Paul M. Joyal, NSI Managing Director, Public Safety & Homeland Security Practice Cyber Espionage and Criminal Hacking: The New Threat Matrix GovSec | US Law Conference March 23-24, 2010

Upload: paul-joyal

Post on 17-Jul-2015


Page 1: GovSec Joyal New Threat Matrix

Paul M. Joyal, NSI Managing Director, Public Safety & Homeland Security Practice

Cyber Espionage and Criminal Hacking: The New Threat Matrix

GovSec | US Law Conference March 23-24, 2010

Page 2: GovSec Joyal New Threat Matrix

Cyber Threat Actors

• “Cyber threats to federal information systems and cyber-based critical infrastructures… can come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization.”

– Gregory C. Wilshusen,

Director, Information Security Issues

Government Accountability Office, 2009

Page 3: GovSec Joyal New Threat Matrix

Cyber Crime Increases in the Private Sector

• More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals.

• The attack targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to NetWitness.

Page 4: GovSec Joyal New Threat Matrix

Cyber Crime and Espionage

• Ten government agencies were penetrated, none in the national security area, NetWitness said.

• The systems penetrated were mostly in the United States, Saudi Arabia, Egypt, Turkey and Mexico.

• Some estimate the global cyber-crime business amounts to $100 billion a year.

Page 5: GovSec Joyal New Threat Matrix

Cyber Crime Cash is bigger than Narcotics Trade

• Cyber-crime, by some estimates, has outpaced the amount of illicit cash raked in by global drug trafficking.

• Hackers from Russia and China are among the chief culprits, and the threat they pose now extends far beyond spam, identity theft and bank heists.

• “The Internet can now be used to attack small countries. There are Russian and Chinese hackers that have the power to do that.”

Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky Lab

Page 6: GovSec Joyal New Threat Matrix

Criminals are spamming the Zeus banking Trojan to attack government computers

• According to one state government security expert who received multiple copies of the message, the e-mail campaign —apparently designed to steal passwords from infected systems — was sent exclusively to government (.gov) and military (.mil) e-mail addresses.

• The messages appear to have been sent by the National Intelligence Council (address used was [email protected]), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.

Page 7: GovSec Joyal New Threat Matrix

E-Mail spoofs the National Security Agency

• The e-mails urge recipients to download a copy of a report named “2020 Project.” Another variant is spoofed to make it look like the e-mail is from [email protected]. The true sender, as pulled from information in the e-mail header, is [email protected]
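The sender spoofing these two slides describe is visible in the message header: the From: line claims a government sender while the Return-Path and the last relay do not. This added example (not from the presentation) checks for that mismatch with Python's standard email library on a constructed message; every address and hostname in it is a placeholder.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of a lure like the one the slides describe: the visible
# From: claims a .gov sender, while the Return-Path and the last relay do not.
# All addresses and hostnames are placeholders, not values from the presentation.
RAW_LURE = """\
Return-Path: <bulk-sender@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
    by mx.example.gov with ESMTP; Tue, 23 Mar 2010 09:00:00 -0400
From: "National Intelligence Council" <nic@example.gov>
To: analyst@example.gov
Subject: 2020 Project report
Content-Type: text/plain

Please download the attached copy of the 2020 Project report.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def relay_domain(received: str) -> str:
    """Host named after 'from' in a Received: header, e.g. 'mailer.example.net'."""
    parts = received.split()
    if len(parts) >= 2 and parts[0].lower() == "from":
        return parts[1].lower()
    return ""


def spoof_indicators(raw: str) -> list:
    """Return the reasons the visible sender of a raw RFC 5322 message looks spoofed."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        reasons.append(f"Return-Path domain {return_domain} != From domain {from_domain}")
    # The topmost Received: header is the last hop, added by the receiving MX.
    received = msg.get_all("Received") or []
    if received:
        last_hop = relay_domain(received[0])
        # A claimed .gov sender relayed from outside .gov is the signature of this lure.
        if from_domain.endswith(".gov") and not last_hop.endswith(".gov"):
            reasons.append(f"From claims {from_domain} but last relay was {last_hop}")
    return reasons
```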

Page 8: GovSec Joyal New Threat Matrix

Growth of Cyber Threats

[Chart: timeline from 1980 to 2009 of attack techniques in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, burglaries, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, network management diagnostics, GUI tools, automated probes/scans, staging, www attacks, “stealth”/advanced scanning techniques, distributed attack tools, cross-site scripting/phishing, denial of service, sophisticated C2, convergence, Estonia DoS, Russia invades Georgia. Vertical axis: sophistication, low to high. Annotations: sophistication required of actors is declining; sophistication of available tools is growing.]

Page 9: GovSec Joyal New Threat Matrix

The Vulnerability Matrix

[Diagram: sectors shown as Electric, Government, Natural Gas, E-commerce, Home Users, Broadband Connections, Wireless, Banking, Telecom, Emergency Services, Chemical, Rail, Water, Waste Water, Transportation and Oil, with threat labels Viruses/Worms, Insiders and Configuration Problems. Figures given: 26,000 FDIC institutions; 2,800 power plants; 104 commercial nuclear plants; 1,600 municipal wastewater facilities; 2 million miles of pipelines; 66,000 chemical plants; 5,800 registered hospitals; 2 billion miles of cable; 5,000 airports; 300 maritime ports; 300,000 production sites; 120,000 miles of major rails; 3,000 govt. facilities; 80,000 dams; 150,000 miles of transmission lines; 130 overlapping grid controllers.]

Page 10: GovSec Joyal New Threat Matrix

CIA Report: Cyber Extortionists Attacked Foreign Power Grid, Disrupting Delivery

• Tom Donahue, the CIA's top cybersecurity analyst, said, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge."

• "We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States."

Page 11: GovSec Joyal New Threat Matrix

Could these probes come from China?

• Jian-Wei Wang and Li-Li Rong, Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology, reached a counterintuitive conclusion in a published journal paper:

• that attacks on power grid nodes with the lowest loads are more harmful than attacks on the ones with the highest loads.

Page 12: GovSec Joyal New Threat Matrix

Cascade-Based Attack Vulnerability – US Power Grid

• They published these findings in a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S. electrical grid.

• While some maintain that the research promotes a defense posture, Mr. Wang’s research subject was particularly unfortunate because of the widespread perception, particularly among American military contractors and high-technology firms, that adversaries are planning to attack critical infrastructure like the United States electric grid.

Page 13: GovSec Joyal New Threat Matrix

The Cyber Threat

[Diagram: the threat is assessed like a criminal threat, at the intersection of three factors: Operational Practicality, Behavioral Profile and Technical Feasibility.]

Page 14: GovSec Joyal New Threat Matrix


Cyber Infrastructure

Page 15: GovSec Joyal New Threat Matrix

Russia’s NSA (FAPSI) also Identified in Cyber Theft

• In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington. The interloper sent information to computers in Moscow, NASA documents show.

• U.S. investigators fear the data ended up in the hands of a Russian spy agency.

Page 16: GovSec Joyal New Threat Matrix

Russia’s NSA (FAPSI) also Identified in Cyber Theft

• A team of agents from NASA, the FBI, and the U.S. Air Force Office of Special Investigations was assembled to follow the trail of what they concluded was a criminal hacking ring, with dozens of Internet addresses associated with computers near Moscow.

• The investigators made an even more alarming discovery, according to people familiar with the probe: The cyber-crime ring had connections to a Russian electronic spy agency known by the initials FAPSI.

Page 17: GovSec Joyal New Threat Matrix

European Credit Card Crime Accelerates

• Card-related crime is the fastest-growing criminal activity in the United Kingdom and throughout Europe. Payment card systems are under unprecedented attack from well-organized and well-financed criminal gangs.

Page 18: GovSec Joyal New Threat Matrix

Card Fraud Plagues Europe: Some Say It's FAPSI

• The payments business is increasingly the subject of organized, methodical attacks by Russian criminals, characterized by high technical sophistication and even including access to systems designed by FAPSI, the Russian state cryptographic agency.

• "We've seen techniques that could only have come from FAPSI," says Jan Eivind Fondal, director of risk management at Europay Norge in Oslo, Norway. "It's beyond anything we've seen. It's a new breed of fraudster." "He had covered his tracks in a way only a security professional would."

Page 19: GovSec Joyal New Threat Matrix

Russian Viruses Attack Banks

• Russian hackers rely on viruses that record keystrokes as customers type log-ins and passwords. Russian-made viruses are believed to be behind several major online heists, including the theft of $1 million from Nordea Bank in Sweden in 2007 and $6 million from banks in the United States and Europe that same year.

• Viruses and other types of “malware” are bought and sold for as much as $15,000.

• Rogue Internet service providers charge cyber-criminals $1,000 a month for police-proof server access.

Page 20: GovSec Joyal New Threat Matrix

Russian hacking flourishes as “a cyber-criminal ecosystem”

• Russian hacking flourishes as “a cyber-criminal ecosystem” of spammers, identity thieves and “botnets,” vast networks of infected computers controlled remotely and used to spread spam, denial-of-service attacks or other malicious programs. A denial-of-service attack floods a Web site with inquiries, forcing its shutdown.

– Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky Lab, one of the world’s leading computer security firms

Page 21: GovSec Joyal New Threat Matrix

RBN: First Cyber Strike on Georgia was not Hacktivists

• "The individual with direct responsibility for carrying out the cyber 'first strike' on Georgia is an RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov.

• These men are leaders of RBN sections and are not 'script-kiddies' or 'hacktivists,' as some have maintained of the cyber attacks on Georgia – but senior operatives in positions of responsibility with vast background knowledge."

Page 22: GovSec Joyal New Threat Matrix

RBN-Prime Mover

• Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24.

• It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely ‘hacktivism.’ Due to the degree of professionalism and the required massive costs to run such operations, a state-sponsor is suspected.

Page 23: GovSec Joyal New Threat Matrix

Known Russian Business Network routes identified

• The IP addresses of the range 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies that are classified as engaging in illicit activities such as credit card fraud, malware and so on.

• 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet, which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes.

Page 24: GovSec Joyal New Threat Matrix

Hacking for Money and Politics in Russia

• And when it’s not money that drives Russian hackers, it’s politics—with the aim of accessing or disabling the computers, Web sites and security systems of governments opposed to Russian interests. That may have been the motive behind a recent attack on Pentagon computers.

• A new generation of Russian hacker is behind America’s latest criminal scourge. Young, intelligent and wealthy enough to zip down Moscow’s boulevards in shiny BMWs, they make their money in cyber-cubbyholes that police have found impossible to ferret out.


Page 26: GovSec Joyal New Threat Matrix

RSA 2010 Conference: Malware industry getting increasingly professional, warn experts

• The Russian Business Network (RBN), one of the most powerful and extensive malware and hacking organisations, has been buying time on Amazon's EC2 platform to build malware and attack passwords, according to Ed Skoudis, founder of security consultancy InGuardians.

Page 27: GovSec Joyal New Threat Matrix

Russian Cyber Attack model: as seen in Estonia and Georgia attacks – Information Warfare

• The Kremlin, with the help of the FSB, targets opposition Web sites for attack.

• Attack orders are passed down through political channels to Russian youth organizations whose members initiate the attack, which gains further momentum through crowd-sourcing.

Page 28: GovSec Joyal New Threat Matrix

Russian Cyber Attack model – Information Warfare

• Russian organized crime provides its international platform of servers from which these attacks are launched, which in some cases are servers hosted by badware providers in the U.S.

• LESSON

• For DoD planners and policy makers, an awareness of this model should trigger a re-evaluation of the approach that is taken in our cyber security strategy.

Page 29: GovSec Joyal New Threat Matrix

Iranian Crackdown Goes Global: RBN supports Efforts to Track Dissidents

• A Wall Street Journal investigation shows Iran is extending its crackdown to Iranians abroad. Part of the effort involves tracking the Facebook, Twitter and YouTube activity of Iranians around the world, and identifying them at opposition protests abroad. People who criticize Iran's regime online or in public demonstrations are facing threats intended to silence them.

• Caught by surprise by the power of social media during the disputed election, Tehran has commissioned white paper studies by the Research Center of Islamic Republic of Iran Broadcasting (crspa.ir) to "study the role of social capital in knowledge sharing".

• The crspa.ir web site has been assisted by the Russian Business Network at the well-known RBN IP address 61.61.61.61, which is home to many of the RBN's spam, scam, and malware DNS servers.

Page 30: GovSec Joyal New Threat Matrix

Local Governments are defrauded also

• The New York town of Poughkeepsie reported that thieves had broken into the town’s bank account and stolen $378,000 in municipality funds.

• Poughkeepsie officials said $95,000 was recovered from a Ukrainian bank.

Page 31: GovSec Joyal New Threat Matrix

China acquires US Rocket Engine designs

• Four years later, in 2002, an online intruder penetrated the computer network at the Marshall Space Flight Center in Huntsville, Ala., stealing secret data on rocket engine designs—information believed to have made its way to China, according to interviews and NASA documents.

Page 32: GovSec Joyal New Threat Matrix

Data flows to China

• Howard A. Schmidt, a technology consultant who served as a White House special adviser on cyber-security from 2001 to 2003, concurs.

• "All indications are that the attacks are coming in from China," he says, "and the data is being exfiltrated out to China."

Page 33: GovSec Joyal New Threat Matrix

Intelligence Chief on Cyber Challenge

• “But cybersecurity is the soft underbelly of this country.”

Mike McConnell told a group of reporters Jan. 16, 2009

• “If we were in a cyberwar today, the United States would lose.”

Mike McConnell testimony to Congress, February 23, 2010

Page 34: GovSec Joyal New Threat Matrix

"Cyber Shockwave," Feb. 17, 2010

• Cyberattack Drill Shows U.S. Unprepared

• A group of high-ranking former federal officials scramble to react to mobile phone malware and the failure of the electricity grid in a staged exercise.

• Imagine what would happen if a massive cyber attack hit the U.S., crippling mobile phones and overwhelming both telephone infrastructure and the electricity grid.

Page 35: GovSec Joyal New Threat Matrix

RF’s Military Doctrine and Principles of state policy on nuclear deterrence to 2020, on Information Warfare:

• In the RF’s Military Doctrine and Principles of state policy on nuclear deterrence to 2020, the following sections relate to Information Warfare:

• 12. (d) Acknowledgment of the intensification of the role of information warfare in contemporary military conflict.

• 13. (d) The prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favorable response from the world community to the utilization of military force.

• 41. The tasks of equipping the Armed Forces and other troops with armaments and military and specialized equipment are: (c) to develop forces and resources for information warfare

• But what if 41 (c) said “to develop state and non-state actors as forces in the use of information warfare”?

Can you imagine the uproar that would occur; that Russia has “outed” its own use of non-state actors? Well, that’s essentially what this document has done for the U.S. government.

Page 36: GovSec Joyal New Threat Matrix

From Russian Military Thought Leaders

• There is no need to declare war against one’s enemies and to actually unleash more or less large military operations using traditional means of armed struggle. This makes plans for “hidden war” considerably more workable and erodes the boundaries of organized violence, which is becoming more acceptable.

• Viruses are viewed as force multipliers that can turn the initial period of war into pure chaos if they are released in a timely manner. (See Russia-Georgia War)

Page 37: GovSec Joyal New Threat Matrix

Make No Mistake You and America Are the Target

• Protect your Computer

• You are only a click away from anywhere in the world

• Report to FBI or appropriate US Government Agencies any cyber attempts to compromise your identity or accounts.

• If you see something say something

• Get involved and stay vigilant

• It Takes a Network to Defeat a Network

• You are part of our network

Page 38: GovSec Joyal New Threat Matrix

Paul M. Joyal

NSI | Managing Director, Public Safety and Homeland Security Practice

1400 Eye Street NW, Suite 900 | Washington, DC 20005

T 202.349.7005 (direct) | M 571.205.7126

[email protected]