Fatal System Error

Authors: Joseph Menn

In Georgia, the plausible deniability wore even thinner. The massive digital attacks began against government sites before the Russian tanks rolled in August 2008, eventually driving the prime minister’s site to safe haven in the U.S. Armin and others who spoke with network administrators in Georgia found that a lot of the malicious traffic came from servers controlled by the Russian Business Network. James McQuaid, who collaborated with Armin, traced much of the early attack to a swath of Internet addresses controlled by RBN operatives Alexander Boykov and Sergey Smirnov, whose previous schemes included a fake antivirus program and a faux Canadian pharmacy outlet, respectively. More intriguingly, some better-hidden machines directing the attack resided on Internet addresses belonging to state-owned telecommunications companies in Russia, according to Don Jackson of SecureWorks. The choice of targets is also telling. Denial-of-service attacks shut down official sites in the smaller Georgian city of Gori, along with local news sites, before the Russian planes got there. “How did they know that they were going to drop bombs on Gori and not the capital?” Jackson asked, adding that Boykov’s associates said he was a retired FSB agent. “From what I’ve seen first-hand, there was at some level actual coordination and/or direction [by the Russian government], especially in regard to the timing and the targets of some of the attacks.” This time it wasn’t just denial-of-service attacks: people also infiltrated Georgia’s government networks to steal information and deface websites, replacing the content with pro-Russia propaganda.
Theoretically, free-spending and spontaneously patriotic hackers could have done much of the damage to Georgia. But other, less-noticed attacks have mysteriously silenced critics of the Kremlin, and it’s hard to see why even patriotic hackers would have cared to help. Take Compramat.ru, a scandal site similar to The Smoking Gun in the U.S. It publishes dossiers on politicians and other prominent people. In mid-2006, it evidently offended the wrong people, and a denial-of-service attack downed it, Zenz said. Other scandal sites failed as well, and so have those belonging to opposition politicians including Garry Kasparov. DDoS assaults also pummeled mainstream news outlets, including the daily Kommersant, which was apparently hit for printing an interview with the exiled tycoon Boris Berezovsky.
The denial-of-service retributions finally came to Western attention in the summer of 2009, when one knocked the popular messaging site Twitter offline and slowed down Facebook on the anniversary of the Georgian war. Facebook discovered that it had been crippled by requests to view the page of a single user, a Georgian professor and Russia critic who blogged under the name Cyxymu. The attack was “directed at an individual who has a presence on a number of sites, rather than the sites themselves,” Facebook said.
The fate of Ingushetia.ru, an opposition news site in the strife-torn Caucasus region, was more serious. Moscow blocked access to the site for a time, and the local government sued to have it taken down. Then owner Magomed Evloev was arrested and “accidentally” shot in the head.
“Every time there are elections, we see DDoS attacks against political dissidents or independent media,” said Rafal Rohozinski, who worked in the Caucasus and co-founded the OpenNet Initiative, which tracks Web restrictions. He said the attacks formed a more subtle part of a broader Kremlin crackdown on media that includes the unsolved murders of many journalists. “With a DDoS attack, how do you actually prove that it’s happening, as opposed to the network failing? The plausible deniability becomes much more of a gray area, and for average users, the bottom line is the site is unavailable.”
Rohozinski concluded that the government has spared many criminal hackers on condition that they do some work for the country. “From the knowledge we have, it’s clear there’s a nod and wink that goes on: ‘We won’t prosecute you as long as you make yourself available for things like Estonia and Georgia.’” Zenz agreed. Cyberattacks “were better and more organized in Georgia, and that’s only going to continue,” she said. “It used to be people thought crime is one thing, politics and diplomacy are a second thing, but I think it’s going to continue to merge.”
Patriotic individuals do some damage by themselves. They helped go after Estonia and Georgia, and in January 2009 a group called Help Israel Win persuaded ordinary Israelis to volunteer their computers for a botnet launching DDoS attacks on Palestinian sites. Years before, patriotic Chinese defaced U.S. military sites and probably released the costly Code Red worm after a U.S. spy plane crashed into a Chinese jet and killed the pilot. U.S. hackers retaliated with their own defacements and may have launched the Code Blue worm, which reinfected Code Red machines and used them for denial-of-service attacks on Chinese sites.
But in Russia, the current model appears similar to the one the government uses with Nashi, a government-supported patriotic youth group that protests internal and external “fascists” and other Kremlin enemies. The authorities officially disapprove of any extralegal actions. But there is no way they would happen without guidance from above. Indeed, the FSB has implicitly drawn the parallel. The Moscow investigative journalist Andrei Soldatov reported in 2007 that the government’s National Antiterrorist Committee appeared to be taking the lead in coordinating citizen hacking attacks. Soldatov traced such attacks as far back as 2002, after hackers broke into the Sweden-based pro-Chechen rebel site Kavkaz-Tsentr. In a highly unusual move, the FSB issued a press release saying that no laws had been broken in the attacks and that the hackers were acting in a patriotic manner worthy of respect.
Three years later, Russian officials complained publicly that Sweden had refused to pull the plug on the site. The next day, the Russian site Mediactivist.ru coordinated another attack on the Chechen pages. The hackers have returned frequently, defacing the site and temporarily redirecting traffic to anti-Chechen sites. Since other governments have declined to shut down objectionable sites and will continue to do so, Moscow will continue to rely on such hackers, Soldatov said. A member of the Russian legislature went so far as to issue a proclamation thanking a hacking group for attacking sites in Israel. “A small force of hackers is stronger than multiple thousands of the current armed forces,” Duma deputy Nikolai Kuryanovich’s certificate read. “I hope that from now on your work will not become any less productive.”
Another ultra-nationalist member of the Duma was the source of a startling admission at a forum on cyber issues in 2009, when he said an assistant in his office dreamed up the attack on Estonia and said such “spontaneous” responses would likely continue. He was referring to Konstantin Goloshkov, a commissar of Nashi, who confirmed the story to the Financial Times. “It was cyber defense,” he said. “We taught the Estonian regime a lesson that if they act illegally, we will respond in an adequate way.” He denied Kremlin direction, saying: “We did everything based on our own initiative.” Even if that were true, such public statements show what little hold international norms of cyber behavior have on Russia.
The Russians are not alone in seeing cyberwarfare as a golden opportunity to catch up to the U.S. in military strength. The convicted Bali nightclub bomber used his autobiography to praise computer-assisted credit card fraud as a means of raising funds. And three British jihadists convicted in 2007 for inciting murder used access to a database with 37,000 stolen credit cards to buy 250 airline tickets, night-vision goggles, hundreds of prepaid cell phones, GPS devices, and more—some $3.5 million in total purchases—to assist others in the movement. Investigators said one of the men, Tariq al-Daour, was a regular on CarderPlanet and phished eBay customers. In one trick for laundering the proceeds, al-Daour set up more than a hundred gambling accounts at AbsolutePoker.com, Canbet.com, and other sites, bet often, and cashed out the winnings.
THE CHINESE, MEANWHILE, have been comparatively open about their cyber military aspirations. Chinese military analyst Wang Huacheng, in a 2000 paper, described U.S. reliance on information technology and space as “soft ribs and strategic weaknesses.” And the country’s efforts in the area have been extremely successful. For several years beginning in 2002, Chinese forces penetrated Sandia National Laboratories, the U.S. Army Information Systems Engineering Command, and other sites in an operation known as Titan Rain. Air Force Major General William Lord said the Chinese downloaded at least ten terabytes of data, the same amount contained in the Library of Congress. The Chinese also have accessed the Defense Department’s Internet-connected system for distributing unclassified information, including schedules for top commanders and troop movements.
A bipartisan commission on U.S.-China issues that reports to Congress annually said in November 2008 that major Chinese cyberspace and space initiatives could provide “capability enabling it to prevail in a conflict with U.S. forces.” The report concluded that “since China’s current cyber operations capability is so advanced, it can engage in forms of cyberwarfare so sophisticated that the United States may be unable to counteract or even detect the efforts.” Major targets might include Internet-linked financial networks and systems for controlling aircraft and distributing electrical power. The electric grid is so poorly defended, said one expert, that an enemy could knock it offline for months.
In a parallel with the situation in Russia, Western authorities can trace many cyberattacks only as far back as known hacker groups, while China denies spying. U.S. military experts said that one of the key attractions of cyber operations for the Chinese is that the difficulty proving responsibility hamstrings any reaction. In addition, Chinese authorities work so hard to monitor use of the Internet that it’s impossible to imagine a major international data-stealing operation being carried out without government support. The U.S.-China Economic and Security Review Commission reported that as many as 250 hacking groups “are tolerated and may even be encouraged by the government to enter and disrupt computer networks.” In contrast to the Russian experience, where profit predated patriotism, almost all of the early cyberattacks from within China expressed nationalistic sentiments. Numerous assaults on sites in Taiwan, Indonesia, and Japan followed some perceived insult against China. Such groups as the Red Hacker Alliance said they put patriotism first. Only after several years of pro-China activities did a profit motive emerge to such an extent that it splintered some of the most important organizations.
Again like the Russians, the Chinese have used cyberattacks to harass and silence civilian foes based outside the country’s borders. Proponents of the Falun Gong and Tibetan independence movements have been targeted, and at least one small Tibetan alliance disbanded rather than risk further electronic communications. Chinese hackers have hit virtually all the groups with “zero-day exploits,” those that use a vulnerability that has not been openly identified and patched. One especially clever email used a previously unknown flaw in Microsoft Word to try to infiltrate a pro-Taiwan group. Two weeks later, the same gambit was used against a big defense contractor in the U.K., according to Finnish expert Mikko Hypponen, strongly suggesting the hand of the Chinese government.
Groups such as Students for a Free Tibet long ago switched to Macs, which are less vulnerable to viruses, stopped opening attachments, and barred sensitive topics from email. “The place where it got really disturbing was during the March 2008 uprising, when information was really hard to get out of Tibet and it was an awful time for people,” said Lhadon Tethong, director of the organization. Penetration attempts appeared in “messages coming in saying ‘Please help me, I’m in Tibet, I saw everything, I have photos,’” Tethong said. “It was really awful manipulation of emotions.” Despite precautions, the breaches have been constant and possibly deadly for some who have disappeared within Tibet. In one case, Tethong said, a virus sent data back to a machine in the mainland’s railway ministry. In another incident, everyone in Tethong’s inner circle got infected, and the only common link was emails from her. Security experts found that her machine had been compromised through the wireless network at the exiled Tibetan leadership’s main offices in India.
Similar email attacks penetrated dozens of U.S. defense contractors. A typical attempt came in an attachment to a credible 2007 email apparently from Air Force military sales official Stephen Moree to Booz Allen Hamilton military consultant Jack Mulhern. If Mulhern had opened the purported enumeration of India’s desired Pentagon gear, which echoed a recently released wish list, his every subsequent keystroke would have been sent off to someone relying on an infamous Chinese domain name registrar, 3322.org. Another target of a Chinese Trojan was a client of security firm iDefense. That company, looking for the originating hacker, scanned Chinese-language sites and found that a man going by Wicked Rose (or, as translated by others, Withered Rose) claimed to have written the previously unknown remote-control technology installed by the Trojans. He also claimed responsibility for targeted email attacks using vulnerabilities in Word, which was the way the Trojans got in. A university student in Chengdu, Wicked Rose won two hacking competitions sponsored by the military and led what he called the Network Crack Program Hacker group, earning enough to leave school. His real name was Tan Dailin, according to Time magazine, which tracked him down for an interview in which he nervously denied hacking the Pentagon.