Cyber Espionage Otherwise Known As Cyber Spying Information Technology Essay
This paper discusses cyber espionage, otherwise known as cyber spying, with a focus on state sponsored (i.e. government sponsored) cyber espionage. The first part of the paper covers the key topics of state sponsored cyber espionage, such as the methods used and the key players (section 2). This is followed by a critical analysis and evaluation of the state of the cyber espionage domain (section 3), and finally an attempt to make a contribution or new suggestion to the cyber espionage domain (section 4).
2 Cyber Espionage – Key Topics
2.1 What is traditional espionage?
Espionage or spying in the traditional sense is something that is usually associated with human beings rather than computers, such as secret agents going on missions to retrieve information or sabotage their enemies; and is most often state or politically commissioned.
This traditional form of espionage can be formally defined as ‘the discovering of secrets, especially political or military information of another country or the industrial information of a business.’ (Cambridge University Press, 2010).
2.2 What is cyber espionage?
Cyber espionage shares the basic concept of traditional espionage, except that it is carried out by electronic or digital means, e.g. over the Internet and against computer networks. One definition describes cyber espionage as:
‘…the act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary or of classified nature), from individuals, competitors, rivals, groups, governments and enemies for personal, economic, political or military advantage using illegal exploitation methods on the Internet, networks or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware.’ (Wikipedia, 2010).
The latter part of this definition in particular, the use of illegal exploitation methods on the Internet, networks or individual computers through cracking techniques and malicious software, is the key differentiator between traditional and cyber espionage.
2.3 How does cyber facilitate espionage?
The cyber aspect of cyber espionage facilitates traditional espionage by removing the need for a human to be physically present at the site of information retrieval or sabotage. What in the past may have required a secret agent to infiltrate an enemy’s physical boundaries through deception, or to find an undetected physical way behind enemy lines, has now largely been replaced by spies retrieving data or sabotaging their enemies from the safety of their own office, protected by the commissioning government or state.
2.4 How do governments use cyber espionage to further national interests?
There are many reasons why a government would choose to conduct cyber espionage, some of which are outlined below.
Strategic Military Advantage
Cyber espionage can be used to obtain a strategic military advantage over the enemy. Should the command and control systems (C4I systems) in use by an adversary be compromised, all of its military planning can be obtained and acted upon to counteract the adversary’s advances. (Wikipedia, 2009).
Commercial advantage for government interests
State sponsored cyber espionage may also be performed against an adversary state’s commercial interests, for example to obtain coveted R&D and so boost the national economy.
A recent example involves the network device manufacturer Cisco and the Chinese company Huawei Technologies Co., Ltd. In 2003, Cisco filed a lawsuit against Huawei on the basis that it had infringed Cisco’s patents and outright copied source code relating to Cisco’s market leading IOS operating system used in routers. (Cisco Systems Inc, 2003).
While Huawei is a privately owned company, a military report to Congress in the United States cited security concerns over procuring devices manufactured by Huawei; it reported that Huawei maintains extremely close relations with the People’s Liberation Army (i.e. the Chinese government). From this fact we can infer that, by copying Cisco’s IOS, the People’s Liberation Army was ensuring national commercial interests, because Huawei as a commercial company would not have had the capability to perform such advanced cyber espionage activities itself. (Office of the Secretary of Defense, 2008)
2.5 Some methods used for the purposes of Cyber Espionage
To explain the methods used in cyber espionage, one must understand that cyber espionage uses the same modus operandi as hacking, but for the sole purpose of gaining secrets and performing sabotage to further national interests.
The most common hacking methods involve exploiting vulnerabilities in software, delivering malware such as Trojan horses or rootkits to the enemy, and social engineering or client-side attacks. Each of these methods of attack is discussed in turn below.
Vulnerabilities – what are they?
Bugs in software, more commonly known as software vulnerabilities, can be defined as “…an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways.” (Wikipedia, 2010).
There exists a large body of knowledge in the public domain relating to software vulnerabilities which affect various operating systems and applications. Web sites such as http://www.securityfocus.com are exclusively devoted to listing vulnerabilities.
Government agents target both publicly known vulnerabilities and those discovered through their own internal R&D efforts against enemy software or systems, exploiting them to gain access to potentially coveted information about enemy plans.
An example of a type of vulnerability is a buffer overflow. Inputting more characters than a program expects can cause a buffer overflow condition. By exploiting a buffer overflow, an attacker can direct the program to grant access to the underlying operating system, or can direct it to an invalid instruction, causing the program to crash. (Emsi Software GmbH, 2010), (Owasp & Fortify Software, 2009), (Aleph One, 2010).
In the latter case this can be used for sabotage, disrupting a system’s availability. In the former case the attacker gains full control over the system in question, from which military or classified information could be obtained.
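As an added illustration (not code from the original essay or from any source it cites), the two C functions below show the defect described above beside a bounded version that rejects oversize input; the buffer size, function names and sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed fixed-size buffer for the example */

/* Flawed pattern described in the essay: strcpy copies until it finds the
 * terminating NUL, so any input of NAME_LEN bytes or more writes past the end
 * of `name` into neighbouring stack memory. Whether that corrupts a saved
 * return address (control of execution) or merely crashes the program
 * (loss of availability) depends on the layout the compiler chose. */
int greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bound on the copy */
    return (int)strlen(name);
}

/* Hardened version: measure the input against the buffer first and refuse
 * anything that would not fit together with its terminator. Refusing (and
 * logging) is preferable to silent truncation, which hides malformed input.
 * Returns the number of bytes stored, or -1 when the input is rejected. */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    size_t n = 0;
    while (n < NAME_LEN && input[n] != '\0')   /* never scans beyond NAME_LEN */
        n++;
    if (n >= NAME_LEN)
        return -1;                       /* oversize: reject instead of overflow */
    memcpy(name, input, n);
    name[n] = '\0';
    printf("hello, %s\n", name);
    return (int)n;
}

int main(void)
{
    /* constructed inputs: one that fits, one that would overflow greet_unsafe */
    const char *short_input = "alice";
    const char *long_input  = "this-name-is-much-longer-than-the-buffer";

    printf("short input -> %d\n", greet_safe(short_input));   /* 5 */
    printf("long input  -> %d\n", greet_safe(long_input));    /* -1 */
    /* greet_unsafe(long_input) is deliberately not called: it is undefined
     * behaviour. A build with -fstack-protector would abort on the overflow. */
    return 0;
}
```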
Social engineering is where naive users willingly give out information, sometimes not realising the consequences of their actions and sometimes not even realising that they are doing it. This usually, but not always, involves some form of human interaction with the user in a social sense. (Microsoft, 2010), (TechTarget, 2010).
One example of social engineering involves calling the IT helpdesk of a company armed with information such as an employee’s name and current site location, information which is easily harvested from email out-of-office replies.
Armed with this basic information, an attacker can claim to be away from the office at a client site, about to deliver a critical presentation, having forgotten their token and urgently requiring access to the company VPN. Through coercion and persuasion it is very easy to convince IT helpdesk staff to reset passwords and grant access to the VPN.
These attacks are very commonly used in a cyber espionage context in extremely targeted client-side attacks. (Naraine, R. & Danchev, D. 2010)
A client-side attack is one that targets weaknesses in the common programs an everyday user would use, such as email clients, browsers or even PDF readers, so that the user (client) clicks on something or opens a web page with malicious intent that connects to a malicious server; in doing so, they initiate or allow the attack to happen without their knowledge. (Riden, J. 2008), (Greene, T. 2007).
A recent example from the malware reporting site Contagio involves an email sent seemingly from the US Embassy in Bangkok discussing a 2010 Trade Policy Agenda. This email targeted governmental institutions and included a PDF attachment which, when opened, exploited a vulnerability in Adobe Acrobat Reader and granted whoever sent it (likely government affiliated hackers or spies) access to the targeted systems. (Parkour, 2010).
So again one can see how this is especially useful in a cyber espionage context: intelligence agencies can use social engineering both to gather important information and to access enemy systems.
One-off access to an enemy system is good; ideally, however, attackers prefer systematic on-demand or persistent access whenever they wish. Over time more intelligence (coveted information) accumulates on the compromised devices, and the cyber spies can also use the compromised system as a leverage point to delve further into the governmental network.
Malicious software or Malware – common types
Persistent access (as mentioned in the previous section) can be gained by installing backdoors, Trojan horses and rootkits. These maintain access to the systems and provide stealth cover to the agents or hackers, so that their actions are not detected by any anti-virus, forensic or other countermeasures installed on the compromised computers.
Backdoors – These exist within legitimate applications, intentionally left by programmers so that they can gain access to a user’s PC. (Emsi Software GmbH, 2010).
Trojan horses – Programs that look innocent and safe enough to download, but which come packed with viruses and other malware that grant attackers access to the user’s system. (Emsi Software GmbH, 2010).
Rootkits – To properly understand what a rootkit is and what it does, the following definition can be used:
‘A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.’ (Johns Hopkins Institutions, 2010).
All of the above are especially useful to government agencies for the purpose of cyber espionage because they are virtually undetectable: usually having administrator level access, they can in effect hide themselves from users, real administrators and any virus or spyware detection software. (Soft Anti Malware, 2010)
Like the foot soldier on the front line, cyber spies must operate within very hostile enemy environments. There exists a plethora of countermeasures that nations install and use on their networks and computers to make sure that, should the worst happen, the attack or cyber espionage will be detected, contained and attributed to the individuals behind it. Such countermeasures include anti-virus, firewalls, intrusion detection/prevention systems and data loss protection. (The SANS Institute, 2010).
2.6 Obfuscating attacks
Just as the foot soldier uses camouflage to remain undetected by the adversary, the cyber spy obfuscates his attacks so as to bypass the countermeasures mentioned above.
Obfuscation is a process applied to malicious code or attacks to help conceal them from applications such as anti-virus or spyware checkers. It works because anti-virus systems and intrusion detection/prevention systems look for attack fingerprints, otherwise known as signatures. (Riden, 2008)
The code or attack the attacker is using is altered, i.e. obfuscated, so that it is no longer recognisable, removing the signatures that the anti-virus or intrusion detection/prevention systems try to detect. This is especially significant for cyber espionage because one government can conceal the malicious code it is using against another country or state, and therefore collect any information needed or sabotage the country without anyone realising. (Riden, 2008)
Ultimately the end result of the above techniques (exploiting vulnerabilities, social engineering, achieving persistent access, evading detection through obfuscation) is surveillance of adversaries and the long-term collection of intelligence.
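The signature mechanism described in section 2.6, as an added example rather than code from the essay or from any product it cites: a fixed-pattern matcher, the same bytes after a single-byte XOR so that the pattern no longer appears, and a byte-level heuristic a defender can apply when the exact signature is absent. The marker string, key and threshold are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Signature matching as the essay describes it: a hit means the exact byte
 * pattern `sig` occurs somewhere in `data`. */
int matches_signature(const unsigned char *data, size_t len,
                      const unsigned char *sig, size_t siglen)
{
    if (siglen == 0 || siglen > len)
        return 0;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(data + i, sig, siglen) == 0)
            return 1;
    return 0;
}

/* The simplest possible obfuscation: XOR every byte with one key. The content
 * is unchanged (the transform is its own inverse), but the byte pattern the
 * signature looks for is gone, so the matcher above reports nothing. */
void xor_transform(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Defender-side heuristic that ignores exact bytes: the share of printable
 * ASCII in a buffer. Text and script content is almost entirely printable;
 * encoded payloads scatter into non-printable values. Returns 1 when fewer
 * than half the bytes are printable (a constructed threshold for the demo). */
int looks_encoded(const unsigned char *buf, size_t len)
{
    size_t printable = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] >= 0x20 && buf[i] <= 0x7E)
            printable++;
    return len > 0 && printable * 2 < len;
}

/* Runs the whole sequence on a constructed sample and returns a bitmask:
 * bit0 = plain sample hit the signature, bit1 = encoded sample hit it,
 * bit2 = heuristic flagged the encoded sample. Expected result: 0x5. */
int demo(void)
{
    static const unsigned char sig[] = "BEACON_MARKER";       /* constructed */
    unsigned char sample[] = "CONSTRUCTED_BEACON_MARKER_v1";  /* constructed */
    size_t siglen = sizeof sig - 1, len = sizeof sample - 1;
    int result = 0;

    if (matches_signature(sample, len, sig, siglen)) result |= 1;
    /* key 0x9C maps every ASCII letter, digit and '_' above 0x7F */
    xor_transform(sample, len, 0x9C);
    if (matches_signature(sample, len, sig, siglen)) result |= 2;
    if (looks_encoded(sample, len))                   result |= 4;
    return result;
}
```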
2.7 Computer surveillance
Computer surveillance is the monitoring of the computer and Internet activity of certain individuals or groups, usually by government intelligence agencies. It can be performed by programs installed on a computer, such as backdoors and rootkits, that monitor activity, or it can be surveillance of data sent and received and of activities performed on the Internet, for the purpose of detecting illegal or suspicious acts. (Wikipedia, 2010).
A good example is the Communications Assistance for Law Enforcement Act, which allows US intelligence and government agencies to monitor telephone lines and Internet traffic. Whilst this is legitimate wiretapping, used for purposes such as monitoring high risk individuals or groups that may pose a threat to society and surveillance of Internet traffic, it may also be abused for espionage purposes. (FBI, 2009).
2.8 Key players engaged in Cyber Espionage
There are many key players all over the world that are involved in Cyber Espionage, such as the US, the UK, China, and Russia; some of which are discussed below.
The US has numerous agencies that perform intelligence tasks on a daily basis; one of the most prominent is the NSA (National Security Agency), which is in charge of cryptography, cyber security and investigating cyber threats to the US. The NSA also runs the Echelon surveillance network. (Britannica, 2010), (BBC, 2001).
The NSA has historically been engaged in collecting vast amounts of surveillance data, both within the borders of the US and internationally.
A famous example is the rumour that Microsoft allowed the NSA to create a backdoor in Windows 7, after an NSA member leaked to Congress that the NSA had worked with Microsoft on Windows 7. Such backdoor access to one of the most widely deployed operating systems in the world would have huge repercussions, in that it would in effect allow the NSA to hack into any computer running Windows 7 belonging to an adversary state. (Keizer, 2009).
Just like the US, the UK has numerous agencies that perform intelligence tasks for security purposes and to ensure national interests; these include MI5, MI6 and GCHQ. Along with the NSA, the UK also has significant involvement in Echelon.
The UK has recently launched an offensive hacking arm at GCHQ, the Cyber Security Operations Centre, and has hired former malicious hackers to aid its operations. Falling under the remit of GCHQ, it is understood that the Cyber Security Operations Centre will also be actively engaged in cyber espionage. (Zetter, 2009).
The People’s Liberation Army, otherwise known as the PLA (the Chinese army), actively engages in cyber espionage; a recent case involved the PLA hacking into computers at the Pentagon. (Sevastopulo, 2007).
One of the most significant recent stories of China’s involvement in cyber espionage is GhostNet; while the Chinese government denied involvement, there are significant links between the Chinese government and GhostNet, even if GhostNet appears to be run by Chinese cyber criminals. (The Times, 2009).
The significance of the GhostNet saga is that whoever was responsible (rumoured to be the Chinese government) managed to hack into and spy on, silently and without detection, over 1,000 computers of great importance belonging to embassies, government systems and even prominent commercial companies all over the world. With access to such classified information, one would imagine, the hackers responsible could potentially bring down the whole infrastructure of many of the countries in question. (The Times, 2009), (BBC, 2009).
2.8.1 Echelon – What is Echelon and why is it significant?
Echelon is a secret cyber espionage network comprising some of the most powerful countries in the world: America, Australia, Canada, the UK and New Zealand. Its existence has been denied by its most significant members (America and the UK), but the Australian and New Zealand governments have somewhat let down the collective, with various officials letting slip that it exists. (Bomford, 1999)
Echelon is alleged to be able to monitor emails, telephone calls, mobile phone calls, satellite transmissions and fibre optic transmissions. Eavesdropping takes place when certain keywords, flagged as pertinent to national security, are detected. (BBC, 2001).
2.9 Attribution – what is it?
Attribution is the concept of discovering who the perpetrators of a cyber espionage attack are. Cyber spies go to great lengths to conceal their true origin; one method involves bouncing their connections through compromised computers dispersed across the globe, especially in countries with lax computer misuse laws. (Network Security Solutions Ltd, 1998), (Hunker, Hutchinson and Margulies, 2008).
One difficulty is that the methods of finding out where an attacker originated are not always legal, and some form of backing or power is needed to be allowed to perform the tasks required to attribute an attack to the attacker. For example, if the organisation being attacked is a government organisation such as the NSA or MI5/MI6, such large, prominent organisations have much more power to bypass laws and attribute attacks or cyber espionage networks to individuals or groups. (Morrill, 2006), (Hunker, Hutchinson and Margulies, 2008).
3.1 Cyber espionage: What can we gain?
The current world order has the United States and other world powers exercising immense military power and nuclear deterrent capabilities to force smaller states into submission. Cyber espionage, through its low cost and its potential to retrieve high value intelligence that can feed into kinetic forms of military attack, gives smaller nations a real threat to the dominance of the current superpowers and therefore levels the playing field.
Cyber espionage campaigns are advantageous because they can be launched from anywhere in the world, hiding the real perpetrators. Cyber espionage can also be outsourced to cyber criminal gangs, further distancing the military and providing a buffer in the unlikely event that the attacks are traced back to their perpetrators. This was recently seen in the Google attacks (Paul, 2010) and offers plausible deniability.
3.2 Cyber espionage: What is at stake?
As humans we are extremely good at physical security, to the point that anything which really needs protecting or fortifying can be next to impossible for a traditional spy to break into.
Due to the current trend of putting everything online (e-government, utilities, military, research institutes), one could argue that more is accessible over the Internet, even information which is securely guarded by physical means.
By exploiting vulnerabilities, or via social engineering and client-side attacks, all of this information is at risk of disclosure to adversary states. This is one of the great advantages of cyber espionage.
3.3 What does the future hold?
Over a long enough timeline, all vulnerabilities are eventually patched by vendors. This decreases the attack surface available for attackers, rogue nation states and their operatives to exploit.
Therefore there will eventually be less capability to facilitate cyber espionage, and as the years go on this will become even more difficult. Nations will likely therefore resort to collusion with manufacturers to include vulnerabilities that allow them to hack into operating systems. We are already seeing this happening, e.g. between Microsoft Windows and the NSA. (Nuttall, 1999)
Contribution to the Cyber Espionage domain
Currently, finding out who is behind a cyber espionage attack or any other network attack (as in the attempts to find out who was behind GhostNet) involves going back to the ISP to which the attacking IP address belongs.
The ISP can then cross-reference this with its subscriber logs to arrive at a physical location; this is a great deal of trouble to go to in order to find out who is attacking you.
Where the ISP is nationalised as part of a national telecommunications provider, there may be collusion with government cyber espionage operatives, cover-ups and reluctance to reveal this information.
Therefore, one solution could be to include physical geographical location within IP address information. This would help attribution and, whilst attacks can still be bounced as mentioned previously, would rule out the possibility of ISP collusion and cover-up. It would also act as a deterrent to committing the crime, much as fingerprints do in the physical world.