[ISN] Smash and grab, the hi-tech way

From: InfoSec News (isn@private)
Date: Thu Jan 19 2006 - 22:15:44 PST


Peter Warren
Thursday January 19, 2006
The Guardian 

As they packed their briefcases for the Christmas break, MPs in
Westminster were unaware they had been the targets of one of the most
audacious hacking attempts ever mounted.

The Guardian has learned that the oldest modern democracy came under a
sustained attack aimed at stealing sensitive information. It was
launched by cyber criminals almost certainly operating in the world's
next superpower, China.

The hi-tech industrial espionage involved a series of
innocuous-looking emails targeted at secretaries, researchers,
parliamentary staff and even MPs themselves. Each one was specifically
tailored to the individual who would receive it.

Once opened, these emails tried to download sophisticated spyware that
hunts through the recipient's computer and network for potentially
valuable documents, which would be automatically sent back to the
hackers without the user's knowledge.

Fortunately, the attack, which took place earlier in 2005, was
thwarted by parliament's sophisticated internet security system; no
sensitive data is thought to have been lost.

Instead, the Commons' IT security staff immediately alerted the UK's
National Infrastructure Security Co-ordination Centre (NISCC), a
powerful organisation linked to MI5 that is responsible for protecting
the UK's critical information systems. Security experts set up an
exercise to monitor the attacks, and immediately realised the hackers
were well resourced.

"These were not normal hackers," said a source close to the NISCC.  
"The degree of sophistication was extremely high. They were very
clever programmers."

A spokesman for the Home Office would only say: "We do not comment on
security matters, but have had discussions with many governments and
computer emergency response teams from around the world on this

According to research by US investigators, the hackers are thought to
have been based in the Guangdong province in southern China. British
and US security experts believe the hackers are working with the tacit
approval - or possibly even direct support - of authorities in the
People's Republic of China and are attempting to acquire western
technology in a massive hit and run raid on the world's intellectual
property to aid their booming economic growth.

A spokesman for the Chinese government said: "If there are such
allegations then it is subject to further investigation."

A wakeup call

Commodore Patrick Tyrrell, the UK's first director of information
warfare, warned about the likelihood of such an attack nearly 10 years
ago. He believes the attack is a wakeup call to the government.

"This could certainly be seen as a provocative act. Up until now,
governments have not set much store by information," says Commodore
Tyrrell, now managing director of the computer company Vale Atlantic.  
"The government has to take seriously the way [this kind of attack] is

The attack on the Commons may be the most eye-catching attack from
Chinese-based hackers, but is certainly not unique.

According to a spokesman for MessageLabs, the company responsible for
filtering malicious email from government networks, similar spy emails
- called "targeted Trojans' - were noticed about 18 months ago. "There
were not very many, maybe one every two months, but now they are
coming in at the rate of one to two a week," said Maksym Schipka,
MessageLab's senior anti-virus researcher.

Last June, the government sent out a warning in which Roger Cummings,
the head of NISCC, spoke about the threat of attacks from far eastern
gangs on the UK critical national infrastructure (CNI) - the key
network of transport, energy, financial, telecommunication and
government organisations. At the end of November, Cummings warned that
targeted Trojans from foreign powers were a significant threat.

In mid-December, the Cabinet Office - which has overall responsibility
for ministries - joined in the chorus at a conference at Glamorgan
University. Senior civil servant Harvey Mattison, the head of
accreditation for the Cabinet Office's Central Sponsor of Information
Assurance, the unit responsible for protecting communications between
government departments, gave a keynote address on the threat from the
far east. "We were given the impression it was coming from one ISP in
Guangdong," said a delegate.

Mattison declined to comment except to say that his address was based
on details from the NISCC alert.

Britain is not the only country targeted. Key parts of the US have
been targeted by far eastern hackers for up to five years. Some of the
attacks - codenamed Titan Rain - have been traced to just 20
workstations and three routers in Guangdong.

Alan Paller, head of the Sans Institute, the US's top computer crime
fighting organisation, has stated categorically that the attacks
emanate from the People's Republic. He points to attacks in November
2004, during which hackers grabbed thousands of sensitive documents.

The hackers stashed the stolen files in zombie servers in South Korea,
before sending them back to Guangdong. In one, a researcher found a
stockpile of aerospace documents with hundreds of detailed schematics
about propulsion systems, solar paneling and fuel tanks for the Mars
Reconnaissance Orbiter, the Nasa probe launched in August.

On one night alone they copied a huge collection of files that had
been stolen from the Redstone Arsenal, home to the US army's Aviation
and Missile Command in Alabama. The attackers had grabbed
specifications for the aviation mission-planning system for army
helicopters, as well as Falconview 3.2, the flight-planning software
used by the army and air force.

For six hours the gang skipped through the computers of Redstone, the
army's Information Systems Engineering Command in Arizona, the Defense
Information Systems Agency, Naval Ocean System Center in San Diego and
the Space and Missile Defense Acquisition Center in Alabama.

"Of course it's the [Chinese] government [that receives this
information]. Governments will pay anything for control of other
governments' computers," said Paller.

Other clues - such as the focus on economic espionage - suggest the
attacks are not the work of run-of-the-mill hackers.

Computer criminals usually seek a quick turnaround of funds and an
easy escape route. But economic secrets do not always have a ready
cash market.

Sources involved in tracking down the gang say the Chinese group is
just one of a number of organised groups around the world that are
involved in a hi-tech crime wave, some working for governments, others
highly organised criminal gangs.

"We have seen three attacks a day from this group in the past week and
there are a lot of other groups out there," said the source. "You
could say that the iceberg is now in view."

Privately, UK civil servants familiar with NISCC's investigation agree
that the attacks on the UK and US are coming from China. This almost
certainly means some state sanction or involvement - perhaps even a
"shopping list" of requirements.

Some of the attacks have been aimed at parts of the UK government
dealing with human rights issues - "a very odd target", according to
one UK security source.

There is another, more compelling reason. "Hacking in China carries
the death penalty," says Professor Neil Barrett, of the Royal Military
College at Shrivenham. "You also have to sign on with the police if
you want to use the internet. And then there is the Great Firewall of
China, which lets very little through - and lets [the Chinese
government] know exactly what is happening." The internet traffic to
the UK, and its origin, would all be visible to the Chinese
government. Finding the culprits would, in theory, be a simple

Sophisticated attacks

While the Chinese embassy confirmed that hacking carries the death
penalty, a spokesman denied that registration with the police was
necessary: "The same permission as for a telephone relates to the
internet. You simply have to apply to a service provider."

Another clue is the sophistication and cost of organising the attacks.  
MessageLab's Schipka thinks such a scale required the resources of a
very large company. "Either that, or a lot of small organisations are
cooperating to help someone but the way these are done is spotless."

"Whoever is doing this is well-funded," said Dr Andrew Blyth, head of
computer forensics at Glamorgan University. "They are not only able to
develop sophisticated software but have also been able to develop
websites that people are directed to by emails. These sites then
corrupt their web browsers - it is very sophisticated stuff and it
costs money to be able to mount an operation of this complexity."

In the attacks, each individual receiving the emails and the
organisation's IT structure are meticulously researched. The Trojan
emails are designed to appeal uniquely to victims. "One email was
targeted at one company in aviation. It was a Word document that had a
Math/cad component. If you did not have math/cad on your computer it
would not open," says Schipka. "The point was to find documents that
had been written in that particular program and then send them back."

Meanwhile, the Sans Institute has raised the idea that the Titan Rain
attacks might even have a military origin. In the two-and-a-half years
of investigation, the hackers never made a mistake. "It was like being
against a master chess player except he was running around between
different terminals in different locations," said Alan Paller, of
Sans. "There was a level of care and consistency behind this that has
to indicate a military operation."

Intriguingly, the Pentagon in its annual report of the military power
of the People's Republic of China, published on July 28 last year,
noted the development of computer attack systems by China's military,
adding that the People's Liberation army (PLA) regards computer
network operations as being "critical to seize the initiative" in
establishing "electromagnetic dominance" at the start of a battle.

The report added: "Although initial training efforts [by the PLA]
focused on increasing the PLA's proficiency in defensive measures,
recent exercises have incorporated offensive operations, primarily as
first strikes against enemy networks."

Industrial espionage via computers is not new. In 1989, for example,
German hackers from the Chaos Computer Club stole secrets from western
defence companies and sold them to the KGB.

However, the sheer scale of the recent attacks have set alarm bells
ringing in security circles around the western world; at the very
least they ought to give MPs something to think about when they switch
on their computers each morning.


If you'd like to comment on any aspect of Technology Guardian, send
your emails to tech at guardian.co.uk

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Thu Jan 19 2006 - 23:00:42 PST