17 August 2020

Information Warfare: Licensed To Ill


August 12, 2020: In July 2020 it was revealed that in 2018 the U.S. president secretly gave the CIA permission to take more aggressive action against hacker groups that have been responsible for attacks on the United States. This explained several mysterious incidents where anti-American hacker groups had details of their group and its membership revealed. Then there were incidents where these anti-American hackers had their operations sabotaged or otherwise disrupted. There were also cases where anti-American hackers had their identities and much personal information made public. For a while the victims didn’t realize they were under attack by a Cyber War opponent.

The CIA, NSA and Department of Defense had long been asking for this authority. Granting it to the CIA allowed the CIA to bring in NSA and Department of Defense experts for joint operations. Russian hackers have been responsible for a lot of the successful hacking operations inside the United States. Chinese, North Korean and Iranian hackers have also been very active and they are also on the CIA target list. The exact composition of the target list is secret as are the attack operations carried out against the major hacking groups.

Hacking has been around since the 1980s and with the growth of the Internet became big business. Hacking went from masses of individuals or small groups to larger, professional and longer-lasting groups. These came to be called APTs (Advanced Persistent Threat) organizations. APTs are well organized and very active hacker groups that are sometimes created and often sustained by governments or major criminal gangs. APTs exist all over the world, especially in larger nations that have large numbers of well-educated but unemployed technical people.


All APTs are given a number, as in APT23 or APT34, and often a name as well. Many APTs stick with criminal activities over a long period, concentrating on stealing money, or information they can sell. In some cases, APTs get involved in national rivalries that have already been going on for a long time. An example of this is the decades-old online conflict between India and Pakistan. This conflict is unique and deemed a Cyber War for several reasons. First, it has involved numerous attacks on military and government networks to steal information or plant malware that can later be activated to crash the network temporarily. Many other attacks are against media to sway public opinion over issues like Pakistani efforts (since the late 1940s) to annex Indian Kashmir, or to accuse the other side of promoting terror and disorder. As the number of damaging incidents grew, the victims began to notice they had something in common.

All this reflects trends in computer hacking, which has gone pro since the late 1990s. One side effect is the many tools and techniques hackers created to carry out these Cyber War attacks. What this all means is that nations see Cyber War weapons as major components of their military power, because the Cyber War weapons available keep getting more effective. This evolution came into focus after the Internet and the World Wide Web became widely used and truly international after 2000. Within a decade, researchers began to encounter major APTs. Since then the APTs have become scarier. Consider TajMahal and the White Company. These major malware producers and users came to be called APTs, and that said it all. The White Company was discovered in 2017 by computer security companies as this new APT quietly tried to hack its way into Pakistani Air Force networks. White Company was deliberate, effective and discreet. It was called the “white” company because the group placed a premium on concealing its operations as well as its origins. This sort of thing was first noted in 2010 when Stuxnet was discovered and attributed to an Israeli-American state-level effort that produced a very elaborate, professional and stealthy bit of malware that did major damage to the Iranian nuclear program. In 2018 Iran was hit with a similar attack, but this Stuxnet-like malware was even more elaborate, its source is still unknown and the Iranians would rather not talk about it. In 2020 there was another well publicized series of Cyber War battles between Israel and Iran.

Israel, like many other advanced tech nations, has the equivalent of APTs on the government payroll. As government employees these civil service hackers must be careful when working with black hats (criminal APTs) but sometimes such cooperation is the way to go. This tends to be classified top secret and rarely makes the news. In some countries government use of APTs is more frequent and open. Such use of gangsters by government is an ancient practice. The ancient Romans were quite adept at it and even the United States often does it, and not just to the extent of having CIs (Confidential Informants) within criminal organizations. In some countries, like Russia and China, the relationship between government and APTs is more open and formalized. Typically, the APT will make itself available to their government as needed and also give preference to their own government when seeking a buyer for some valuable commercial data they have stolen.

Western democracies must be more discreet about this sort of thing, but there is an international market for items stolen and offered for sale by APTs. All major nations participate, for they cannot afford not to. Cryptocurrencies like bitcoin have made it easier for APTs and governments to do business with each other. Intelligence agencies often participate, not only to purchase choice items but also to collect information about what is being offered, by whom and for whom. Intel agencies eventually get enough experience monitoring these transactions, and the Cyber War activities of other nations, to develop a good sense of who is selling what and who is buying.

Sometimes the secrecy is surprisingly effective. Such was the case with North Korea, which slowly developed state run APTs during the 1990s and quietly unleashed them on their enemies or any vulnerable victims. By 2017 it was clear that North Korean APTs were becoming a major threat. The North Koreans do it mainly for the money because North Korea is always broke and run by a ruthless but economically inept dictator. The North Korean Cyber War threat has been one of the many revelations in the last decade. Long believed to be nonexistent, North Korean cyberwarriors did exist. North Korea has had personnel working on Internet issues since the early 1990s, and their Mirim College program quietly trained a growing number of Internet engineers and hackers. North Korea has a unit devoted to Internet-based warfare and this unit is increasingly active. North Korea is now considered a major player and it not only maintains some major APTs but often hires foreign ones, usually Chinese.

China is a major user of APTs for economic, industrial and military espionage. This was a direct threat to India and an inspiration for Pakistan. Both these South Asian nations were slow to get into large scale and APT grade hacking but now they are both at it, mainly against each other. Both nations have a lot of local talent (software engineers and proficient amateurs) and for a long time, the attacks were unorganized and mostly directed at low-level activities like defacing websites and engaging in opinion manipulation on a larger and larger scale. Meanwhile, India was subject to more professional attacks by Chinese and North Korean APTs that led to the Indians mobilizing their own APTs, mainly to deal with Pakistan and, to a lesser extent, China. India sees China as the major threat and Pakistan as more a nuisance, but one with nuclear weapons.

India and Pakistan also noted that what most of these APT level efforts had in common was the exploitation of human error. A case in point is the continued success of attacks via the Internet against specific civilian, military, and government individuals using psychology, rather than just technology. This sort of thing is often carried out in the form of official looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting but from someone they recognize. This is known in the trade as "spear phishing" (a targeted form of "phishing"), a Cyber War technique that sends official looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the email recipient's PC to the spear phisher's computer. For the last few years an increasing number of military, government, and contractor personnel have received these official-looking emails with a PDF document attached and asking for prompt attention. This is what the White Company used on a large, and detailed, scale against the Pakistani Air Force. Since India and Pakistan share a similar culture and languages, it is easier for both nations to create compelling spear phishing attacks using convincing cover letters.
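The lure described above (a recognised sender name on an address that person never uses, replies steered elsewhere, an attachment, and a demand for prompt attention) can be triaged mechanically at the mail gateway. What follows is an added example, not code from the original article or from any group or vendor it names. It parses a raw message with the Python standard library and lists the indicators it finds; the contact list, the domains and both sample messages are constructed for the demo.

```python
"""Heuristic triage of inbound mail for the spear-phishing pattern.

Added example, not from the original article. Uses only the standard
library to parse a raw RFC 5322 message and flag the classic lure:
a display name staff recognise, an address that does not belong to
that person, a Reply-To pointing elsewhere, an attachment, and
pressure to act now. All names, domains and messages are constructed.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed address book: recognisable display names and the only
# address each legitimately sends from (assumption for the demo).
KNOWN_CONTACTS = {
    "col. ravi sharma": "ravi.sharma@example-ministry.gov.test",
    "directorate admin": "admin@example-ministry.gov.test",
}
URGENCY_WORDS = ("urgent", "immediately", "prompt attention", "by end of day")
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".hta", ".docm", ".xlsm")
DOCUMENT_EXTS = ("pdf", "doc", "docx", "xls", "xlsx")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return the list of indicators found in one raw message (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. A recognised name on an address that person never uses.
    expected = KNOWN_CONTACTS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("known contact's display name on an unexpected address")

    # 2. Replies are steered to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append("reply-to domain differs from sender domain")

    # 3. Attachments: outright executables, or a document extension used to
    #    disguise something else (e.g. report.pdf.exe).
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    for name in attachments:
        parts = name.lower().split(".")
        if name.lower().endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment: {name}")
        elif len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension hides type: {name}")

    # 4. Pressure to act now, weighted higher when paired with an attachment.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(word in text for word in URGENCY_WORDS):
        reasons.append("urgency wording")
        if attachments:
            reasons.append("attachment pushed with urgency")

    return reasons


def is_suspicious(raw, min_indicators=2):
    """Two or more independent indicators is the demo's quarantine threshold."""
    return len(triage(raw)) >= min_indicators


# Constructed sample: the lure the article describes (PDF, urgency, known name).
SAMPLE_LURE = """From: "Col. Ravi Sharma" <ravi.sharma@mail-relay.example.net>
Reply-To: <docs@collector.example.org>
To: ops@example-ministry.gov.test
Subject: URGENT: revised deployment schedule - needs prompt attention
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached schedule immediately.

--b1
Content-Type: application/pdf; name="schedule.pdf"
Content-Disposition: attachment; filename="schedule.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: routine internal mail from the real address, no attachment.
SAMPLE_LEGIT = """From: "Col. Ravi Sharma" <ravi.sharma@example-ministry.gov.test>
To: ops@example-ministry.gov.test
Subject: Minutes from Tuesday's planning meeting

Minutes are on the shared drive as usual. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(raw), triage(raw))
```

The check deliberately scores the combination rather than any single feature: a PDF attachment or an urgent subject line on its own is ordinary office traffic, while a recognised name arriving from an unfamiliar domain with a redirected Reply-To is the part that a user reading the mail is least likely to notice.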

China has been a major user of spear phishing, and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spear phishing payloads. This has led to China becoming the home of nearly half the APTs known to exist. The methods and source of many spear phishing attacks have been traced back to China. In 2010, Internet security researchers discovered a China-based espionage group, called the Shadow Network, which had hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. Examination of the viruses and related bits of computer code indicated that most of this stuff was created by Chinese speaking programmers, while all movement of commands and stolen data led back to servers in China.

China's Cyber War hackers have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical bits of code (the human-readable text that programmers create and then turn into smaller binary code for computers to use), and techniques for using it, in hacking software used against Tibetan independence groups and commercial software sold by some firms in China and known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this. The White Company is a good example of that.
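The attribution described above rests on a simple observation: a group that reuses a routine, an embedded string or a configuration blob leaves the same bytes in otherwise different files. As an added example (not from the article; the three "samples" are constructed stand-ins, not real malware), the following compares files by sliding-window byte n-grams, extracts the longest identical run, and groups samples that share a fragment long enough to be more than coincidence.

```python
"""Finding shared code fragments across samples for attribution.

Added example, not from the original article. Mechanics only: compare
files as sets of byte n-grams, pull out the longest identical byte run,
and cluster samples that share a run long enough to rule out chance.
The fragment and fillers below are constructed, not real malware.
"""
import random
from difflib import SequenceMatcher
from itertools import combinations

N = 8          # n-gram width in bytes; wide enough that chance matches are rare
MIN_RUN = 16   # shortest identical run treated as evidence of shared code

# Constructed stand-in for a reused routine (a generic function prologue) plus
# an embedded configuration string, the kind of fragment that is copied
# unchanged from one tool to the next.
SHARED_FRAGMENT = bytes.fromhex("55 8b ec 83 ec 40 53 56") + b"ConfigDecryptKey_v2"


def _filler(seed, length=160):
    """Deterministic pseudo-random bytes standing in for unrelated code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed corpus: a and b carry the fragment, c is unrelated.
SAMPLES = {
    "sample_a": _filler(1) + SHARED_FRAGMENT + _filler(2),
    "sample_b": _filler(3) + SHARED_FRAGMENT + _filler(4),
    "sample_c": _filler(5) + _filler(6),
}


def ngrams(data, n=N):
    """Set of all n-byte windows in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_ngram_count(a, b):
    """How many n-byte windows two files have in common."""
    return len(ngrams(a) & ngrams(b))


def longest_shared_run(a, b):
    """Longest byte sequence present in both files (autojunk off: every byte counts)."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def compare(samples):
    """Pairwise report: (name1, name2, shared n-grams, longest identical run)."""
    return [
        (x, y, shared_ngram_count(samples[x], samples[y]),
         longest_shared_run(samples[x], samples[y]))
        for x, y in combinations(sorted(samples), 2)
    ]


def cluster(samples, min_run=MIN_RUN):
    """Group samples connected by an identical run of at least min_run bytes."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for x, y, _, run in compare(samples):
        if len(run) >= min_run:
            parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for x, y, shared, run in compare(SAMPLES):
        print(f"{x} vs {y}: {shared} shared {N}-grams, longest run {len(run)} bytes: {run!r}")
    print("clusters:", cluster(SAMPLES))
```

The n-gram count is a cheap first pass over a large corpus; the longest-run extraction is the slow step that turns a score into a quotable fragment a researcher can search for in other files, which is exactly how a reused snippet gets linked from one campaign to another.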

It's also been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined and go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That's how so many hackers are tracked back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

The East Europeans have been at this longer, and most of the hackers work for criminal gangs, who enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect when they are breaking in, and much more difficult to track down. Because of these characteristics the East Europeans go after more difficult (and lucrative) targets. Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents who often slip over to the dark side and scam fellow Chinese. This is forbidden by the government, and these hackers are sometimes caught and punished, or simply disappear. The Chinese hackers are, compared to the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers, but they often lack adult supervision or some Ukrainian gangster ready to put a bullet in their head if they don't follow orders exactly.

For Chinese hackers that behave (don't do cyber crimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can't handle. This was seen recently when a group of hackers were caught trying to get into a high-security network in the White House, the one dealing with emergency communications with the military and nuclear forces. Such amateurs are often caught and prosecuted. But the pros tend to leave nothing behind but hints that can be teased out of heavy use of data mining and pattern analysis.

India, which has always been a democracy since independence in 1948, cannot be as ruthless as dictatorships like China, Iran and North Korea. All the democracies are in the same situation, although none have such dedicated and openly hostile foes as India and Israel do. The United States has a lot of enemies and was the largest user of the Internet in the world, although it is being overtaken by China in that department. While much is heard about Chinese hackers and APTs plundering the U.S. via the Internet, less is publicized about who is doing what to China via the Internet. China is suffering losses but, as a police state, can keep a lot of the details out of the global mass media.

It is believed that the CIA’s new authority to carry out offensive Cyber War operations includes going into Chinese networks to find out how much China has stolen, who uses the stolen data and how it was stolen. This sort of thing involves major hacks against the Chinese, who are known to be more vulnerable than many Western nations. It was because of all this that the CIA, NSA and Department of Defense were long asking for permission to fight, or “hack” back. Now they have it, or at least the CIA does. That makes sense because the CIA is in charge of overseas espionage while the NSA is more about security. The FBI, in cooperation with NSA, handles detecting and dealing with domestic threats. The Department of Defense is mainly about military threats but that now includes offensive and defensive Cyber War capabilities. The CIA has long handled peacetime paramilitary operations against American enemies, with the Department of Defense providing support and taking notes. Now those paramilitary operations include Cyber War operations, both to collect information as well as inflicting some pain and humiliation.
