In chilling detail, two just released reports detail the underground world of Cyber Espionage and the disturbing outlook for PC security.
The two reports, “Tracking GhostNet: Investigating a Cyber Espionage Network”, and “The Snooping Dragon: social-malware surveillance of the Tibetan Movement” (Go HERE for links), paint a chilling picture of how China is using the internet as a key facet its asymmetric warfare program. As I read through these reports, I felt like I was reading something that’s a cross between 1984 and Star Trek.
The Cyber Espionage arena is one that’s very active (per Ghost Net):
“Little is known of the sophistication of state-based cyber espionage capabilities, such as those of the United States, Israel, and the United Kingdom, all considered leaders in this field. They are assumed to be considerable as the security doctrines of these countries treat cyberspace as a strategic domain equivalent to that of land, air, sea, and space.
Other powers including China have made cyberspace a key pillar of their national security strategies. China is actively developing an operational capacity in cyberspace, correctly identifying it as the domain in which it can achieve strategic parity, if not superiority, over the military establishments of the United States and its allies. Chinese cyber warfare doctrine is well developed, and significant resources have been invested by the People’s Liberation Army and security services in developing defensive and offensive capabilities.”
The scope of activity outlined in the GhostNet Report is below:
“The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.”
This was no casual fly-by – the targets were extensive (per GhostNet):
“Significantly, close to 30% of the infected computers can be considered high-value and include the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan; embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan; the ASEAN (Association of Southeast Asian Nations) Secretariat, SAARC (South Asian Association for Regional Cooperation), and the Asian Development Bank; news organizations; and an unclassified computer located at NATO headquarters.”
The reports note, however, that Cyber Espionage is not limited to attacking government entities – attempts to infiltrate commercial and financial entities are well known to cyber sleuths and of real concern.
The method used to attack PCs was simple – email attachments (per Snooping Dragon):
“Email attachments appear to have been the favoured strategy to deliver malicious payloads. This worked because the attackers took the trouble to write emails that appeared to come from fellow Tibetans and indeed from co-workers. The use of carefully-written email lures based on social context to get people to visit bogus websites has been called `social phishing'; in this incident, such email was used to spread malware and we therefore call this strategy social malware.”
These emails are not the usual “I have funds to transfer” that we see from Nigeria. Once a PC is infiltrated, emails are sent as follows (per Snooping Dragon):
“…carrier emails have become more sophisticated in their targeting and content in order to trick their recipients into believing that they are receiving legitimate messages. This is also known as “social engineering.” It is common to see legitimate documents recycled for such attacks or the attacker injecting their message into an ongoing group conversation. There are also cases where it appears that content stolen from previously-infected machines was recycled to enhance the appearance of legitimacy.”
The capabilities found in this program are truly staggering (per Ghost Net):
“…we have witnessed machines being profiled and sensitive documents being removed. At our Laboratory, we have analysed our own infected “honey pot” computer and discovered that the capabilities of GhostNet are potent and wide ranging. Almost certainly, documents are being removed without the targets’ knowledge, keystrokes logged, web cameras are being silently triggered, and audio inputs surreptitiously activated.”
This raises the question, how many sensitive activities have been preemptively anticipated by intelligence gathered through this network? How many illegal transactions have been facilitated by information harvested through GhostNet? Worst of all, how many people may have been put at risk?”
Think about this – there is the possibility of actively seeing and listening to conversations through an infected PC. Makes my skin crawl to think of what can be mined by such espionage.
More worrisome is the outlook – (per Snooping Dragon):
“We have described this social malware attack here and considered its consequences. Although the attack we describe in this case study came from a major government, the techniques their agents used are available even to private individuals and are quite shockingly effective. In fact, neither of the two authors is confident that we could keep secrets on a network-connected machine that we used for our daily work in the face of determined interest from a capable motivated opponent. The necessary restrictions on online activity would not be consistent with effective academic work.
Organisations that maintain sensitive information on network-attached computers and that may have such opponents had better think long and hard. The implications are serious already for people and groups who may become the target of hostile state surveillance. In the medium term we predict that social malware will be used for fraud, and the typical company has really no defence against it. We expect that many crooks will get rich before effective countermeasures are widely deployed.”
Ouch! What this report lays out is a disturbing picture of active Cyber Espionage and further that things will get worse before organizations respond with some fairly sophisticated and aggressive security measures. If you work in IT and have security responsibilities, these reports are eye-openers.
For the average PC user, I’m more convinced than ever that any secure data I have should be on a Linux (I use Ubuntu) PC. At a minimum, take a hard look at running a dual boot PC with a Linux OS to contain any secure transactions, such as banking, to avoid potential cyber hijacking.