINT REPORT:

Information Warfare Monitor Shadowserver FoundationApril 6, 2010

SHADOWS IN THE CLOUD:

Investigating Cyber Espionage 2.0

INFOWARMONITOR

JR03-2010

WEB VERSION. Also found here:

http://shadows-in-the-cloud.net

JR03-2010

Shadows in the Cloud

FOREWORD

Foreword

Crime and espionage orm a dark underworld o cyberspace. Whereas crime is usually the rst to seek out newopportunities and methods, espionage usually ollows in its wake, borrowing techniques and tradecrat. The

Shadows in the Cloud

report illustrates the increasingly dangerous ecosystem o crime and espionage and itsembeddedness in the abric o global cyberspace.This ecosystem is the product o numerous actors. Attackers employ complex, adaptive attack techniques thatdemonstrate high-level ingenuity and opportunism. They take advantage o the cracks and ssures that open upin the ast-paced transormations o our technological world. Every new sotware program, social networkingsite, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates anopportunity or this ecosystem to morph, adapt, and exploit.It has also emerged because o poor security practices o users, rom individuals to large organizations. Wetake or granted that the inormation and communications revolution is a relatively new phenomenon, stillvery much in the midst o unceasing epochal change. Public institutions have adopted these new technologiesaster than procedures and rules have been created to deal with the radical transparency and accompanyingvulnerabilities they introduce.Today, data is transerred rom laptops to USB sticks, over wireless networks at caé hot spots, and stored acrosscloud computing services whose servers are located in ar-o political jurisdictions. These new modalities o communicating de-concentrate and disperse the targets o exploitation, multiplying the points o exposureand potential compromise. Paradoxically, documents and data are probably saer in a le cabinet, behind thebureaucrat’s careul watch, than they are on the PC today.The ecosystem o crime and espionage is also emerging because o opportunism on the part o actors. Cyberespionage is the great equalizer. Countries no longer have to spend billions o dollars to build globe-spanningsatellites to pursue high-level intelligence gathering, when they can do so via the web. We have no evidence inthis report o the involvement o the People’s Republic o China (PRC) or any other government in the

Shadow

network. But an important question to be entertained is whether the PRC will take action to shut the

Shadow

network down. Doing so will help to address long-standing concerns that malware ecosystems are activelycultivated, or at the very least tolerated, by governments like the PRC who stand to benet rom their exploitsthough the black and grey markets or inormation and data.Finally, the ecosystem is emerging because o a propitious policy environment — or rather the absence o one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space,to develop tools and methods to ght and win wars in this domain. This arms race creates an opportunitystructure ripe or crime and espionage to fourish. In the absence o norms, principles and rules o mutualrestraint at a global level, a vacuum exists or subterranean exploits to ll.There is a real risk o a perect storm in cyberspace erupting out o this vacuum that threatens to subvertcyberspace itsel, either through over-reaction, a spiraling arms race, the imposition o heavy-handed controls,or through gradual irrelevance as people disconnect out o ear o insecurity.

JR03-2010

Shadows in the Cloud

FOREWORD

There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.

Ron Deibert

Director, the Citizen Lab, Munk School o Global AairsUniversity o Toronto

Rafal Rohozinski

CEO, The SecDev Group (Ottawa)

JR03-2010

Shadows in the Cloud

PART 2: METHODOLOGY & INVESTIGATIVE TECHNIQUES

The

Tracking GhostNet

investigation revealed signicant compromises at Tibetan-exile and Indian targets. Itwas also ound that Indian government related entities, both in India proper and throughout the world, hadbeen thoroughly compromised. These included computers at Indian embassies in Belgium, Serbia, Germany,Italy, Kuwait, the United States, Zimbabwe, and the High Commissions o India in Cyprus and the UnitedKingdom. During the

GhostNet

investigation we had discovered evidence o multiple inections or which theinormation available was incomplete, and to which we wanted to return or ollow up. In particular, we oundone piece o malware uploading sensitive documents. Another report published soon ater

Tracking GhostNet

,entitled “The Gh0st in the Shell: Network Security in the Himalayas,” analysed the network trac o Air Jaldi,a community WiFi network in Dharamsala, India. It ound that computers in Dharamsala were connecting withtwo o the control servers documented in our report (Vallentin et al. 2009).With the aim o ocusing on both these wider pattern o compromises, and the hanging threads rom the previ-ous investigation, we worked with our existing approach, inormed by the view that collecting data as closeto the intended target as possible was likely to yield actionable evidence o breaches that could be ollowedthrough to their source, lead to wider pools o target sets, and yield inormation on the attackers.In conducting the eld research we were infuenced by the Action Research (AR) literature (Lewin 1946; Curle1947) that has evolved since the 1940s, as well as other eld-based investigation and research techniques. TheAR eld-based approach eeds into the usion methodology that guides our overall investigatory process. Itemploys ethical and participatory observations and structured ocused interviews. We combined this groundedresearch with technical interrogation, including network monitoring activities. As with

GhostNet

, we wereortunate to have the cooperation o Tibetan organizations, and beneted tremendously rom the willingness o His Holiness the Dalai Lama and other Tibetans to share inormation with our investigators. As a result, or the

Shadow

investigation we conducted primary eld research in Dharamsala, India rom August until December2009. (Dharamsala is the location o the OHHDL as well as the TGIE).The primary objectives o the eld investigations were to research the wider patterns o compromised Indianand Tibetan related targets, investigate the reports o targeted malware attacks that have emerged rom theTibetan community, and raise inormation and computer security awareness within the Tibetan communityand assist in their security planning and implementation. Throughout the eld investigation process, we alsoinvestigated the broader social, political, military, and intelligence context. We conducted extensive on-siteinterviews with ocials in the Tibetan Government-in-Exile, the Oce o the Dalai Lama and Tibetan NGOs.These interviews allowed us to gain an understanding o the security practices and network inrastructure o compromised locations. We also used network monitoring sotware during eld investigations in order to collecttechnical data rom compromised computer systems and perorm an initial analysis to conrm the existenceo malware and the transer o inormation between compromised computers and command and control serv-ers. The network monitoring tools allowed us to collect samples rom compromised computers and identiycommand and control servers used by the attackers. The network monitoring was undertaken with the explicitconsent o the Tibetan organizations.While monitoring the network trac o a local NGO, Common Ground, as part o an Internet security audit,trac rom a local WiFi mesh network, TennorNet was also captured, revealing malicious activity. An anomalywas detected when analyzing this trac: computers in Dharamsala were beaconing or checking in with a com-mand and control server (jdusnemsaz.com/119.84.4.43) located in Chongqing, PRC. The location o Chongqingis contextually interesting as it has a high concentration o Triads — well known Asian-based organized crimi-nal networks — who have signicant connections to the Chinese government and the Chinese Communist Party(Lam 2009). The Triads have extended their traditional criminal activities to include technology-enabled crime

JR03-2010

Shadows in the Cloud

PART 2: METHODOLOGY & INVESTIGATIVE TECHNIQUES

such as “computer sotware piracy and credit card orgery and raud” (Choo 2008).An investigation revealed that the computer on TennorNet generating the malicious trac belonged to Mr. SertaTsultrim, a Tibetan Member o Parliament, editor o o the weekly Tibetan language newspaper

Tibet Express

and the director o the Khawa Karpo Tibet Culture Centre. Tsultrim is also the coordinator o the Association o Tibetan Journalists (ATJ). We probed or his threat perception, and who he elt might be targeting him and why.We sought to establish his perception o what documents and correspondence might be particularly sensitive.Tsultrim was particularly concerned about this network being compromised.Following the discovery o this compromise, we approached the OHHDL and ormally requested permissionto audit network trac to determine whether we could identiy similar beacon packets associated with thecommand and control server (jdusnemsaz.com/119.84.4.43). A representative o OHHDL agreed that we couldaccess the oce network under an agreement similar to the initial

GhostNet

investigation. In consultation withOHHDL sta, we ocused our attention on the desktop machines that were most likely to be compromised, andcommenced a network tap o a number o workstations. Interestingly, it was one o these workstations thatwas the origin o the

GhostNet

investigation, where we had observed sensitive documents being exltrated inSeptember 2008. Almost immediately we identied malicious trac connecting with the command and controlserver (jdusnemsaz.com/119.84.4.43).Our next step was to reer to the management interace in the ICSA-certied Cyberoam rewall that the OHHDLhad installed in their network as part o their extensive upgrading o security procedures in the wake o the

GhostNet

breach. We isolated all outbound trac to the command and control server and identied any othermachines on the oce Local Area Network that were currently, or had recently, been communicating with thecommand and control server. From the Cyberoam interace we were able to identiy one other machine that wascompromised. We proceeded to tap the trac rom this machine and began to see domain names associatedwith the distributed social media command and control channels that we would later identiy in the lab as parto the command and control inrastructure. Similarly, the lab investigation was able to reconstruct the documentsthat were exltrated rom OHHDL machines and we were able to brie OHHDL on the extent o the breach.

2.3

Technical Investigative Activities

Our technical investigation was comprised o several interrelated components:

DNS Sinkholing



- Through registering expired domain names previously used in cyber espionage attacks ascommand and control servers, we were are able to observe incoming connections rom still-compromisedcomputers. This allowed us to collect inormation on the methods o the attackers as well as the nature o the victims.

Malware Analysis



- We collected malware samples rom a variety o attacks that allowed us to determinethe exploits the attackers used, the theme used to lure targets into executing the malware, as well as thecommand and control servers used by the attackers. We also analysed additional malware ound on serversunder the control o the attackers. Malware samples consisted primarily o the les with the PDF, DOC, PPTand EXE le extensions.

Command and Control Server Topography



- We were able to map out the command and control inrastruc-ture o the attackers by linking inormation rom the sinkhole, the eld investigations and the malware analy-sis. We collected the domain names, URL paths and IP addresses used by the attackers. This allowed us to ndlinks between our research and other command and control servers observed in other attacks in prior research.

JR03-2010

Shadows in the Cloud

PART 2: METHODOLOGY & INVESTIGATIVE TECHNIQUES

Victim Identifcation



- We were able to identiy victims that the attackers had compromised by analyzingsinkhole server connections, recovering documents that had been exltrated, and viewing control panelsused by the attackers to direct the compromised computers.

Data Recovery



- We were able to retrieve documents that had been sent to

drop zones

rom victim systemsand stolen by the attackers.We carried out this research careully, guided by principles rooted in the computer security eld (Burstein 2008;Cooke et al. 2005; Stone-Gross et al. 2009; Smith and Toppel 2009). Our aim was to understand and documentthe activities o the attackers as well as gather enough inormation to enable notication o those who had beencompromised. The principles that guided our eld and technical investigations include the ollowing:We collected network data in the eld rom computers that had been compromised by malware with the



consent o the owners o the computers.We monitored command and control inrastructure and recovered exltrated data in order to gather enough



inormation to understand the activities o the attackers and obtain enough inormation to enable notica-tion o the victims beore moving to notiy the service providers and hosting companies to seek to have thenetworks shut down.We worked with government authorities in multiple jurisdictions to notiy those who had been compro-



mised and to take down the attacker’s command and control inrastructure.We were careul to store and handle all o the data we collected in a secure manner.



SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0

Download this Document for Free Print Mobile Collections Report Document

This is a private document.

Info and Rating

Reads:

124,885

Uploaded:

04/05/2010

Category:

Research>Internet & Technology

Rated:

(8 Ratings)

Attribution Non-commercial No-derivs

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other co... (More)