Tag Archives | Espionage

Warning shots will only be fired so many times

The US-China Economics and Security Review Commission has just recently submitted its 2010 report to the US Congress (PDF) and the chapter on “China and the Internet” is a particularly interesting read. It touches on various topics including

  • Use of the Internet for “propaganda and ideological work” and to “guide public opinion”
  • Regulations that give home-grown technology companies an unfair advantage
  • The standoff between Google and China vis-à-vis Operation “Aurora”
  • Attacks on the Indian government
  • Internet traffic manipulation

While I hate fear-mongering with a vengeance, it would be stupid to ignore the warning signs emanating from China. Information warfare has been absorbed into Chinese military thinking and philosophy, and we will be sitting ducks if we do not take evasive, defensive and offensive actions.


Why did GhostNet succeed?

The recent increase in attention given to cyber security is thanks in no small measure to the works published by Information Warfare Monitor and Shadowserver Foundation titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0” as well as the earlier report titled “Tracking GhostNet: Investigating a Cyber Espionage Network”. Both detail the existence of cyber espionage operations targeted against Tibetan and Indian officials and institutions, allegedly run by the Chinese. If you haven’t read these reports yet, you should.

There is enough content in these reports to provide fodder for several posts at Vyuha, ranging from technical discussions of how the espionage network was run to higher-level “what have we learnt” pieces. This post looks at one of the factors that allowed this episode to play out – the effectiveness of the malware attacks that were used to set up the exfiltration network.

The reports identify that the attackers used Microsoft Office (DOC, XLS, PPT) and PDF files to deliver their malware, and that the information-gathering phase before delivery must have been involved and meticulous.

What is surprising and frustrating about the whole attack is that while the malware was delivered in a targeted and effective manner, there is no proof that it exploited any 0-day vulnerabilities in the applications; it could therefore have been caught and prevented from wreaking havoc on the target machines. Why were the vulnerable applications not patched? Did the targeted machines have protective mechanisms in place, such as updated anti-virus or HIPS software? If not, why not? Given that the information leaked from the exfiltrated documents was of a sensitive nature, it can be assumed that the people operating those machines had specific clearance. Why were their working environments not better secured? In addition, were network-based Intrusion Detection/Prevention Systems installed on these networks, and if so, why were they not effective in preventing, or even detecting, these attacks?

A lot of questions with few answers. But then that has been the case with all the questions raised by the public about this incident.
