Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve

More documents

Recommendations

Info

JR02-2009 Tracking GhostNet - INTRODUCTION 7 Introduction Computer network exploitation represents the leading edge of signals intelligence in the information age. The proliferation of computer systems throughout governments, businesses, and civic organizations represents a boon for would-be cyber spies. Awareness of cyber vulnerabilities, and even basic information security practices, is in its infancy, and largely absent in most organizations outside of the classified realm. Commercial computer systems, which represent most of the world’s installed base, are insecure. This lack of security consciousness is reflective of the infancy of the information age. The Internet was never designed for security and, for the most part, there has been little incentive for software manufacturers to make security a first priority in the design and development of products, many of which are destined for consumer and/or small business use. These challenges are present in advanced industrial societies, but are amplified many times over in developing countries. Ownership of computers is a relative rarity among many government departments. Where they exist, they often use grey market or pirated software. Resources are lacking to employ properly trained computer professionals, and many staff are barely computer literate. In this context, information security is often a distant priority. And yet, computers in the hands of individuals or at government offices, ministries, embassies, and civic and non-governmental organizations contain information that can be valuable. Files and e-mails with contact information, lists of meetings and attendees, draft position papers, internal PowerPoint presentations, organizational budgets, and lists of visitors can represent items of strategic value to rivals and enemies. Organizations, like individuals, can be subject to identity theft, leading to potentially serious breaches of security. Rise of the cyber spies Little is known of the sophistication of state-based cyber espionage capabilities, such as those of the United States, Israel, and the United Kingdom, all considered leaders in this field. They are assumed to be considerable as the security doctrines of these countries treat cyberspace as a strategic domain equivalent to that of land, air, sea, and space. 2 Other powers including China have made cyberspace a key pillar of their national security strategies. China is actively developing an operational capacity in cyberspace, correctly identifying it as the domain in which it can achieve strategic parity, if not superiority, over the military establishments of the United States and its allies. Chinese cyber warfare doctrine is well developed, and significant resources have been invested by the People’s Liberation Army and security services in developing defensive and offensive capabilities. 3 2 http://www.dod.mil/pubs/foi/ojcs/07-F-2105doc1.pdf ; http://www.afa.org/media/reports/victorycyberspace.pdf 3 http://findarticles.com/p/articles/mi_m0PBZ/is_6_88/ai_n31140190 ; http://www.infowar-monitor.net/modules.phpop=modload& name=Archive&file=index&req=viewarticle&artid=2&page=1
JR02-2009 Tracking GhostNet - INTRODUCTION 8 But the most significant actors in cyberspace are not states. The online engagements that accompanied the recent Russia-Georgia conflict in August 2008 4 and Israel’s January 2009 offensive in Gaza 5 were carried out by independent attackers. The May 2007 denial of service attacks against Estonia 6 resulted in a single conviction of a Russian living in Estonia. Likewise, previous high-profile investigations of hacking against strategic U.S. targets were never positively attributed to foreign intelligence services 7 , and in many cases were the work of individuals. 8 The contest in the shadows currently underway in cyberspace appears to rely largely on third parties. In numerous instances, including case studies conducted by the Information Warfare Monitor’s sister project, the OpenNet Initiative, third party attackers were responsible for triggering national-level cyber events. In Kyrgyzstan (2005) 9 , Belarus (2006) 10 , during the Russia Georgia war (2008), and Kyrgyzstan (2009), individuals and/or loose coalitions were responsible for publishing target lists and attack tools on semi-private websites. The ensuing “cyclones in cyberspace” were sufficient to precipitate events outside of cyberspace. 11 International cooperation has for the most part focused on establishing capabilities for counteracting the criminal use of cyberspace, and with good reason. In 2009, the FBI estimated that cybercrime is responsible for over $10 billion worth of losses each year. 12 Cybercrime is a relatively low cost, low threshold activity. Techniques such as phishing and targeted malware are easy to construct, and the chances of prosecution are minimal given a general lack of international coordination. This is slowly changing as national and international authorities become more aware of the threat. The attacks on Estonia, for example, led to the establishment of NATO’s Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. 13 The International Telecommunication Union has also established its own specialized agency, IMPACT, designed to aid intelligence sharing and tracking of 4 http://blog.wired.com/defense/2008/10/government-and.html ; http://www.slate.com/id/2197514 5 http://www.csmonitor.com/2009/0123/p04s03-wome.html 6 http://www.webpronews.com/topnews/2008/01/24/man-convicted-in-estonia-cyber-attack 7 For example, a US government investigation of systematic hacking of Department of Defense networks and defence laboratories dubbed ‘Titan Rain’ never provided conclusive evidence to substantiate allegations that the hacking was conducted at the behest of the Chinese government. http://www.time.com/time/magazine/article/0,9171,1098961,00.html 8 A good example is the 1998 ‘Solar Sunrise’ investigation. The evidence gathered by US authorities eventually led to the conviction of an Israeli citizen, Ehud Tenebaum, although the involvement of Israeli security services was never proven. http://www.sans.org/ resources/idfaq/solar_sunrise.php 9 http://opennet.net/special/kg/ 10 http://opennet.net/sites/opennet.net/files/ONI_Belarus_Country_Study.pdf 11 http://www.infowar-monitor.net/modules.phpop=modload&name=News&file=article&sid=2146 12 http://kn.theiet.org/magazine/issues/0903/hacking-goes-pro-0903.cfm 13 http://www.nato.int/docu/update/2008/05-may/e0514a.html
Page 1 and 2: JR02-2009 Tracking GhostNet: Invest
Page 3 and 4: JR02-2009 Tracking GhostNet - FOREW
Page 5 and 6: JR02-2009 Tracking GhostNet - TABLE
Page 7: JR02-2009 Tracking GhostNet - SUMMA
Page 11 and 12: PART ONE: Context and background
Page 13 and 14: JR02-2009 Tracking GhostNet - PART
Page 17 and 18: PART TWO: Tracking GhostNet
Page 47 and 48: PART THREE: Investigating GhostNet:
Page 51 and 52: PART FOUR: About Information Warfar
Page 53: 52 2. Open Source Trend Analysis. W

Tracking GhostNet: Investigating a Cyber ... - Nart Villeneuve

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?