China May Have Conducted a Cyber Attack Against the Russian Military

Even though Russia has highly advanced cyber attack capabilities, this does not mean they are immune to operations designed to breach their networks. It would seem China may have conducted a cyber attack against the Russian military:

“There is a world market for classified data of any time,” said Epstein. “There are documented cases in the past where private hackers hacked into various institutions and then sold the data to nation states. The lines are increasingly blurred in the world of cybersecurity.”

The attack starts with a well-written Russian-language email that seems to come from someone else in the targeted military division or an analyst section from the same group of the military, he said.

It comes with an attached document, a Microsoft Word file with a published article about the history of military testing in Russia.

“It’s a decoy document,” said Epstein. “You double-click on it, you open it, you read it, you think, ‘Ah, that was kind of interesting.’ Then you close it and you don’t think about it again. But when it closes, it activates a macro, and the macro triggers a secondary file to take action, which is to download a third file, which is the nasty stuff.”

That’s when the malware takes over the computer, and the attackers gain access to everything the user has access to.

“Any anti-virus program wouldn’t see a virus in the document because there’s no virus in the document,” he said. “And the trigger on closing is a common anti-sandboxing technique because most sandboxes check for triggering when documents are opened, not when they are closed.”

This is a fairly standard, yet highly effective, technique for evading endpoint anti-virus. This is why layered defenses extend beyond the network and need to be implemented at the endpoint level too. Tools like application whitelisting, host intrusion prevention, and desktop firewalls, when used together, can greatly reduce the chance that malware of this kind executes successfully.
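As an added example (not code from the original post or from the researchers quoted above), the script below shows what an endpoint or mail-gateway check for this technique looks like in practice: it scans extracted VBA macro source for auto-execute entry points, separates open-time triggers from the close-time triggers the article describes as a sandbox-evasion trick, and flags calls to APIs commonly used to launch a second stage. The VBA samples are constructed stand-ins, not real malware; in a real pipeline you would feed it the source that a tool such as oletools' olevba extracts from a document.

```python
import re

# Constructed sample VBA modules (illustrative only, not real malware).
SAMPLE_BENIGN = """
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    MsgBox "Welcome to the quarterly report"
End Sub
"""

SAMPLE_CLOSE_TRIGGER = """
Attribute VB_Name = "ThisDocument"
Private Sub Document_Close()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "second_stage_placeholder", 0   ' stand-in for the "secondary file"
End Sub
"""

SAMPLE_NO_TRIGGER = """
Attribute VB_Name = "Module1"
Sub Helper()
    x = 1
End Sub
"""

# Auto-execute procedure names grouped by the event that fires them.
# Most sandboxes only exercise the "open" set; the "close" set is the
# evasion the article describes.
AUTO_EXEC = {
    "open": ("AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open"),
    "close": ("AutoClose", "Auto_Close", "AutoExit", "Document_Close",
              "Workbook_BeforeClose"),
}

# APIs that a dropper-style macro typically needs to reach a second stage.
SUSPICIOUS_APIS = ("Shell", "CreateObject", "GetObject", "WScript.Shell",
                   "URLDownloadToFile", "Environ")


def scan_vba(source):
    """Return trigger/API findings and a coarse risk rating for one VBA module."""
    findings = {"triggers": [], "apis": [], "close_trigger": False, "risk": "low"}

    for phase, names in AUTO_EXEC.items():
        for name in names:
            # Match "Sub <name>" so a mere mention in a comment does not count.
            if re.search(r"\bSub\s+" + re.escape(name) + r"\b", source, re.IGNORECASE):
                findings["triggers"].append((phase, name))
                if phase == "close":
                    findings["close_trigger"] = True

    for api in SUSPICIOUS_APIS:
        # Negative lookbehind keeps "Shell" from matching inside "WScript.Shell".
        if re.search(r"(?<![\w.])" + re.escape(api) + r"\b", source, re.IGNORECASE):
            findings["apis"].append(api)

    if findings["triggers"] and findings["apis"]:
        findings["risk"] = "high"      # auto-runs and reaches out to the OS
    elif findings["triggers"] or findings["apis"]:
        findings["risk"] = "medium"    # worth an analyst's look
    return findings


if __name__ == "__main__":
    for label, src in (("benign", SAMPLE_BENIGN),
                       ("close-trigger", SAMPLE_CLOSE_TRIGGER),
                       ("no-trigger", SAMPLE_NO_TRIGGER)):
        print(label, scan_vba(src))
```

The point of keeping `close_trigger` as its own field is that a detection rule which only scores auto-execute macros in general would rate the decoy document no higher than a harmless `Document_Open` greeting; a close-time trigger combined with a process-launching API is the specific pattern that deserves a block or a detonation that actually closes the document.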

Who here wonders if this attack was actually perpetrated by the United States but made to appear as if China is responsible?

Seven Years of Malware Linked to Russian State-Backed Cyber-Espionage Group

An apparently state-backed cyber-espionage group based in Russia has conducted a targeted malware campaign targeting foreign governments over the course of the past seven years:

For the past seven years, a cyber-espionage group operating out of Russia—and apparently at the behest of the Russian government—has conducted a series of malware campaigns targeting governments, political think tanks, and other organizations. In a report issued today, researchers at F-Secure provided an in-depth look at an organization labelled by them as “the Dukes,” which has been active since at least 2008 and has evolved into a methodical developer of “zero-day” attacks, pulling together their own research with the published work of other security firms to provide a more detailed picture of the people behind a long-running family of malware.

Characterized by F-Secure researchers as a “well resourced, highly dedicated and organized cyberespionage group,” the Dukes have mixed wide-spanning, blatant “smash and grab” attacks on networks with more subtle, long-term intrusions that harvested massive amounts of data from their targets, which range from foreign governments to criminal organizations operating in the Russian Federation. “The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors,” the F-Secure team wrote. “Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

The first known targets of the Dukes’ earliest-detected malware, known as PinchDuke, were associated with the Chechen separatist movement. By 2009 the Dukes were going after Western governments and organizations in search of information about the diplomatic activities of the United States and the North Atlantic Treaty Organization. While most of the attacks have used spear phishing e-mails as the means of injecting malware onto targeted systems, one of their attacks has spread malware through a malicious Tor exit node in Russia, targeting users of the anonymizing network with malware injections into their downloads.

China-Based Cyber Attacks on US Military Are ‘Advanced, Persistent and Ongoing’

Another day, another news item about state-backed Chinese-based cyber attacks. This time Trend Micro has released a comprehensive report detailing how China-based cyber attacks on US military targets are “Advanced, Persistent And Ongoing”:

In its blog announcing the paper, Trend Micro stated that “Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of bytes of data from defense contractors in the U.S., including stolen emails, intellectual property, and strategic planning documents.” The report further details that targets of Iron Tiger included military defense contractors, intelligence agencies, FBI-based partners, and the U.S. government. The private entities were tech-based government contractors in the electric, aerospace, intelligence, telecommunications, energy, and nuclear engineering industries.

Iron Tiger was observed exfiltrating up to 58GB worth of data from a single target, more than was stolen in the Sony attack. It could have potentially stolen up to terabytes of data in total, Trend Micro reports. It is highly environmentally adaptive and otherwise sophisticated and well organized, potentially merely an arm of a larger, multi-teamed operation with various targets.

China is convincingly Iron Tiger’s home base

The primary situs of China as the operatives’ home base was convincingly evidenced by the facts that the operatives used virtual private network (VPN) servers that only accepted China-based registrants, used Chinese file names and passwords, and operated from China-registered domains, according to the report. Some of Iron Tiger’s actions were also attributed to an individual physically located in China.

DoD CIO Says There Is a Need to Make It Cost Prohibitive for Hackers to Conduct Cyber Attacks

DoD CIO Terry Halvorsen is talking tough on cyber, stating there is a need to make it cost prohibitive for hackers to conduct cyber attacks:

“We are on the wrong side of the cyber economic curve,” he said at the summit. “We need to raise barriers to attackers’ entry, making it more expensive to play.”

But how? The answer is multifold, but at least one aspect is automation, mechanizing some of the basic actions and response involved in cybersecurity maintenance, Halvorsen said.

Automation is key to turning around the economics and coping with the speed of the threat, he said at the summit and on the call.

“Automating eliminates the basic [adversarial] players, makes it so you have to raise your game to play,” Halvorsen said. “It reduces the benefit hackers will see and makes it more expensive for hackers to play.”

Another key part is establishing a pervasive, standard-operating-procedure culture of cybersecurity throughout entire enterprises and communities. It’s a worry that Halvorsen said keeps him up at night.

“How do I get a cyber discipline culture, how do I get a cyber economic culture and how do I get a cyber enterprise culture? I think those are the three things that if we got those, almost everything else comes after,” he said. “If I get to the cyber enterprise culture, I’ll start doing integrated, layered defenses, I’ll use automated tools — [joint regional security stacks are] the cornerstone for that — I’ll get the right level of accountability and I will understand the money.”

The only way DoD will get to where it needs to be in cyber security is through a cultural shift. Once senior DoD leaders recognize they are the biggest threat to the enterprise network, and thus stop asking for unnecessarily risky exceptions to DoD policy simply because they are who they are, then DoD may finally realize the type of discipline needed for the future.

US Cyber Command Designing System to Stay Ahead of Hackers but Will Require Manual Data Entry

United States Cyber Command is designing a system to stay ahead of hackers but apparently they are currently incapable of acquiring technology to automate this functionality:

U.S. Cyber Command is building a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons system and installations and help officials prioritize how to fix them, its deputy commander said on Thursday.

Lieutenant General Kevin McLaughlin told Reuters officials should reach agreement on the framework within months, turning the system into an automated “scorecard” in coming years.

McLaughlin said the effort grew out of a disturbing report released earlier this year by the Pentagon’s chief weapons tester, Michael Gilmore. The report warned that nearly every major U.S. weapons system was vulnerable to cyber attacks, and an escalating number of attacks on U.S. computer networks by Russia and China.

Cyber Command staff would do the initial data entry by hand, but the goal was to create a fully automated system that would help defense officials instantaneously detect and respond to any attacks, McLaughlin said after a speech at the annual Billington Cybersecurity Summit.

Here we are in 2015 and US Cyber Command is developing a program designed to perform initial data entry manually. Seriously?

China Following US Lead, Tells US Tech Companies Operating in China to Sign PRISM-Like Cyber-Loyalty Pact

The Chinese government is following the US lead and is now telling US tech companies operating in China to sign a PRISM-like cyber-loyalty pact:

Much of the pledge document is focused on user privacy rights, outlining policies that would give users the right to know where their data was stored, to control how much of their personal data was collected, to opt out of the collection of personal data, and to “choose to install, or uninstall non-essential components [and] to not restrict user selection of other products and services.” The pledge also asks companies to “guarantee product safety and trustworthiness” by taking measures to build security into products, rapidly patch vulnerabilities, and “not install any hidden functionalities or operations the user is unaware of in the product.”

As part of the requirements for “security of user information,” the pledge would require tech companies to “employ effective measures to guarantee that any user information collected isn’t illegally altered, leaked or used.” All data collected from Chinese customers would have to be stored in Chinese facilities and not be moved outside the country “without expressed permission of the user or approval from relevant authorities”—meaning the government would have oversight over what data could be exported for corporate use (and potentially accessed by foreign intelligence organizations).

Finally, the pledge would also require companies to agree to “accept the supervision of all parts of society”—including third-party evaluation of all products to determine they are “secure and controllable…to prove compliance with these commitments.” It is this clause that the Times’ industry sources suggested could be used by the Cyberspace Administration of China to demand access to encrypted data stored in cloud computing services and to provide source code for review.

National Counterintelligence Executive Claims, “Not Our Job to Warn OPM of Cyber Threat”

In response to questions posed by Senator Ron Wyden, National Counterintelligence Executive William Evanina claims it is not the intelligence community’s job to warn OPM of cyber threats:

National Counterintelligence Executive William Evanina wrote a letter to Sen. Ron Wyden answering the Oregon Democrat’s questions about the landmark cyberattack, which has been blamed on the Chinese.

In the response to Wyden’s question of whether the intelligence community assessed the vulnerabilities of a database of highly sensitive background check information that OPM maintained, or whether it offered any advice to OPM, Evanina pointed to bureaucracy.

“Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS),” Evanina wrote. “The statutory authorities of the National Counterintelligence Executive … do not include either identifying information technology (IT) vulnerabilities to agencies or providing recommendations to them on how to secure their IT systems.”

In the short letter, Evanina also defended the decision to maintain a database of the background checks going back as far as 1985, saying it offers the advantage of being able to “assess the ‘whole person’ over a long period of time.”

Obama Warns China on Cyber Spying Ahead of Xi Visit

President Obama warns China on cyber spying ahead of Xi visit:

A person briefed on the White House’s thinking said on Tuesday the United States does not plan to impose sanctions on Chinese entities for economic cyber-attacks ahead of Xi’s visit to avoid what would be seen as a diplomatic disaster.

The United States has emphasized to China that industrial espionage by its government or its proxies in cyberspace goes beyond traditional intelligence gathering, Obama said.

“That we consider an act of aggression that has to stop,” Obama told the Business Roundtable, a lobbying group.

Obama said the United States is preparing measures to show the Chinese “this is not just a matter of us being mildly upset, but is something that will put significant strains on a bilateral relationship if not resolved and that we are prepared to take some countervailing actions.”

White House spokesman Josh Earnest later said Obama was “intentionally non-specific” in the comments and said the US government is “hopeful” that it will not need to use sanctions or other measures against China for cyber-attacks on US commercial targets.

“It is clear that the Chinese government is being responsive to those concerns by at least engaging in a candid discussion of those issues,” Earnest told reporters.

FBI Warns How to Keep Hackers From Causing Chaos at the Gas Pumps

The Federal Bureau of Investigation seems to be trying to get ahead of the so-called cyber attack business, and has issued some warnings about how to keep hackers from causing chaos at the gas pump and other similar tips:

The Defense Advanced Research Projects Agency in 2011 launched a program to help make “the code behind the physical control systems of an airplane or self-driving car,” for instance, “become mathematically, provably unhackable,” Carter said at a future technology forum hosted by the agency.

“DARPA’s already made some of that source code openly available online – it can give the Internet of Things a critical foundation of cybersecurity, which it’s going to need,” he said.

By 2020 there will be 250 million Internet-connected vehicles on the road, according to Gartner. A Wired journalist a few months ago had private researchers remotely kill the transmission of a Jeep on a St. Louis highway — while he was sitting in the driver’s seat.

Intel Establishes Automotive Security Review Board Possibly in Response to Recent Jeep Attack

Intel is attempting to take the industry lead in Internet of Things (IoT) cyber security, and as part of that effort has established a new automotive security review board:

The ASRB researchers will perform ongoing security tests and audits intended to codify best practices and design recommendations for advanced cyber-security solutions and products to benefit the automobile industry and drivers.

Gartner predicts there will be 150 billion connected vehicles on the road by 2020. The transition to a more connected world is exciting and requires that cyber security be addressed.

“Just like with any connected system, there’s no perfect security. But we can raise the bar against cyber-attacks in automobiles,” said Chris Young, senior vice president and general manager of Intel Security. “With the help of the ASRB, Intel can establish security best practices and encourage that cyber-security is an essential ingredient in the design of every connected car. Together we can manage the complexity more quickly and deliver solid cyber-security solutions.”

Disclosure: I work for Intel Security.