Tag Archives: cyberwarfare

A Worldwide Web that Kills with Success

Doubts are growing about the satellites, warships and other big pieces of hardware involved in the command and control of America’s military might. For the past couple of decades the country’s generals and admirals have focused their attention on defeating various forms of irregular warfare. For this, these castles in the sky and at sea have worked well. In the meantime, however, America’s rivals have been upgrading their regular forces—including weapons that can destroy such nodes of power. Both China and Russia have successfully blown up orbiting satellites. And both have developed, or are developing, sophisticated long-range anti-aircraft and anti-ship missiles.

As a result, America is trying to devise a different approach to C2, as command and control is known in military jargon. The Department of Defense has dubbed this idea “Joint All-Domain Command and Control”, or JADC2. It aims to eliminate vulnerable nodes in the system (e.g., satellites) by multiplying the number of peer-to-peer data links that connect pieces of military hardware directly to one another, rather than via a control center that might be eliminated by a single, well-aimed missile.

The goal, officials say, is to create a network that links “every sensor and every shooter”. When complete, this will encompass sensors as small as soldiers’ night-vision gear and sonar buoys drifting at sea, and shooters as potent as ground-based artillery and aerial drones armed with Hellfire missiles.

One likely beneficiary of the jadc2 approach is Anduril Industries, a Californian firm…Its products include small spy helicopter drones; radar, infrared and optical systems constructed as solar-powered towers; and paperback-sized ground sensors that can be disguised as rocks

Sensors come in still-more-diverse forms than Anduril’s, though. An autonomous doglike robot made by Ghost Robotics of Philadelphia offers a hint of things to come. In addition to infrared and video systems, this quadruped, dubbed v60 q-ugv, can be equipped with acoustic sensors (to recognise, among other things, animal and human footsteps), a millimetre-wave scanner (to see through walls) and “sniffers” that identify radiation, chemicals and electromagnetic signals. Thanks to navigation systems developed for self-driving cars, v60 q-ugv can scamper across rough terrain, climb stairs and hide from people. In a test by the air force this robot was able to spot a mobile missile launcher and pass its location on directly to an artillery team…

Applying Artificial Intelligence (AI) to more C2 processes should cut the time required to hit a target. In a demonstration in September 2020, army artillery controlled by AI and fed instructions by air-force sensors shot down a cruise missile in a response described as “blistering”…

There are, however, numerous obstacles to the success of all this. For a start, developing unhackable software for the purpose will be hard. Legions of machines containing proprietary and classified technologies, new and old, will have to be connected seamlessly, often without adding antennae or other equipment that would spoil their stealthiness…America’s technologists must, then, link the country’s military equipment into a “kill web” so robust that attempts to cripple it will amount to “trying to pop a balloon with one finger”, as Timothy Grayson, head of strategic technologies at DARPA, the defense department’s main research agency, puts it…

Excerpts from The future of armed conflict: Warfare’s worldwide web, Economist,  Jan. 9, 2021

Who is the Boss? Cyber-War

A new National Cyber Power Index by the Belfer Centre at Harvard University ranks 30 countries on their level of ambition and capability…That America stands at the top of the list is not surprising. Its cyber-security budget for fiscal year 2020 stood at over $17bn and the National Security Agency (NSA) probably gets well over $10bn. The awesome scale of America’s digital espionage was laid bare in leaks by Edward Snowden, a former NSA contractor, in 2013, which showed the agency hoovering up vast amounts of the world’s internet traffic and trying to weaken encryption standards.

China, in second place, has demonstrated a voracious appetite for commercial cyber-espionage abroad and an iron grip on the internet at home. Britain, whose National Cyber Security Centre has parried over 1,800 cyber-attacks since its creation in 2016, is third. Russia, whose spies interfered with America’s last election, is in fourth place. The big surprise is the Netherlands in fifth place, ahead of France, Germany and Canada. Dutch expertise in analyzing malware is particularly sharp…

Many countries outsource the dirtiest work to deniable proxies, like “hacktivists” and criminals….But while stealing things and disrupting networks is important, what matters most over the longer term is control of digital infrastructure, such as the hardware that runs mobile telecommunications and key apps. Dominance there will be crucial to economic strength and national security.

Excerpt from Digital dominance: A new global ranking of cyber-power throws up some surprises, Economist, Sept. 19, 2020

Algorithms as Weapons –Tracking,Targeting Nuclear Weapons

 
New and unproved technologies—this time computer systems capable of performing superhuman tasks using machine learning and other forms of artificial intelligence (AI)—threaten to destabilise the global “strategic balance”, by seeming to offer ways to launch a knockout blow against a nuclear-armed adversary, without triggering an all-out war.

A report issued in November by America’s National Security Commission on Artificial Intelligence, a body created by Congress and chaired by Eric Schmidt, a former boss of Google, and Robert Work, who was deputy defence secretary from 2014-17, ponders how AI systems may reshape global balances of power, as dramatically as electricity changed warfare and society in the 19th century. Notably, it focuses on the ability of AI to “find the needle in the haystack”, by spotting patterns and anomalies in vast pools of data…In a military context, it may one day find the stealthiest nuclear-armed submarines, wherever they lurk. The commission is blunt. Nuclear deterrence could be undermined if AI-equipped systems succeed in tracking and targeting previously invulnerable military assets. That in turn could increase incentives for states, in a crisis, to launch a devastating pre-emptive strike. China’s rise as an AI power represents the most complex strategic challenge that America faces, the commission adds, because the two rivals’ tech sectors are so entangled by commercial, academic and investment ties.

Some Chinese officials sound gung-ho about AI as a path to prosperity and development, with few qualms about privacy or lost jobs. Still, other Chinese fret about AI that might put winning a war ahead of global stability, like some game-playing doomsday machine. Chinese officials have studied initiatives such as the “Digital Geneva Convention” drafted by Microsoft, a technology giant. This would require states to forswear cyber-attacks on such critical infrastructure as power grids, hospitals and international financial systems.  AI would make it easier to locate and exploit vulnerabilities in these…

One obstacle is physical. Warheads or missile defences can be counted by weapons inspectors. In contrast, rival powers cannot safely show off their most potent algorithms, or even describe AI capabilities in a verifiable way….Westerners worry especially about so-called “black box” algorithms, powerful systems that generate seemingly accurate results but whose reasoning is a mystery even to their designers.

Excerpts from Chaguan: The Digital Divide, Economist, Jan 18, 2019

The Repressive Digital Technologies of the West

A growing, multi-billion-dollar industry exports “intrusion software” designed to snoop on smartphones, desktop computers and servers. There is compelling evidence that such software is being used by oppressive regimes to spy on and harass their critics. The same tools could also proliferate and be turned back against the West. Governments need to ensure that this new kind of arms export does not slip through the net.

A recent lawsuit brought by WhatsApp, for instance, alleges that more than 1,400 users of its messaging app were targeted using software made by NSO Group, an Israeli firm. Many of the alleged victims were lawyers, journalists and campaigners. (NSO denies the allegations and says its technology is not designed or licensed for use against human-rights activists and journalists.) Other firms’ hacking tools were used by the blood-soaked regime of Omar al-Bashir in Sudan. These technologies can be used across borders. Some victims of oppressive governments have been dissidents or lawyers living as exiles in rich countries.

Western governments should tighten the rules for moral, economic and strategic reasons. The moral case is obvious. It makes no sense for rich democracies to complain about China’s export of repressive digital technologies if Western tools can be used to the same ends. The economic case is clear, too: unlike conventional arms sales, a reduction in spyware exports would not lead to big manufacturing-job losses at home.

The strategic case revolves around the risk of proliferation. Software can be reverse-engineered, copied indefinitely and—potentially—used to attack anyone in the world…. There is a risk that oppressive regimes acquire capabilities that can then be used against not just their own citizens, but Western citizens, firms and allies, too. It would be in the West’s collective self-interest to limit the spread of such technology.

A starting-point would be to enforce existing export-licensing more tightly… Rich countries should make it harder for ex-spooks to pursue second careers as digital mercenaries in the service of autocrats. The arms trade used to be about rifles, explosives and jets. Now it is about software and information, too. Time for the regime governing the export of weapons to catch up

The spying business: Western firms should not sell spyware to tyrants, Economist, Dec. 14, 2019

Cyber-Attacking Nuclear Plants: the 3 000 cyber bugs

In the first half of 2019 , no country endured more cyber-attacks on its Internet of Things—the web of internet-connected devices and infrastructure—than India did. So asserts Subex, an Indian telecommunications firm, which produces regular reports on cyber-security. Between April and June of 2019, it said, recorded cyber-attacks jumped by 22%, with 2,550 unique samples of malware discovered. Some of that malicious code is turning up in hair-raising places.

On October 28, 2019 reports indicated that malware had been found on the computer systems of Kudankulam Nuclear Power Plant in Tamil Nadu, the newest and largest such power station in India. Pukhraj Singh, a cybersecurity researcher who formerly worked for the National Technical Research Organisation (NTRO), India’s signals-intelligence agency, says he was informed of the malware by an undisclosed third party in September, and notified the government.The attackers, he said, had acquired high-level access and struck “extremely mission-critical targets”…. On October 30, 2019 the body that operates nuclear power plants acknowledged, sheepishly, that a computer had indeed been infected, but it was only an “administrative” one.

Sensitive sites such as power plants typically isolate the industrial-control systems (those that control the workings of a plant) from those connected to the wider internet. They do so using air-gaps (which involve disconnecting the system from the wider world), firewalls (which monitor data-flows for suspicious traffic) or data diodes (which allow information to flow out but not in).

But breaching a computer on the outside of these digital moats is nevertheless troubling. It could have given the attackers access to sensitive emails, personnel records and other details which would, in turn, make it easier to gain access to the more isolated operational part of the plant. America and Israel are thought to have sneaked the devastating Stuxnet virus into Iran’s air-gapped uranium-enrichment plant at Natanz around 2007 by planting a USB stick on a worker, who carried it inside and plugged it in.

The culprit behind the Kudankulam attack is unknown, but left some clues. The malware in question is from a family known as DTrack, which gives attackers an intimate look at what victims are doing—down to their keystrokes. It is typically used to monitor a target, making it easier to deliver further malware. DTrack was originally developed by a group of hackers known as the Lazarus Group, who are widely assumed to be controlled or directed by North Korea.

Excerpts from On the DTrack: A cyber-attack on an Indian nuclear plant raises worrying questions, Economist, Nov. 1, 2019

Firing Back with Vengeance: the NSA Weapons

The strike on IDT, a conglomerate,… was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.  But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines….Were it not for a digital black box that recorded everything on IDT’s network, …the attack might have gone unnoticed.

Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Mr. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities…

Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours… hackers had spread their ransomware to more than 200,000 servers around the globe. The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.

In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses…

But the attack struck Mr. Ben-Oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. on Saturday on the dot, two and a half hours before the Sabbath would end and when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.

The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.

A month earlier, Microsoft had issued a software patch to defend against the N.S.A. hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster. Later, when the WannaCry attack hit hundreds of thousands of Microsoft customers, Microsoft’s president, Brad Smith, slammed the government in a blog post for hoarding and stockpiling security vulnerabilities.  For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.

There are now YouTube videos showing criminals how to attack systems using the very same N.S.A. tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button….

“Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Mr. Dillon said.More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.  “We’ve seen the same computers infected with DoublePulsar for two months and there is no telling how much malware is on those systems,” Mr. Dillon said. “Right now we have no idea what’s gotten into these organizations.”..

Could that attack be coming? The Shadow Brokers resurfaced last month, promising a fresh load of N.S.A. attack tools, even offering to supply them for monthly paying subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.

Excerpts from NICOLE PERLROTHJUNE, A Cyberattack ‘the World Isn’t Ready For’,  New York Times, June 20, 2017

Biometrics: Behavioral and Physical

From DARPA pdf document available at  FedBizOpps. Gov Enhanced Attribution
Solicitation Number: DARPA-BAA-16-34

Malicious actors in cyberspace currently operate with little fear of being caught due to the fact that it is extremely difficult, in some cases perhaps even impossible, to reliably and confidently attribute actions in cyberspace to individuals. The reason cyber attribution is difficult stems at least in part from a lack of end-to-end accountability in the current Internet infrastructure…..The identities of malicious cyber operators are largely obstructed by the use of multiple layers of indirection… The lack of detailed information about the actions and identities of the adversary cyber operators inhibits policymaker considerations and decisions for both cyber and non-cyber response options (e.g., economic sanctions under EO-13694).

The DARPA’s Enhanced Attribution program aims to make currently opaque malicious cyber adversary actions and individual cyber operator attribution transparent by providing high-fidelity visibility into all aspects of malicious cyber operator actions and to increase the Government’s ability to publicly reveal the actions of individual malicious cyber operators without damaging sources and methods….

The program seeks to develop:

–technologies to extract behavioral and physical biometrics from a range of devices and
vantage points to consistently identify virtual personas and individual malicious cyber
operators over time and across different endpoint devices and C2 infrastructures;
–techniques to decompose the software tools and actions of malicious cyber operators into semantically rich and compressed knowledge representations;
–scalable techniques to fuse, manage, and project such ground-truth information over time,toward developing a full historical and current picture of malicious activity;

–algorithms for developing predictive behavioral profiles within the context of cyber campaigns; and
–technologies for validating and perhaps enriching this knowledge base with other sources of data, including public and commercial sources of information.

Excerpts from Enhanced Attribution, Solicitation Number: DARPA-BAA-16-34, April 22, 2016

Hacking the Power Grid

In Ukraine on Dec. 23, 2015 the power suddenly went out for thousands of people in the capital, Kiev, and western parts of the country. While technicians struggled for several hours to turn the lights back on, frustrated customers got nothing but busy signals at their utilities’ call centers….Hackers had taken down almost a quarter of the country’s power grid, claimed Ukrainian officials.  Specifically, the officials blamed Russians for tampering with the utilities’ software, then jamming the power companies’ phone lines to keep customers from alerting anyone….Several of the firms researching the attack say signs point to Russians as the culprits. The malware found in the Ukrainian grid’s computers, BlackEnergy3, is a known weapon of only one hacking group—dubbed Sandworm by researcher ISight Partners—whose attacks closely align with the interests of the Russian government. The group carried out attacks against the Ukrainian government and NATO in 2014…

The more automated U.S. and European power grids are much tougher targets. To cloak Manhattan in darkness, hackers would likely need to discover flaws in the systems the utilities themselves don’t know exist before they could exploit them. In the Ukrainian attack, leading security experts believe the hackers simply located the grid controls and delivered a command that shut the power off. Older systems may be more vulnerable to such attacks, as modern industrial control software is better at recognizing and rejecting unauthorized commands, says IOActive’s Larsen.

That said, a successful hack of more advanced U.S. or European systems would be a lot harder to fix. Ukrainian utility workers restored power by rushing to each disabled substation and resetting circuit breakers manually. Hackers capable of scrambling New York’s power plant software would probably have to bypass safety mechanisms to run a generator or transformer hotter than normal, physically damaging the equipment. That could keep a substation offline for days or weeks, says Michael Assante, former chief security officer for the nonprofit North American Electric Reliability.

Hackers may have targeted Ukraine’s grid for the same reason NATO jets bombed Serbian power plants in 1999: to show the citizenry that its government was too weak to keep the lights on. The hackers may even have seen the attack as in-kind retaliation after sabotage left 1.2 million people in Kremlin-controlled Crimea without lights in November 2015. In that case, saboteurs blew up pylons with explosives, then attacked the repair crews that came to fix them, creating a blackout that lasted for days. Researchers will continue to study the cyber attack in Ukraine, but the lesson may be that when it comes to war, a bomb still beats a keyboard.

Excerpts How Hackers Took Down a Power Grid, Bloomberg Business Week, Jan. 14, 2016

Forecast a CyberAtttack: IARPA

From the website of IARPA (Intelligence Advanced Research Projects Activity (IARPA) — a US research agency under the Director of National Intelligence.

“Approaches to cyber defense typically focus on post-mortem analysis of the various attack vectors utilized by adversaries. As attacks have evolved and increased over the years, established approaches (e.g., signature-based detection, anomaly detection) have not adequately enabled cybersecurity practitioners to get ahead of these threats. This has led to an industry that has invested heavily in analyzing the effects of cyber-attacks instead of analyzing and mitigating the “cause” of cyber-attacks,

The CAUSE   (Cyber-attack Automated Unconventional Sensor Environment)Program seeks to develop cyber-attack forecasting methods and detect emerging cyber phenomena to assist cyber defenders with the earliest detection of a cyber-attack (e.g., Distributed Denial of Service (DDoS), successful spearphishing, successful drive-by, remote exploitation, unauthorized access, reconnaissance). T

he CAUSE Program aims to develop and validate unconventional multi-disciplined sensor technology (e.g., actor behavior models, black market sales) that will forecast cyber-attacks and complement existing advanced intrusion detection capabilities. Anticipated innovations include: methods to manage and extract huge amounts of streaming and batch data, the application and introduction of new and existing features from other disciplines to the cyber domain, and the development of models to generate probabilistic warnings for future cyber events. Successful proposers will combine cutting-edge research with the ability to develop robust forecasting capabilities from multiple sensors not typically used in the cyber domain…”

Excerpt from IARPA website

 

Hacked to be Framed: N. Korea – Wapomi Worm

Foreign hackers could have broken into North Korean computers and used them to make the country look responsible for hacking Sony, experts have said.  Any attempt to blame North Korea for the attack because hackers used a North Korean IP address “must be treated as suspect”, security firm Cloudmark said. That is one of the reasons that the FBI has given for suspecting the country for the attack, which took down Sony Pictures’ systems for weeks.  Security experts have continued to be dubious of the claim, but FBI officials have continued to blame North Korea.

The country has a very small connection to the internet, run by its national telecom ministry and a Thai firm. As a demonstration of how few connections North Korea has to the internet, Cloudmark said that it has the same amount of IP addresses allocated to it as the entire country.  Cloudmark said that the North Korean addresses it traces tend to send out spam, which is usually the sign of an infected machine. It identified the Wapomi worm, which is transmitted by USB drives and file server shares, as the code that is allowing outside people to control the machine.

While there is no guarantee that the same worm is present on the computers that have carried out the attack, the prevalence of infected computers in the country shows how easy it could have been for Sony’s hackers to give the impression they were based on North Korea.  Cloud mark said that “unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct”.

ANDREW GRIFFIN ,North Korea might have been hacked to frame it for Sony cyberattack, say experts, Independent, January 12, 2015

CyberWeapons: Regin Malware

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report .  The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it’s the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware’s design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software…

The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases….

The malware’s targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India. [ Regin have been identified also in Afghanistan, Algeria, Belgium, Brazil, Fiji, Germany,Indonesia, Iran, Kiribati, Malaysia, Pakistan, Syria]

Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about malware’s structure. All five stages had to be acquired to analyze the threat posed by the malware.  The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.  Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.  “Regin uses a modular approach,” Symantec said, “giving flexibility to the threat operators as they can load custom features tailored to individual targets when required.”

Excerpt from Steven Musil Stealthy Regin malware is a ‘top-tier espionage tool’, CNET, Nov. 23, 2014

Cyber-Warriors: US and China

On May 19th, 2014 the Justice Department unveiled 31 charges against five members of China’s People’s Liberation Army (PLA), involving breaking six laws, from relatively minor counts of identity theft to economic espionage, which carries a maximum sentence of 15 years. This is the first time the government has charged employees of a foreign government with cybercrime. The accused are unlikely ever to stand trial. Even so, the Justice Department produced posters with mugshots of the men beneath the legend “wanted by the FBI”. They may never be punished, but that is not the point. Google any of their names and the mugshots now appear, the online equivalent of a perp walk.

That China’s government spies on the commercial activities of companies in America is not news in itself. Last year Mandiant, a cyber-security firm based in Virginia, released a report that identified Unit 61398 of the PLA as the source of cyber-attacks against 140 companies since 2006. But the indictment does reveal more details about what sorts of things the Chinese cybersnoops have been snaffling.

Hackers stole designs for pipes from Westinghouse, an American firm, when it was building four nuclear power stations in China, and also took e-mails from executives who were negotiating with a state-owned company. They took financial information from SolarWorld, a maker of solar panels; gained access to computers owned by US Steel while it was in a trade dispute with a state-owned company; and took files from Alcoa, an aluminium producer, while it was in a joint venture with another Chinese government-backed firm. ATI, another metal firm, and the United Steelworkers union were hacked, too.

American firms that do business in China have long lobbied behind closed doors for Uncle Sam to do something about Chinese hackers. America’s government has hitherto followed a similar logic, pressing China in private. The decision to make a fuss reflects the failure of that approach. When the existence of Unit 61398 became public its troops paused for a while, then continued as before.

Confronting the PLA’s hackers comes at a cost. China has pulled out of a bilateral working group on cyber-security in response to the indictments. Global Times, a Chinese English-language daily, denounced America as: “a mincing rascal”. But doing nothing has a cost, too. Companies like Westinghouse and US Steel have a hard enough time competing with Chinese firms, without having their business plans and designs pinched by thieves in uniform. Nor is the spying limited to manufacturers: tech companies have been targeted by the same group…

Second, America’s spying on Huawei, a Chinese maker of telecoms and networking equipment, makes China’s government doubt that America follows its own rules.

Chinese spying: Cybersnoops and mincing rascals,  Economist, May 24, at 28

Cyber-Attacks on South Korea 2009-2013

The massive cyber attacks on South Korean banks and broadcasters earlier this year were part of a broad campaign of cyber espionage which dates back at least to 2009, a US security firm has concluded. The study by the firm McAfee  (Dissecting Operation Troy: Cyberespionage in South Korea) stopped short of blaming specific entities for the March 20 onslaught but said it found a pattern of sophisticated attacks, including efforts to wipe away traces that could lead to detection.  “The level of sophistication would indicate it is above and beyond your average individual or run-of-the mill hacktivism group,” said James Walter, a McAfee researcher and co-author of the study.

An official South Korean investigation in April determined North Korea’s military intelligence agency was responsible for the attacks which shut down the networks of TV broadcasters KBS, MBC and YTN, halted financial services and crippled operations at three banks….

But McAfee said the attacks represented only a small portion of the cyber campaign being carried out since 2009.  “One of the primary activities going on here is theft of intellectual property, data exfiltration, essentially stealing of secrets,” Walter said.  The report said the attacks, known first as Dark Seoul and now as Operation Troy were “more than cybervandalism… South Korean targets were actually the conclusion of a covert espionage campaign.”  McAfee concluded that two groups claiming responsibility for the attack were not credible.  “The clues left behind confirm that the two groups claiming responsibility were a fabrication to throw investigators off the trail and to mask the true source,” the report said.

Walter said that it is possible that with the campaign nearing detection, the hackers launched these attacks to distract the public and then sought to blame them on little-known entities, the NewRomanic Cyber Army Team, and the Whois Hacking Team.  He added that up to now, the cyber espionage effort “has been very successful in being under the radar” and that “what we see now was a more visible activity that is coupled with a distraction campaign.”

McAfee concluded that the remote-access Trojan was compiled January 26, and a component to wipe the records of numerous systems was compiled January 31.”The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools,” the report said.  “Our investigation into Dark Seoul has found a long-term domestic spying operation underway since at least 2009… We call this Operation Troy, based on the frequent use of the word ‘Troy’ in the compile path strings in the malware.”  McAfee carried out the study as part of its research into cybersecurity issues, Walter said.

The attack came days after North Korea had accused South Korea and the United States of being behind a “persistent and intensive” hacking assault that temporarily took a number of its official websites offline.  It also coincided with heightened military tensions on the Korean peninsula, following Pyongyang’s nuclear test in February.

South Korean cyber attacks tip of the iceberg: McAfee, Associated Press, Agence France Press, July 10, 2013

Cyberwar: Attacking the Pipelines

The vast U.S. network of natural gas and hazardous liquid pipelines is integral to U.S. energy supply and has vital links to other critical infrastructure. While an efficient and fundamentally safe means of transport, this network is vulnerable to cyber attacks. In particular, cyberinfiltration of supervisory control and data acquisition (SCADA) systems could allow successful “hackers” to disrupt pipeline service and cause spills, explosions, or fires—all from remote locations.

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. These intrusions have heightened congressional concern about cybersecurity in the U.S. pipelines sector. The Transportation Security Administration (TSA) is authorized by federal statute to promulgate pipeline physical security and cybersecurity regulations, if necessary, but the agency has not issued such regulations. TSA officials assert that security regulations could be counterproductive because they could establish a general standard below the level of security already in place for many pipelines…. While the pipelines sector has many cybersecurity issues in common with other critical infrastructure sectors, it is somewhat distinct in several ways:

• Pipelines in the United States have been the target of several confirmed terrorist plots and attempted physical attacks since September 11, 2001.

• Changes to pipeline computer networks over the past 20 years, more sophisticated hackers, and the emergence of specialized malicious software have made pipeline SCADA operations increasingly vulnerable to cyber attacks.

• There recently has been a coordinated series of cyber intrusions specifically targeting U.S. pipeline computer systems.

• TSA already has statutory authority to issue cybersecurity regulations for pipelines if the agency chooses to do so, but it may not have the resources to develop, implement, and enforce such regulations if they are mandated….

In March 2012, the Department of Homeland Security (DHS) reported ongoing cyber intrusions among U.S. natural gas pipeline operators. The incidents drew new attention to an Al Qaeda video obtained in 2011 by the Federal Bureau of Investigation (FBI) reportedly calling for “electronic jihad” against U.S. critical infrastructure.  These cybersecurity events coupled with serious consequences from recent pipeline accidents have heightened congressional concern about cybersecurity measures in the U.S. pipelines sector.

Excerpt, Paul W. Parfomak, Pipeline Cybersecurity: Federal Policy, CRS Report for Congress, Aug. 16, 2012

US Cyberattacks against Enemies: Afghanistan

The U.S. military has been launching cyberattacks against its opponents in Afghanistan, a senior officer says, making an unusually explicit acknowledgment of the oft-hidden world of electronic warfare.  Marine Lt. Gen. Richard P. Mills’ comments came last week at a conference in Baltimore during which he explained how U.S. commanders considered cyber weapons an important part of their arsenal.  “I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyber operations against my adversary with great impact,” Mills said. “I was able to get inside his nets, infect his command-and-control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”

Mills, now a deputy commandant with the Marine Corps, was in charge of international forces in southwestern Afghanistan between 2010 and 2011, according to his official biography. He didn’t go into any further detail as to the nature or scope of his forces’ attacks, but experts said that such a public admission that they were being carried out was itself striking.  “This is news,” said James Lewis, a cyber-security analyst with the Washington-based Center for Strategic and International Studies. He said that while it was generally known in defense circles that cyberattacks had been carried out by U.S. forces in Afghanistan, he had never seen a senior officer take credit for them in such a way.  “It’s not secret,” Lewis said in a telephone interview, but he added: “I haven’t seen as explicit a statement on this as the one” Mills made.  The Pentagon did not immediately respond to an email seeking comment on Mills’ speech.

U.S. defense planners have spent the past few years wondering aloud about how and under what circumstances the Pentagon would launch a cyber attack against its enemies, but it’s only recently become apparent that a sophisticated program of U.S.-backed cyberattacks is already under way.  A book by The New York Times reporter David Sanger recently recounted how President Barack Obama ordered a wave of electronic incursions aimed at physically sabotaging Iran’s disputed atomic energy program. Subsequent reports have linked the program to a virus dubbed Flame, which prompted a temporary Internet blackout across Iran’s oil industry in April, and another virus called Gauss, which appeared to have been aimed at stealing information from customers of Lebanese banks. An earlier report alleged that U.S. forces in Iraq had hacked into a terrorist group’s computer there to lure its members into an ambush.

Herbert Lin, a cyber expert at the National Research Council, agreed that Mills’ comments were unusual in terms of the fact that they were made publicly. But Lin said that the United States was, little by little, opening up about the fact that its military was launching attacks across the Internet.  “The U.S. military is starting to talk more and more in terms of what it’s doing and how it’s doing it,” he said. “A couple of years ago it was hard to get them to acknowledge that they were doing offense at all — even as a matter of policy, let alone in specific theaters or specific operations.”

Mills’ brief comments about cyberattacks in Afghanistan were delivered to the TechNet Land Forces East conference in Baltimore on Aug. 15, but they did not appear to have attracted much attention at the time. Footage of the speech was only recently posted to the Internet by conference organizers

Marine General: We Launched Cyberattacks Against Afghanistan, CBS News, Aug. 24, 2012