From Wikipedia, the free encyclopedia
Cyber-collection refers to the use of cyber-warfare techniques in order to condu
ct espionage. Cyber-collection activities typically rely on the insertion of mal
ware into a targeted network or computer in order to scan for, collect and exfil
trate sensitive information.
Cyber-collection started as far back as 1996, when widespread deployment of Inte
rnet connectivity to government and corporate systems gained momentum. Since tha
t time, there have been numerous cases of such activity.[1][2][3]
In addition to the state sponsored examples, cyber-collection has also been used
by organized crime for identity and e-banking theft and by corporate spies. Ope
ration High Roller used cyber-collection agents in order to collect PC and smart
-phone information that was used to electronically raid bank accounts.[4] The Ro
cra, aka Red October, collection system is an "espionage for hire" operation by
organized criminals who sell the collected information to the highest bidder.[5]
Contents [hide]
1 Platforms and Functionality
2 Infiltration
3 Examples of Cyber-Collection Operations
4 References
5 See also
Platforms and Functionality[edit]
Cyber-collection tools have been developed by governments and private interests
for nearly every computer and smart-phone operating system. Tools are known to e
xist for Microsoft, Apple, and Linux computers and iPhone, Android, Blackberry,
and Windows phones.[7] Major manufacturers of Commercial off-the-shelf (COTS) cy
ber collection technology include Gamma Group from the UK[8] and Hacking Team fr
om Italy.[9] Bespoke cyber-collection tool companies, many offering COTS package
s of zero-day exploits, include Endgame, Inc. and Netragard of the United States
and Vupen from France.[10] State intelligence agencies often have their own tea
ms to develop cyber-collection tools, such as Stuxnet, but require a constant so
urce of zero-day exploits in order to insert their tools into newly targeted sys
tems. Specific technical details of these attack methods often sells for six fig
ure sums.[11]
Common functionality of cyber-collection systems include:
Data scan: local and network storage are scanned to find and copy files of inter
est, these are often documents, spreadsheets, design files such as Autocad files
and system files such as the passwd file.
Capture location: GPS, WiFi, network information and other attached sensors are
used to determine the location and movement of the infiltrated device
Bug: the device microphone can be activated in order to record audio. Likewise,
audio streams intended for the local speakers can be intercepted at the device l
evel and recorded.
Hidden Private Networks that bypass the corporate network security. A compute th
at is being spied upon can be plugged into a legitimate corporate network that i
s heavy monitored for malware activity and at same time belongs to a private wif
i network outside of the company network that is leaking confidential informatio
n off of an employee's computer. A computer like this is easily set up by a doub
le-agent working in the IT department by install a second Wireless card in a com
puter and special software to remotely monitor an employee's computer through th
is second interface card without them being aware of a side-band communication c
hannel pulling information off of his computer.
Camera: the device cameras can be activated in order to covertly capture images
or video.
Keylogger and Mouse Logger: the malware agent can capture each keystroke, mouse
movement and click that the target user makes. Combined with screen grabs, this
can be used to obtain passwords that are entered using a virtual on-screen keybo
Screen Grabber: the malware agent can take periodic screen capture images. In ad
dition to showing sensitive information that may not be stored on the machine, s
uch as e-banking balances and encrypted web mail, these can be used in combinati
on with the key and mouse logger data to determine access credentials for other
Internet resources.
Encryption: Collected data is usually encrypted at the time of capture and may b
e transmitted live or stored for later exfiltration. Likewise, it is common prac
tice for each specific operation to use specific encryption and poly-morphic cap
abilities of the cyber-collection agent in order to ensure that detection in one
location will not compromise others.
Bypass Encryption: Because the malware agent operates on the target system with
all the access and rights of the user account of the target or system administra
tor, encryption is bypassed. For example, interception of audio using the microp
hone and audio output devices enables the malware to capture to both sides of an
encrypted Skype call.[12]
Exfiltration: Cyber-collection agents usually exfiltrate the captured data in a
discrete manner, often waiting for high web traffic and disguising the transmiss
ion as secure web browsing. USB flash drives have been used to exfiltrate inform
ation from air gap protected systems. Exfiltration systems often involve the use
of reverse proxy systems that anonymize the receiver of the data.[13]
Replicate: Agents may replicate themselves onto other media or systems, for exam
ple an agent may infect files on a writable network share or install themselves
onto USB drives in order to infect computers protected by an air gap or otherwis
e not on the same network.
Manipulate Files and File Maintenance: Malware can be used to erase traces of it
self from log files. It can also download and install modules or updates as well
as data files. This function may also be used to place "evidence" on the target
system, e.g. to insert child pornography onto the computer of a politician or t
o manipulate votes on an electronic vote counting machine.
Combination Rules: Some agents are very complex and are able to combine the abov
e features in order to provide very targeted intelligence collection capabilitie
s. For example, the use of GPS bounding boxes and microphone activity can be use
d to turn a smart phone into a smart bug that intercepts conversations only with
in the office of a target.
Compromised cellphones. Since, modern cellphones are increasingly similar to gen
eral purpose computer, these cellphones are vulnerable to the same cyber-collect
attacks as computer systems, and are vulnerable to leak extremely sensitive con
versational and location information to an attackers.[14] Leaking of cellphone G
PS location and conversational information to an attacker has been reported in a
number of recent cyber stalking cases where the attacker was able to use the vi
ctim's GPS location to call nearby businesses and police authorities to make fal
se allegations against the victim depending on his location, this can range from
telling the restaurant staff information to tease the victim, or making false w
itness against the victim. For instance if the victim were parked in large parki
ng lot the attackers may call and state that they saw drug or violence activity
going on with a description of the victim and directions to their GPS location.
There are several common ways to infect or access the target:
An Injection Proxy is a system that is placed upstream from the target individua
l or company, usually at the Internet service provider, that injects malware int
o the targets system. For example, an innocent download made by the user can be
injected with the malware executable on the fly so that the target system then i
s accessible to the government agents.[15]
Spear Phishing: A carefully crafted e-mail is sent to the target in order to ent
ice them to install the malware via a Trojan document or a drive by attack hoste
d on a web server compromised or controlled by the malware owner.[16]
Surreptitious Entry may be used to infect a system. In other words, the spies ca
refully break into the target's residence or office and install the malware on t
he target's system.[17]
An Upstream monitor or sniffer is a device that can intercept and view the data
transmitted by a target system. Usually this device is placed at the Internet se
rvice provider. The Carnivore system developed by the U.S. FBI is a famous examp
le of this type of system. Based on the same logic as a telephone intercept, thi
s type of system is of limited use today due to the widespread use of encryption
during data transmission.
A wireless infiltration system can be used in proximity of the target when the t
arget is using wireless technology. This is usually a laptop based system that i
mpersonates a WiFi or 3G base station to capture the target systems and relay re
quests upstream to the Internet. Once the target systems are on the network, the
system then functions as an Injection Proxy or as an Upstream Monitor in order
to infiltrate or monitor the target system.
A USB Key preloaded with the malware infector may be given to or dropped at the
target site.
Cyber-collection agents are usually installed by payload delivery software const
ructed using zero-day attacks and delivered via infected USB drives, e-mail atta
chments or malicious web sites.[13][18] State sponsored cyber-collections effort
s have used official operating system certificates in place of relying on securi
ty vulnerabilities. In the Flame operation, Microsoft states that the Microsoft
certificate used to impersonate a Windows Update was forged;[19] however, some e
xperts believe that it may have been acquired through HUMINT efforts.[20]