Showing posts with label cyber espionage.

Friday, 26 April 2013

Chimera: Know The Targets


In today's digital landscape, threats are expanding and your intellectual property and trade secrets are their targets. You may not know the threat actor, but you can know what they're targeting.

CHIMERA will launch in the summer of 2013.

Monday, 11 March 2013

China Operates the World's Most Successful HoneyPot

The Chinese government has been on a focused mission to increase its technological development for many years. One of the best and most efficient ways that it has of doing this is by making it attractive for foreign high tech companies to open R&D centers in China. In 2000 there were about 100 foreign R&D labs in China. By 2007 there were 1200. Today, Shanghai alone has over 300. In fact, many of the same companies that believe that China is responsible for the vast majority of APT attacks have helpfully delivered some of their own "crown jewels" (i.e., their R&D) inside China's borders including GE, Dell, Microsoft, HP, Intel, Boeing, and EADS to name just a few:
"General Electric Co. plans to invest more than $2 billion in China in technology and financial service ventures and research, adding 1,000 jobs in a country Chief Executive Officer Jeffrey Immelt is targeting for growth. (source)"
UPDATE 30 March 2013: General Electric Co's (NYSE: GE) healthcare unit, the world's biggest maker of medical imaging machines, plans to double its production capacity in China in the years through 2015, GE Healthcare Greater China CEO Duan Xiaoyin told Yicai.com (source via paid subscription).
"The Chicago-based aerospace giant (Boeing) recently partnered with Commercial Aircraft Corporation of China -- or Comac -- to invest in a research project aimed at energy conservation and fuel reduction. (source)" 
"Dell will likely spend $250 billion in China on procurement and other investments over the next 10 years as it expands in the world's No 2 personal computer (PC) market, the head of its China operations said on Tuesday. (source)"
"Intel Corp. said Tuesday it will form a joint innovation center with Chinese internet giant Tencent Holdings Ltd. (0700.HK) that will focus on developing new mobile computing products. (source)"
"Hewlett-Packard (HPQ.NYSE) is tapping into China's engineering talent to develop global storage and networking products, as the computer maker prepares to open a research center in Beijing, Bloomberg reported. HP's CEO Leo Apotheker said the company wants to utilize China's R&D capabilities as it seeks to boost sales in other emerging markets. (source)" 
And this is just a tiny sampling. If you're wondering why companies are so willing to open research centers in China, it's because the Chinese government is making them an offer that's hard to refuse.
  • A 50 percent R&D "super deduction" in addition to the actual expense deduction for R&D spending. So if a company spends 10 million yuan ($1.6 million; 1.26 million euros) on eligible R&D it will receive a net benefit of 1.25 million yuan (12.5 percent benefit for every eligible cost);
  • A preferential corporate income tax rate of 15 percent (the standard rate is 25 percent) for companies recognized as a High New Technology Enterprise;
  • A preferential corporate income tax rate of 15 percent for companies recognized as an Advanced Technology Service Enterprise, with qualified incomes exempt from business tax;
  • Exemption from import customs duty and value-added tax on qualified R&D equipment imported by R&D centers.
Here are the industrial sectors that qualify for the above incentives:
  • New techniques or methodologies to extract minerals from complex ore bodies.
  • Improvements to water use and irrigation technologies.
  • Development of innovative functionality and improved approaches to solving software problems.
  • Application of engineering principles, previously developed in the aerospace industry, in, for example, the automotive industry.
  • Computer-aided engineering and simulation software developed as part of a larger R&D project in any industry.
  • Development of new processes and technologies to minimize adverse environmental impacts across all industries.
  • Development of new compounds with improved therapeutic properties.
  • Development of non-destructive testing techniques to analyze material fatigue with pharmaceutical products.
  • Application of off-the-shelf software products in new and previously unproven ways.

Who Needs APT?

Basically, China has successfully created the world's largest honeypot for acquiring foreign trade secrets and intellectual property. It's so successful at it that even companies who know better, like GE (close ties with Mandiant), Dell (owns SecureWorks), and HP (owns Fortify), are still running R&D labs there.

Legal Technology Transfer

Foreign companies who open offices in China hire Chinese engineers and other skilled employees who learn and work on their technologies, and then take that knowledge with them when they leave to work at Chinese firms after a year or two. Additionally, these foreign companies must use China's telecommunications infrastructure for all of their communications (satellite, VoIP, landline, mobile, etc.), which means that all of their confidential communications traffic is subject to collection and monitoring under Chinese law. So while China certainly engages in other espionage-related activities, that isn't its only means, or even its best means, of acquiring high technology secrets.

If Not China, Who?

There are many other nations who want the same technology that China wants but who don't have the same drawing power in terms of population density or cheap engineering labor to attract foreign R&D investment. For those countries, cyber espionage is a much more important option and one for which resources are available (i.e., indigenous hacker populations and freely available Chinese-made hacking tools). If companies really want to know who may be targeting their trade secrets, then they should demand to know how incident responders and/or Law Enforcement Organizations are distinguishing between the activities of different nation states; all of whom want to accelerate their technological development by raiding U.S. companies' networks.

Sunday, 3 March 2013

Who Are The Players in China's Targeting of Foreign Technology IP?

The release of Mandiant's APT1 report claimed that the Third Department of the PLA General Staff Department (3PLA) is the responsible State organization behind Comment Crew (aka APT1). One of the things that the report's authors didn't do was demonstrate how the other State agencies who engage in this type of activity were excluded in their analysis. For future reference, here's a more complete list of the possible organizations who conduct intelligence activities (including cyber) to consider or rule out in terms of possible Chinese attribution.

Traditional Channels

Civilian
  • The Ministry of State Security (MSS) - Counterespionage and Counterintelligence; Foreign Intelligence; Domestic Intelligence
  • Ministry of Public Security (MPS) - National Police; Domestic Intelligence
Military
  • Second Department of the People's Liberation Army (PLA) General Staff Department (2PLA): engages in foreign intelligence, imagery intelligence, and tactical reconnaissance
  • Third Department of the PLA General Staff Department (3PLA): engages in signals intelligence
  • Fourth Department of the PLA General Staff Department (4PLA): engages in computer network operations
  • Liaison Office of the PLA General Political Department
  • Intelligence departments of the PLA Navy, PLA Air Force, and Second Artillery
  • State Secrecy Bureau

Non-Traditional Channels

  • Commission of Science, Technology and Industry for National Defense (COSTIND)
  • Research Institutes
  • PRC Military-Industrial Companies
  • Organized Chinese hacker groups

Guidelines:

Failed operations. In Amy Elizabeth Brown's paper "Directed or diffuse?: Chinese human intelligence targeting of US defense technology", she makes the same point that I have made multiple times; e.g., that much of the information we have about Chinese espionage cases (cyber and otherwise) comes solely from failed operations - meaning covert operations that have been discovered. Therefore, we have to acknowledge the possibility that China also runs successful covert operations using more effective tradecraft but we don't know the scope or scale.
3PLA's distributed offices. It's important to note that 3PLA, which was identified in the Mandiant APT1 report has, according to Mattis, offices and technical reconnaissance bureaus in each of China’s seven military regions and several major cities (not only Shanghai).
OSINT is insufficient. Another important statement in Mattis' conclusions is that open sources are insufficient to understand the inner workings of these various intelligence agencies.
Lack of sound tradecraft. "One of the defining characteristics of China’s non-traditional techniques for obtaining technology, as observed in many of the cases noted here, is the lack of clandestine tradecraft, or even the most basic elements of operational security, involved in obtaining the information.  In general, it appears that little or no care is used to ensure that the operation goes undetected." - Amy Brown's "Directed or Diffuse" paper as referenced below.
Giving amateur operatives too much credit. "A belief that the Chinese rely on amateur operatives risks leading CI professionals to dismiss or be inattentive to the threat posed by China’s professional services." - Peter Mattis "The Analytic Challenge" paper as referenced below.
Distinguishing economic espionage from Chinese intelligence. "When economic espionage with no connection to the Chinese intelligence services is interpreted as “Chinese intelligence,” less attention will be paid to what those organizations actually do. The Chinese intelligence services and the Chinese defense industries are distinct entities, although they may sometimes work for mutual benefit." - Peter Mattis (Ibid)

Readers of the Mandiant report or any report that purports to reveal the inner workings of Chinese cyber espionage cases are encouraged to familiarize themselves with the papers referenced below as well as the above guidelines that I've extracted from them. 

For example, the lack of tradecraft by the three individuals mentioned in the Mandiant report is palpable, and was pointed out by the report's authors: "These actors have made poor operational security choices, facilitating our research and allowing us to track their activities. They are some of the authors of APT1's digital weapons and the registrants of APT1 FQDNs and email accounts. These actors have expressed interest in China's cyber warfare efforts, disclosed their locations to be the Pudong New Area of Shanghai, and have even used a Shanghai mobile phone number to register email accounts used in spear phishing campaigns." - Mandiant APT1 report, p. 51

Even if one assumes that the Chinese government is the customer for APT1's cyber espionage activities, it's important to consider all of the options before attempting to assign attribution. Given such a lack of tradecraft, the report should at least have mentioned whether the non-traditional channels defined above were considered. As this article points out, those options are plentiful within China, but they also include other foreign intelligence services and professional hacker crews who run their operations from China and/or from Chinese servers in order to confound any efforts at attribution.
Related Posts:

  • "PRC Intelligence Apparatus - Implications for Foreign Firms"
  • "Mandiant APT1 Report has critical analytic flaws"

Monday, 14 January 2013

RBN Connection to Kaspersky's Red October Espionage Network

Kaspersky made an astonishing announcement today with its discovery of a sophisticated cyber espionage network (most likely Russian) that has been operating since May 2007 and continues to this day. It has successfully infiltrated embassies, research organizations, military and government agencies, energy facilities (including nuclear power plants) predominantly in the Commonwealth of Independent States, India and countries in Central Asia, among many others.

The developers behind this campaign have built a toolkit similar to Flame but more sophisticated which Kaspersky researchers have named ROCRA (short for Red October). Some of the key functionalities which make this toolkit stand out as unique are:
  • The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true 'mothership' command and control server.
  • The attackers created a multi-functional framework which is capable of applying quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.
  • Beside traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP server; and siphoning files from local network FTP servers.
According to Kaspersky's report, the oldest domain name used in the Red October network was registered in November, 2007, and the newest in May, 2012. The November, 2007 date immediately rang a bell in my memory as the date that the Russian Business Network went dark (November 4, 2007) and temporarily moved operations to China. Then, after a few weeks, they disappeared again.

The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use, according to the Kaspersky report. This fits the RBN profile to a T. I ran 13 IPs listed in Kaspersky's report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:

Malicious servers
178.63.208.49 matches 178.63.
188.40.19.247 matches 188.40.
78.46.173.15 matches 78.46.
88.198.30.44 matches 88.198.

Mini-motherships
91.226.31.40 matches 91.226.
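The matching above is done on the first two octets, i.e. a /16 netblock. The following script is an added example (not part of the original post or of Kaspersky's report) that performs the same match with Python's ipaddress module and, as the caveat a practitioner would want, reports how much address space each matching block covers: a /16 holds 65,536 addresses, so a hit on one means "same hosting range", not "same operator", until the block's actual allocation has been checked. The five indicator IPs and the five block prefixes are the ones listed in the post; the two 203.0.113.x / 198.51.100.x addresses are constructed non-matching controls from the RFC 5737 documentation ranges. The function also accepts full CIDR strings so a curated list with real allocation boundaries can replace the shorthand later.

```python
import ipaddress

# The five netblocks the post reports as matching, in the post's own
# shorthand (leading octets followed by a trailing dot).
RBN_BLOCKS = ["178.63.", "188.40.", "78.46.", "88.198.", "91.226."]

# Indicator IPs taken from the post, plus two constructed control
# addresses from the RFC 5737 documentation ranges that must not match.
INDICATORS = {
    "178.63.208.49": "malicious server",
    "188.40.19.247": "malicious server",
    "78.46.173.15": "malicious server",
    "88.198.30.44": "malicious server",
    "91.226.31.40": "mini-mothership",
    "203.0.113.7": "constructed, non-matching",
    "198.51.100.22": "constructed, non-matching",
}


def shorthand_to_network(block):
    """Turn '178.63.' into 178.63.0.0/16 (or '10.' into 10.0.0.0/8).

    A full CIDR string such as '91.226.31.0/24' is accepted unchanged,
    so a list with real allocation boundaries can be dropped in later.
    """
    if "/" in block:
        return ipaddress.ip_network(block, strict=True)
    octets = block.rstrip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError(f"bad shorthand prefix: {block!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")


def match_indicators(indicators, blocks):
    """Map each indicator IP to the most specific block containing it, or None.

    Where several blocks contain the address (e.g. a /16 and a /24 inside
    it), the longest prefix wins, as in routing-table lookups.
    """
    networks = [shorthand_to_network(b) for b in blocks]
    matches = {}
    for ip in indicators:
        addr = ipaddress.ip_address(ip)
        hits = [n for n in networks if addr in n]
        matches[ip] = max(hits, key=lambda n: n.prefixlen) if hits else None
    return matches


def report(indicators, blocks):
    """Rows of (ip, role, matched block or '-', addresses covered by the block).

    The last column is the specificity caveat: a /16 covers 65,536 hosts,
    so a match there is weak evidence of a shared operator on its own.
    """
    rows = []
    for ip, net in match_indicators(indicators, blocks).items():
        rows.append((ip, indicators[ip],
                     str(net) if net else "-",
                     net.num_addresses if net else 0))
    return rows


if __name__ == "__main__":
    for ip, role, block, size in report(INDICATORS, RBN_BLOCKS):
        print(f"{ip:<16} {role:<28} {block:<18} covers {size:>6} addresses")
```

Run as-is, the script matches the same five addresses the post lists and leaves the two control addresses unmatched; replacing the shorthand prefixes with the netblocks' real WHOIS allocations (and ideally their ASNs) would let the same code distinguish "hosted at the same provider" from "allocated to the same customer", which is the distinction an attribution argument needs.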

It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.

Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it's going to be one of the most important discoveries of the decade.



Wednesday, 21 November 2012

France Throws Cyber Stones From Its Glass House

Source: L'Expansion.L'Express.fr 20 NOV 2012
The government of France shouldn't be so quick to charge the U.S. with being responsible for the Flame malware found on President Sarkozy's computer. Kaspersky Lab had remarkably little evidence to support its charge that it was created by the team that created Stuxnet and Duqu, and CrySyS Lab said that it probably wasn't created by the Stuxnet/Duqu team.

Further, France is in no position to throw stones. Its use of cyber espionage operations is well known inside the U.S. Intelligence Community as well as to the German government, which considers France a more severe intellectual property theft risk than Russia or China. France's state-owned energy firm EDF also conducted cyber espionage attacks against Greenpeace.

Related:

Report: French officials accuse US of hacking Sarkozy's computers
Votre Secrets, Monsieur? "The idea of the French using their intelligence service to obtain scientific, economic, and technological information from friendly countries is not new."

Tuesday, 19 June 2012

BREACH ALERT: Putin Makes Unmanned Aerial Systems Development a National Priority


“Intelligence ... aims at supporting the process of modernization of our country and
creating the optimal conditions for the development of its science and technology.”
- Mikhail Fradkov, Director, SVR, December 2010


Source: Moscow Times
One of the easiest ways to determine what data is at risk is to know the strategic imperatives of those countries that engage in "technology transfer" and industrial espionage. Russian president Vladimir Putin has made it clear that he's a supporter of espionage as a tool to be used in Russian technology development. A recent article in RIA Novosti discussed Putin's call for long range bombers and Unmanned Aerial Systems. Russia plans to spend US$13B on UAS development over the next eight years. Part of that technology development strategy is almost certainly going to be acquiring intellectual property on related technology from foreign firms.

Two good examples of companies at risk are Boeing and General Atomics. Boeing, which has a defense, space and security division alongside its civil aircraft division, has 170,000 employees in over 70 countries, including Russia. General Atomics, who makes the Predator drone, has an affiliate office in Moscow. In fact, GA was recently praised by Russian military analyst Konstantin Makiyenko.


Any foreign business operating inside of Russia which holds technology vital to Russia's national security interest will be contacted by the Federal Security Service (FSB). Under article 15 of the FSB law, those companies are obliged to provide assistance to the Federal Security Service in carrying out its assigned duties, which could include a wide range of possibilities, including the examination of source code. All communications emanating from those companies, including landline, VoIP, mobile, and satellite, will certainly be harvested electronically, and entirely legally, by the FSB.


While I'm using Russia and these two U.S. companies who do business there as examples, this same problem exists in many other nations which have active industrial espionage operations. It is a major part of a company's threat landscape and one that is frequently being ignored because (a) it doesn't involve a spear phishing email or a piece of malware and therefore doesn't fit the business model of most cyber security companies and (b) defending against it requires a specialized skill set.

Thursday, 31 May 2012

Flame, Russia and the ITU: A Geopolitical Agenda?

Both the ITU and the Russian government have been united in their interest to secure a global cyber warfare treaty since at least 2010. In recent weeks, Evgeniy (Eugene) Kaspersky has been increasing his rhetoric regarding a future cyber catastrophe and most recently his company was chosen by the ITU to investigate the Flame attack. That attack prompted today's press release by the ITU calling for "greater international collaboration" on cyber security matters at their upcoming conference in Dubai; a conference sponsored by Kaspersky Labs and where CEO Kaspersky will deliver the keynote:
Cybersecurity will be a major agenda theme at ITU Telecom World 2012 (Dubai, 14-18 October 2012), supported by key partners, one of whom is Kaspersky Lab. This agenda will explore issues such as mitigating risks posed by major coordinated cyber-attacks at the national level, the threats posed by malware such as Flame, and strengthening international cooperation. Kaspersky Lab CEO Eugene Kaspersky will deliver a Visionary Keynote speech at the event, outlining the magnitude and global nature of cyberthreats today.
The Russian government has long been an advocate of an Information Warfare treaty limiting the use of cyber weapons and other acts of IW because it serves the interests of the Russian government (which has other means of conducting IW) while restricting cyber weapons development in the West. An excellent overview of the ramifications of such a treaty is Tom Gjelten's "Shadow Wars: Debating Cyber Disarmament".

Evgeniy Kaspersky, Kaspersky Labs, and the Russian Security Service

In November 2009, the Duma Committee on Security met on “the legislative, organizational and technical security aspects of the national info-communications infrastructure.”  The meeting included the Experts Council and several additional experts.  The invited experts were primarily senior government officials—including two from the FSB--with two from industry.  One was the President of MFI-Soft—the company that provides internet intercept systems to the FSB ISC—and the other was Evgeniy Kaspersky, Director of JSC Kaspersky Labs.

The President of MFI-Soft Alexander Ivanov is a former senior military communications officer.  MFI-Soft’s bread and butter are lawful intercept systems including SORM-1, SORM-2, and SORM-3.  MFI-Soft holds numerous licenses from the FSB and FSTEC for work on state secret information and encryption systems.  JSC Kaspersky Labs does as well.  While the Duma Security Committee did not post the meetings minutes, both companies are now involved in pushing Russian standards for the Commonwealth of Independent States (CIS).

Kaspersky Labs holds numerous security clearances authorizing work on projects involving state secret information (current list is posted at http://www.kaspersky.ru/license). The FSB only licenses two antivirus companies for work with state secret information: JSC Kaspersky Labs and Dr. Web. The licensing requirements effectively give JSC Kaspersky Labs and Dr. Web a monopoly on the Russian market, since the IT market is dominated by the Russian Government and large industry closely aligned with the government. Indeed, in 2009, the Russian Federal Antimonopoly Service (FAS) initiated proceedings against Kaspersky for possible violations of Russian antitrust laws, but no action appears to have been taken. Russian government tenders posted at zakupki.gov.ru frequently specify JSC Kaspersky Labs products as required based on their FSB/FSTEC licenses. The licenses are almost certainly critical to Kaspersky's future. According to Interfax, Kaspersky sales totaled $538 million in 2010 (the last year for which full data is available). However, the revenue breakdown was stated in such a way that it is impossible to identify specific sources.

Summary
Kaspersky's elevation of Flame to a status that it doesn't deserve (a "highly sophisticated cyber weapon") takes on a new meaning when you examine the close relationship between Kaspersky Labs and the Russian government, along with their relationship with the ITU and their parallel interests in promoting international cyber security agreements and cyber warfare treaties. Is Flame a means to a geopolitical end that favors those players' interests? I think it is.

RELATED:
"Kaspersky's Problematic Flame Analysis"



Monday, 28 May 2012

Kaspersky's Problematic "Flame" Analysis

Countries infected by Flame (SecureList 28MAY12)
I'm beginning to wonder what's going on over at Kaspersky Labs. Eugene Kaspersky has begun sounding like Richard Clarke with his warning about mega-cyber disasters during his keynote address at the AUSCERT IT security conference. Then there's his repeating of the Russian government mantra that a cyber weapons treaty is needed (it's not). Now Kaspersky Labs has called a virus whose only purpose is to steal data a "cyber weapon". Come on, guys. You've done some terrific research in the past with Duqu. Now, all of a sudden, it seems like you've become evangelists for a Russian government strategy to raise the stakes in cyber war rhetoric. Espionage is not warfare and never has been. Hence a tool created solely to conduct cyber espionage cannot also be legitimately called a cyber weapon.

You've also wrongly simplified the scope of cyber actors out there to three when it has never been that cut and dried:
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group.
You've conveniently failed to mention an important fourth category: mercenary hacker crews - principally from Russia and the Commonwealth of Independent States - who steal IP and sell it to both corporations and governments. Crews that would love a tool like Flame and who, in my opinion, are the most likely actors involved in using such a tool. If you'd be forthcoming with more information - such as Flame's Command and Control server URLs - a lot more could be learned about who may be behind this virus.

UPDATE (31 MAY 2012): See my related article "Flame, Russia and the ITU: A Geopolitical Agenda?"

Wednesday, 16 May 2012

China's Intelligence Apparatus: Implications for Foreign Firms

While I've been quite vocal about my views on both the wrongness and potential blowback of blaming China for every breach committed against U.S. companies and Western governments, it's important to understand the precise role that the Chinese intelligence services play in the interception of valuable IP through network attacks, industrial espionage, and other methods both within its borders and around the world.

To that end, I've asked Taia Global's newest China Security analyst, Matt Brazil, to write a white paper on this topic. Before joining Taia Global, Matt was a commercial officer at the U.S. embassy in Beijing. Matt has done a terrific job with this paper and I'm proud to offer it for general distribution to those companies who do business in China and want solid, hype-free data on the threat landscape. Questions or comments are welcome via email. Firms interested in Taia Global's services may contact us at 855-777-TAIA (8242).

Matt Brazil will be speaking at Suits and Spooks LA on the subject "Protecting IP By Cultivating Employee Loyalty in China". Space is limited and the early bird rate will expire on May 31.


Thursday, 15 March 2012

Commerce Secretary John Bryson Doesn't Understand Cyber Espionage

U.S. Department of Commerce Secretary John Bryson wrote an editorial for Politico, entitled "The New Face of Corporate Espionage", wherein he provides a high level overview of cyber espionage. While his motive is laudable, his content reveals a not surprising lack of knowledge about the threat. I say "not surprising" because I can count on one hand the number of senior government officials that I've met who understand the complexities of this problem. The give-away in Secretary Bryson's editorial is this sentence: "many cyber-intrusions could be prevented by implementing sound cybersecurity practices."

That's absolutely false. While many companies can do much more than they're presently doing, we're talking about adversaries that are adaptive. If the targeted corporation implements poor security, the attack vector will take advantage of an obvious flaw which "sound cybersecurity (sic) practices" could have remedied. However that doesn't mean that the attack won't happen. It just means that the adversary will find a different attack vector, or build a customized one (aka a "Zero-day") to mount a successful breach. The solution to cyber espionage isn't in implementing "sound security practices", nor will it be found in the passage of any of the cyber security bills currently before Congress. The U.S. will only begin to save its intellectual property from cyber thieves when corporate boards of directors force CEOs to inventory, segregate and monitor their critical data in real time which usually means re-architecting their entire network.

If Secretary Bryson is truly committed to saving American jobs by reducing the amount of cyber espionage being conducted today, then he needs to hire someone who understands the realities of the threat landscape to advise him, and then the Secretary should go on the road, visiting board rooms and stressing the need for each corporation that has invested in high value technology R&D to do what it takes to address this problem in an informed, serious, and dedicated way.

Tuesday, 13 March 2012

USCC Commission Report On China Misses the Boat on Cyber Espionage

The US-China Economic and Security Review Commission report "Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations (CNO) and Cyber Espionage" only delivered the goods on the CNO side. It's severely lacking on the cyber espionage side, especially regarding corporate cyber espionage, which is the main reason that Washington is putting pressure on China. Part of the problem might be that there's a lot more information available about China's CNO and Electronic Warfare buildup than there is about cyber espionage. While the report authors did a great job surveying China's military writings for this area, is that really news? Of course China is building up its cyber warfare capabilities. So are 30+ other countries around the world. There's nothing new there.

On the other hand, the report failed to document the cyber espionage risk associated with over 1200 foreign R&D labs operating in China. It barely mentioned the Ministry of State Security except as the former employer of Huawei Chairwoman Sun Yafang. The MSS plays a major role as both a foreign and sometimes domestic intelligence service and deserves a lot more attention in any report purporting to be about Chinese cyber espionage.

The report did a good job exploring part of the Supply Chain problem but only insofar as it had to do with chip development. It didn't cover the more common problem of U.S. companies who out-source their development work to Chinese firms or U.S. companies like Dell who do all of their manufacturing and R&D in China. This is as much a supply chain issue as the possibility of someone corrupting a microchip or selling counterfeit hardware. It's actually a worse problem because Dell is a large and trusted U.S. corporation which acquired the InfoSec firm SecureWorks last year. If anyone should write a report on the supply chain problems that come with buying Dell products (for example), it should be a U.S. government commission. Too bad that didn't happen this time around.


Tuesday, 14 February 2012

Cyber Threats Require An Expansion Of The Sensitive Countries List

The website Public Intelligence has released Sandia National Labs and the Department of Energy's Sensitive Countries List. This is a list of 26 countries where approval is required for a visit or an assignment by a DOE employee because the country is known to engage in activities which may be contrary to the interests of the U.S. Of those 26 countries, I've identified 11 who are also developing Computer Network Operations (CNO) capabilities, including Computer Network Exploitation (CNE):
  • Democratic Peoples Republic of Korea (North Korea)
  • Peoples Republic of China (including Hong Kong)
  • Georgia
  • India
  • Iran
  • Israel
  • Kyrgyzstan
  • Russian Federation
  • Syria
  • Republic of China (Taiwan)
  • Ukraine
There are actually many more countries with these capabilities that do not appear on the Sensitive Countries List, and I'm hopeful that that will change in the next few years.

Sunday, 18 December 2011

Just How Vulnerable To Attack Are U.S. Drone Operations?

GAO Reports Ongoing U.S. Air Force Vulnerabilities 

The alleged downing of an RQ-170 by Iran has raised a lot of public attention to existing problems in how the Air Force is managing its Unmanned Aerial Systems. As I reported earlier, an unknown person with FOUO access uploaded an Air Force report to the Public Intelligence website that detailed some of those vulnerabilities one day after Iran announced its capture. On Saturday another FOUO document appeared on PublicIntelligence.net regarding Afghan drone operations by the U.S. Marine Corps. The Government Accountability Office (GAO) has produced quite a few reports over the past few years that delineate numerous problems with Unmanned Aerial Systems, some going as far back as 2008. Some of the problems identified back then have yet to be fixed, such as the lack of a redundant satellite relay site (GAO report 10-331).

The above graphic illustrates the command and control framework that's in place for Predator, Reaper and Global Hawk UAS missions that support contingency operations in Iraq and Afghanistan. A ground control station in the U.S. takes control of the aircraft. A satellite relay site at a fixed location outside of CONUS relays signals from the ground control station to the UAS. Any disruption at the satellite relay site would impair the operation of the aircraft; there is a single point of failure in the C2 path. While the Air Force has told the GAO that it is working on implementing a redundant system to solve this problem, as of March 2010 it "had not conducted a detailed analysis of these options to determine the extent to which they would provide for the continuity of UAS operations, or established a specific milestone to formalize a plan that could be implemented quickly in the event of a disruption." Furthermore, the Air Force didn't anticipate bringing a redundant satellite system online until fiscal year 2012 at the earliest.

Two other detailed examinations of vulnerabilities present in the Air Force's UAS operations are in the following GAO reports (FOUO):
  • GAO, Defense Critical Infrastructure: DOD’s Evolving Assurance Program Has Made Progress but Leaves Critical Space, Intelligence, and Global Communications Assets at Risk, GAO-08-828NI (Washington, D.C.: Aug. 22, 2008)
  • GAO, Defense Critical Infrastructure: Additional Air Force Actions Needed at Creech Air Force Base to Ensure Protection and Continuity of UAS Operations, GAO-08-469RNI (Washington, D.C.: Apr. 23, 2008)
Cyber Attacks Against Unmanned Aerial System Producers and Developers
The above table of U.S. UAS producers and developers comes from the Department of Commerce's Flight Plan 2011 (.pdf). Of the 11 companies listed, the following have acknowledged that they have been the victim of cyber attacks: Boeing, Lockheed Martin, Northrop Grumman, and Raytheon. Most likely all 11 of these companies, as members of the Defense Industrial Base, would fall into that category, but the above four have gone publicly on record that they are constantly defending against malicious network attacks. However, this reflects only a tiny portion of the attack surface for an adversary who's looking to acquire intelligence on operations or R&D. Globalization has extended an adversary's ability to compromise UAS company networks by attacking affiliates or sub-contractors. For example, Japan's UAV association membership includes Mitsubishi Heavy Industries and Kawasaki Heavy Industries, both of whom were hit with simultaneous cyber attacks last summer and both of whom regularly partner with U.S. defense contractors such as Boeing on various projects.

Europe has 153 UAS producers and developers, some of whom are giant companies like EADS and BAE. BAE was implicated in the massive theft of data from the F-35 Joint Strike Fighter program in 2009 when it was believed that access to the data was gained by breaching BAE's network. It's impossible to know how many of those 153 companies have suffered attacks against their network but considering the value of this technology and the rapidly growing demand for drone aircraft world-wide, it would be naive to believe that any of their networks could withstand a targeted attack.

The most important outcome from Iran's capture of the RQ-170 should be an in-depth vulnerability assessment of both U.S. intellectual property and the operational vulnerabilities of our Unmanned Aerial System aircraft. This must include an international analysis of partnering companies like Boeing-Mitsubishi, Lockheed Martin-BAE, Insitu-ADASI, and many others. The worst outcome is blind denial that Iran or other U.S. adversaries are capable of compromising U.S. drone operations.

Wednesday, 14 December 2011

U.S. Air Force Study Reports Vulnerabilities in Drone C2 Systems

US Air Force Scientific Advisory Board graphic
Interesting timing. At some point after Iran captured a sophisticated RQ-170 RPA (Remotely Piloted Aircraft; UAV is a misnomer), the Public Intelligence website received an FOUO report entitled "Operating Next-Generation Remotely Piloted Aircraft for Irregular Warfare", published in April 2011 by the U.S. Air Force Scientific Advisory Board. One of the many issues that the panel was asked to investigate was electronic threats. Its related finding: "Limited communications systems result in communications latency, link vulnerabilities, and lost-link events."

Section 2.4.3 "Threat to Communication Links" expands on the state of vulnerabilities present for RPAs:
  1. Jamming of commercial satellite communications (SATCOM) links is a widely available technology. It can provide an effective tool for adversaries against data links or as a way for command and control (C2) denial.
  2. Operational needs may require the use of unencrypted data links to provide broadcast services to ground troops without security clearances. Eavesdropping on these links is a known exploit that is available to adversaries for extremely low cost.
  3. Spoofing or hijacking links can lead to damaging missions, or even to platform loss.

Section 2.4.4 "Threat to Position, Navigation, and Guidance":

  1. Small, simple GPS noise jammers can be easily constructed and employed by an unsophisticated adversary and would be effective over a limited RPA operating area.
  2. GPS repeaters are also available for corrupting navigation capabilities of RPAs.
  3. Cyber threats represent a major challenge for future RPA operations. Cyber attacks can affect both on-board and ground systems, and exploits may range from asymmetric CNO attacks to highly sophisticated electronic systems and software attacks.
These are just a few of the key findings that impact the mission of RPAs. With this report as background, the capture of the RQ-170 by Iranian forces needs to be evaluated fairly and not dismissed as some kind of Iranian scam for reasons that have more to do with embarrassment than with a rational assessment of the facts. Remotely Piloted Aircraft are the future of air combat, not just for the U.S. but for every military force in the world. Theft of this technology via cyber attacks against the companies doing R&D and manufacture of the aircraft is ongoing. Whether the Iranians got lucky or have acquired the ability to attack the C2 of the drone in question, there are obviously some serious errors in judgment being made at very high levels, and secrecy about it is only serving the ones guilty of making those bad decisions.
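The third finding under 2.4.3 (spoofing or hijacking links) comes down to whether the aircraft can tell a ground-station frame from anyone else's. What follows is an added example written for this page, not code from the Air Force report or from any RPA program: it models a command link once without authentication and once with a keyed MAC plus a sequence counter, then feeds both a legitimate frame, a forged frame and a replayed frame. The frame layout, command codes and the pre-shared link key are assumptions made for the illustration.

```python
"""Added illustration of finding 2.4.3(3): an unauthenticated command link accepts
forged and replayed frames; a keyed MAC with a monotonic sequence counter rejects both.
Example code for this page, not from the Air Force report. Frame layout, command
codes and the shared key are assumptions."""
import hashlib
import hmac
import struct

# Assumed frame layout: 4-byte sequence number, 1-byte command code, 2-byte signed
# argument (e.g. heading), followed on the protected link by a 32-byte HMAC-SHA256 tag.
HEADER = struct.Struct(">IBh")
TAG_LEN = 32

CMD_HEADING = 0x01
CMD_RETURN_TO_BASE = 0x02


def build_frame(seq, cmd, arg, key=None):
    """Encode a command frame; with a key, append an HMAC-SHA256 tag over the header."""
    body = HEADER.pack(seq, cmd, arg)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


class UnauthenticatedReceiver:
    """Models the weak link: any frame that parses is obeyed, whoever sent it."""

    def __init__(self):
        self.accepted = []

    def receive(self, frame):
        seq, cmd, arg = HEADER.unpack(frame[:HEADER.size])
        self.accepted.append((seq, cmd, arg))
        return True


class AuthenticatedReceiver:
    """Rejects frames whose tag does not verify and frames whose sequence number
    does not advance (a replay of an earlier, genuine frame)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.accepted = []

    def receive(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # forged or tampered frame
            return False
        seq, cmd, arg = HEADER.unpack(body)
        if seq <= self.last_seq:  # replayed frame
            return False
        self.last_seq = seq
        self.accepted.append((seq, cmd, arg))
        return True


def demo():
    """Run a legitimate command, a spoofed command and a replay against both receivers."""
    key = b"constructed-shared-link-key"  # assumption: pre-shared between GCS and aircraft
    attacker_key = b"attacker-guess"      # adversary does not hold the link key

    plain = UnauthenticatedReceiver()
    auth = AuthenticatedReceiver(key)

    # Constructed ground-control-station frames: set heading 090.
    legit_plain = build_frame(1, CMD_HEADING, 90)
    legit_auth = build_frame(1, CMD_HEADING, 90, key)
    # Constructed adversary frames: same layout, produced without the link key.
    spoof_plain = build_frame(2, CMD_RETURN_TO_BASE, 0)
    spoof_auth = build_frame(2, CMD_RETURN_TO_BASE, 0, attacker_key)

    return {
        "plain_accepts_legit": plain.receive(legit_plain),
        "plain_accepts_spoof": plain.receive(spoof_plain),
        "plain_accepts_replay": plain.receive(legit_plain),
        "auth_accepts_legit": auth.receive(legit_auth),
        "auth_accepts_spoof": auth.receive(spoof_auth),
        "auth_accepts_replay": auth.receive(legit_auth),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The keyed tag defeats the forged frame and the counter defeats the replay. Neither does anything about the first two findings: jamming still denies the link, and a tag on an unencrypted broadcast link leaves its contents readable, so authentication complements link encryption rather than replacing it. On a real link the counter also has to survive lost-link events and reconnects without resetting to zero, or the first frame after recovery becomes a replay window.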

UPDATE (1453 PST 14DEC11): I just confirmed with the Public Intelligence website that the Air Force document was provided to their site about one week ago which would make it the day after the news on the downed RQ-170 was announced. Clearly someone with FOUO access wanted this information to be made public to inform the controversy surrounding the incident.

Related:
Loss of the RQ-170. What Happens Next?
Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran
How Iran May Have Captured an RQ-170 Stealth Drone
Was Iran's Downing of the RQ-170 Related to the Malware Infection at Creech AFB?

Monday, 12 December 2011

General Cartwright's Inflammatory Remarks are Hurting, not Helping

General James E. "Hoss" Cartwright
Now that General Cartwright is free from the restrictions that he had to operate under as an employee of the U.S. government, his remarks regarding China are even more inflammatory than they were when he held the position of Vice Chairman, Joint Chiefs of Staff, at least according to this article in The Guardian.

"Right now we have the worst of worlds," said Cartwright. "If you want to attack me you can do it all you want, because I can't do anything about it. It's risk free, and you're willing to take almost any risk to come after me."
The US, he said, "needs to say, 'if you come after me, I'm going to find you, I'm going to do something about it.' It will be proportional, but I'm going to do something ... and if you're hiding in a third country, I'm going to tell that country you're there, if they don't stop you from doing it, I'm going to come and get you."

General Cartwright's opinion that the best cyber defense is a good offense is a throwback to his honorable career as a Marine waging war on a physical battlefield. Unfortunately, that strategy doesn't work in cyberspace. It's ironic that Dell SecureWorks has come out on Cartwright's side in this debate, since Dell is heavily invested in its operations in China. SecureWorks' engineers would make better use of their time by creating a way to test Dell servers for backdoors than by trying to get legal permission to attack the Chinese hacker crews that they suspect are behind espionage attacks against U.S. corporations.

Calls to action are good and appropriate for a problem as serious as IP theft has become, and the frustration at the lack of effectiveness of what we're currently doing is certainly understandable. The problem is that the outlet for that frustration is being directed in a harmful, not helpful, way. Giving the green light to U.S. industries to "go after" groups that they perceive as bad actors is akin to vigilantism and could easily trigger a war that spills over into actual bombs and bullets instead of bits and bytes. Further, any information security outfit that believes the problem is solely China doesn't have a clue about the nature of the environment it's supposed to be operating in. Besides Russia and North Korea, U.S. allies like France, Germany, and Israel are benefiting from acts of cyber espionage against the U.S. too, and if they're smart about it (and they are), they'll leave evidence which implicates China. General Cartwright's calls for offensive action simply play into the hands of those states' strategies of misdirection and obfuscation.

A smarter and more effective alternative is to switch from network-centric to data-centric protective mechanisms. If you want to keep your valuable data from being stolen, you first have to start monitoring it. Threatening China or any other country is just wasting valuable time and making the person doing the threatening look ineffective.
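As an added illustration of the data-centric approach argued above (example code written for this page, not the author's method or any vendor's product): fingerprint the documents that matter and score whatever leaves against them, so a paragraph lifted out of a design note is flagged even when the network path it took looks normal. The shingle size, the alert threshold and both sample documents are constructed for the example.

```python
"""Added illustration of data-centric monitoring: fingerprint sensitive documents as
sets of hashed word windows ("shingles") and score outbound content against them.
Example code for this page, not the author's or any product's. Window size, threshold
and sample texts are assumptions."""
import hashlib
import re

SHINGLE_WORDS = 5      # assumption: 5-word windows survive light editing and excerpting
ALERT_THRESHOLD = 0.2  # assumption: 20% of a document's shingles in one message is an alert


def _shingles(text):
    """Lower-case, tokenise to [a-z0-9]+ words and hash every overlapping 5-word window."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    out = set()
    for i in range(len(words) - SHINGLE_WORDS + 1):
        window = " ".join(words[i:i + SHINGLE_WORDS])
        out.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return out


class DataMonitor:
    """Registry of fingerprinted documents plus a scorer for outbound content."""

    def __init__(self):
        self.registry = {}

    def register(self, name, text):
        """Store only the shingle hashes; the monitor never needs the document itself."""
        self.registry[name] = _shingles(text)

    def scan(self, outbound_text):
        """Return {doc_name: fraction of that document's shingles seen in outbound_text}
        for every registered document at or above ALERT_THRESHOLD."""
        probe = _shingles(outbound_text)
        hits = {}
        for name, fingerprint in self.registry.items():
            if not fingerprint:
                continue
            overlap = len(fingerprint & probe) / len(fingerprint)
            if overlap >= ALERT_THRESHOLD:
                hits[name] = round(overlap, 3)
        return hits


# Constructed sample documents (not real program material).
SENSITIVE_DOC = (
    "Project Chimera airframe design notes. The composite wing spar uses a layered "
    "carbon weave rated for sustained loads above the certified envelope. Flight test "
    "data from the third prototype is attached. Do not forward outside the program."
)
OUTBOUND_EXCERPT = (
    "Hi Tom, quick question on the wing: the composite wing spar uses a layered carbon "
    "weave rated for sustained loads above the certified envelope. Is that still true "
    "for the next build? Thanks"
)
OUTBOUND_BENIGN = "Lunch on Thursday? The new place near the office has good noodles."


def demo():
    """Register the design note, then scan one message that quotes it and one that doesn't."""
    monitor = DataMonitor()
    monitor.register("chimera-design-notes", SENSITIVE_DOC)
    return monitor.scan(OUTBOUND_EXCERPT), monitor.scan(OUTBOUND_BENIGN)


if __name__ == "__main__":
    exfil, benign = demo()
    print("quoted excerpt:", exfil)   # the design note is flagged
    print("benign message:", benign)  # nothing flagged
```

The scan belongs wherever data actually leaves: the mail gateway, web proxy, file-share egress, removable media. Storing only hashes means the monitoring point never holds a copy of the crown jewels. The obvious limit is that compressed, encrypted or re-typed content produces no matching shingles, so content matching has to sit alongside access auditing on the sensitive stores themselves; the point is that both watch the data rather than the perimeter.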

Related:
Attribution: Vital for Offense, Irrelevant for Defense

Friday, 4 November 2011

A Review of the NCIX Report on Foreign Economic Collection and Industrial Espionage

Although this is the 14th report on Foreign Economic Collection and Industrial Espionage, it's the first to be written by the Office of the National Counterintelligence Executive (ONCIX), which sits under the Office of the Director of National Intelligence. It's also the first to include cyber espionage in its coverage, which was a bit surprising to me considering how long cyber espionage has been around. Another first in this report is that the ONCIX expanded its traditional sources within the government to include the private sector as well as academic research, in an effort to gain the broadest possible coverage of the problem. The report also mentioned, but didn't specify, "new sources of government information".

I liked this report very much. It's the first official report that I've seen which names Russia alongside China as a source of cyber espionage. I can't tell you how exhausting it's been to try to refute so-called experts who proclaim loudly and often the twin fallacies that only China engages in cyber espionage while only Russia engages in cyber crime. When confronted, some of these experts will fall back on the "if you only had a clearance" retort. Well, ONCIX is cleared, and they came up with essentially the same assessment that I usually give:
We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.
The report gets a lot of things right. While it mentions specific states like Russia and China, it also gives tangible examples of espionage that have nothing to do with cyberspace. This is important because it sets a precedent for Russia and China's past activities. Cyberspace has simply made it easier and more efficient for the collectors. For example:
Dongfan Chung was an engineer with Rockwell and Boeing who worked on the B-1 bomber, space shuttle, and other projects and was sentenced in early 2010 to 15 years in prison for economic espionage on behalf of the Chinese aviation industry. At the time of his arrest, 250,000 pages of sensitive documents were found in his house. This is suggestive of the volume of information Chung could have passed to his handlers between 1979 and 2006. The logistics of handling the physical volume of these documents—which would fill nearly four 4-drawer filing cabinets—would have required considerable attention from Chung and his handlers. With current technology, all the data in the documents hidden in Chung’s house would fit onto one inexpensive CD.
Further, the report demonstrates motivation by identifying key technologies of interest to developing and developed nations:
  • Information and communications technology (ICT), which forms the backbone of nearly every other technology.
  • Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with US businesses or the US Government.
  • Military technologies, particularly marine systems, unmanned aerial vehicles (UAVs), and other aerospace/ aeronautic technologies.
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and health care/pharmaceuticals.
Taia Global clients get a more specific assessment of various nation states' "shopping lists" which help us identify who our clients may have been attacked by, but I'm really happy to see this assessment included in the NCIX report.

While it has many positive points, this report falls short in a few areas. It could have included more information about how Russia is engaging in cyber espionage. Also, under Resources for Help in Appendix A, the report says to contact the NCIX or the FBI for assistance in developing effective data protection strategies. I don't have any experience in working with the NCIX, but I can tell you that the FBI is completely overwhelmed by cyber cases. We regularly hear from companies who have been contacted by the FBI about a breach in their network but who receive very little to no help at all after the initial contact. They just don't have the resources. Short of the FBI, there's no one else in government that the authors of this report could reasonably list as a point of contact for assistance.

One might think that they could have listed US-CERT and DHS but neither organization has proven itself as particularly effective or competent in protecting civilian infrastructure. They couldn't list private information security companies for obvious reasons so this underscores a gap that may need filling by a non-profit public-private entity yet to be created.