Clear and Present: Cyber War Emerging From Infancy in 2011

Last week

But 2011 is the year that cyber warfare emerged from its infancy. It is now more than a threat – it is clear and present.

The latest hacking has already stirred up trouble between the US and Japan, sparked an international round of accusations against China, and left observers wondering who, and what, will be hit next. And a hit there will be.

The Mitsubishi Heavy hacking comes on the heels of a string of breaches involving corporate and military espionage, in a landscape that rapidly escalated from distributed denial-of-service attempts to attacks involving sophisticated malware.

The first cyber-attacks supposedly involving governments occurred in August 2009, when Russia reportedly engaged in a simultaneous distributed denial-of-service attack against Google, LiveJournal and Facebook in an attempt to silence a Georgian journalist going by the "Cyxymu" alias.

Operation Aurora is another notorious example of a cyber-attack allegedly originating from a government and aimed at high-profile companies in the “Internet, finance, technology, media and chemical sectors.” The attack was carefully planned and carried out through a series of 0-day exploits identified by BitDefender as Exploit.Comele.A. Not only did it lead to the theft of intellectual property, but the attack also exposed information pertaining to a group of Chinese dissidents.

Mid-2010 raised the bar in cyber-war between governments. The emergence and rapid spread of Stuxnet, one of the most sophisticated pieces of malware of the past decade, crippled Iran’s nuclear program by destroying approximately 1,000 centrifuges at the nuclear facility in Natanz. The worm took advantage of five 0-day exploits in the Windows operating system to spread unhindered from one computer to another. More than that, it was designed to update its malicious code in an environment with limited connectivity to the Internet, in order to avoid raising suspicion.

As Stuxnet required in-depth knowledge of industrial processes in a nuclear facility, paired with even better knowledge of how SCADA systems operate, it’s clear that the worm was developed for military purposes rather than by cyber-criminals looking for money.

The Anonymous Era

Early 2011 brought another form of cyber-espionage in the shape of hacktivism initiated by a team of cyber-criminals, self-titled “Anonymous” or “Legion”. They have been active since 2004, when they attacked HBGary Federal, a technology security company that sells its products to the US Government. The hack resulted in the defacement of the website’s welcome page and in a massive data leak that allowed the attackers to seize about 68,000 classified e-mails containing highly sensitive details about strategic civil plans, as well as military operations related to the development of “astro-turfing” software (an application that can create a huge number of fake social media profiles to manipulate public opinion).

All fingers started pointing again at the Chinese government in June 2011, as Google shed light on an attack targeting Gmail accounts of senior U.S. and South Korean government officials as well as military personnel and Chinese journalists. Cyber-criminals behind the attack used advanced social engineering techniques and composed messages plausible enough to convince victims to open them and execute an attachment.

These specific attachments were nothing but phishing pages strikingly similar to the Gmail login page, which actually sent the login credentials to the hacker. The compromised e-mail accounts were ransacked in search of classified information the inbox owner might have forwarded from the work e-mail to the personal inbox. The extent of the data leak is yet to be determined.

Last week, China was again blamed after news about the Mitsubishi Heavy Industries breach erupted in the media. The Japanese weapons maker confirmed its network was compromised by currently unknown attackers seeking sensitive intelligence on products developed by MHI, including submarines, warships and missiles. The attack followed the same vectors as the one against the US and South Korean government officials: spear-phishing messages aimed at tricking victims into installing spyware on work computers.

If hacking attacks against medium or large businesses have a huge impact (as happened in the case of the Sony PlayStation Network), the damage against militaries or governments is difficult to estimate. Once again, the weakest link proves to be the human factor that cracks under the right amount of social engineering. And, while corporate hacks have an impact on finances and individuals, military breaches affect whole nations and might shake the fragile balance of diplomatic relations.

The past two years have taught us that corporate and military-grade firewalls are unable to fully protect the valuable assets stored on the network. If, up until now, setting firewall rules to discard executable attachments would suffice, the sheer number of exploits in popular applications (such as the widely popular Adobe Reader or Flash Player) has made it nearly impossible for system administrators to efficiently manage the risks associated with e-mail attachments.
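The paragraph above makes the point that dropping attachments by extension is no longer enough, because a document that Adobe Reader or Flash Player opens willingly can carry the exploit. The following triage routine is an added example written for this page (it is not Bitdefender code and not from any product mentioned here): it identifies an attachment by its leading bytes rather than its file name, flags executables regardless of extension, and flags PDFs that declare active content such as `/OpenAction` or `/JavaScript`. The signature table, the attachment names and their contents are all constructed for the example.

```python
import os
from dataclasses import dataclass, field

# Leading-byte signatures used to identify content independently of the
# file name. Constructed table for this example; real gateways use a far
# longer list and a proper file-type library.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF": "pdf",
    b"FWS": "flash-swf",
    b"CWS": "flash-swf",
    b"ZWS": "flash-swf",
    b"PK\x03\x04": "zip",
}

# What the extension claims the file is.
EXTENSION_TYPES = {
    ".exe": "pe-executable", ".pdf": "pdf", ".swf": "flash-swf",
    ".zip": "zip", ".txt": "text",
}

# PDF dictionary keys that mark active content worth a closer look.
PDF_ACTIVE_MARKERS = (b"/OpenAction", b"/JavaScript", b"/Launch", b"/AA")


@dataclass
class Verdict:
    filename: str
    declared: str          # type implied by the extension
    detected: str          # type implied by the leading bytes
    findings: list = field(default_factory=list)

    @property
    def quarantine(self) -> bool:
        """Any finding at all is enough to hold the message for review."""
        return bool(self.findings)


def detect_type(data: bytes) -> str:
    """Classify content by its leading bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Compare the claimed type with the real one and inspect PDFs for active content."""
    ext = os.path.splitext(filename)[1].lower()
    declared = EXTENSION_TYPES.get(ext, "unknown")
    detected = detect_type(data)
    verdict = Verdict(filename, declared, detected)

    # Executables are held whatever the file name says.
    if detected in ("pe-executable", "elf-executable"):
        verdict.findings.append("executable content")

    # A known extension that disagrees with the content is the classic
    # "renamed .exe" trick and is flagged even if the content looks harmless.
    if "unknown" not in (declared, detected) and declared != detected:
        verdict.findings.append(f"extension/content mismatch ({declared} vs {detected})")

    # Documents that auto-run something on open are the drive-by vector
    # the article describes; flag each marker present.
    if detected == "pdf":
        for marker in PDF_ACTIVE_MARKERS:
            if marker in data:
                verdict.findings.append(f"pdf active content: {marker.decode()}")

    if detected == "flash-swf":
        verdict.findings.append("flash content")

    return verdict


# Constructed sample attachments (not real files from any incident).
SAMPLES = {
    "quarterly.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF",
    "invoice.pdf": (b"%PDF-1.6\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                    b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF"),
    "brief.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # executable renamed to .pdf
    "notes.txt": b"Meeting moved to 10:00.",
}


def triage_all(samples: dict) -> dict:
    """Run triage over a mapping of filename -> bytes and return the verdicts."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        state = "QUARANTINE" if verdict.quarantine else "deliver"
        print(f"{name:15} {verdict.detected:15} {state:11} {verdict.findings}")
```

The point of the design is that the file name never decides the outcome: `brief.pdf` is held because its bytes are a PE executable, and `invoice.pdf` is held because it announces an action to run on open, while the plain document and the text note pass. A real gateway would add archive inspection and a sandbox, but the same two questions (what is this really, and does it try to run something) are where attachment policy has to start once extension rules stop working.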

As technology develops, newer ways of protecting the user must be envisioned to keep pace with the cyber-criminals’ developments. Social networking threats, malicious e-mail attachments and zero-day exploits that can wreak havoc on your computer when you simply visit a webpage are here already. Imposing restrictions on which websites may be visited or which services may be accessed from the office no longer works, as it only leads to users trying to circumvent them, even by passing their information through third-party, unverified proxy servers. The only viable solution is to continuously educate the end-user about the dangers of exposing the company or institution by ignoring IT department rules (such as setting weak or easy-to-guess passwords, or moving classified information outside the facility). Of course, state-of-the-art antivirus software also comes in handy by relieving the end-user of the stress of getting infected through a drive-by web exploit.

About the author

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.