Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Reverse Deception: Organized Cyber Threat Counter-Exploitation (17 page)
Note that in many of these examples, the activity had been ongoing for more than a few years, and there had been little to no success by the defenders in publicly attributing any associated individuals or groups with the series of events, because the attackers did not need to follow any rules or laws.
NOTE
Some of you may sit back and freak out that we’re mentioning this information, but trust in knowing everything is either publicly available or has been properly reviewed prior to publication. Some of you may coyly smile, knowing you were behind one or more of the series of events discussed and regularly referred to in this book—just know that we’re watching you more than you think…
.
Moonlight Maze
The Moonlight Maze APT was reported as ongoing for well over two years. Numerous government, military, and academic networks were purportedly probed, and there was some pattern to the adversaries’ activities that was specific enough to generate a name for this course of events. According to publicly available information (public search engines), this event was traced back to a mainframe system in Russia. The actual perpetrators were never caught, nor was any additional information about the series of events released. This would be considered an APT
without a doubt
. Specific individuals or groups were targeting specific sensitive systems belonging to specific industries.
The overall ability to probe these networks for this period of time without detection or direct attribution illustrates a degree of expertise and resources. The devil always lies in the details. The observables of this event were never clear or publicly disclosed, but the overreaching capabilities and methods that were publicly disclosed are enough to review.
The following are some of the observables known about this event that illustrate some measurable details that were more than likely taken into consideration as a metric when gauging this adversary throughout the course of the investigation into this threat.
| Moonlight Maze | Observables |
|---|---|
| Attack origination points | Unknown |
| Numbers involved in attack | Unknown |
| Risk tolerance | Unknown |
| Timeliness | Systems accessed for more than 2 years |
| Skills and methods | Unknown |
| Actions | Persistence and acquisition of foreign intelligence |
| Objectives | Espionage |
| Resources | Several years’ worth of code and infrastructure development and operations |
| Knowledge source | Not much available online |
Stakkato
The Stakkato series of events was perpetrated by an individual or group by the name of Stakkato, which included a 16-year-old from Uppsala, Sweden. Several other supposed accomplices were searched, and several computers were seized. This threat was advanced from the perspective of the methods Stakkato used to operate and easily gain access to stolen data via remote exploits of Linux-based systems and compromised accounts and logins.
By using locally based kernel exploits (a sophisticated technique that requires a high knowledge level and advanced development skills), Stakkato managed to elevate its privileges and gain control of various systems within numerous government agencies and private sector enterprises. Stakkato infiltrated mostly US supercomputing laboratories and used their TeraGrid network, which is a high-speed international distributed network that connects numerous academic, military, and government systems. Via stolen login credentials Stakkato was able to gain access to these systems for well over two years. Finally, Stakkato was able to gain access to Cisco Corporation’s router internetwork operating system (IOS) source code, which enabled the attacker to develop custom exploits, rootkits (backdoors), and enhanced control of routers around the world.
Things got a little complicated when world government and military systems became involved in the incidents. The primary suspect was apprehended and is currently going through due process in the judicial system.
Stakkato was able to attack and move throughout global enterprises across numerous countries, hopping jurisdictions. This is one of the primary reasons behind the length in which Stakkato was able to operate. However, the following examples show how specific observables helped lead to the apprehension of Stakkato.
| Stakkato | Observables |
|---|---|
| Objectives | Curious hacker turned cyber criminal entrepreneur |
| Timeliness | Operated at various times of the day |
| Resources | Unknown |
| Risk tolerance | Unknown |
| Skills and methods | In-depth knowledge of Linux kernel and router programming |
| Actions | Numerous compromised enterprises and data theft |
| Attack origination points | Unknown |
| Numbers involved in attack | Hundreds of systems and dozens of enterprises |
| Knowledge source | Online forums where the attacker lurked |
Titan Rain
The Titan Rain APT was publicly disclosed in 2005 and is said to have continued for more than three years. This was a series of coordinated attacks against American computer systems that focused primarily on the sectors of industry where the US government had several sensitive interests. The threat was reported as being of Chinese origin, and to date, the true perpetrators remain unknown. Overall, the victims involved in the attack were targeted for their sensitive information. This can be considered a cyber espionage case, although the event was never officially labeled as a state-sponsored espionage or corporate-espionage-based series of events.
This APT has been a very regular topic of late, as international corporations and governments point fingers at the People’s Republic of China (PRC), accusing some of its citizens of stealing intellectual property for the purpose of societal, military, and/or monetary gain.
The only known pieces of this event are the observables, which provide the only way to work an event of this magnitude and length once it’s discovered. Investigators can learn from the mistakes that enabled the events to occur in the first place. In this case, some of the skills and methods used at various times were enough to allow the investigators to determine significant details that enabled attribution of the motives and intent of the threat. The following observables of this event illustrate some measurable details when gauging threats and adversaries.
| Titan Rain | Observables |
|---|---|
| Objectives | Espionage |
| Timeliness | Precisioned and punctual |
| Resources | Several years’ worth of code and infrastructure development and operations |
| Risk tolerance | Depending on the objectives at hand |
| Skills and methods | Ranging from simple to sophisticated |
| Actions | Theft of sensitive information |
| Attack origination points | Global IP addresses (purportedly most from Chinese IP space) |
| Numbers involved in attack | Thousands |
| Knowledge source | Unknown |
Stormworm
The Stormworm event was advanced in its use of peer-to-peer (P2P) command-and-control infrastructure (which is a network-based configuration for remote operational control of a botnet), and the precision in which its operators controlled, manipulated, and disrupted specific Internet communications throughout the world. The delivery of this bot agent was not overly advanced, as it primarily relied on the age-old technique of social engineering, via e-mail messages that contained attachments and/or embedded links to malicious exploit sites. This method is in use today, and has been defined as
phishing, spear phishing
, and
whaling
.
NOTE
Spear phishing relates to sending victims relevant information regarding their professional, organizational, or personal interests. This increases the level of assumed trust by the victims and increases the difficulty in identifying socially engineered e-mail
.
The execution and usage of Stormworm proved that the operators and controllers behind this APT were actively monitoring and countering security groups and vendors all around the world. The operators actively attacked network communications of several security vendors. Other security groups that attempted to infiltrate and shut down the botnet were themselves taken offline for hours to days at a time.
Some industry experts have estimated that at one point during its primary operating period of over three years, this botnet accounted for about 8 percent of all malware running on Microsoft Windows systems around the world. The Stormworm botnet worked across numerous industries and sectors, leading to criminal behaviors such as intellectual property theft, identity fraud, bank fraud, and espionage. In 2007, security experts reported that this botnet was large enough to knock an entire country offline for a period of time, which is also known as a
distributed denial-of-service
(DDOS) attack.
The following are some of the observables of this event.
| Stormworm | Observables |
|---|---|
| Objectives | Espionage |
| Timeliness | Automated and manual operations |
| Resources | Several years’ worth of code and infrastructure development and operations |
| Risk tolerance | Very low; numerous updates made to ensure persistence |
| Skills and methods | First massive true peer-to-peer botnet |
| Actions | Operators regularly monitored and responded to threats |
| Attack origination points | Global IP addresses |
| Numbers involved in attack | Millions |
| Knowledge source | Numerous online resources regarding the threat |
GhostNet
The GhostNet event was identified after an almost year-long investigation by the Information Warfare Monitor (IWM), a group of security industry researchers, experts, and analysts from around the world. This APT was discovered to be focusing its activity on international governments and their diplomatic systems.
