Fear The Night Hacking

admin

Correction appendedLying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an e-mail from an associate with a subject line that looked legitimate caught the man’s eye. The subject line said “2011 Recruitment Plan.” It was late winter of 2011. The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA. RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.The parent company disclosed the breach on March 17 in a filing with the Securities and Exchange Commission.

That first night, acutely aware that my sleep (or lack of it) would be tracked and scored, I tossed and turned, repeatedly thinking about the data that would be produced. Frustration, and fear.

The hack gravely undermined the reputation of RSA’s popular SecurID security service. As spring gave way to summer, bloggers and computer-security experts found evidence that the attack on RSA had come from China. They also linked the RSA attack to the penetration of computer networks at some of RSA’s most powerful defense-contractor clients—among them, Lockheed Martin, Northrop Grumman, and L-3 Communications.

Few details of these episodes have been made public. The RSA and defense-contractor hacks are among the latest battles in a decade-long spy war. Hackers from many countries have been exfiltrating—that is, stealing—intellectual property from American corporations and the U.S. Government on a massive scale, and Chinese hackers are among the main culprits. Because virtual attacks can be routed through computer servers anywhere in the world, it is almost impossible to attribute any hack with total certainty.

Dozens of nations have highly developed industrial cyber-espionage programs, including American allies such as France and Israel. And because the People’s Republic of China is such a massive entity, it is impossible to know how much Chinese hacking is done on explicit orders from the government. In some cases, the evidence suggests that government and military groups are executing the attacks themselves. In others, Chinese authorities are merely turning a blind eye to illegal activities that are good for China’s economy and bad for America’s. Last year Google became the first major company to blow the whistle on Chinese hacking when it admitted to a penetration known as Operation Aurora, which also hit Intel, Morgan Stanley, and several dozen other corporations. (The attack was given that name because the word “aurora” appears in the malware that victims downloaded.) Earlier this year, details concerning the most sweeping intrusion since Operation Aurora were discovered by the cyber-security firm McAfee. Dubbed “Operation Shady rat,” the attacks (of which more later) are being reported here for the first time.

Most companies have preferred not to talk about or even acknowledge violations of their computer systems, for fear of panicking shareholders and exposing themselves to lawsuits—or for fear of offending the Chinese and jeopardizing their share of that country’s exploding markets. Government, for its part, has been fecklessly circumspect in calling out the Chinese. A scattered alliance of government insiders and cyber-security experts are working to bring attention to the threat, but because of the topic’s extreme sensitivity, much of their consciousness-raising activity must be covert. The result in at least one case, according to documents obtained by Vanity Fair, has been a surreal new creation of American bureaucracy: government-directed “hacktivism,” in which an intelligence agency secretly provides information to a group of private-sector hackers so that truths too sensitive for the government to tell will nevertheless come out. This unusual project began in March, when National Security Agency officials asked a private defense contractor to organize a cadre of elite non-government experts to study the RSA cyber-attacks. The experts constituted a SEAL Team Six of cyber-security and referred to their work as Operation Starlight. “This is the N.S.A.

Outsourcing the finger-pointing to the private sector,” says one person who was invited to join the group and has been privy to its e-mail logs. Provided Operation Starlight with the data it needed for its forensic analysis. Operation Starlight’s secret “Working Draft Version 0.2” report, dated April 4, 2011, has a cover page that bears a galactic image resembling a meteor-pockmarked moon.

The source who provided Vanity Fair with the document emphasized that the draft is just that—a draft—and said that Starlight’s provisional conclusions are subject to change. (The source also says that Operation Starlight’s analysis will continue for a matter of months, and possibly as long as a year.) As of April, however, the draft report argued that the RSA hacks represent an “organized, concerted campaign on behalf of China.” It also suggested that RSA had been under attack, perhaps by different groups, for months prior to the attack that the company acknowledged in March. In July, in the lengthiest interview that RSA officials have given since their troubles began, executive chairman Art Coviello and EMC chief security officer Dave Martin resisted those suggestions. Coviello admitted that the SecurID hack was preceded in March by “pretty heavy-duty reconnaissance.” He refused to say specifically when the attack began or ended, but described the duration as “a matter of days, not weeks.” He agreed that the evidence suggested that the SecurID attack had come from a nation-state, but declined to accuse a specific country. “The Adversary”If you were designing a new jetfighter for Lockheed Martin, sooner or later you would have to travel to an air-force base to talk to military personnel about what they want the new jetfighter to do. Meetings over, you’d go back to your hotel room, fire up your laptop, and log on to Lockheed’s remote network to get some work done. In order to log on, you’d have to glance down at an inch-long red-white-blue-and-gray plastic key-chain fob, shaped vaguely like a key, on which a little L.E.D.

Screen displays strings of six to eight digits that change every minute or so. Adding those numbers to the basic password that you’d memorized, you would type the whole hybrid string of characters into the Lockheed-network log-in box—and then you would be in. That key fob, called a SecurID token, is RSA’s best-known product. The strings of numbers on its screen are generated by a microchip using the SecurID algorithm and a unique cryptographic seed.Each numeric string is called a “one-time password,” and, when entered in combination with your own chosen password, it bumps up your network’s security by means of “two-factor authentication.” As of March 2011, RSA commanded 70 percent of the market for this form of security.

More than 25 million of these tokens are in circulation, and for years they have been used by most U.S. On April 1, the RSA Web site published a blog posting titled “Anatomy of an Attack” by the company’s head of new technologies, Uri Rivner. Yesterday origins wiki. Chatty and anecdotal, it described the “2011 Recruitment Plan” e-mail, one of two e-mails sent to low-level employees. Body CountChina’s aggressive campaign of cyber-espionage began about a decade ago, with attacks on U.S. Government agencies.

(The details have still not been divulged.) Then China broadened the scope of its efforts, infiltrating the civilian sector in order to steal intellectual property and gain competitive advantage over Western companies. Dmitri Alperovitch, vice president of threat research at McAfee, who gave Aurora and Night Dragon their names and has written definitive studies of A.P.T.

Attacks, says that “today we see pretty much any company that has valuable intellectual property or trade secrets of any kind being pilfered continually, all day long, every day, relentlessly.”. Three people who visited Google’s Mountain View, California, headquarters while the attacks were in progress describe dramatic scenes of a company under siege. Google “built a physically separate area for the security team,” one of them says.

Sergey Brin, one of the company’s co-founders, was deeply involved in the cyber-defense. “He moved his desk to go sit with the Aurora responders every day. Because he grew up in the Soviet Union, he personally has a real hard-on for the Chinese now.

He is pissed.” Caught unawares and shorthanded, the company made a list of the world’s top security professionals, and Brin personally called to offer them jobs—with $100,000 signing bonuses for some, according to one person who received such an offer—and quickly built Google’s small, pre-Aurora security operation into a group of more than 200.Meanwhile, representatives of other companies hit by Aurora were invited to the Googleplex for private meetings with Adkins. She told two of the visitors that the attackers had made a beeline for Google’s “legal-discovery portals,” the system the company uses to evaluate requests for information from law-enforcement agencies and foreign governments. “The activity on those portals is closely monitored,” one visitor says. From the start, Google openly asserted its view that the attack originated in China, and Hillary Clinton, after being “briefed by Google on these allegations,” issued a statement that pointedly said, “We look to the Chinese government for an explanation.” A report by Verisign iDefense, a security-intelligence service based in Dulles, Virginia, went further, stating that Aurora was directed by “agents of the Chinese state or proxies thereof.” The Chinese government made no official, public response to Clinton’s statement. But shortly thereafter, a spokesman for China’s Ministry of Industry and Information Technology told Xinhua, the official news agency, about the allegations regarding Google, that the “accusation that the Chinese government participated in any cyber attack, either in an explicit or inexplicit way, is groundless and aims to denigrate China.”Yet, in the case of Aurora, there is evidence of involvement. After researchers found similarities between the tools used in the Aurora attacks and malware tools that were posted on open Chinese hacker forums, many analysts speculated that Beijing had employed civilian hackers as proxies to launch the attacks. A leading security-intelligence analyst says he received several dozen tips from sources in China suggesting that, “in point of fact, it was the P.R.C.

Government taking or demanding access to some of the research that the hackers had been doing, and then using it themselves.” The analyst goes on: “The Chinese government has employed this same tactic in numerous intrusions. Because their internal police and military have such a respected or feared voice among the hacking community, they can make use of the hackers’ research with their knowledge and still keep the hackers tight-lipped about it. The hackers know that if they step out of line they will find themselves quickly in a very unpleasant prison in western China, turning large rocks into smaller rocks.” In an undated cable made public by WikiLeaks, one American diplomat in Beijing reported to Washington that Aurora was an act of revenge ordered by a Chinese politburo member who had Googled himself and found a raft of unflattering articles.The SecurID hack used the same basic technique as Operation Aurora and many other recent intrusions, though it made use of different specific tools. The technique, called “spear-phishing,” begins with reconnaissance to find personal information about a company’s employees. The Adversary may troll social-networking sites, including Facebook and Twitter, or may research e-mail archives exfiltrated in previous attacks to diagram its victims’ social situations.

Then the Adversary writes e-mails or sends instant messages individually tailored to the recipients and sends them, with malicious attachments, from identities that the victim is likely to trust. If the recipient clicks on the attachment, the malware, called a remote-access tool, or “rat,” hooks itself into the user’s Windows operating system inside the company’s firewall.

The rat is manually operated by the Adversary—an actual person, sitting at a computer, waiting to take over the victim’s machine. “The initial machine is just a beachhead,” explains McAfee’s Dmitri Alperovitch. “From that point, the Adversary will move into document repositories, e-mail archive servers, proceed to take the data and ship it out of the company through another mechanism, typically by setting up a second, command-and-control server that they will exfiltrate data to. From the moment you’ve clicked on the malware, there is another individual on the other end adapting to your network eco-system, your security system, and trying various things until they succeed in getting what they want. It’s like a Predator drone in Pakistan that’s being controlled by a joystick in Nevada.”.

Some of the types of tools that the RSA hackers used—the rat, the command-and-control-server infrastructure, and the remote domains—had previously been employed in a persistent series of attacks on the Department of Defense and other U.S.-government systems. These attacks were originally code-named Titan Rain. After Titan Rain was made public, it was re-christened with the code name Byzantine Hades, and after that name, too, was made public, Byzantine Hades was re-dubbed with at least three more new classified code names, according to a former N.S.A. Some top intrusion specialists attribute this series of attacks to a group in China called the Red Hacker Alliance, which has suspected ties to the People’s Liberation Army.

(The particular malware and command-and-control servers used in the SecurID hack, however, were unique, and had not been used in previous attacks.)Act of War?On May 21, the computer systems of America’s largest military contractor, Lockheed Martin, detected an intruder. A week later, Lockheed acknowledged the breach in a statement. The company called the attack “significant and tenacious” but also said that it had been detected “almost immediately,” at which point the company took “aggressive” actions to stop it. “Our systems remain secure; no customer, program or employee personal data has been compromised,” the statement said—leaving open the questions of how an intrusion could be both “tenacious” and detected “almost immediately,” and how it could be “significant” without compromising any data.

The event was noteworthy enough that President Obama was briefed on the situation. An unnamed Lockheed executive told The New York Times that investigators “cannot rule out” a connection to the RSA breach.

RSA said that it was “premature to speculate” on the cause of the attack.On May 31, news broke that L-3 Communications, which provides intelligence, surveillance, and reconnaissance technology to the U.S. Government, had also been attacked, according to an e-mail to L-3 employees dated April 6. The e-mail said that L-3 had been “actively targeted with penetration attacks leveraging the compromised information” from the RSA breach. When asked whether intruders had gained the ability to clone SecurID key fobs, an RSA spokeswoman said, “That’s not something we had commented on and probably never will.”The next day, June 1, Fox News reported that Northrop Grumman had cut off remote access to its network without warning, resetting domain names and passwords, and causing “chaos” across the company, according to an unnamed Northrop executive. The company’s official response to Fox’s questions on the matter was, verbatim, the same as its response to my questions about previous reported hacks, going back several years: “We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions.”. That same day, Google made its first allegation of Chinese hacking since Operation Aurora, announcing that it had thwarted an attempt from China to steal the Gmail passwords of senior U.S. Government officials.

The next week, on June 7, RSA’s Art Coviello gave a mea culpa interview to The Wall Street Journal, admitting that the entire SecurID system was compromised, offering to replace practically all of the millions of tokens on the market—and infuriating many of its customers, some of whom were reported to be sundering their relationship with RSA and hiring new security companies. Coviello says that he made the replacement offer because, “post-Lockheed, customers had a lower tolerance for risk,” and he says that “less than 10 percent of our customers have requested replacement tokens.”This onslaught of revelations was all the more extraordinary because American industry has so few incentives to come clean about its losses, and so many incentives to cover them up. Was it a coincidence that, only hours before Northrop’s and Google’s alleged hacks became public, the Pentagon provided an element of its forthcoming cyber-war strategy to The Wall Street Journal, declaring that the U.S. Will consider some cyber-attacks to be the equivalent of physical acts of war?

Like so many Rip Van Winkles, most of Washington has been asleep while cyber-attacks proliferated. But a few voices have been trying to wake the town up.

One belongs to Scott Borg, director and chief economist of the U.S. Cyber-Consequences Unit, whose research indicates that China, to sustain economic growth, “is relying increasingly on large-scale information theft. This means that cyber attacks are now a basic part of China’s national development strategy.” Another voice is that of James A. Lewis, a former diplomat who now leads the Technology and Public Policy Program at the Center for Strategic and International Studies. He says, “The thing we have to work through is, how do we want to work with the Chinese on this issue? This administration has decided they want to cooperate, not have a confrontation.” A senior State Department official elaborates: “One of the core things we’re trying to do diplomatically is to build a consensus internationally to build norms of behavior, rules of the road,” as described in the president’s “International Strategy for Cyberspace.” (The norms include “Upholding Fundamental Freedoms,” “Respect for Property,” and “Right of Self-Defense.”) James A.

Lewis goes on: “This is what we did on missile proliferation. Our allies showed up and we all said, ‘Here are the norms.’ But how do we get a flow of countries to show up and say, ‘You’re crossing a line. Back off, or there will be consequences’?

What is the cost to the Chinese right now? Until there is some cost, they’re not going to stop.”Another White House document, the “Comprehensive National CyberSecurity Initiative,” as well as several bills in Congress, propose ways of protecting critical infrastructure, such as electrical grids, from cyber-intrusions. China has so thoroughly probed and mapped our power system that former director of national intelligence Dennis Blair once publicly admitted that “a number of nations, including Russia and China, can disrupt elements of the U.S.

Information infrastructure.”Still others are trying to address the economic impact of cyber-espionage. On May 11, Senator Jay Rockefeller and several of his colleagues sent a letter to Mary Schapiro, chair of the U.S. Securities and Exchange Commission, asking the S.E.C. To issue interpretive guidance for companies about disclosing material risk due to cyber-breaches. The morning Rockefeller sent his letter, Tom Kellermann, a former cyber-security specialist at the World Bank, told me that the S.E.C. Would force companies to make significant disclosures. “The dragon lady’s gonna rain down fire,” he said.The dragon lady has her work cut out for her.

One industrial-control-systems security specialist recalls a conversation with a chief financial officer and a chief information officer of a major corporation after finding 65 vulnerabilities in the company’s networks, which would have required a huge investment to fix. “What’s the worst that can happen if we don’t fix any of these?” the C.F.O. Asked.“We have large exposure,” answered the C.I.O. “We could potentially be attacked—”“No, no, no.

What is the financial impact if we don’t do any of these?”. “We’re not regulated or audited, so there won’t be any fines.”The C.F.O.

Answered, “You get no budget,” and the topic was closed.The persistent culture of secrecy surrounding all things cyber compounds the difficulty of taking practical steps against Chinese hacking. Much, perhaps most, information about cyber-conflict of all types is classified, which creates tremendous practical problems of communication. Sometimes, when the F.B.I. Learns of an intrusion through classified channels, the Bureau has to find other, unclassified evidence of the intrusion in order to be able to tell the victim what is happening.

“If it’s a defense contractor being hacked, then the victim company includes people with clearances, so communication is easy. But if you’re talking about a company where no one has clearances, that presents a significant problem”—and can create a significant time delay between the discovery of a hack and the victim’s awareness of exposure, according to one cyber-security analyst. Playing the FoolYet the deeper I delved into the Chinese hacking problem, the more I discovered a network of individuals in government and the private sector who are serving as a semi-official Resistance in this secret war. A handful of influential congressional staffers who shape Hill debate on these matters put me in touch with top intrusion specialists who are former hackers, military personnel, or National Security Agency officials. These analysts are the civilian, cyber-equivalent of special-ops forces.

When my phone rang very late one night this spring, I was surprised to see the name of one of these analysts on the screen. In the mood to talk, he spent most of an hour describing his work to me, naming names and counting losses with shocking precision, though forbidding me to repeat the details of his disclosures.In this conversation—the first of several that took place over the following months—the man said that he had started his career protecting government networks against foreign attacks. On that job, he became so preoccupied with the scale of Chinese hacking that a senior military officer told him to stop talking about it, with the gruff explanation that “the reason this is still going on is that the Chinese government now owns us.” Frustrated, the analyst eventually left government service for the private sector.The problem may be reaching a boil that will take significant willpower to ignore. In mid-July, the security firm McAfee shared exclusively with Vanity Fair the results of its latest cyber-espionage investigation. McAfee reports that, over a period of five years, a single Adversary penetrated more than 70 organizations, from giant multi-national corporations to tiny nonprofits, representing more than 30 industries around the world, and exfiltrated intellectual property—including e-mail archives, legal contracts, negotiation plans for business activities, design schematics, and government secrets—as soon as its spear-phishing victims clicked on a link to a Web page. One country’s Olympic committee was compromised for a full 28 months; many other organizations were compromised for two whole years.

His love of rhythmically-paced, wide-angle-lensed sequences shows just how much he's learned while working at To's Milkyway production company on recent hard-boiled collaborations like 'Motorway' and '.' You could easily ask the same question about the unusually well-developed sub-plot concerning Hung and his brother. But Cheang, a student/former collaborator of master action filmmaker, holds everything together admirably. But none of these narrative tangents really distract from the film's main narrative, since so much of the film's main thrust is discursive. In the wrong hands, 'discursive' would be a polite way of saying 'messy.' Killzone 2 full movie.

McAfee has given the name Operation Shady rat to this set of intrusions. Dmitri Alperovitch, who discovered Operation Shady rat, draws a stark lesson: “There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”The full list of Operation Shady rat’s victims includes government agencies and corporations worldwide.

The vast majority of victims—more than two-thirds of the total—are in the U.S. Among the other countries targeted are Taiwan, South Korea, Japan, Hong Kong, Singapore, India, Germany, and the U.K. In 2007, the year before the Beijing Olympics, one international athletics organization and the Olympic committees of three different countries were breached by this intruder. Alperovitch believes the targeting of the Olympic committees and of American political nonprofits suggests the intrusions were state-sponsored, explaining, “There’s no economic gain to compromising them.” When asked if the People’s Republic of China was conceivably behind Shady rat—given that China was not itself attacked—Alperovitch noted that McAfee’s policy was not to comment on attribution. He added, “If others want to draw that conclusion, I certainly wouldn’t discourage them.”. Another security researcher who was on the front lines during Operation Aurora says, “Those of us who are hands-on-keyboard want this story to be told, because we feel like the top corporate managers—following the advice of their lawyers—are reflexively keeping breach information secret from other companies that are trying to defend themselves. In the big picture, a little bit of short-term embarrassment is worth it, to get the American people to understand that there’s a low-level Cold War going on.” Despite—and also because of—the extreme secrecy surrounding industrial cyber-espionage, this phenomenon is gradually effecting a fundamental re-arrangement of the relationship between state and corporate power.

Michael Hayden was the director of the N.S.A. And then the C.I.A. During the period when the problem of Chinese cyber-espionage developed. In a conversation with him about Operation Aurora, I asked what he believed to be the most significant fact about those intrusions.He answered, “You see Google acting in some ways as nation-states used to act, exercising to the best of their ability some attributes traditionally associated with sovereign states.

‘We’re going to break relationship’—cease doing business there, you know. It’s something I dwell on a lot.

The cyberworld is so new that the old structures, you know—state, non-state, public, private—they all break down The last time we had such a powerful discontinuity is probably the European discovery of the Western Hemisphere. At that point, we had some big, multi-national corporations—East India Company and Hudson’s Bay—that acted as states. And I see elements of that with the big Microsofts and Googles of the world. Because of their size, they actually are making decisions that have the impact of the kinds of decisions made in the halls of government. Google is not a state.

But what constitutes Google’s inherent right of self-defense in this new environment against this kind of attack? I’m not accusing anyone of doing anything wrong. These situations are just so different.

What do we believe would be legitimate for Google to do in response to this? Now, I don’t have answers.

I really don’t know, but it’s a really good question.”Operation Starlight has an old-fashioned answer to that question: Find the culprits and put them to shame. Its draft report declares: “The attacker’s name, telephone number records, and other pertinent information should be divulged to the public in order to support attacker attribution and assist in tracking back to the source.”But no one believes that this tactic by itself will solve the problem—or that corporations will embrace their long-term best interest anytime soon. Rather, so long as executives and politicians are guided by short-term self-interest, they will continue to play the fool to the country that would be king. “You need to consider: What are the subconscious assumptions that companies bring to the issue of foreign cyber-attacks on their networks?,” a senior Senate staffer who works on cyber-issues asked me. “They assume that if something bad happens government will take care of the losses. They act like they don’t really believe that a bank could get completely taken out, or that a tech giant could get its whole lunch eaten, because it sounds as fictional as 9/11 would have sounded before it happened.

But terrorism is not the best analogy here. Who could have imagined that people would have flown airplanes into buildings? The difference with cyber is there are people trying to fly planes into buildings every day now.

And everybody just looks the other way.”correction: The online version of this story reflects two developments that came to light since the magazine went to press. The number of athletics organizations breached in 2007 by the Shady rat intruder was one, not two. Additionally, American defense contractors were not among those whose systems were compromised for two whole years.