Title: Paul M. Joyal, NSI Managing Director, Public Safety
Slide 1: Paul M. Joyal, NSI Managing Director, Public Safety and Homeland Security Practice
- Cyber Espionage and Criminal Hacking: The New Threat Matrix
GovSec US Law Conference, March 23-24, 2010
Slide 2: Cyber Threat Actors
- "Cyber threats to federal information systems and cyber-based critical infrastructures can come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization."
- Gregory C. Wilshusen, Director, Information Security Issues, Government Accountability Office, 2009
Slide 3: Cyber Crime Increases in the Private Sector
- More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals.
- The attack targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to NetWitness.
Slide 4: Cyber Crime and Espionage
- Ten government agencies were penetrated, none in the national security area, NetWitness said.
- The systems penetrated were mostly in the United States, Saudi Arabia, Egypt, Turkey and Mexico.
- Some estimate the global cyber-crime business amounts to 100 billion a year.
Slide 5: Cyber Crime Cash is Bigger than the Narcotics Trade
- Cyber-crime, by some estimates, has outpaced the amount of illicit cash raked in by global drug trafficking.
- Hackers from Russia and China are among the chief culprits, and the threat they pose now extends far beyond spam, identity theft and bank heists.
- "The Internet can now be used to attack small countries. There are Russian and Chinese hackers that have the power to do that." Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky Lab
Slide 6: Criminals are Spamming the Zeus Banking Trojan to Attack Government Computers
- According to one state government security expert who received multiple copies of the message, the e-mail campaign, apparently designed to steal passwords from infected systems, was sent exclusively to government (.gov) and military (.mil) e-mail addresses.
- The messages appear to have been sent by the National Intelligence Council (the address used was nic_at_nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence.
Slide 7: E-Mail Spoofs the National Security Agency
- The e-mails urge recipients to download a copy of a report named "2020 Project". Another variant is spoofed to make it look like the e-mail is from admin_at_intelink.gov. The true sender, as pulled from information in the e-mail header, is nobody_at_sh16.ruskyhost.ru.
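The header check the slide describes, comparing the displayed From: address with the sender recorded by the mail transport, as an added example that is not part of the presentation. The message, its IP address and the `PROTECTED_DOMAINS` list are constructed for illustration, with "@" written where the slide prints "_at_".

```python
# Added example (not from the presentation): flag an e-mail whose visible
# From: domain does not match the sender recorded in the transport headers,
# the check the slide describes. The message is constructed for illustration
# and uses "@" where the slide prints "_at_".
from email import message_from_string
from email.utils import parseaddr
import re

SAMPLE_MESSAGE = """\
Return-Path: <nobody@sh16.ruskyhost.ru>
Received: from sh16.ruskyhost.ru (sh16.ruskyhost.ru [198.51.100.7])
\tby mail.example.gov with ESMTP; Tue, 16 Feb 2010 10:02:11 -0500
From: National Intelligence Council <nic@nsa.gov>
To: analyst@example.gov
Subject: 2020 Project report

Please download the attached copy of the 2020 Project report.
"""

# Domains a lure like this one impersonates; extend for your environment.
PROTECTED_DOMAINS = {"nsa.gov", "intelink.gov"}

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def relay_host(received: str) -> str:
    """Host named after 'from' in a Received: header, '' if none."""
    m = re.search(r"from\s+([\w.-]+)", received)
    return m.group(1).lower() if m else ""

def assess_spoof(raw: str) -> dict:
    """Compare From: with Return-Path and the originating relay."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    # Received: headers are prepended by each hop, so the last one in
    # header order is the first hop: the relay that injected the message.
    received = msg.get_all("Received") or []
    relay = relay_host(received[-1]) if received else ""
    findings = []
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} != From {from_domain}")
    if relay and relay != from_domain and not relay.endswith("." + from_domain):
        findings.append(f"first-hop relay {relay} is outside {from_domain}")
    return {"from_domain": from_domain, "return_path_domain": return_domain,
            "relay": relay, "impersonates_protected": from_domain in PROTECTED_DOMAINS,
            "suspicious": bool(findings), "findings": findings}
```

Run `assess_spoof(SAMPLE_MESSAGE)` to see both findings for the constructed lure; a message whose Return-Path and first-hop relay sit in the From: domain produces none.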
Slide 8: Growth of Cyber Threats
[Chart, 1980 to 2009: sophistication of available tools growing while the sophistication required of actors declines. Plotted from low to high: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, burglaries, hijacking sessions, disabling audits, network mngt. diagnostics, back doors, GUI, sweepers, automated probes/scans, sniffers, www attacks, packet spoofing, distributed attack tools, denial of service, cross site scripting / phishing, sophisticated C2, stealth/advanced scanning techniques, staging, convergence. Events marked: Estonia DoS, Russia invades Georgia.]
Slide 9: The Vulnerability Matrix
[Diagram of threat vectors against sectors and assets.]
- Threat vectors: viruses and worms; wireless; broadband connections; insiders; configuration problems; home users.
- Sectors: emergency services; government; transportation; rail; banking; chemical; oil; natural gas; telecom; water and waste water; e-commerce.
- Assets counted: 5,800 registered hospitals; 5,000 airports; 300 maritime ports; 3,000 govt. facilities; 2,800 power plants; 104 commercial nuclear plants; 26,000 FDIC institutions; 66,000 chemical plants; 150,000 miles of transmission lines; 300,000 production sites; 130 overlapping grid controllers; 120,000 miles of major rails; 2 billion miles of cable; 2 million miles of pipelines; 1,600 municipal wastewater facilities; 80,000 dams.
Slide 10: CIA Report: Cyber Extortionists Attacked Foreign Power Grid, Disrupting Delivery
- Tom Donahue, the CIA's top cybersecurity analyst, said, "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge."
- "We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States."
Slide 11: Could These Probes Come from China?
- Jian-Wei Wang and Li-Li Rong, Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology, reached a counter-intuitive conclusion in a published journal paper: attacks on the power grid nodes with the lowest loads are more harmful than attacks on the nodes with the highest loads.
Slide 12: Cascade-Based Attack Vulnerability of the US Power Grid
- They published these findings in a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S. electrical grid.
- While some maintain that the research promotes a defense posture, Mr. Wang's research subject was particularly unfortunate because of the widespread perception, particularly among American military contractors and high-technology firms, that adversaries are planning to attack critical infrastructure like the United States' electric grid.
Slide 13: The Cyber Threat
- Assessing the threat (like a criminal threat)
[Diagram: THREAT at the intersection of Behavioral Profile, Technical Feasibility and Operational Practicality]
Slide 14: Cyber Infrastructure
Slide 15: Russia's NSA (FAPSI) also Identified in Cyber Theft
- In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington. The interloper sent information to computers in Moscow, NASA documents show.
- U.S. investigators fear the data ended up in the hands of a Russian spy agency.
Slide 16: Russia's NSA (FAPSI) also Identified in Cyber Theft
- A team of agents from NASA, the FBI, and the U.S. Air Force Office of Special Investigations followed the trail of what they concluded was a criminal hacking ring with dozens of Internet addresses associated with computers near Moscow.
- The investigators made an even more alarming discovery, according to people familiar with the probe: the cyber-crime ring had connections to a Russian electronic spy agency known by the initials FAPSI.
Slide 17: European Credit Card Crime Accelerates
- Card-related crime is the fastest-growing criminal activity in the United Kingdom and throughout Europe. Payment card systems are under unprecedented attack from well-organized and well-financed criminal gangs.
Slide 18: Card Fraud Plagues Europe; Some Say It's FAPSI
- The payments business is increasingly the subject of organized, methodical attacks by Russian criminals, characterized by high technical sophistication and even including access to systems designed by FAPSI, the Russian state cryptographic agency.
- "We've seen techniques that could only have come from FAPSI," says Jan Eivind Fondal, director of risk management at Europay Norge in Oslo, Norway. "It's beyond anything we've seen. It's a new breed of fraudster." "He had covered his tracks in a way only a security professional would."
Slide 19: Russian Viruses Attack Banks
- Russian hackers rely on viruses that record keystrokes as customers type log-ins and passwords. Russian-made viruses are believed to be behind several major online heists, including the theft of 1 million from Nordea Bank in Sweden in 2007 and 6 million from banks in the United States and Europe that same year.
- Viruses and other types of malware are bought and sold for as much as 15,000.
- Rogue Internet service providers charge cyber-criminals 1,000 a month for police-proof server access.
Slide 20: Russian Hacking Flourishes as a Cyber-Criminal Ecosystem
- Russian hacking flourishes as a cyber-criminal ecosystem of spammers, identity thieves and botnets, vast networks of infected computers controlled remotely and used to spread spam, denial-of-service attacks or other malicious programs. A denial-of-service attack floods a Web site with inquiries, forcing its shutdown.
- Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky Lab, one of the world's leading computer security firms.
Slide 21: RBN: First Cyber Strike on Georgia Was Not Hacktivists
- "The individual with direct responsibility for carrying out the cyber 'first strike' on Georgia is a RBN operative named Alexandr A. Boykov of Saint Petersburg, Russia. Also involved in the attack was a programmer and spammer from Saint Petersburg named Andrey Smirnov."
- These men are leaders of RBN sections and are not "script-kiddies" or "hacktivists," as some have maintained of the cyber attacks on Georgia, but senior operatives in positions of responsibility with vast background knowledge.
Slide 22: RBN, Prime Mover
- Intelligence can suggest further information about these individual cyber-terrorists. According to Spamhaus SBL64881, Mr. Boykov operates a hosting service in Class C Network 79.135.167.0/24.
- It should be noted that the pre-invasion attacks emanated from 79.135.167.22, clearly showing professional planning and not merely hacktivism. Due to the degree of professionalism and the required massive costs to run such operations, a state sponsor is suspected.
Slide 23: Known Russian Business Network Routes Identified
- The IP addresses of the range 79.135.160.0/19 are assigned to Sistemnet Telecom to provide services to companies who are classified as engaging in illicit activities such as credit card fraud, malware and so on.
- 79.135.160.0/19 Sistemnet Telecom and AS9121 TTNet (Turkey) are associated with AbdAllah_Internet, which is linked with cybercrime hosting such as thecanadianmeds.com. These are known Russian Business Network routes.
Slide 24: Hacking for Money and Politics in Russia
- And when it's not money that drives Russian hackers, it's politics, with the aim of accessing or disabling the computers, Web sites and security systems of governments opposed to Russian interests. That may have been the motive behind a recent attack on Pentagon computers.
- A new generation of Russian hacker is behind America's latest criminal scourge. Young, intelligent and wealthy enough to zip down Moscow's boulevards in shiny BMWs, they make their money in cyber-cubbyholes that police have found impossible to ferret out.
Slide 26: RSA 2010 Conference: Malware Industry Getting Increasingly Professional, Warn Experts
- The Russian Business Network (RBN), one of the most powerful and extensive malware and hacking organisations, has been buying time on Amazon's EC2 platform to build malware and attack passwords, according to Ed Skoudis, founder of security consultancy InGuardians.
Slide 27: Russian Cyber Attack Model as Seen in the Estonia and Georgia Attacks: Information Warfare
- The Kremlin, with the help of the FSB, targets opposition Web sites for attack.
- Attack orders are passed down through political channels to Russian youth organizations whose members initiate the attack, which gains further momentum through crowd-sourcing.
Slide 28: Russian Cyber Attack Model: Information Warfare
- Russian organized crime provides its international platform of servers from which these attacks are launched, which in some cases are servers hosted by badware providers in the U.S.
- LESSON
- For DoD planners and policy makers, an awareness of this model should trigger a re-evaluation of the approach that is taken in our cyber security strategy.
Slide 29: Iranian Crackdown Goes Global; RBN Supports Efforts to Track Dissidents
- A Wall Street Journal investigation shows Iran is extending its crackdown to Iranians abroad. Part of the effort involves tracking the Facebook, Twitter and YouTube activity of Iranians around the world, and identifying them at opposition protests abroad. People who criticize Iran's regime online or in public demonstrations are facing threats intended to silence them.
- Caught by surprise by the power of social media during the disputed election, Tehran has commissioned white paper studies by the Research Center of Islamic Republic of Iran Broadcasting (crspa.ir) to "study the role of social capital in knowledge sharing".
- The crspa.ir web site has been assisted by the Russian Business Network at the well known RBN IP address 61.61.61.61, which is home to many of the RBN's spam, scam, and malware DNS servers.
Slide 30: Local Governments Are Defrauded Also
- The New York town of Poughkeepsie reported that thieves had broken into the town's bank account and stolen 378,000 in municipality funds.
- Poughkeepsie officials said 95,000 was recovered from a Ukrainian bank.
Slide 31: China Acquires US Rocket Engine Designs
- Four years later, in 2002, an online intruder penetrated the computer network at the Marshall Space Flight Center in Huntsville, Ala., stealing secret data on rocket engine designs, information believed to have made its way to China, according to interviews and NASA documents.
Slide 32: Data Flows to China
- Howard A. Schmidt, a technology consultant who served as a White House special adviser on cyber-security from 2001 to 2003, concurs.
- "All indications are that the attacks are coming in from China," he says, "and the data is being exfiltrated out to China."
Slide 33: Intelligence Chief on the Cyber Challenge
- "But cybersecurity is the soft underbelly of this country." Mike McConnell told a group of reporters, Jan. 16, 2009
- "If we were in a cyberwar today, the United States would lose." Mike McConnell, testimony to Congress, February 23, 2010
Slide 34: "Cyber Shockwave," Feb. 17, 2010
- Cyberattack Drill Shows U.S. Unprepared
- A group of high-ranking former federal officials scramble to react to mobile phone malware and the failure of the electricity grid in a staged exercise.
- Imagine what would happen if a massive cyber attack hit the U.S., crippling mobile phones and overwhelming both telephone infrastructure and the electricity grid.
Slide 35: RF's Military Doctrine and Principles of State Policy on Nuclear Deterrence to 2020, on Information Warfare
- In the RF's Military Doctrine and Principles of State Policy on Nuclear Deterrence to 2020, the following sections relate to information warfare:
- 12. (d) Acknowledgment of the intensification of the role of information warfare in contemporary military conflict.
- 13. (d) The prior implementation of measures of information warfare in order to achieve political objectives without the utilization of military force and, subsequently, in the interest of shaping a favorable response from the world community to the utilization of military force.
- 41. The tasks of equipping the Armed Forces and other troops with armaments and military and specialized equipment are (c) to develop forces and resources for information warfare.
- But what if 41 (c) said to develop state and non-state actors as forces in the use of information warfare?
- Can you imagine the uproar that would occur if Russia had outed its own use of non-state actors? Well, that's essentially what this document has done for the U.S. government.
Slide 36: From Russian Military Thought Leaders
- "There is no need to declare war against one's enemies and to actually unleash more or less large military operations using traditional means of armed struggle. This makes plans for hidden war considerably more workable and erodes the boundaries of organized violence, which is becoming more acceptable."
- Viruses are viewed as force multipliers that can turn the initial period of war into pure chaos if they are released in a timely manner. (See the Russia-Georgia War.)
Slide 37: Make No Mistake: You and America Are the Target
- Protect your computer
- You are only a click away from anywhere in the world
- Report to the FBI or appropriate US Government agencies any cyber attempts to compromise your identity or accounts
- If you see something, say something
- Get involved and stay vigilant
- It takes a network to defeat a network
- You are part of our network
Slide 38: NSI Managing Director, Public Safety and Homeland Security Practice
1400 Eye Street NW, Suite 900, Washington, DC 20005
T 202.349.7005 (direct), M 571.205.7126
pjoyal_at_nationalstrategies.com, www.nationalstrategies.com