JOINT REPORT: SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0
JR03-2010
WEB VERSION. Also found here:
JR03-2010 Shadows in the Cloud - FOREWORD - I

Foreword
Crime and espionage form a dark underworld of cyberspace. Whereas crime is usually the first to seek out new opportunities and methods, espionage usually follows in its wake, borrowing techniques and tradecraft. The Shadows in the Cloud report illustrates the increasingly dangerous ecosystem of crime and espionage and its embeddedness in the fabric of global cyberspace.

This ecosystem is the product of numerous factors. Attackers employ complex, adaptive attack techniques that demonstrate high-level ingenuity and opportunism. They take advantage of the cracks and fissures that open up in the fast-paced transformations of our technological world. Every new software program, social networking site, cloud computing, or cheap hosting service that is launched into our everyday digital lives creates an opportunity for this ecosystem to morph, adapt, and exploit.

It has also emerged because of poor security practices of users, from individuals to large organizations. We take for granted that the information and communications revolution is a relatively new phenomenon, still very much in the midst of unceasing epochal change. Public institutions have adopted these new technologies faster than procedures and rules have been created to deal with the radical transparency and accompanying vulnerabilities they introduce.

Today, data is transferred from laptops to USB sticks, over wireless networks at café hot spots, and stored across cloud computing services whose servers are located in far-off political jurisdictions. These new modalities of communicating de-concentrate and disperse the targets of exploitation, multiplying the points of exposure and potential compromise. Paradoxically, documents and data are probably safer in a file cabinet, behind the bureaucrat's careful watch, than they are on the PC today.

The ecosystem of crime and espionage is also emerging because of opportunism on the part of actors. Cyber espionage is the great equalizer. Countries no longer have to spend billions of dollars to build globe-spanning satellites to pursue high-level intelligence gathering, when they can do so via the web.
We have no evidence in this report of the involvement of the People's Republic of China (PRC) or any other government in the Shadow network. But an important question to be entertained is whether the PRC will take action to shut the Shadow network down. Doing so will help to address long-standing concerns that malware ecosystems are actively cultivated, or at the very least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and grey markets for information and data.

Finally, the ecosystem is emerging because of a propitious policy environment — or rather the absence of one — at a global level. Governments around the world are engaged in a rapid race to militarize cyber space, to develop tools and methods to fight and win wars in this domain. This arms race creates an opportunity structure ripe for crime and espionage to flourish. In the absence of norms, principles and rules of mutual restraint at a global level, a vacuum exists for subterranean exploits to fill.

There is a real risk of a perfect storm in cyberspace erupting out of this vacuum that threatens to subvert cyberspace itself, either through over-reaction, a spiraling arms race, the imposition of heavy-handed controls, or through gradual irrelevance as people disconnect out of fear of insecurity.
There is, thereore, an urgent need or a global convention on cyberspace that builds robust mechanisms o inormation sharing across borders and institutions, denes appropriate rules o the road or engagement in thecyber domain, puts the onus on states to not tolerate or encourage mischievous networks whose activitiesoperate rom within their jurisdictions, and protects and preserves this valuable global commons.Until such a normative and policy shit occurs, the shadows in the cloud may grow into a dark, threatening storm.
Ron Deibert
Director, the Citizen Lab, Munk School of Global Affairs, University of Toronto

Rafal Rohozinski
CEO, The SecDev Group (Ottawa)

PART 3: MAPPING THE SHADOWS IN THE CLOUD
In order or us to begin to map the
Shadows in the Cloud
, it was important or us to have clear starting points.The rst and easiest starting point that we identied was to look back at what was related to and still opera-tional rom the previous
Tracking GhostNet 
report. We ocused primarily on the domains described in
GhostNet 
 and set out to see what we could learn rom them in their current state. The second was to continue collectingand analyzing inormation on attacks gleaned rom eld research and reports that were shared with us by third-parties. Each o these starting points branched o rom one another and crossed paths in various ways, reveal-ing at least two distinct cyber espionage networks.We previously mentioned that a large portion o the domain names mentioned in
Tracking GhostNet 
went ofineollowing the initial report. As a result, several o the domain names described in it were abandoned. The do-mains ultimately expired and were available or re-registration. This gave us the opportunity to take over thesedomains and monitor any connections that might come to them. Doing this allowed us to see connections romvictims that were still inected, and learn more about how the command and control server was congured. TheShadowserver Foundation has utilized this technique or a long time (Higgins 2008).The investigation was broadened urther when eld research by the Inormation Warare Monitor crossed pathswith research being done by the Shadowserver Foundation. The eld research revealed that a computer systemin the OHHDL had been compromised by at least two dierent types o malware associated with targetedmalware intrusions. Based on our understanding o the malware, the domains and on-going research, we assessthat this compromise also involved at least two dierent cyber espionage groups and potentially even a thirdone. Analysis o several malware components and their associated command and control servers ultimately ledto the discovery o an accessible drop zone or documents being siphoned o compromised systems.The attackers’ command and control inrastructure is a critical component o maintaining persistent access tocompromised computers. Through this inrastructure, the attackers issue commands to the compromised ma-chines as well as exltrate data to drop zones or to the command and control servers themselves. By careullyexamining the relationships between command and control servers we were able to map out the extent o onesuch network and link it with other similar malware networks.This report ocuses on only one o these networks, one that we have named the
Shadow
network. This is acomplex network that leveraged social networking websites, webmail providers, ree hosting providers andservices rom some o the largest companies on the Internet as disposable command and control locations.The rst layer o control used blogs, newsgroups, and social networking services to maintain persistent controlas these system are unlikely to be detected as malicious. As compromised computers accessed these services,they received another command and control location, oten located on ree web hosting providers. The com-mand and control servers on the ree hosting services are oten disabled over time – most likely due to reportso malicious activity. When the command and control servers on ree web hosting services were disabled, thecompromised systems would receive commands rom the social networking layer and then beacon (i.e., attempta connection) to a more stable inner core o dedicated systems located in the PRC. Unlike the command andcontrol servers on ree web hosting services, these dedicated servers hosted in the PRC have proven to be quitestable over time.
3.1 Analysis of Data while in the Field
During the eld investigation we collected samples o network trac rom computers at the OHHDL and otherTibetan-related locations. Inspection o network trac rom these computers revealed that at least three o themwere compromised and were communicating with the same set o command and control servers. The tracanalysis revealed that these systems were all connecting to the domain jdusnemsaz.com. At the time it resolvedto the IP address 119.84.4.43, which is assigned to China Telecom in the province o Chongqing, PRC. The com-mands sent by the command and control server were identical to malware we ound at the Tibetan NGO Drewlaand the OHHDL during our
GhostNet 
investigation a year earlier, although were not part o the network thatwas described in that initial report.There is a similarity between the commands sent by the command and control server jdusnemsaz.com anda previously identied control server, lookbytheway.net. In both cases, the network trac captured rom thecompromised computers revealed that the malware was exltrating sensitive documents.
Table 1: Command and Control: Similarities with previous attacks

              OHHDL (T)              OHHDL (D)              TIBETAN MP             Drewla
              Nov 2009               Nov 2009               Oct 2009               Sep 2008
Domain        jdusnemsaz.com         jdusnemsaz.com         jdusnemsaz.com         lookbytheway.net
IP address    119.84.4.43            119.84.4.43            119.84.4.43            221.5.250.98
URL path      /two/zq2009/index.php  /two/zq2009/index.php  /two/zq2009/index.php  /cgi-bin/NQueryFileop
Command       NQueryFileop           NQueryFileop           NQueryFileop           NQueryFileop
Further analysis of the network traffic also revealed that at least one of the systems was infected with additional malware not associated with the aforementioned command and control servers. The system was attempting DNS resolutions of multiple hostnames. Two of the hostnames resolved to IP addresses but were not available when the system attempted to communicate to them. The other hostname did not resolve at all. The failed DNS resolution was for www.assam2008.net, which is a domain that has been used by a different group of attackers in the past in conjunction with the Enfal trojan, and suggests a limited connection between the current malware under investigation and malware used in previous attacks on other targets. This domain name was available for registration and was added to our ongoing sinkhole project.

While recording network traffic in the field, we observed the attackers removing two sensitive documents from the OHHDL (see fig. 1, page 15). The data was compressed using CAB, split into 100kb chunks when necessary, encoded with base64, and then uploaded to a command and control server. In this case, data was being uploaded to c2etejs.com, which is hosted on the same IP address (119.84.4.43) as jdusnemsaz.com.

We reconstructed the documents that were exfiltrated from the OHHDL: "letters - current.doc" and "letters - master2009.doc" (see fig. 2, page 15). The documents contained over 1,500 letters sent from the Dalai Lama's office between January and November 2009. While many of the letters are perfunctory — responses to various invitations and interview requests — they allow the attackers to collect information on anyone contacting the Dalai Lama's office. Moreover, there are some communications contained within these documents that could be considered sensitive, such as communications between the OHHDL and Offices of Tibet around the world. Some communications contain generic information on the Dalai Lama's travelling details, including his schedule of appearances – but very little that could not be established through open sources and publicly available information on the internet.
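The Table 1 indicators and the upload pattern described in this section (CAB archive, split into 100kb chunks, base64-encoded, POSTed to the C2 server) turned into a detection check, as an added example that is not code from the report or from the Information Warfare Monitor. The pipe-delimited proxy log format and the sample records are constructed, and the payload bytes are placeholders rather than the real files.

```python
# Added example, not from the report: flag constructed HTTP proxy records that
# match the Table 1 C2 indicators or the section 3.1 upload pattern.
import base64
import re

# Indicators taken from Table 1 and section 3.1 of the report.
C2_HOSTS = {"jdusnemsaz.com", "c2etejs.com", "lookbytheway.net"}
C2_IPS = {"119.84.4.43", "221.5.250.98"}
C2_PATHS = {"/two/zq2009/index.php", "/cgi-bin/NQueryFileop"}
CHUNK_LIMIT = 100 * 1024        # observed split size of the uploads
CAB_MAGIC = b"MSCF"             # leading bytes of a Microsoft cabinet file
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Hypothetical log format: ts|src|dst_ip|host|method|path|body (body may be empty)
FIELDS = ("ts", "src", "dst_ip", "host", "method", "path", "body")

def classify(rec: dict) -> list:
    """Return the reasons one record is suspicious (empty list means clean)."""
    reasons = []
    if rec["host"] in C2_HOSTS or rec["dst_ip"] in C2_IPS:
        reasons.append("known-c2-host")
    if rec["path"] in C2_PATHS:
        reasons.append("known-c2-path")
    body = rec["body"]
    if rec["method"] == "POST" and B64_RE.match(body) and len(body) % 4 == 0:
        raw = base64.b64decode(body)
        if raw.startswith(CAB_MAGIC):
            reasons.append("base64-cab-upload")    # first chunk of an archive
        elif len(raw) == CHUNK_LIMIT:
            reasons.append("base64-100kb-chunk")   # a full continuation chunk
    return reasons

def scan_log(lines) -> list:
    """Parse each pipe-delimited line and return (ts, host, reasons) for hits."""
    hits = []
    for line in lines:
        rec = dict(zip(FIELDS, line.rstrip("\n").split("|", len(FIELDS) - 1)))
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["host"], reasons))
    return hits

# Constructed sample: a benign request, a beacon, the first chunk of an upload
# and a 100kb continuation chunk. Payload bytes are placeholders.
SAMPLE_LOG = [
    "2009-11-03T10:00:01|10.0.0.5|93.184.216.34|example.com|GET|/index.html|",
    "2009-11-03T10:00:05|10.0.0.5|119.84.4.43|jdusnemsaz.com|GET|/two/zq2009/index.php|",
    "2009-11-03T10:00:09|10.0.0.5|119.84.4.43|c2etejs.com|POST|/two/zq2009/index.php|"
    + base64.b64encode(CAB_MAGIC + b"\x00" * 60).decode(),
    "2009-11-03T10:00:12|10.0.0.5|119.84.4.43|c2etejs.com|POST|/two/zq2009/index.php|"
    + base64.b64encode(b"\x00" * CHUNK_LIMIT).decode(),
]
```

Run `scan_log(SAMPLE_LOG)` to get the three flagged records; the benign example.com request produces no hit.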
Figure 1: A screen capture of a sensitive document being uploaded to a command and control server.
Figure 2: The Word Documents Exfiltrated from the OHHDL