[ISN] Net espionage stirs Cold-War tensions

From: InfoSec News (isnat_private)
Date: Thu Jun 28 2001 - 02:23:33 PDT

    By Ted Bridis
    The Wall Street Journal Online 
    June 27, 2001 5:38 AM PT
    WASHINGTON -- Fears of Cold War tensions are finding new life in
    cyberspace, as the threat of Internet espionage shifts the nuclear-age
    doctrine of "mutually assured destruction" to that of mutually assured
    In one long-running operation, the subject of a U.S. spy investigation
    dubbed "Storm Cloud," hackers traced back to Russia were found to have
    been quietly downloading millions of pages of sensitive data,
    including one colonel's entire e-mail inbox. During three years, most
    recently in April, government computer operators have watched--often
    helplessly--as reams of electronic documents flowed from Defense
    Department computers, among others.
    The heist is "equivalent to a stack of printed copier paper three
    times the height of the Washington Monument," says Air Force Maj. Gen.
    Bruce Wright of the Air Intelligence Agency.
    China and Russia pose the deepest threats because their technology
    research is the most advanced, U.S. officials say. But some senior
    officials worry that it doesn't take a superpower to hack into a
    nation's sensitive computer networks. Moreover, there are complicated
    legal issues about how and when to launch counterstrikes.
    A teenager or a terrorist?
    It is often impossible for government or corporate victims to know
    whether an attacker is a teenager or terrorist, a rival company or a
    foreign government--and those distinctions make all the difference in
    how the U.S. government reacts. Even in the Storm Cloud case,
    officials can't answer for certain whether a foreign government or
    rogue hackers are involved.
    Both pose dangers. A federal advisory panel, the Defense Science
    Board, reported in March that the Pentagon "cannot today defend itself
    from an information operations attack by a sophisticated, nation-state
    adversary." Security testers at the Pentagon's National Security
    Agency routinely hack into U.S. military networks--and without the
    Pentagon noticing 99 percent of the time, the board found.
    But the Central Intelligence Agency says hacking by foreign
    governments, as opposed to individuals, is the biggest threat. "Only
    government-sponsored programs are developing capabilities with the
    future prospect of causing widespread, long-duration damage to U.S.
    critical infrastructures," says Lawrence Gershwin, head of the CIA's
    intelligence on technology. He calls terrorists, for example, a
    "limited" Internet threat. "Bombs still work better than bytes."
    The Storm Cloud case, which involved several military and
    law-enforcement agencies and descended from an FBI investigation
    called "Moonlight Maze," isn't the only illustration of the threat
    from overseas. After a U.S. spy plane collided with a Chinese jet in
    May, Chinese activists vandalized or shut hundreds of U.S. Web sites,
    including that of the White House. Last fall, a hacker accessed
    software blueprints at Microsoft Corp.; detectives believe the hacker
    used software from Asia and transferred data back to an anonymous
    e-mail account in Russia.
    So far, the government's response has been disjointed; cooperation has
    been slow to evolve among various U.S. agencies, corporations and
    foreign governments. A 1998 presidential order made the Federal Bureau
    of Investigation's National Infrastructure Protection Center the
    "focal point" for collecting data about threats. But the FBI center
    sometimes can't share information with the president's cyber-security
    adviser unless the Justice Department approves. Meanwhile, the White
    House budget office instructed agencies to report Internet attacks to
    the General Services Administration.
    The Storm Cloud case has highlighted all these issues. The attackers
    often covered their tracks using a modified software tool called
    "Loki," after a mischievous Nordic god; the software makes break-ins
    look like innocent Web browsing. Victims include the Defense
    Department's high-performance computer labs, where researchers use
    some of the world's fastest supercomputers to predict how air flows
    around a jet or how a missile penetrates armor. Weeks after the first
    attacks, an insider newsletter at one lab, the Aeronautical Systems
    Center at Wright-Patterson Air Force Base, conceded, "We accept that
    we can never be completely secure." Investigators insist nothing
    classified was stolen though the data were sensitive and commercially
    Suspicious file transfers tripped sensors at Wright-Patterson in early
    1998. But it wasn't until months later, after intrusions into other
    computer labs, that officials realized the attacks were connected. The
    hackers were particularly clever: Officials found software sensors
    inside federal computers that modified a private Web site in Britain
    whenever new documents were available. The hackers would view the Web
    site to see if it had changed and therefore didn't have to risk
    detection by checking themselves.
    Investigators believe hackers installed eavesdropping "sniffer"
    software as early as 1997 at universities, including Louisiana State
    University, in Baton Rouge, and the University of Cincinnati in Ohio,
    where professors working on defense projects connect via the Internet
    to military labs. The hackers then posed online as those professors to
    steal data and pilfer more passwords. Only after the attacks were
    noted were outside researchers instructed to use some encryption.
    The Pentagon then ordered all defense employees to change their
    computer passwords. The intruders even stole that memorandum,
    investigators suspect, and accordingly changed the passwords for the
    military accounts they had hacked.
    Investigators traced the break-ins to three commercial
    Internet-service providers in Moscow. But the riddle remained: Who was
    at the keyboard? Russia's government, or rogue hackers? The State
    Department last year formally pressed Russia--where laws subject
    almost all electronic communications to government monitoring--for
    help. A spokesman for Russia's intelligence service denies
    culpability, adding that if the government had organized the hacking,
    it would have done a better job hiding its tracks.
    How to respond to attacks?
    Such uncertainties raise crucial legal and diplomatic questions about
    how to respond. When does the U.S. hack back, and how? If the hackers
    are civilians, they are deemed "unlawful combatants" and criminals
    under U.S. law. But if a government is involved, the U.S. would weigh
    a retaliatory cyberstrike, says military spokesman Barry Venable.
    The agency that chiefly defends the military's computers changed its
    role this spring to include offensive attacks. It expects to triple
    its staff to nearly 150 in the next two years, and a draft Pentagon
    budget projects spending on computer warfare to increase by $400
    million next year, and by $3.5 billion over the next seven years.
    The FBI tried a similar hack-back approach. In April, a grand jury in
    Seattle indicted two Russian computer experts accused of hacking into
    dozens of U.S. banks and e-commerce sites, and then demanding money
    for not publicizing the break-ins. FBI agents, posing as potential
    customers from a mock company called Invita Computer Security, last
    November had lured the Russians to Seattle and asked the pair for a
    hacking demonstration. The agents secretly recorded every keystroke
    with commercial software available to anyone for $99.
    Days later, using one man's password, "cfvlevfq," the FBI connected to
    the Russians' own computers overseas and downloaded 781 megabytes of
    data. Only then did they obtain a search warrant for the files. A U.S.
    judge condoned the tactic in a pretrial ruling, partly because the
    searched computers were in Russia.
    Sen. Robert Bennett, a Utah Republican who is one of Congress's
    technology experts, says the ability to counterstrike should help
    discourage serious attacks from those who can be hit back. "The U.S.
    is the most vulnerable society because we're the most wired in the
    world," he said. "On the other hand, we're probably the most capable
    to wage this kind of warfare if someone were to provoke us."