In Depth

The New Cyber Threat

By Brian Grow, Keith Epstein, and Chi-Chu Tschang
Illustrations by Jonathon Rosen
executive clicked on the attachment, the full force of the virus would have been unleashed and his every keystroke reported back to a mysterious master at the Internet address cybersyndrome.3322.org.

The U.S. government, and its sprawl of defense contractors, have been the target of an unprecedented rash of similar cyberattacks over the last two years. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cybersecurity incidents to the U.S.
bersecurity "Manhattan Project." First, he said, the U.S. must "get our own house in order."

But many security experts worry the Internet has become too unwieldy to be tamed. New viruses appear every day, each seemingly more sophisticated than the previous one. The Defense Dept., whose Advanced Research Projects Agency (DARPA) developed the Internet in the 1960s, is beginning to think it created a monster. "You don't need an Army, a Navy, an Air Force to beat the U.S.," says General William T. Lord, commander of the Air Force Cyber Command, a unit formed in October, 2006, to upgrade Air Force computer defenses. "You can be a peer force for the price of the PC on my desk." Military officials have long believed that "it's cheaper, and we kill stuff faster, when we use the Internet to enable high-tech warfare," says a top adviser to

AN EVOLVING THREAT: Major attacks on the U.S. government and defense industry over the years

Solar Sunrise. February, 1998. Air Force and Navy computers are hit by malicious code that sniffed out a hole in Sun Microsystems' Solaris operating system, patched its own entry point—then did nothing. Some attacks are routed through the United Arab Emirates while the U.S. is preparing for military action in Iraq. Turns out the attacks were launched by two teenagers in Cloverdale, Calif., and an Israeli accomplice who called himself the "Analyzer."

Moonlight Maze. March, 1998, through 1999. Attackers use scripts to gain access to Web sites at the Defense Dept., NASA, the Energy Dept., and weapons labs across the country. Large packets of unclassified data are stolen. "At times, the end point [for the data] was inside Russia," says a source familiar with the investigation. The sponsor of the attack has never been identified. The Russian government denied any involvement.

Titan Rain. 2003. Hackers believed to be in China access classified data stored on computer networks of defense contractor Lockheed Martin, Sandia National Labs, and NASA. The intrusions are identified by Sean Carpenter, a cyber security analyst at Sandia Labs. After he reports the breaches to the U.S. Army and FBI, Sandia fires him. Carpenter later sues Sandia for wrongful termination. In February, 2007, a jury awards him $4.7 million.

Byzantine Foothold. 2007. A new form of attack, using sophisticated technology, deluges outfits from the State Dept. to Boeing. Military cybersecurity specialists find the "resources of a nation-state behind it" and call the type of attack an "advanced persistent threat." The breaches are detailed in a classified document known as an Intelligence Community Assessment. The source of many of the attacks, say U.S. military and government officials, is China.

Data: BusinessWeek

The military and intelligence communities have fingered the People's Republic of China as the U.S.'s biggest cybermenace. "In the past year, numerous computer networks around the world, including those owned by the U.S. government, were subject to intrusions that appear to have originated within the PRC," reads the Pentagon's annual report to Congress on Chinese military power, released on Mar. 3. The preamble of Bush's Cyber Initiative focuses attention on China as well.

"Those are groundless accusations and unwarranted allegations," says Wang Baodong, a spokesman for the Chinese embassy in Washington. Qin Gang, a spokesman for China's Foreign Ministry, told reporters in Beijing on Mar. 4 that China's military policy is "defensive in nature. China would never do anything to harm sovereignty or security of other countries." He added that "China also falls victim to hacking" and urged the U.S. to "present compelling evidence for its accusation."

Some computer security specialists doubt that China's government is involved in cyberattacks on U.S. defense targets. Peter Sommer, an information systems security specialist at the London School of Economics who helps companies secure networks, says: "I suspect if it's an official part of the Chinese government, you wouldn't be spotting it." Indeed, because the Internet allows digital spies and thieves to mask their identities, conceal their physical locations, and bounce malicious code to and fro, it's frequently impossible to pinpoint specific attackers. Network security professionals call this digital masquerade ball "the attribution problem."

In written responses to questions from BusinessWeek, officials in the office of National Intelligence Director J. Michael McConnell, a leading proponent of boosting the government's cybersecurity efforts, would not comment "on specific code-word programs" such as Byzantine Foothold, nor on "specific intrusions or possible victims." But the department adds that "computer intrusions have been successful against a wide range of government and corporate networks across the critical infrastructure and defense industrial base." The White House declined to address the contents of the Cyber Initiative, citing its classified nature.

A Credible Message

The Booz Allen e-mail, obtained by BusinessWeek and traced back to China, paints a vivid picture of the alarming new capabilities of America's cyberenemies. On Sept. 5, 2007, at 08:22:21 Eastern time, an e-mail message appeared to be sent to John F. "Jack" Mulhern, vice-president for international military assistance programs at Booz Allen. In the high-tech world of weapons sales, Mulhern's specialty, the e-mail looked authentic enough. "Integrate U.S., Russian, and Indian weapons and avionics," the e-mail noted, describing the Indian government's expectations for its fighter jets. "Source code given to India for indigenous computer upgrade capability." Such lingo could easily be understood by Mulhern. The 62-year-old former U.S. Naval officer and 33-year veteran of Booz Allen's military and defense consulting business is an expert in helping to sell U.S. weapons to foreign governments.
a unit of Defense Group, a leading consultant to U.S. defense and intelligence agencies on China's military and cyber strategy. He maintains an Excel spreadsheet of suspect e-mails, malicious code, and hacker groups and passes them along to the authorities. Suspicious of the note when he received it, Mulvenon replied to Moree the next day. Was the e-mail "India spam?" Mulvenon asked.

"I apologize—this e-mail was sent in error—please delete," Moree responded a few hours later.

"No worries," typed Mulvenon. "I have been getting a lot of trojaned Access databases from China lately and just wanted to make sure."

"Interesting—our network folks are looking into some kind of malicious intent behind this e-mail snafu," wrote Moree. Neither the Air Force nor the Defense Dept. would confirm with BusinessWeek whether an investigation was conducted. A Pentagon spokesman says its procedure is to refer attacks to law enforcement or counterintelligence agencies. He would not disclose which, if any, is investigating the Air Force e-mail.

Digital Intruders

By itself, the bid to steal digital secrets from Booz Allen might not be deeply troubling. But Poison Ivy is part of a new type of digital intruder rendering traditional defenses—firewalls and updated antivirus software—virtually useless. Sophisticated hackers, say Pentagon officials, are developing new ways to creep into computer networks, sometimes before the vulnerabilities they exploit are known to defenders. "The offense has a big advantage over the defense right now," says Colonel Ward E. Heinke, director of the Air Force Network Operations Center at Barksdale Air Force Base. Only 10 of the top 35 antivirus software programs identified Poison Ivy when it was first tested on behalf of BusinessWeek in February. Malware-sniffing software from several top security firms found "no virus" in the India fighter-jet RFP, the analysis showed.

Over the past two years thousands of highly customized e-mails akin to Stephen Moree's have landed in the laptops and PCs of U.S. government employees and defense contracting executives. According to sources familiar with the matter, the attacks targeted sensitive information on the networks of at least eight agencies—including the departments of Defense, State, Energy, Commerce, Health & Human Services, Agriculture, and Treasury—and also defense contractors Boeing, Lockheed Martin, General Electric, Raytheon, and General Dynamics, say current and former government security experts.

Laura Keehner, a spokeswoman for the Homeland Security Dept., which coordinates protection of government computers, declined to comment on specific intrusions. In written responses to questions from BusinessWeek, Keehner says: "We are aware of and have defended against malicious cyberactivity directed at the U.S. Government over the past few years. We take these threats seriously and continue to remain concerned that this activity is growing more sophisticated, more targeted, and more prevalent." Spokesmen for Lockheed Martin, Boeing, Raytheon, General Dynamics, and General Electric declined to comment. Several cited policies of not discussing security-related matters.

The rash of computer infections is the subject of Byzantine Foothold, the classified operation designed to root out the perpetrators and protect systems in the future, according to three people familiar with the matter. In some cases, the government's own cybersecurity experts are engaged in "hack-backs"—following the malicious code to peer into the hackers' own computer systems. BusinessWeek has learned that a classified document called an intelligence community assessment, or ICA, details the Byzantine intrusions and assigns each a unique Byzantine-related name. The ICA has circulated in recent months among selected officials at U.S. intelligence agencies, the Pentagon, and cybersecurity consultants acting as outside reviewers. Until December the ICA's contents had not even been shared with congressional intelligence committees.

Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified "black" budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher "Kit" Bond, the committee's vice-chairman, to supplement closed-door testimony and classified documents with a viewing of the movie Die Hard 4 on a flight the senator made to New Zealand. In the film, cyberterrorists breach FBI networks, purloin financial data, and bring car traffic to a halt in Washington. Hollywood, says Bond, doesn't exaggerate as much as people might think. "I can't discuss classified matters," he cautions. "But the movie illustrates the potential impact of a cyberconflict. Except for a few things, let me just tell you: It's credible."

Go Phish

The technique used in the attacks, known as "phishing," is a method of stealing information by posing as a trustworthy entity in an online communication. The term started in the mid-1990s when hackers began "fishing" for information (and tweaked the spelling). The e-mail attacks in the government agency and defense contractor intrusions, called "spear-phish" because they target specific individuals, are the Web version of laser-guided missiles. Spear-phish creators gather information about people's jobs and social networks, often from publicly available information and data stolen from other infected computers, and then trick them into opening an e-mail.

Spear-phish tap into a cyberespionage tactic that Internet security experts call "net reconnaissance." In the spear-phish attack on Booz Allen, attackers had a wealth of information about Stephen J. Moree: his full name, title (Northeast Asia Branch Chief), job responsibilities, and e-mail address. Net reconnaissance can be surprisingly simple, often starting with a Google search. (A lookup of the Air Force's Pentagon e-mail address, for instance, generated 8,680 hits for current or former Air Force personnel and departments on Apr. 8.) The information is woven into a fake e-mail, along with a link to an infected Web site, or an attached document. All attackers have to do is hit their send button. Once the attachment is opened or the link followed, intruders are automatically ushered inside the walled perimeter of computer networks—and malicious code such as Poison Ivy can take over.

By mid-2007 analysts at the National Security Agency began to discern a pattern: personalized e-mails with booby-trapped attachments such as PowerPoint presentations, Word documents, and Access database files had been turning up on computers connected to the networks of numerous agencies and defense contractors.

A previously undisclosed breach in the autumn of 2005 at the American Enterprise Institute—a conservative think tank whose former officials and corporate executive board members are closely connected to the Bush Administration—proved so nettlesome that the White House shut off aides' access to the Web site for more than six months, says a cybersecurity specialist familiar with the incident. The Defense Dept. shut the door for even longer. Computer security investigators, one of whom spoke with BusinessWeek, identified the culprit: a few lines of JavaScript buried in AEI's home page, www.aei.org, that activated as soon as someone visited the site. The script secretly redirected the user's computer to another server that attempted to load malware. The malware, in turn, sent information from the visitor's hard drive to a server in China. But the security specialist says cybersleuths couldn't get rid of the intruder. After each deletion, the furtive code would reappear. AEI says that except for a brief accidental recurrence caused by its own network personnel in August, 2007, the devious JavaScript did not return and was not difficult to eradicate.

The government has yet to disclose the breaches related to Byzantine Foothold. BusinessWeek has learned that intruders managed to wend their way into the State Dept.'s highly sensitive Bureau of Intelligence & Research—an important channel between the work of intelligence agencies and the rest of the government. The intrusion posed a risk to CIA operatives in embassies around the globe, say several network security specialists familiar with the effort to cope with what became regarded as an internal crisis. Teams worked around the clock in search of malware, they say, calling the White House regularly with updates.

The attack began in May, 2006, when an unwitting employee in the State Dept.'s East Asia Pacific region clicked on an attachment in a seemingly authentic e-mail. Malicious code embedded in the Word document, a congressional speech, opened a Trojan "back door" for the code's creators to peer inside the State Dept.'s innermost networks. Soon, cybersecurity engineers began spotting more intrusions in State Dept. computers across the globe. The malware took advantage of previously unknown vulnerabilities in the Microsoft operating system. Unable to develop a patch quickly enough, engineers watched helplessly as streams of State Dept. data slipped through the back door and into the Inter-

A BRILLIANT FAKE: The bogus e-mail aimed at Booz Allen Hamilton

Sir,

This morning (28 Aug) we received the 211 page India Multi-Role Combat Aircraft (MRCA) Request for Proposal (RFP). The major RFP points are:
- 126 aircraft (86 single seat/40 dual); 18 built by OEM, 108 co-produced in India
- 1 or 2 engines; 14k-30k kg (30.9k-66.1k lb) max weight
- Active AESA radar capable of targeting 5 m2 at 130km (80.8 miles)
- 24 month fixed price validity of offer; option for 63 aircraft good for 3 years (fixed price)
- 50% Offset requirement
- Aircraft delivery to begin 36 months from contract, co-production begins 48 months from contract
- Tech transfer is broken into 5 categories, 60% is the highest percentage
- Performance Based Logistics (Life Cycle costs) are addressed, but India may/may not use as a final determiner
- Integrate US, Russian, and Indian weapons and avionics
- Source code given to India for indigenous computer upgrade capability

IAW the Teaming Directive I've attached a copy of the complete RFP; however, we will provide a more detailed summary after our Teaming Meeting. We'll include this development in the SAF/IA Update and Friday's CSAF Update slide.

vr
Steve

Stephen J. Moree
Northeast Asia Branch Chief
SAF/IA Pacific Division

CONFIDENTIALITY NOTICE: This electronic transmission is "For Official Use Only" and may contain information protected from disclosure under the Freedom of Information Act, 5 USC 552. Do not release outside of DoD channels without prior authorization from the sender.

[Graphic sidebar on the anatomy of a spear-phish; only these fragments survive:]
...and blogs–to build digital dossiers about the jobs, responsibilities, and personal networks of targets.
...trick the victim into clicking on it. Common spear-phish topics include news events, earnings results, and Word and PowerPoint documents containing real info. The e-mail address is made to look like it comes from a logical sender.
...malicious code hidden inside combs document files, steals passwords, and sends the data to a "command and control" server, often in a foreign country, which collects the data for study.
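The bogus e-mail reproduced above and the "net reconnaissance" passage before it describe the attacker's side of a spear-phish. The following added example, which is not code from the article or from any organization it names, shows the checks a mail gateway can run on such a message before it reaches the inbox: does the sender's domain belong to the organization it claims, is it a lookalike built from that domain's letters, does Reply-To point somewhere else, and is the attachment one of the document types the article says were used as carriers. The lookalike heuristic goes a little beyond what the article describes. The message it parses is constructed for the example: the domains af-mil.example and webmail.example, the addresses, the relay host and the other header values are invented, and only the subject line and body echo the Moree e-mail.

```python
"""Mail-gateway triage of a suspected spear-phish (added example).

Not code from the article or from Booz Allen, the Air Force or the Pentagon.
The message below is constructed: af-mil.example, webmail.example, the
addresses and every other header value are invented.
"""
import email
import os
import re
from email import policy

# Constructed sample message. Shaped like the Moree e-mail the article
# reproduces: a believable sender name, an Air Force-sounding domain that
# is not af.mil, a Reply-To pointing elsewhere, and a Word attachment.
SAMPLE_EML = """\
Received: from mail.af-mil.example (mail.af-mil.example [203.0.113.7])
        by mx.example.net with ESMTP; Wed, 5 Sep 2007 08:22:21 -0400
From: "Moree, Stephen J" <stephen.moree@af-mil.example>
Reply-To: <steve.moree@webmail.example>
To: <recipient@example.net>
Subject: India MRCA RFP - major points
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Sir,
IAW the Teaming Directive I've attached a copy of the complete RFP.
vr
Steve
--b1
Content-Type: application/msword; name="India_MRCA_RFP.doc"
Content-Disposition: attachment; filename="India_MRCA_RFP.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--b1--
"""

# Domains from which this organization expects official Air Force mail.
# Assumed allow-list for the example.
EXPECTED_SENDER_DOMAINS = {"af.mil", "us.af.mil"}
# Document formats the article says carried the payloads: Word, PowerPoint, Access.
RISKY_EXTENSIONS = {".doc", ".docx", ".ppt", ".pptx", ".mdb", ".accdb"}


def _compact(domain):
    """Strip dots and hyphens so 'af-mil.example' can be compared with 'af.mil'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def is_lookalike(domain):
    """True for a domain that is not allow-listed but is built from an
    allow-listed domain's characters, e.g. af-mil.example for af.mil.
    Coarse on purpose: it catches the hyphen/extra-label trick, not homoglyphs."""
    domain = domain.lower()
    if domain in EXPECTED_SENDER_DOMAINS:
        return False
    return any(_compact(good) in _compact(domain) for good in EXPECTED_SENDER_DOMAINS)


def address_domains(msg, header):
    """Lower-cased domains of every address in an address header; empty if absent."""
    hdr = msg[header]
    if hdr is None:
        return set()
    return {addr.domain.lower() for addr in hdr.addresses}


def triage(raw_message):
    """Return findings, attachment names and a verdict for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domains = address_domains(msg, "From")
    for dom in sorted(from_domains - EXPECTED_SENDER_DOMAINS):
        kind = "lookalike of an expected domain" if is_lookalike(dom) else "unexpected domain"
        findings.append(f"From domain {dom} is a {kind}")

    reply_domains = address_domains(msg, "Reply-To")
    if reply_domains and reply_domains != from_domains:
        findings.append(f"Reply-To goes to {', '.join(sorted(reply_domains))}, not to the From domain")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} is a document type used as a malware carrier")

    return {
        "findings": findings,
        "attachments": attachments,
        "lookalike": any(is_lookalike(d) for d in from_domains),
        # Two independent signals are enough to hold the message for a human.
        "verdict": "quarantine" if len(findings) >= 2 else "deliver",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

None of these checks proves malice on its own; a genuine message can carry a Word file, and a contractor may legitimately mail from a domain that is not on the list. The point is that the three signals are independent, so requiring two of them holds a message like the one above without flooding the quarantine with ordinary traffic. Antivirus, as the article notes, caught nothing in the Booz Allen attachment.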
fiber-optic cables, [data transmission technology] ADSL, these ways of getting on the Internet took off," says Peng (whose Mandarin was translated by BusinessWeek), who wears half-rimmed glasses and drives a black Lexus IS300 bought last year.

His 3322.org has indeed become a hit. Peng says the service has registered more than 1 million domain names, charging $14 per year for "top-level" names ending in .com, .org, or .net. But cybersecurity experts and the Homeland Security Dept.'s U.S. Computer Emergency Readiness Team (CERT) say that 3322.org is a hit with another group: hackers. That's because 3322.org and five sister sites controlled by Peng are dynamic DNS providers. Like an Internet phone book, DNS maps a name to the numeric address that marks a computer's location on the Internet; a dynamic DNS provider lets the owner of a name change that address at any time, so malware can keep calling the same name even as the controlling computer moves. For example, 3322.org hosts the name cybersyndrome.3322.org, which pointed to Internet address 61.234.4.28, the China-based computer that was contacted by the malicious code in the Booz Allen attack, according to analyses reviewed by BusinessWeek. "Hackers started using sites like 3322.org so that the malware phones home to the specific name. The reason? It is relatively difficult to have [Internet addresses] taken down in China," says Maarten van Hoorenbeeck, a Belgium-based cybersleuth for the SANS Internet Storm Center.

Peng's 3322.org and sister sites have become a source of concern to the U.S. government and private firms. Cybersecurity firm Team Cymru sent a confidential report, reviewed by BusinessWeek, to clients on Mar. 7 that illustrates how 3322.org has enabled many recent attacks. In early March, the report says, Team Cymru received "a spoofed e-mail message from a U.S. military entity, and the PowerPoint attachment had a malware widget embedded in it." The e-mail was a spear-phish. The computer that controlled the malicious code in the PowerPoint? cybersyndrome.3322.org—the same China-registered computer in the attack on Booz Allen. Although the cybersyndrome Internet address may not be located in China, the top five computers communicating directly with it were—and four were registered with ChinaNet, a large state-owned Internet service provider, according to the report.

Target: Private Sector

A person familiar with Team Cymru's research says the company has 10,710 distinct malware samples hosted by 3322.org. Other groups that have reported attacks from computers hosted by 3322.org include activist group Students for a Free Tibet, the European Parliament, and U.S. Bancorp, according to security reports. Team Cymru declined to comment. The U.S. government has pinpointed Peng's services as a problem, too. In a Nov. 28, 2007, confidential report from Homeland Security's U.S. CERT obtained by BusinessWeek, titled "Cyber Incidents Suspected of Impacting Private Sector Networks," the federal cyberwatchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks. "The level of sophistication and scope of these cybersecurity incidents indicate they are coordinated and targeted at private-sector systems," says the report. Among the sites named: Peng's 3322.org, as well as 8800.org, 9966.org, and 8866.org. Homeland Security and U.S. CERT declined to discuss the report.

Peng says he has no idea hackers are using his service to send and control malicious code. "Are there a lot?" he says when asked why so many hackers use 3322.org. He says his business is not responsible for cyberattacks on U.S. computers. "It's like we have paved a road and what sort of car [users] drive on it is their own business," says Peng, who adds that he spends most of his time these days developing Internet telephony for his new software firm, Bitcomm Software Tech Co. Peng says he was not aware that several of his Web sites and Internet addresses registered through them were named in the U.S. CERT report. On Apr. 7, he said he planned to shut the sites down and contact the U.S. agency. Asked by BusinessWeek to check his database for the person who registered the computer at the domain name cybersyndrome.3322.org, Peng says it is registered to Gansu Railway Communications, a regional telecom subsidiary of China's Railways Ministry. He declined to provide the name of the registrant, citing a confidentiality agreement. "You can go through the police to find out the user information," says Peng.

U.S. cybersecurity experts say it's doubtful the Chinese government would allow the high volume of attacks on U.S. entities from China-based computers if it didn't want them to happen. "China has one of the best-controlled Internets in the world. Anything that happens on their Internet requires permission," says Cyber Defense Group's O. Sami Saydjari. A Chinese government spokesman says TK about 3322.org.

But Peng says there is little he can do if hackers exploit his goodwill—and there has been little incentive from the Chinese government to get tough. "Normally, we take care of these problems by shutting them down," says Peng. "Because our laws do not have an extremely clear method to handle this problem, sometimes we are helpless to stop their services." And so, it seems, is the U.S. government.
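The dynamic DNS discussion above explains why malware phones home to a name such as cybersyndrome.3322.org rather than to a fixed address, and the US-CERT report it cites told administrators to block traffic to the provider zones. The following added example, not code from the article, Team Cymru or US-CERT, shows the detection a defender can run over a recursive resolver's query log: flag any lookup into the zones the report named, matching on label boundaries so that a name that merely ends in the characters 3322.org is not caught, and then look for the regularly spaced re-resolution that a beaconing implant produces, which goes a step beyond the blocking the article describes. The log lines are constructed in a BIND-style query-log layout (the exact format is assumed), the internal client addresses are invented, and the zone list holds only the four names the article quotes.

```python
"""Spot malware phoning home through a dynamic-DNS provider (added example).

Not code from the article, Team Cymru or US-CERT. The log lines are
constructed in a BIND-like query-log shape (format assumed); the 10.1.x.x
client addresses are invented. Only cybersyndrome.3322.org and the four
zone names come from the article.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Zones the Nov. 28, 2007 US-CERT report named, as quoted in the text. A real
# deployment would load a maintained list instead of these four literals.
DYNDNS_ZONES = ("3322.org", "8800.org", "9966.org", "8866.org")

# Constructed sample log: one host re-resolving the C2 name every five minutes,
# one host with a single hit in another listed zone, ordinary traffic, and a
# decoy name that ends in "3322.org" but is not under that zone.
SAMPLE_LOG = """\
05-Sep-2007 08:25:10.000 client 10.1.4.22#51234: query: cybersyndrome.3322.org IN A
05-Sep-2007 08:26:01.000 client 10.1.4.22#51240: query: www.example.com IN A
05-Sep-2007 08:30:10.000 client 10.1.4.22#51301: query: cybersyndrome.3322.org IN A
05-Sep-2007 08:35:10.000 client 10.1.4.22#51377: query: cybersyndrome.3322.org IN A
05-Sep-2007 08:40:10.000 client 10.1.4.22#51402: query: cybersyndrome.3322.org IN A
05-Sep-2007 08:41:33.000 client 10.1.7.9#40001: query: update.8800.org IN A
05-Sep-2007 08:42:00.000 client 10.1.7.9#40002: query: mail.example.org IN A
05-Sep-2007 09:00:00.000 client 10.1.9.3#33001: query: notreally3322.org IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def zone_of(qname):
    """Return the listed zone a query name falls under, or None.
    Matches on label boundaries: 'notreally3322.org' is not under '3322.org'."""
    name = qname.lower().rstrip(".")
    for zone in DYNDNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def parse_log(text):
    """(timestamp, client, qname) for every line that matches the assumed format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m["client"], m["qname"].rstrip(".").lower()))
    return records


def flag_dyndns(records):
    """Set of (client, qname, zone) for every query into a listed zone."""
    hits = set()
    for _, client, qname in records:
        zone = zone_of(qname)
        if zone:
            hits.add((client, qname, zone))
    return hits


def find_beacons(records, min_queries=3, tolerance=0.1):
    """Flagged names one client re-resolves at a near-constant interval.
    An implant on a timer re-resolves its C2 name at regular spacing, which
    ordinary browsing does not; the median gap is the estimated period."""
    by_pair = defaultdict(list)
    for ts, client, qname in records:
        if zone_of(qname):
            by_pair[(client, qname)].append(ts)
    beacons = []
    for (client, qname), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period > 0 and all(abs(g - period) <= tolerance * period for g in gaps):
            beacons.append((client, qname, period))
    return beacons


def analyse(text):
    records = parse_log(text)
    return {"flagged": flag_dyndns(records), "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for client, qname, zone in sorted(result["flagged"]):
        print(f"{client} queried {qname} (dynamic DNS zone {zone})")
    for client, qname, period in result["beacons"]:
        print(f"{client} beacons to {qname} every {period:.0f}s")
```

Blocking the zone at the resolver, as US-CERT advised, stops the call home but also hides it; logging the lookup first and then blocking it gives the incident responder the list of internal hosts that were already infected. The beacon check is what separates a machine that has an implant from one whose user simply visited a page hosted under one of these zones.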