Paul M. Joyal, NSI Managing Director, Public Safety - PowerPoint PPT Presentation

1
Paul M. Joyal, NSI Managing Director, Public
Safety and Homeland Security Practice
  • Cyber Espionage and Criminal Hacking: The New
    Threat Matrix

GovSec US Law Conference, March 23-24, 2010
2
Cyber Threat Actors
  • Cyber threats to federal information systems and
    cyber-based critical infrastructures can come
    from a variety of sources, such as foreign
    nations engaged in espionage and information
    warfare, criminals, hackers, virus writers, and
    disgruntled employees and contractors working
    within an organization.
    Gregory C. Wilshusen, Director, Information
    Security Issues, Government Accountability
    Office, 2009

3
Cyber Crime Increases in the Private Sector
  • More than 75,000 computer systems at nearly 2,500
    companies in the United States and around the
    world have been hacked in what appears to be one
    of the largest and most sophisticated attacks by
    cyber criminals.
  • The attack targeted proprietary corporate data,
    e-mails, credit-card transaction data and login
    credentials at companies in the health and
    technology industries in 196 countries, according
    to NetWitness.

4
Cyber Crime and Espionage
  • Ten government agencies were penetrated, none in
    the national security area, NetWitness said.
  • The systems penetrated were mostly in the United
    States, Saudi Arabia, Egypt, Turkey and Mexico.
  • Some estimate the global cyber-crime business
    amounts to $100 billion a year.

5
Cyber Crime Cash is bigger than Narcotics Trade
  • Cyber-crime, by some estimates, has outpaced the
    amount of illicit cash raked in by global drug
    trafficking.
  • Hackers from Russia and China are among the chief
    culprits, and the threat they pose now extends
    far beyond spam, identity theft and bank heists.
  • "The Internet can now be used to attack small
    countries. There are Russian and Chinese
    hackers that have the power to do that."
    Yevgeny Kaspersky, chief executive of Moscow-based
    Kaspersky Lab

6
Criminals are spamming the Zeus banking Trojan to
attack government computers
  • According to one state government security expert
    who received multiple copies of the message, the
    e-mail campaign, apparently designed to steal
    passwords from infected systems, was sent
    exclusively to government (.gov) and military
    (.mil) e-mail addresses.
  • The messages appear to have been sent by the
    National Intelligence Council (address used was
    nic_at_nsa.gov), which serves as the center for
    midterm and long-range strategic thinking for the
    U.S. intelligence community and reports to the
    office of the Director of National Intelligence.

7
E-Mail spoofs the National Security Agency
  • The e-mails urge recipients to download a copy of
    a report named "2020 Project". Another variant is
    spoofed to make it look like the e-mail came from
    admin_at_intelink.gov. The true sender, as pulled
    from information in the e-mail header, is
    nobody_at_sh16.ruskyhost.ru.
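A header check of the kind the slide describes, comparing the displayed From: address with the envelope sender and the earliest relay hop, written here as an added example that is not part of the presentation. The two sample messages, the example.gov host names and the 192.0.2.x addresses are constructed; only the sender addresses quoted on the slides are taken from the page.

```python
"""Flag e-mails whose visible From: domain matches neither the envelope sender
nor the originating Received: hop, the check that exposes a spoofed .gov sender."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign in the slides: From: claims
# nic@nsa.gov while Return-Path and the earliest Received: hop name
# sh16.ruskyhost.ru. 192.0.2.x are RFC 5737 documentation addresses (placeholders).
SAMPLE_SPOOFED = """\
Return-Path: <nobody@sh16.ruskyhost.ru>
Received: from mail.example.gov (mail.example.gov [192.0.2.1]) by inbox.example.gov; Mon, 1 Mar 2010 09:00:00 -0500
Received: from sh16.ruskyhost.ru (sh16.ruskyhost.ru [192.0.2.10]) by mail.example.gov; Mon, 1 Mar 2010 08:59:00 -0500
From: National Intelligence Council <nic@nsa.gov>
Subject: 2020 Project report

Please download the attached copy of the 2020 Project report.
"""

# Constructed benign control: every sender field agrees on example.gov.
SAMPLE_LEGIT = """\
Return-Path: <noreply@agency.example.gov>
Received: from mx.agency.example.gov (mx.agency.example.gov [192.0.2.2]) by inbox.example.gov; Mon, 1 Mar 2010 09:00:00 -0500
From: noreply@agency.example.gov
Subject: Routine notice
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def origin_hop(msg):
    """Host named in the bottom-most Received: header, i.e. the hop closest
    to the true sender (each relay prepends its own Received: line)."""
    hops = msg.get_all("Received") or []
    match = RECEIVED_FROM.match(hops[-1].strip()) if hops else None
    return match.group(1).lower() if match else ""

def registered_domain(host):
    """Crude reduction to the last two labels (sh16.ruskyhost.ru -> ruskyhost.ru)."""
    return ".".join(host.split(".")[-2:]) if host else ""

def sender_domains(raw):
    """Return (From: domain, Return-Path domain, originating hop)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return from_dom, envelope, origin_hop(msg)

def is_spoofed(raw):
    """True when From: agrees with neither the envelope sender nor the first relay;
    requiring both to disagree keeps legitimate third-party relaying from flagging."""
    from_dom, envelope, hop = sender_domains(raw)
    if not from_dom:
        return True  # an unparseable sender is itself suspicious
    claimed = registered_domain(from_dom)
    return claimed not in (registered_domain(envelope), registered_domain(hop))
```

Received: headers written by relays outside your control can themselves be forged, so this check identifies the hop your own mail gateway recorded, not a definitive origin.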

8
Growth of Cyber Threats
[Chart: attack sophistication plotted against time, 1980 to 2009. Two trend
lines: "Sophistication of Available Tools Growing" (rising) and
"Sophistication Required of Actors Declining" (falling). Techniques plotted
from low to high sophistication: password guessing, self-replicating code,
password cracking, exploiting known vulnerabilities, burglaries, hijacking
sessions, disabling audits, network mngt. diagnostics, back doors, GUI,
sweepers, automated probes/scans, sniffers, www attacks, packet spoofing,
distributed attack tools, denial of service, cross site scripting /
phishing, sophisticated C2, stealth/advanced scanning techniques, staging,
convergence. Events marked: Estonia DoS, Russia invades Georgia.]
9
The Vulnerability Matrix
[Chart: threat vectors (viruses, worms; home users; wireless; broadband
connections; insiders; configuration problems) mapped against critical
infrastructure sectors (emergency services, government, transportation,
banking, chemical, rail, oil, natural gas, telecom, water / waste water,
e-commerce) with their scale: 5,800 registered hospitals; 5,000 airports;
300 maritime ports; 3,000 govt. facilities; 2,800 power plants; 104
commercial nuclear plants; 26,000 FDIC institutions; 66,000 chemical
plants; 150,000 miles of transmission lines; 300,000 production sites; 130
overlapping grid controllers; 120,000 miles of major rails; 2 billion miles
of cable; 2 million miles of pipelines; 1,600 municipal wastewater
facilities; 80,000 dams.]
10
CIA Report Cyber Extortionists Attacked Foreign
Power Grid, Disrupting Delivery
  • Tom Donahue, the CIA's top cybersecurity
    analyst, said, "We have information, from
    multiple regions outside the United States, of
    cyber intrusions into utilities, followed by
    extortion demands. We suspect, but cannot
    confirm, that some of these attackers had the
    benefit of inside knowledge.
  • We have information that cyber attacks have been
    used to disrupt power equipment in several
    regions outside the United States."

11
Could these probes come from China?
  • Jian-Wei Wang and Li-Li Rong, Chinese
    researchers at the Institute of Systems
    Engineering of Dalian University of Technology,
    reached a counterintuitive conclusion in a
    published journal paper:
  • attacks on the power grid nodes with the lowest
    loads are more harmful than attacks on the ones
    with the highest loads.

12
Cascade-Based Attack Vulnerability: US Power Grid
  • They published these findings in a paper on how
    to attack a small U.S. power grid sub-network in
    a way that would cause a cascading failure of the
    entire U.S. electrical grid.
  • While some maintain that the research promotes a
    defense posture, Mr. Wang's research subject was
    particularly unfortunate because of the
    widespread perception, particularly among
    American military contractors and high-technology
    firms, that adversaries are planning to attack
    critical infrastructure like the United States'
    electric grid.

13
The Cyber Threat
  • Assessing the threat (like a criminal threat)

[Diagram: THREAT at the center, assessed along three
dimensions: Behavioral Profile, Technical Feasibility,
Operational Practicality.]
14
Cyber Infrastructure
15
Russia's NSA (FAPSI) also Identified in Cyber
Theft
  • In 1998 a U.S.-German satellite known as ROSAT,
    used for peering into deep space, was rendered
    useless after it turned suddenly toward the sun.
    NASA investigators later determined that the
    accident was linked to a cyber-intrusion at the
    Goddard Space Flight Center in the Maryland
    suburbs of Washington. The interloper sent
    information to computers in Moscow, NASA
    documents show.
  • U.S. investigators fear the data ended up in the
    hands of a Russian spy agency.

16
Russia's NSA (FAPSI) also Identified in Cyber
Theft
  • A team of agents from NASA, the FBI, and the U.S.
    Air Force Office of Special Investigations was
    assembled to follow the trail of what they
    concluded was a criminal hacking ring with dozens
    of Internet addresses associated with computers
    near Moscow.
  • The investigators made an even more alarming
    discovery, according to people familiar with the
    probe: the cyber-crime ring had connections to a
    Russian electronic spy agency known by the
    initials FAPSI.

17
European Credit Card Crime Accelerates
  • Card-related crime is the fastest-growing
    criminal activity in the United Kingdom, and,
    throughout Europe. Payment card systems are under
    unprecedented attack from well-organized and
    well-financed criminal gangs.

18
Card Fraud Plagues Europe; Some Say It's FAPSI
  • The payments business is increasingly the subject
    of organized, methodical attacks by Russian
    criminals, characterized by high technical
    sophistication and even including access to
    systems designed by FAPSI, the Russian state
    cryptographic agency.
  • "We've seen techniques that could only have come
    from FAPSI," says Jan Eivind Fondal, director of
    risk management at Europay Norge in Oslo, Norway.
    "It's beyond anything we've seen. It's a new
    breed of fraudster. He had covered his tracks
    in a way only a security professional would."

19
Russian Viruses Attack Banks
  • Russian hackers rely on viruses that record
    keystrokes as customers type log-ins and
    passwords. Russian-made viruses are believed to
    be behind several major online heists, including
    the theft of $1 million from Nordea Bank in
    Sweden in 2007 and $6 million from banks in the
    United States and Europe that same year.
  • Viruses and other types of malware are bought
    and sold for as much as $15,000.
  • Rogue Internet service providers charge
    cyber-criminals $1,000 a month for police-proof
    server access.

20
Russian hacking flourishes as a cyber-criminal
ecosystem
  • Russian hacking flourishes as a cyber-criminal
    ecosystem of spammers, identity thieves and
    botnets, vast networks of infected computers
    controlled remotely and used to spread spam,
    denial-of-service attacks or other malicious
    programs. A denial-of-service attack floods a Web
    site with inquiries, forcing its shutdown.
    Yevgeny Kaspersky, chief executive of
    Moscow-based Kaspersky Lab, one of the world's
    leading computer security firms.

21
RBN First Cyber Strike on Georgia was not
Hacktivists
  • "The individual with direct responsibility for
    carrying out the cyber 'first strike' on Georgia
    is a RBN operative named Alexandr A. Boykov of
    Saint Petersburg, Russia. Also involved in the
    attack was a programmer and spammer from Saint
    Petersburg named Andrey Smirnov.
  • These men are leaders of RBN sections and are not
    'script-kiddies' or 'hacktivists,' as some have
    maintained of the cyber attacks on Georgia, but
    senior operatives in positions of responsibility
    with vast background knowledge."

22
RBN-Prime Mover
  • Intelligence can suggest further information
    about these individual cyber-terrorists.
    According to Spamhaus SBL64881, Mr. Boykov
    operates a hosting service in Class C Network
    79.135.167.0/24.
  • It should be noted that the pre-invasion attacks
    emanated from 79.135.167.22, clearly showing
    professional planning and not merely
    hacktivism. Due to the degree of
    professionalism and the required massive costs to
    run such operations, a state sponsor is suspected.

23
Known Russian Business Network routes identified
  • The IP addresses of the range 79.135.160.0/19
    are assigned to Sistemnet Telecom to provide
    services to companies that are classified as
    engaging in illicit activities such as credit
    card fraud, malware and so on.
  • 79.135.160.0/19 Sistemnet Telecom and AS9121
    TTNet (Turkey) are associated with
    AbdAllah_Internet, which is linked with cybercrime
    hosting such as thecanadianmeds.com. These are
    known Russian Business Network routes.

24
Hacking for Money and Politics in Russia
  • And when it's not money that drives Russian
    hackers, it's politics, with the aim of accessing
    or disabling the computers, Web sites and
    security systems of governments opposed to
    Russian interests. That may have been the motive
    behind a recent attack on Pentagon computers.
  • A new generation of Russian hacker is behind
    America's latest criminal scourge. Young,
    intelligent and wealthy enough to zip down
    Moscow's boulevards in shiny BMWs, they make
    their money in cyber-cubbyholes that police have
    found impossible to ferret out.

25
(No Transcript)
26
RSA 2010 Conference: Malware Industry Getting
Increasingly Professional, Warn Experts
  • The Russian Business Network (RBN), one of the
    most powerful and extensive malware and hacking
    organisations, has been buying time on Amazon's
    EC2 platform to build malware and attack
    passwords, according to Ed Skoudis, founder of
    security consultancy InGuardians.

27
Russian Cyber Attack Model as Seen in the Estonia
and Georgia Attacks: Information Warfare
  • The Kremlin, with the help of the FSB, targets
    opposition Web sites for attack.
  • Attack orders are passed down through political
    channels to Russian youth organizations whose
    members initiate the attack, which gains further
    momentum through crowd-sourcing.

28
Russian Cyber Attack Model: Information Warfare
  • Russian organized crime provides its
    international platform of servers from which
    these attacks are launched, which in some cases
    are servers hosted by badware providers in the
    U.S.
  • LESSON
  • For DoD planners and policy makers, an awareness
    of this model should trigger a re-evaluation of
    the approach that is taken in our cyber security
    strategy.

29
Iranian Crackdown Goes Global: RBN Supports
Efforts to Track Dissidents
  • A Wall Street Journal investigation shows Iran is
    extending its crackdown to Iranians abroad. Part
    of the effort involves tracking the Facebook,
    Twitter and YouTube activity of Iranians around
    the world, and identifying them at opposition
    protests abroad. People who criticize Iran's
    regime online or in public demonstrations are
    facing threats intended to silence them.
  • Caught by surprise with the power of social media
    during the disputed election, Tehran has
    commissioned white paper studies by the Research
    Center of Islamic Republic of Iran Broadcasting
    (crspa.ir) to "study the role of social capital
    in knowledge sharing".
  • The crspa.ir web site has been assisted by the
    Russian Business Network at the well-known RBN IP
    address 61.61.61.61, which is home to many of
    the RBN's spam, scam, and malware DNS servers.

30
Local Governments are defrauded also
  • The New York town of Poughkeepsie reported that
    thieves had broken into the town's bank account
    and stolen $378,000 in municipality funds.
  • Poughkeepsie officials said $95,000 was recovered
    from a Ukrainian bank.

31
China acquires US Rocket Engine designs
  • Four years later, in 2002, an online intruder
    penetrated the computer network at the Marshall
    Space Flight Center in Huntsville, Ala., stealing
    secret data on rocket engine designs, information
    believed to have made its way to China, according
    to interviews and NASA documents.

32
Data flows to China
  • Howard A. Schmidt, a technology consultant who
    served as a White House special adviser on
    cyber-security from 2001 to 2003, concurs.
  • "All indications are that the attacks are coming
    in from China," he says, "and the data is being
    exfiltrated out to China."

33
Intelligence Chief on Cyber Challenge
  • "But cybersecurity is the soft underbelly of this
    country."
    Mike McConnell told a group of reporters, Jan.
    16, 2009
  • "If we were in a cyberwar today, the United
    States would lose."
    Mike McConnell, testimony to Congress, February
    23, 2010

34
"Cyber Shockwave," Feb. 17, 2010
  • Cyberattack Drill Shows U.S. Unprepared
  • A group of high-ranking former federal officials
    scramble to react to mobile phone malware and the
    failure of the electricity grid in a staged
    exercise.
  • Imagine what would happen if a massive cyber
    attack hit the U.S., crippling mobile phones and
    overwhelming both telephone infrastructure and
    the electricity grid.

35
RF's Military Doctrine and Principles of State
Policy on Nuclear Deterrence to 2020, on
Information Warfare
  • In the RF's Military Doctrine and Principles of
    State Policy on Nuclear Deterrence to 2020, the
    following sections relate to Information Warfare:
  • 12. (d) Acknowledgment of the intensification of
    the role of information warfare in contemporary
    military conflict.
  • 13. (d) The prior implementation of measures of
    information warfare in order to achieve political
    objectives without the utilization of military
    force and, subsequently, in the interest of
    shaping a favorable response from the world
    community to the utilization of military force.
  • 41. The tasks of equipping the Armed Forces and
    other troops with armaments and military and
    specialized equipment are (c) to develop forces
    and resources for information warfare.
  • But what if 41 (c) said to develop state and
    non-state actors as forces in the use of
    information warfare?
  • Can you imagine the uproar that would occur
    if Russia had outed its own use of non-state
    actors? Well, that's essentially what this
    document has done for the U.S. government.

36
From Russian Military Thought Leaders
  • There is no need to declare war against one's
    enemies and to actually unleash more or less
    large military operations using traditional means
    of armed struggle. This makes plans for hidden
    war considerably more workable and erodes the
    boundaries of organized violence, which is
    becoming more acceptable.
  • Viruses are viewed as force multipliers that can
    turn the initial period of war into pure chaos if
    they are released in a timely manner. (See
    Russia-Georgia War)

37
Make No Mistake: You and America Are the Target
  • Protect your computer
  • You are only a click away from anywhere in the
    world
  • Report to the FBI or appropriate US Government
    agencies any cyber attempts to compromise your
    identity or accounts.
  • If you see something, say something
  • Get involved and stay vigilant
  • It Takes a Network to Defeat a Network
  • You are part of our network

38
Paul M. Joyal
NSI Managing Director, Public Safety and
Homeland Security Practice
1400 Eye Street NW, Suite 900, Washington, DC 20005
T 202.349.7005 (direct)
M 571.205.7126
pjoyal_at_nationalstrategies.com
www.nationalstrategies.com