"

6
Personnel lVork cu rhe Air Force Space
Command Netll'ork Opera/iolls & Security
Cellfer til Peterson Air Force Base ill Colorado
Springs, Colorado July 20.1010. USACYBERJYARI
REUTERS/Rick fYi/king
he nature of cyberattacks
and cyberwarfare is
changing , gaining
sophistication , and
becoming more focused
in terms of mission and
objective.
While there will undoubtedly always be
attacks designed to interrupt service or
cause damage, a newer breed of attack
is being used to penetrate organizations,
exfiltrate sensitive data, and establish
remote lines of command and control.
In February 2011 , Intel security subsidiary
McAfee released a report, "Global Energy
Cyberattacks: 'Night Dragon"', that provides
a good example of this new level of
sophistication.
According to the report, actors
traced to China have conducted
a multi-year campaign to gai n
access to confidential in for-
mali on from oi l, energy, and
petrochemica l companies.
The attacks were staged, each
operation designed to gain fur-
ther access and tunnel furt her
into the systems of the vict im
companies.
These arc 1101 attacks by t eell-
agers going for the "' Iulz," in-
stead these are attacks planned
strategically. wi th each stage
actors traced
to China have
conducted a multi-
year campaign
to gain access
to confidential
information from
oil , energy, and
petrochemical
companies.
Seeking the Edge Thrr.)ugh Educal!on. TralnH1g. tlnd Tochr ology
GET
THIS
CD
BEFORE
YOU
TRAVEL!
The
IACSP High Risk
Environments
Survival Checklist CD
Seven years in the making, this
el ect ronic reference document
provides information, resources, and
inputs covering all of the key areas for
taking a trip overseas to a high risk
area. What you need to know, where to
get more information, what to train and
where, and what to bring are all covered
in this resource. Over 40 pages of
pertinent information culled from nearly
20 years of experience and research
from a variety of sources and lACS?
hands-on professionals (Tactical
Trainers, Special Forces Soldiers in
Afghanistan, Corporate Security
personnel, elc.).
IACSP Basic Members 539.99
Executive Members: $20
Corporate Members: $30
Non-Members: S75
Please send a check or money
order 10: IACSP HRES CD/PO Box
1006881Arlington, VA 22210 USA.
Make checks out to: IACSP
Credit cards (AmexlMCNisa).
Fax order to: 703-243-1197
Call in : 571-216-8205
Bulk orders: 571-216-8205
PDF VERSION AVAILABLE
de s igned to pee l
away another layer
of defense and each stage
establi shing what's essentiall y
a di gital staging ground for the
next phase of attack.
The global energy attacks, whi ch
McAfee nicknamed "Night
Dragon", are textbook examples
of this strategic approach.
Initi all y, the attackers had no
inside access. So they probed
the only outward facing com-
ponent s of their victims' IT
operat ions: the ir Web s it es.
They looked for and found se-
curity loophol es in the var ious
sites' public-facing Web fo rms
and used those loopholes to
" inject" powerful SQL code
into the servers.
Thi s, then, a ll owed remot e
commands to be executed on
the compromi sed victim serv-
ers. Effect ively, the attackers
now had an " in s ide man"
wit hin the IT ope ration. Once
inside, the attackers upl oaded
a suite of hacki ng tool s that
all owed them to jump from
publi c- fac ing Internet servers
to the various organi zat ions'
int ern al se rve rs and, then,
individ ual desktop computers.
Once ins ide the internal IT
network, the attackers scanned
what were assumed to be safe,
inside-the-firewa ll mac hines,
and by using re lat ive ly com-
pl ex but easy to obtain tools,
were able to capture and de-
crypt internal username and
password combinations . Thi s
gave the attackers unrestricted
internal access (and valid au-
thenti cation codes) to internal
IT systems, internal corporate
financial and energy data, and
the desktops
of key execu-
ti ves. At thi s point,
the attackers then loaded
further command and control
software onto compromi sed
sys t ems, co nnecting what
were once isolated systems
directl y to the Int ernet , and
through the I nt ernet , to the
attac ke rs own "' co ll ection "
computers.
By now, the attackers essen-
tially had a direct pipeline to
able to determine with a hi gh
degree of certai nty that a sub-
stantial porti on of the attack
originat ed from China, s pe-
cificall y Heze City in China 's
Shandong Province.
Anot he r curi ous factor was
that all of the data exfi ltration
ac tivit y occurred betwee n
9am and 5pm, Be ijing time
and all of the data was se nt
to mac hines us ing Beijing-
based I P addresses. Because
a ll the exfi ltrati on happened
during Beijing worki ng hours,
McAfee believes it 's hi ghl y
likely that the data theft was
Even more scary, the
attackers also gained
command and control
access to some of the
companies' SCADA
(supervisory control
and data acquisition)
systems, the computers
that monitor, operate,
and control actual
physical processes
throughout the energy
industry.
Seeking the Edge Through Education. Training, and Technology
mass ive amount s of sensiti ve
cor porat e informat ion, in-
c luding information relating
to oil and gas fi eld bids and
operations.
Even more scary, the attack-
ers al so gained command and
control access to some of the
compani es ' SCADA (supervi-
sory control and data acqui si-
tion) systems, the computers
that monitor, o perate, and
control actual physical pro-
cesses throughout the energy
industry.
Although it hasn' t ye t been
poss ibl e to identify the core
orga ni zation responsi ble fo r
the Night Dragon attacks ,
McA fee re sea rchers were
done by empl oyed " company
men" workers in China.
So thi s is what we're now
dea ling with. Sure, there will
a lways be the ne rdy hack-
ers out there and there will
alwa ys be more and more
fin a nc ia l-based organi zed
crime us ing botnet s and other
digital brute-force means to
se parate victims from their
money.
But we' re now see ing a much
more st rategic, much more
target e d, more wor ri some
level of cyber- attack. With the
new strategic attacks, instead
of just " making it up on vol-
ume," attackers are pinpoint-
ing spec i ti c targets and very
carefully and very effecti vely
ga ining entry.
Defen se against these pin-
point attacks can be more dif-
fic ult than defending agai nst
brute-forc e a tt acks. First ,
once th e attacke rs get far
e nou g h int o the sys tems ,
they' re often us ing va lid au-
thentication credenti als and
so their digital footprint s are
indi st ingui shable from those
of va l id users.
To better secure your systems,
cons ider us ing multi-factor
a uthe nti cation. One of the
best a pproaches is to aug-
ment use rname and password
with a phys ical device that
ge nerat es a keycode. Even
if an attacker can extract an
entire database of usernamel
password se ts , with out the
physical one-time key, the
attacker ca n' t get in.
These strategic, pinpoint at-
tacks are quite a chall enge.
Like all ar ms races, it 's time
for us to up our game in order
to keep at least one step ahead
of the enemy.
About the Author
David Gewirtz is the director of
the Us. Strategic Perspective
Institllle and editor- ill-chief oj
the ZATZ tec/mical magazines.
He regularly writes commentOl )!
and analysis/or CNNj' Anderson
Cooper 360, and has wrillen
more them 700 arric/es about
technology. David is a former
professor of computer science, has
lectured al Princeton. Berkeley,
UCLA , and Stanford, has been
awarded the prestigious Sigma Xi
Research Award in Engineering.
and was a candidale for the 2008
Pulitzer Prize in Leff ers. fi e is
the Cyberterrorism Advisor for
personal Web site
is at DavidGewirtz.colII Read his
blog at CNN Anderson Cooper
360 for polit ics, policy, alld
analysis. Read his blog at CBS
Imeractive s ZDNet Government
where tech meets politics
and government. Or
Follow him on Twitter
at @DavidGewirrz

Journal of Counterterrorism & Homeland Security International V01.17, No.2