Black Code: Inside the Battle for Cyberspace (19 page)

The speed by which new cyberspace technologies are created far outstrips the capacity of governments to regulate them. As William Gibson argues, “In a world characterized by technologically driven change, we necessarily legislate after the fact, perpetually scrambling to catch up.” Our law enforcement is structured around a world of sovereign states, each separated from the other in territorially based pyramids of hierarchical authority. Cyber crime, on the other hand, is global, its victims distributed across political jurisdictions, and it cleverly avoids concentrations high enough in any one jurisdiction to warrant concerted law enforcement attention. As our Koobface experience showed, even armed with a blueprint of the group’s entire infrastructure, the RCMP faced a mountain of bureaucratic hurdles working with counterparts abroad.

•  •  •

An epidemiologist studying
such intense sharing and interaction introduced into a population with no prior immunity would predict the digital equivalent of a virulent disease outbreak. And that’s just what has happened. How big is cyber crime? Statistics are regularly thrown out by governments and security companies, but they are inherently unreliable. Still, as the
Economist
recently put it, “Big numbers and online crime go together.” The security firm McAfee estimates that they receive 80,000 new malicious software samples a day; that is, 80,000 new forms of malware that they have never registered before, newly created, every single day. But the reality is that no one really knows the full extent of the
maliciousness. As Misha Glenny, author of
DarkMarket
, puts it, figures like these could be “wildly exaggerated … by the cyber security industry in order to generate sales. Or it could be the result of some hyperactive algorithms. Or it could be true. But nobody can assert with any confidence which it is.” New major hacking attacks, data breaches, and other forms of cyber crime come to light almost daily.

Consider the last week of December 2011. As celebrants were revelling in the holiday season and looking forward to ushering in the New Year, two dramatic back-to-back breaches occurred in a span of two days.
First, a December 27, 2011, breach of the Chinese blogging site Tianya resulted in the exposure of 46 million users’ email addresses and passwords, with 4 million of the usernames and passwords published entirely in the clear; that is, not encrypted. Two days later, the hacking collective Anonymous breached
the website of the private security think tank Stratfor and dumped 860,000 accounts, including usernames, email addresses, and passwords, into the public domain. The hackers claimed to have used the credentials of thousands of credit cards collected during the hack to make fraudulent Christmas donations to human rights groups and other NGOS.

The Christmas donations made by Anonymous underscore another characteristic of cyber crime, and a final thought about the Koobface story that should give us pause. The ingenuity of online crime is often combined with humour and irony. After the security company Symantec issued a 2011 report that included details on
a particularly malignant backdoor trojan horse called Poison Ivy, used by attackers who had infiltrated more than fifty companies, the perpetrators, a group called Nitro, began sending out emails purporting to be from Symantec with the Symantec report attached. The report was infected with the Poison Ivy trojan itself! One hacker goes by the name “Google,” making it almost impossible to
locate him or her using open Internet searching methods. (Try searching for “Google” on Google.)

The Koobface group was notoriously humorous, often charming, and even had what might be considered a kind of ethical restraint: they openly mocked security researchers who tracked them, but in doing so also inadvertently exposed the limits of their desire
not
to do major harm. For example,
in 2009 Koobface left a Christmas greeting for security researchers that attempted to clarify their intentions: “As many people know, ‘virus’ is something awful, which crashes computers, steals credential information as good as [sic] all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER.” In other words, they restricted their crimes to petty fraud, albeit on a massive scale. The alarming thing is that they could have easily done otherwise.

Hundreds of thousands of compromised computers networked together through invisible strings controlled by a few individuals can be employed to extract pennies from unsuspecting victims, as it was with Koobface, or sensitive national security documents from government agencies, as GhostNet and Shadows proved. Such a system can be used to direct users to click on fake advertisements for Viagra, or be marshalled to attack a human rights website, as happens with increasing frequency from Iran and Kazakhstan to Burma and Vietnam.

Lurking in the background is another disturbing question: What happens when the world of cyber crime becomes militarized?

“Listen,”
said the Indian official, the connection echoing, crackling with static, “we would like to know whether you would join us.”

“Excuse me?”

“We want you to help us fight back. Is that something you would be prepared to do?”

“What do you mean, ‘fight back’?”

“Yes, yes, fight back. Join us to attack the Chinese.”

We looked at each other in stunned silence. Were we actually hearing this?

The Skype call had been hastily set up between the Citizen Lab and an obscure Indian state intelligence organ called NTRO in the spring of 2010. An Indian version of the U.S. National Security Agency, the National Technical Research Organisation might sound humdrum, but it is India’s highly secretive premier technical intelligence-gathering organization. NTRO stands at the apex of the Indian armed forces and secret services and, among other things, is responsible for satellite, electronic, and Internet monitoring activities. Judging by the offer extended to us over Skype, NTRO is not above asking for outside help, even outsourcing work necessary to getting to the root of attacks on the computer networks it polices, especially when it believes that counterattacks are required.

While dozens of embassies, prime ministers’ offices, and diplomatic missions around the world had been plundered by the Ghostnet attackers, the perpetrators described in
Shadows in the Cloud
instead focused like a laser beam on the Indian national security establishment. As in the past, mistakes made by the attackers gave us insight into their inner workings, but in this case we were able to recover copies of the data being removed, or “exfiltrated” as they say in the cyber intelligence world.

The Shadows attackers went to great lengths to obscure their trail, splitting the documents and other data stolen from unwitting computer owners into bits and pieces and hopscotching them across the Internet through “drop zones” set up on a spider’s web of free hosting sites, before reassembling them. Nart Villeneuve was able (again) to get partial access to one of these stepping stones – an open file transfer protocol (FTP) used by the attackers on an improperly secured computer – and once he found this window into their subterranean lair, he engineered a script that automatically copied anything that passed through the FTP site. As I told John Markoff of the
New York Times
(which gave front-page coverage to
Shadows in the Cloud
), we were going “behind the backs of the attackers and picking their pockets.”

As with the GhostNet investigation, we had privileged access to Tibetan computers, including those situated in the Office of His Holiness the Dalai Lama in India, which we had wiretapped with permission. Seeing it from both sides – from that of the victims (the Dalai Lama’s office and the Tibetan Government-in-Exile), and that of the attackers (through a backdoor left open into their networks) – allowed us to confirm that the data being exfiltrated was, in fact, stolen from the source. Part of the data was a folder called “Letters,” which contained a year’s supply of the Dalai Lama’s official correspondence. Replies and inquiries to numerous individuals, organizations, and world leaders, and to their governments
all silently stolen from the Dalai Lama’s office computers were now in our possession
and
that of the unknown attackers.

We also gained access to hundreds of other documents processed through the drop zone – spreadsheets, PowerPoint presentations, hotel reservations, expense reimbursement forms, and other letters and charts – that seemed unrelated to Tibet or the Dalai Lama. We reassembled what could be recovered, assigned a code to each piece of data, and tried to determine who, other than the Dalai Lama, the attackers were pilfering. Some of the documents appeared highly sensitive: two were stamped “Secret,” six “Restricted,” five “Confidential,” and one appeared to be diplomatic correspondence. By combining forensic analysis of the documents’ metadata with IP addresses and other open-source information, we determined that the sensitive information was stolen from at least one member of the Indian National Security Council Secretariat, probably the Indian Directorate of Military Intelligence, and others in Indian government consulates and embassies, including the Indian embassy in Washington.

Some of the documents were extraordinary: secret assessments of India’s security situation in flammable states like Assam, Manipur, Nagaland, and Tripura; security reports about insurgency groups threatening India, such as the Naxalites and Maoists; and confidential information taken from Indian embassies about the country’s relations with and strategy towards West Africa, Russia and the rest of the former Soviet Union, and the Middle East. We pieced together visa applications, passport office internal memos, and diplomatic correspondence. Among the stolen documents were visa applications made by Canadians at the Indian embassy in Kabul. Few Canadian tourists travel through Afghanistan en route to India these days, but in 2010 Canada was actively participating in the NATO mission there. Were the visa applications from Canadian military personnel?

Defence-oriented Indian academics and journals had also been compromised and, while none of the material obtained was classified, the documents we recovered pertaining to these individuals and organizations revealed information about very sensitive topics. (This suggested that the attackers had managed to compromise individuals knowledgeable about classified information.) We recovered documents relating to missile programs and artillery combat command-and-control systems. Ironically, some of the documents contained references to “network centric warfare,” including cyber espionage threats (and how to defend against them) made against the owners of the reports.

The highest intelligence and diplomatic organs of one of the world’s largest governments had been thoroughly exposed and penetrated by hackers, and only two groups of people knew about it: us and them – and the other guys, we presumed, were operating at the behest of the Chinese government.

•  •  •

In the days before
cyber espionage, acquiring this amount of detailed intelligence would have required risky, time-consuming, and laborious missions involving physically infiltrating buildings and compromising personnel with clearances and access to data. Even then, it is hard to imagine a single operation siphoning up (in one elegant electronic scoop) such a wide array of information. More remarkable still was that the cyber espionage was continuously occurring right under the noses of the victims. The perpetrators were able to receive minutes of Indian National Security Council meetings as they were transcribed into Word documents and saved on the compromised computer. In short, we witnessed an international spying operation as it unfolded, in real time.

Seeing first-hand evidence of what had been stolen added a
unique dimension to this investigation that was missing from the GhostNet probe. The latter was larger in scope, and perhaps more debilitating to the victims because of the Ghost RAT Trojan – which allowed the hackers to remotely turn on the audio and video capture systems of computers under their control and use them to silently eavesdrop – but we never saw what the GhostNet attackers actually stole from victims. Our conclusions were mostly based on inference. With Shadows we had tangible evidence of what was being removed.

As exciting (and unprecedented from a research perspective) as this was, it left us in an ethical quagmire. What should we do about possessing data of a foreign government that is marked classified, sensitive, and restricted? There is no training for this type of situation in academia, no textbook on the handling of a foreign government’s classified material silently recovered by a clandestine cyber espionage ring. As with the GhostNet and TOM–Skype reports, we found ourselves in
terra incognita
.

After debating several options, we felt obliged to present a detailed brief to the Indian government so that it could patch the gaping holes in its computer networks and prevent further exploitation by other cyber spies. The call was set up by Steven Adair of the Shadowserver Foundation, one of our partners in the investigation. Shadowserver consists of a group of U.S.-based volunteer computer security professionals, many with extensive contacts in the law enforcement and intelligence communities, and it was able to make contact with an official at NTRO. We sent the official a spreadsheet listing the IP addresses of the computers we knew were compromised and an overview of the documents we possessed, and asked him for guidance on how to dispose of them. Instead, to our astonishment he offered us a job: help NTRO “attack the Chinese.”

While the request to hack into Chinese government computer networks startled us, we weren’t surprised by the Indian government’s
instinct to “hack back,” or its willingness to outsource the job. Alongside other governments, India was groping with how to defend itself from persistent cyber attacks, and, like many of them, it followed the basic adage about “offence being the best defence.” (Indeed, by June 2012 the
Times of India
was reporting from unnamed sources that “the National Security Council (NSC) headed by Prime Minister Manmohan Singh would soon approve [a] comprehensive plan and designate the Defence Intelligence Agency and National Technical Research Organisation as agencies for carrying out offensive cyber operations, if necessary.”) But unlike the United States, Britain, and other Western democracies, the Indians, we sensed, were not going to follow a conventional playbook should they decide to fight back.