Inside Cyber Warfare

Jeffrey Carr

Part 9


The advent of a netcentric world has changed the threat environment dramatically and, as a result, governments and private corporations need to reassess how they collect and analyze intelligence on the emerging threats that will impact them.

The recent and as yet unsourced attacks against US and South Korean government websites that began over the Independence Day weekend in July 2009 are an interesting case in point.

Another is the August 2009 DDoS attacks that were launched against one Georgian blogger and that knocked Twitter offline and substantially degraded access to Facebook and LiveJournal.

Project Grey Goose (PGG) investigators looked at both incidents, along with established Internet security companies, US-CERT, and the usual collection of government agencies charged with such tasks. This chapter focuses on how PGG research was done and the conclusions that were reached. It also presents the findings of other agencies and proposes some ideas about how and why radically different findings can emerge from the same set of facts.

Finally, this chapter suggests a new approach to conducting cyber intelligence that takes into account the unique problem set associated with cyberspace in general and cyber attacks in particular.

The Korean DDoS Attacks (July 2009)

The first set of information that came into the hands of Project Grey Goose investigators was the technical characteristics of the attacks. This information is typically shared between Internet security firms and is fairly objective and noncontroversial.

The best technical analysis came from the Vietnamese security firm BKIS. Figure 5-1 shows a breakdown of what was known about the attacks after BKIS gained control of two of the command and control (C&C) servers.

Figure 5-1. BKIS diagram of the MyDoom attack program

Thanks to information shared between KR CERT and AP CERT (of which BKIS is a member), BKIS researchers were able to gain access to two of the C&C servers and determined that the botnet was controlled by a total of eight C&C servers. The zombie PCs in this botnet were instructed to log onto a different, randomly chosen server every three minutes.

More importantly, the researchers discovered the existence of yet another server, located in the UK, which acted as a master server by controlling the eight C&C servers. This prompted BKIS to name the UK as the source of the attacks.
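The rotation described above (each bot picks a new server from a small pool every three minutes) defeats blocking any single C&C address, but the fixed cadence itself is a detectable signature in outbound flow logs. The following is an added example, not code from the book or from BKIS: it parses constructed flow records, groups them by source host, and flags hosts whose connection gaps are nearly uniform and spread across several destinations. All hostnames, IP addresses (from the documentation ranges) and thresholds are assumptions made for illustration.

```python
# Added example (not from the book or from BKIS): flagging hosts that check in
# with a small pool of servers on a fixed schedule, the pattern described above
# (a new, randomly chosen C&C server every three minutes). Hosts, IPs and log
# lines are constructed for illustration; the thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev


def constructed_flow_log():
    """Return constructed 'epoch src dst' flow records: one beaconing host
    (ws-17) rotating through an eight-server pool, one ordinary host (ws-03)."""
    pool = [f"198.51.100.{i}" for i in range(1, 9)]   # documentation range
    jitter = [0, 2, -1, 3, 0, -2, 1, 0, 2, -3, 1, 0, -1, 2, 0, 1, -2, 0, 3, -1]
    lines, t = [], 1_000
    for i, j in enumerate(jitter):
        t += 180 + j                                   # ~3-minute cadence
        lines.append(f"{t} ws-17 {pool[(i * 3) % len(pool)]}")
    browsing = [(1010, "203.0.113.5"), (1012, "203.0.113.5"), (1013, "203.0.113.9"),
                (1400, "203.0.113.5"), (1405, "203.0.113.9"), (2900, "203.0.113.5"),
                (2901, "203.0.113.5"), (2902, "203.0.113.9"), (3500, "203.0.113.5"),
                (3501, "203.0.113.9")]
    lines += [f"{t} ws-03 {dst}" for t, dst in browsing]
    return lines


def parse_flows(lines):
    """Parse 'epoch src dst' lines into (epoch, src, dst) tuples, skipping junk."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        flows.append((int(parts[0]), parts[1], parts[2]))
    return flows


def find_beaconing_hosts(flows, min_checkins=8, max_cv=0.1, min_distinct_dst=3):
    """Return {src: stats} for hosts whose outbound connections are regularly
    spaced (coefficient of variation of the gaps <= max_cv) and spread over at
    least min_distinct_dst servers: the rotating-C&C signature."""
    by_src = defaultdict(list)
    for epoch, src, dst in flows:
        by_src[src].append((epoch, dst))
    hits = {}
    for src, conns in by_src.items():
        if len(conns) < min_checkins:
            continue
        conns.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period          # low cv = machine-regular timing
        pool = sorted({dst for _, dst in conns})
        if cv <= max_cv and len(pool) >= min_distinct_dst:
            hits[src] = {"period": period, "cv": cv, "pool": pool}
    return hits


if __name__ == "__main__":
    for host, s in find_beaconing_hosts(parse_flows(constructed_flow_log())).items():
        print(f"{host}: every ~{s['period']:.0f}s (cv={s['cv']:.3f}) "
              f"across {len(s['pool'])} servers: {', '.join(s['pool'])}")
```

The output for a flagged host is the full server pool it rotates through, which is what an analyst needs to block or sinkhole the whole set rather than one address at a time. Ordinary browsing, being bursty, has a high coefficient of variation and is not flagged; hosts that poll a single server on a schedule (software update checks) are excluded by the distinct-destination threshold, so tune both thresholds against your own baseline traffic.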

If the South Korean government (ROK) had wished to retaliate against the botnet authors, and failing that, against the government of the country from which the attack originated, it would have found itself in a very awkward position indeed. Members of the Republic of Korea government, as well as their National Intelligence Service and particularly the ROK press, all laid the blame on the North Koreans (DPRK). Not only did the attack not come from the North, it came from an allied nation. But the situation quickly became even more complicated.

The master server was owned by a legitimate British company, Global Digital Broadcast. When it was contacted by its Internet provider, CRI, as well as the UK's Serious Organized Crime Agency, it investigated further and discovered that the master server was not in the UK after all. It was in Miami, Florida, on a server that belonged to Global Digital's partner, Digital Latin America (DLA).

The DLA Miami office connects with Global Digital's Brighton office by way of a virtual private network (VPN), which made it appear as though the master server was in Britain instead of in the United States. An official statement from DLA said that viruses were found on the Miami server, but details on what kind of viruses were not forthcoming.

So once again, as was seen in the case of the forum, a key component of a malicious attack was hosted not inside the borders of a known adversary but within the United States itself.

This phenomenon has not been adequately addressed or even considered in any of the legal arguments that I have read that make the case for a preemptive first strike or even a nuclear deterrent against the initiators of a cyber attack.

As you'll learn more about in Chapter 8, in 2008, 75% of the C&C servers controlling the world's largest botnets were hosted by a company in Northern California, which was formed by members of Russian organized crime. This is just one example of how cyberspace is radically changing the threat environment into one never before seen by senior military leadership in any nation.

BKIS concluded its report with an assessment of the size of the botnet, which was far larger than any other estimate issued since the attack began. Symantec estimated 50,000 bots, and the ROK government estimated 20,000. However, BKIS used its own formula and determined that this botnet consisted of 166,908 bots scattered across 74 different countries. The top 10 countries involved were, in order, the ROK, the United States, China, Japan, Canada, Australia, the Philippines, New Zealand, the United Kingdom, and Vietnam.

The Botnet Versus the Malware

Whereas the botnet showed a relatively high degree of sophistication, the malware was amateurish in comparison: It was based on the code base of a very old virus, MyDoom.

It appeared to be a patchwork of scripts rather than any custom coding, so it was most likely done by someone who is not a coder.

There was no attempt made to avoid AV signatures.

There is some evidence that either it was written to target Korean-language systems or the author used a Korean-language email template.

There was a lot of discussion within the PGG network about possible culprits, but a consensus was never reached. One thing that most investigators agreed on, however, was that the person who created the botnet was not the same person who cobbled together the virus.

Another hypothesis was the possible involvement of organized crime, at least on the botnet side. That theory fell out of favor once it was revealed that the botnet contained a self-destruct feature, suggesting it might have been specifically set up to perform only this task or modified after it was acquired.

PGG investigators also explored the possibility that the botnet was acquired by a state from members of organized crime in an exchange for favors. This would protect the state by maintaining plausible deniability and misdirection.

In this scenario, the state brings in its own technologists to make some modifications and deliver the payload, which was purposefully cobbled together from a five-year-old virus to propel the misdirection strategy even further.

How many states have the technical know-how and strategic connections with organized crime to pull this off? Probably all of the usual suspects. Possible motivations, however, are not clear.

In my opinion, the most likely scenario is a nonstate Korean hacker living in China or Japan who saw an opportunity to embarrass the United States and South Korea and took it.

I expanded the investigation from the purely technical aspects to include a geopolitical component, and that is how I reached the conclusion I did. That meant looking into the cyber warfare capabilities of the ROK's popular choice for a villain, the Democratic People's Republic of Korea (DPRK), also known as North Korea.

The DPRK's Capabilities in Cyberspace

North Korea is an interesting dichotomy. It is a society on the edge of disintegrating due to intense poverty, almost no infrastructure, a weak power grid, and a lack of natural resources. Forget about Internet access anywhere but within the DPRK military.

That's because it spends almost all of its money on its military, particularly on training its highly educated young people in one of seven research labs, according to a paper authored by Christopher Brown while at the Naval Postgraduate School in September 2004, titled "Developing a Reliable Methodology for Assessing the Computer Network Operations Threat of North Korea."

The top three labs in 2004, as described by Brown, were:

Pyongyang Informatics Center (PIC) "Today PIC employs over 200 qualified software engineers, whose average age is 28, with 1.5 computers per person (according to Chan-Mo Park's article 'Current Status of Software Development in DPRK and Collaboration between the South and North,' August 2001). The PIC primarily focuses on software development and is responsible for the development of the General Korean Electronic Publication Systems, 3D CAD, embedded Linux software, web applications, interactive programs, accounting software, and more recently virtual reality software. It is reported that the PIC is also responsible for developing the filters to be used between the Kwang Myong Intranet and the Internet."

Korea Computer Center (KCC) "The KCC was established in 1990 by Kim Il Sung to promote computerization in the DPRK. At its inception, the KCC employed approximately 800 employees whose average age was 26. Today Kim Jong Il's son, Kim Jong Nam, who also heads North Korea's intelligence service, the State Security Agency (SSA), heads the KCC. He is also the chairman of North Korea's Computer Committee. In May 2001, the South Korean newspaper the Chosun Ilbo reported that Kim Jong Nam had moved the SSA's overseas intelligence gathering unit, which operates primarily by hacking and monitoring foreign communications, into the KCC building. In 2001, the South Korean media reported that the KCC was nothing less than the command center for Pyongyang's cyber warfare industry, masquerading as an innocuous, computer-geek-filled software research facility."

Silver Star Laboratories (Unbyol) "Silver Star Laboratories (SSL) was established in 1995 under the Korean Unbyol General Trading Corporation. According to Kang Yong Jun, the director of SSL, the average age of the researchers at SSL is 26 years, with most graduating from Kim Il Sung University and other distinguished universities across the country. Prospective employees are usually graduates of the Pyongyang Senior Middle School No.1, a genius-training center.

"SSL has developed such programs as Silver Mirror, a remote control program, communications, and artificial intelligence software. SSL also produces several language recognition programs and multimedia software, in addition to taking special orders from foreign companies (Korean Central News Agency, 'Silver Star Laboratories of Korea,' September 1998). SSL won at the fourth and fifth annual FOST Cup World Computer Go Championship competitions, held in 1998 and 1999, respectively."

In other words, North Korea doesn't have the infrastructure to sustain a civilian hacker population. All of its money and all of its talent (meaning young people who show the requisite abilities) are part of its military establishment.

The payload portion of this botnet wouldn't have passed muster at any of the official IT research facilities associated with the DPRK. These are well-educated individuals, some having attended the Indian Institute of Technology (one of the world's top technology schools), and the quality of their work is high.

A Korean hacker who wasn't part of the DPRK military wouldn't have the resources inside the DPRK to run this attack. More likely, either he is a DPRK-approved student at an Indian, Chinese, or Japanese university, or he is living in another country as an illegal.

Another alternative would be a Russian or Chinese hacker who simply wanted to set up a scenario that would embarrass the United States and throw suspicion onto a likely fall guy, the DPRK.

What were the consequences of this attack? It showed how vulnerable certain government websites still are, both in the United States and South Korea.


US sites that went down during the Independence Day weekend attack included the Department of Transportation, the Secret Service, and the Federal Trade Commission. The State Department website was attacked and experienced degraded service. The White House and Department of Defense sites were also attacked, but experienced no negative impact.

Ingushetia Conflict, August 2009

Ingushetia is one of the poorest, most corrupt, and violent of the Russian Federation's outlying states. It neighbors Chechnya and, in recent months, has outdone its neighbor in terms of random killings and escalating levels of violence and desperation.

The latest conflict involves Jihadist radical groups attempting to unseat the military leadership. The religion in the North Caucasus region is Islam, and young people in particular are becoming radicalized in the face of an oppressive and corrupt governing regime.

One of the loudest voices of the opposition movement is a, formerly One year ago, the owner of that website, Magomed Yevloyev, was arrested by police, ostensibly to answer some questions as part of an investigation. On the way to police headquarters, while seated in the back of a police car, Yevloyev was "accidentally" shot in the temple, according to the Interior Ministry of Ingushetia.

The website has experienced hacker attacks off and on since 2007, usually timed to its more controversial pronouncements, such as the "I have not voted" campaign launched during the 2007 Russian elections.

In July and August of 2009, DDoS attacks were launched against this website, coinciding with increasing tensions between the government and the opposition. On August 17, 2009, a suicide bomber driving a truck packed with explosives blew himself up near the Ingushetia police station, leaving 20 dead and 130 injured.

Not surprisingly, at least one C&C server involved in the DDoS attacks against is hosted on an IP address that is affiliated with Russian organized crime (the Russian Business Network, or RBN).

Russian investigative journalist Andrei Soldatov wrote about suspected Federal Security Service (FSB) involvement in cyber attacks in the region dating back to 2002 in an article that was published in Novaya Gazeta on May 31, 2007. He was fired from the paper in November 2008, reportedly as the result of financial pressure. Alternatively, it may have been that the FSB tired of his ceaseless investigations into their operations.

The attacks begin to paint a picture of a more sophisticated attack framework being adopted by the Kremlin against its political opponents: The Kremlin, with the help of the FSB, targets opposition websites for attack.

Attack orders are passed down through political channels to Russian youth organizations whose members initiate the attack, which gains further momentum through crowd-sourcing.

Russian organized crime provides its international platform of servers from which these attacks are launched, which in some cases are servers hosted by badware providers in the United States.

The Predictive Role of Intelligence

The core responsibility of intelligence as a discipline is to provide state leadership with insight into what the emerging threats are before they manifest into an attack on the state.

This was already a difficult task when the only threats were physical. Today, intelligence agencies must also consider emerging threats in an entirely new dimension: cyberspace. To make it even more difficult, the generation of experts currently performing this mission is still trying to understand just what a threat in cyberspace looks like, or, even worse, what cyberspace is.

One approach, further addressed in Chapter 12, is to build a predictive model that depicts how most politically motivated cyber attacks develop.

Another is to mine the various forums, websites, chat rooms, and other channels where the cyber underground conducts its business. This is often a hit-and-miss proposition because the more experienced crews are aware that forums are being watched and use IRC chat or other more secure methods of communication. Sometimes, however, mistakes happen and astute intelligence-gathering operations can capitalize on those sources.

However, these are passive approaches to intelligence collection and analysis, and are not nearly sufficient to meet the IC's responsibility to identify emerging threats before they occur.

What is needed in cyberspace is the same time-tested approach that has been used by spies since before Sun Tzu was a general. Sun Tzu's advice still applies today (from Chapter 13 of The Art of War, "The Use of Spies"):

Hostile armies may face each other for years, striving for the victory which is decided in a single day. This being so, to remain in ignorance of the enemy's condition simply because one grudges the outlay of a hundred ounces of silver in honors and emoluments, is the height of inhumanity.

One who acts thus is no leader of men, no present help to his sovereign, no master of victory.

Thus, what enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge.
