The New Cyber Threat

In Depth | BusinessWeek, April 21, 2008

By Brian Grow, Keith Epstein, and Chi-Chu Tschang
Illustrations by Joao Ros
Photo: Robert Llewellyn/JupiterImages

How safe are our secrets? More and more trained pros are breaking into America's most sensitive computer networks.

The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a list sent over by the Pentagon of weaponry on order by India. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as Poison Ivy designed to suck sensitive and classified data out of the $4 billion consulting firm's computer network. It turns out the Pentagon hadn't sent the e-mail at all—the malicious code was launched from network servers in a nondescript building on the banks of China's Yangtze River. Whoever authored the e-mail knew enough about the sender and recipient to craft a message that was unlikely to arouse suspicion. Had the Booz Allen executive clicked on the attachment, the full force of the virus would have been unleashed and his every keystroke reported back to a mysterious master at the Internet address cybersyndrome.3322.org.

The U.S. government, and its sprawl of defense contractors, have been the target of an unprecedented rash of similar cyberattacks over the last two years. "It's espionage on a massive scale," says Paul B. Kurtz, a former high-ranking national security official. Government agencies reported 12,986 cybersecurity incidents to the U.S. Homeland Security Dept. last fiscal year, triple the number from two years earlier. Incursions on the military's networks were up 55% last year, says Lieutenant General Charles E. Croom, head of the Pentagon's Joint Task Force for Global Network Operations. Private firms like Booz Allen are just as vulnerable—"and pose just as much security risk. They have our information on their networks. They're building our weapon systems. You wouldn't want that in enemy hands," Croom says. Cyberattackers "are not denying, disrupting, or destroying operations—yet. But that doesn't mean they don't have the capability."

Shutting Down Ports

When the deluge began in 2006, officials scurried to come up with software patches, wraps, and other bits of triage. The effort got serious last summer when top military brass quietly summoned the chief executives or their representatives from the 20 largest U.S. defense contractors to the Pentagon for a threat briefing. Since then, BusinessWeek has learned, the U.S. government has launched a classified operation called Byzantine Foothold to detect, track, and disarm intrusions on the government's most critical networks. And President George W. Bush on Jan. 8 quietly signed an order to overhaul U.S. cyberdefenses, establishing 12 distinct goals, according to people briefed on its contents. One goal in particular illustrates the urgency and scope of the problem: By June all government agencies must cut the number of tiny communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 9, Homeland Security Dept. Secretary Michael Chertoff called the President's order a cybersecurity "Manhattan Project." First, he said, "the U.S. must get our own house in order."

But many security experts worry the Internet has become too unwieldy to be tamed. New viruses appear every day, each seemingly more sophisticated than the previous one. The Defense Dept., whose Advanced Research Projects Agency (DARPA) developed the Internet in the 1960s, is beginning to think it created a monster. "You don't need an Army, a Navy, an Air Force to beat the U.S.," says General William T. Lord, commander of the Air Force Cyber Command, a unit formed in October, 2006, to upgrade Air Force computer defenses. "You can be a peer force for the price of the PC on my desk." Military officials have long believed that "it's cheaper, and we kill stuff faster, when we use the Internet to enable high-tech warfare," says a top adviser to the U.S. government on the overhaul of its computer security strategy. "Now they're saying, 'Oh, s--t.'"

Adding to Washington's anxiety, U.S. intelligence officials say many of the new attackers are trained professionals backed by foreign governments. "The new breed of threat that has evolved is nation-state-sponsored stuff," says Amit Yoran, a former director of Homeland Security's National Cyber Security Div. Adds one of the nation's most senior military officers: "We've got to figure out how to get at it before our regrets exceed our ability to react."

The military and intelligence communities have fingered the People's Republic of China as the U.S.'s biggest cybermenace. "In the past year, numerous computer networks around the world, including those owned by the U.S. government, were subject to intrusions that appear to have originated within the PRC," reads the Pentagon's annual report to Congress on Chinese military power, released on Mar. 3. The preamble of Bush's Cyber Initiative focuses attention on China as well.

Those are "groundless accusations and unwarranted allegations," says Wang Baodong, a spokesman for the Chinese embassy in Washington. Qin Gang, a spokesman for China's Foreign Ministry, told reporters in Beijing on Mar. 4 that China's military policy is "defensive in nature. China would never do anything to harm sovereignty or security of other countries." He added that China also falls victim to hacking and urged the U.S. to present "compelling evidence" for its accusation.

Some computer security specialists doubt that China's government is involved in cyberattacks on U.S. defense targets. Peter Sommer, an information systems security specialist at the London School of Economics who helps companies secure networks, says: "I suspect if it's an official part of the Chinese government, you wouldn't be spotting it." Indeed, because the Internet allows digital spies and thieves to mask their identities, conceal their physical locations, and bounce malicious code to and fro, it's frequently impossible to pinpoint specific attackers. Network security professionals call this digital masquerade ball the "attribution problem."

In written responses to questions from BusinessWeek, officials in the office of National Intelligence Director J. Michael McConnell, a leading proponent of boosting the government's cybersecurity efforts, would not comment on specific code-word programs such as Byzantine Foothold, nor on specific intrusions or possible victims. But the department adds that computer intrusions have been successful against "a wide range of government and corporate networks across the critical infrastructure and defense industrial base." The White House declined to address the contents of the Cyber Initiative, citing its classified nature.

An Evolving Threat
Major attacks on U.S. government and industry over the years

Solar Sunrise
Feb., 1998. Air Force and Navy computers are hit by malicious code that seeks out a hole in Sun Microsystems' Solaris operating system [illegible]. Some attacks are routed through the United Arab Emirates while the U.S. is preparing for military action in Iraq. Turns out the attacks were launched by two teenagers in Cloverdale, Calif., and an Israeli accomplice who called himself Analyzer.

Moonlight Maze
March, 1998, 1999. Attackers use [illegible] to gain access to Web sites at the Defense Dept., NASA, Energy Dept., and weapons labs across the country. Large packets of unclassified data are stolen. At times, "[the data] was sent to Russia," says a source familiar with the investigation. The sponsor of the attack has never been identified. The Russian government denies any involvement.

Titan Rain
2003. Hackers believed to be in China access classified data stored on the computer networks of defense contractor Lockheed Martin, Sandia National Labs, and NASA. Intrusions are identified by Shawn Carpenter, a cybersecurity analyst at Sandia Labs. After he reports the breaches to the U.S. Army and FBI, Sandia fires him. Carpenter later sues Sandia for wrongful termination. In February, 2007, a jury awards him $4.7 million.

Byzantine Foothold
2007. A new form of attack, using sophisticated technology, [illegible] outfits from the State Dept. to Boeing. Military cybersecurity specialists [detect] the resources of a nation-state behind it and call the type of attack an "advanced persistent threat." The breaches are detailed in a classified document known as an Intelligence Community Assessment. The source of many of the attacks, say U.S. military and government officials, is China.

Data: BusinessWeek

A Credible Message

The Booz Allen e-mail, obtained by BusinessWeek and traced back to China, paints a vivid picture of the alarming new capabilities of America's cyberenemies. On Sept. 5, 2007, at 08:22:21 Eastern time, an e-mail message appeared to be sent to John F. "Jack" Mulhern, vice-president for international military assistance programs at Booz Allen. In the high-tech world of weapons sales, Mulhern's specialty, the e-mail looked authentic enough. "Integrate U.S., Russian, and Indian weapons and avionics," the e-mail noted, describing the Indian government's expectations for its fighter jets. "Source code given to India for indigenous computer upgrade capability." Such lingo could easily be understood by Mulhern. The 62-year-old former U.S. Naval officer and 33-year veteran of Booz Allen's military and defense consulting business is an expert in helping to sell U.S. weapons to foreign governments.

The e-mail was more convincing because of its apparent sender: Stephen J. Moree, a civilian who works for a group that reports to the office of Air Force Secretary Michael W. Wynne. Among its duties, Moree's unit evaluates the security of selling U.S. military aircraft to other countries. There would be little reason to suspect anything seriously amiss in Moree passing along the highly technical document with "India MRCA Request for Proposal" in the subject line. The Indian government had just released the request a week earlier, on Aug. 28. And the language in the e-mail tracked the request. Making the message appear more credible still: It referred to upcoming Air Force communiqués and a "Teaming Meeting" to discuss the deal.

A Brilliant Fake
The bogus e-mail that landed at Booz Allen Hamilton

Sir,
The [illegible] (28 Aug) received the 211 page Indian Multi-Role Combat Aircraft (MRCA) Request for Proposal (RFP). The major RFP [points] are:
- 126 aircraft (86 single/40 dual); 18 [illegible] by OEM, 108 co-produced in India
- 1 or 2 engines; 14k-30k kg (30.9k-66.1k lb) max weight
- Active AESA radar capable of ranging 5 to 130 km (80.8 mi)
- 24 month fixed price validity period; price for 63 aircraft good for 3 years (fixed price)
- 50% offset required
- Aircraft delivery beginning 36 months after contract, co-produced beginning 48 months after contract
- Tech transfer broken into 5 categories, 60% [being] the highest percentage
- Performance based Logistics (Life Cycle cost) [to be] addressed, India [illegible]
- Integrate US, Russian, and Indian weapons and avionics
- Source code given to India for indigenous computer upgrade capability
IAW the Teaming Directive I've attached a copy of the complete RFP; however, all [illegible] are detailed [illegible] for the Teaming Meeting. Will include [illegible] the SAF/IA update and Friday CSAF update [illegible].
V/r,
Stephen J. Moree
Northeast Asia Branch Chief
SAF/IA Pacific Div
CONFIDENTIALITY NOTICE: This electronic transmission is For Official Use Only and may contain information protected from disclosure under the Freedom of Information Act, 5 USC 552. Do not release outside DoD channels without prior authorization from the sender.

An E-mail's Journey

But the missive from Steve Moree to Jack Mulhern was a fake, Booz Allen later discovered. An analysis of the e-mail's path and attachment, conducted for BusinessWeek by three cybersecurity specialists, shows it was sent by an unknown attacker, bounced through an Internet address in South Korea, was relayed through a Yahoo! server in New York, and finally made its way toward Mulhern's Booz Allen in-box. The analysis also shows that the code—known as malware, or malicious software—tracks keystrokes on the computers of people who open it. A separate program disables security measures such as password protection on Microsoft Access database files, a program frequently used by large organizations such as the U.S. defense industry to manage large batches of data.

While hardly the most sophisticated technique employed by electronic thieves these days, "if you have any kind of sensitive documents on Access databases, this [virus] is getting in there and getting them out," says a senior executive at a leading cybersecurity firm that conducted an analysis of the e-mail. (The person requested anonymity because his firm provides security consulting to U.S. military departments, defense contractors, and financial institutions.) Commercial computer security firms have dubbed the malicious code "Poison Ivy."

But the malware attached to the fake Air Force e-mail has a more devious—and worrisome—capability. Known as a remote administration tool, or RAT, it gives the attacker control over the "host" PC, capturing screen shots and perusing files. It lurks in the background of Microsoft Internet Explorer browsers while users surf the Web. Then it phones home to its "master" at an Internet address currently registered under the name cybersyndrome.3322.org.

The digital trail to cybersyndrome.3322.org, followed by analysts at BusinessWeek's request, leads to one of China's largest free domain-name-registration and e-mail services. Called 3322.org, it is registered to a company called Bentium in the city of Changzhou, a technology industry hub outside Shanghai. A range of security experts say that 3322.org hosts computers and servers that act as the command and control centers for more than 10,000 pieces of malicious code launched at government and corporate networks in recent years. Many of those PCs are in China; the rest could be anywhere.

The founder of 3322.org, a 37-year-old technology entrepreneur named Peng Yong, says his company merely allows users to register domain names. "As for what our users do, we cannot completely control it," says Peng. The bottom line: If Poison Ivy infected Jack Mulhern's computer at Booz Allen, any secrets inside could be seen in China. And if it spread to other computers, as malware often does, the infection opens windows on potentially sensitive information there, too.

It's not clear whether Mulhern received the e-mail, but the address was accurate. Informed by BusinessWeek on Mar. 20 of the fake message, Booz Allen spokesman George Farrar says the company launched a search to find it. As of Apr. 8, says Farrar, the company had not discovered the e-mail or Poison Ivy in Booz Allen's networks, but the investigation is ongoing. Farrar says Booz Allen computer security executives are examining the computers of Mulhern and an assistant who received his e-mail. "We take this very seriously," says Farrar. (Mulhern, who retired in March, did not respond to e-mailed requests for comment and declined a request, through Booz Allen, for an interview.)

Air Force officials referred requests for comment to U.S. Defense Secretary Robert M. Gates' office. In an e-mailed response to BusinessWeek, Gates' office acknowledges being the target of cyberattacks from "a variety of state and non-state-sponsored organizations to gain unauthorized access to, or otherwise degrade, [Defense Dept.] information systems." But the Pentagon declined to discuss the attempted Booz Allen break-in. The Air Force, meanwhile, declined to make Stephen Moree available for comment.

The e-mail, however, seemed to cause a stir inside the Air Force, correspondence reviewed by BusinessWeek shows. On Sept. 4, James Mulvenon also received the message with Moree and Mulhern's names on it. Security experts believe Mulvenon's e-mail address was secretly included in the blind copy line of a version of the message. Mulvenon is director of the Center for Intelligence Analysis & Research, a unit of Defense Group, a leading consultant to U.S. defense and intelligence agencies on China's military and cyber strategy. He maintains an Excel spreadsheet of suspect e-mails, malicious code, and hacker groups and passes them along to the authorities. Suspicious of the note when he received it, Mulvenon replied to Moree the next day. Was the e-mail "India spam?" Mulvenon asked.

"I apologize—this e-mail was sent in error—please delete," Moree responded a few hours later.

"No worries," typed Mulvenon. "I have been getting a lot of trojaned Access databases from China lately and just wanted to make sure."

"Interesting—our network folks are looking into some kind of malicious intent behind this e-mail snafu," wrote Moree. Neither the Air Force nor the Defense Dept. would confirm with BusinessWeek whether an investigation was conducted. A Pentagon spokesman says its procedure is to refer attacks to law enforcement or counterintelligence agencies. He would not disclose which, if any, is investigating the Air Force e-mail.

Digital Intruders

By itself, the bid to steal digital secrets from Booz Allen might not be deeply troubling. But Poison Ivy is part of a new type of digital intruder rendering traditional defenses—firewalls and updated antivirus software—virtually useless. Sophisticated hackers, say Pentagon officials, are developing new ways to creep into computer networks sometimes before those vulnerabilities are known. "The offense has a big advantage over the defense right now," says Colonel Ward E. Heinke, director of the Air Force Network Operations Center at Barksdale Air Force Base. Only 10 of the top 35 antivirus software programs identified Poison Ivy when it was first tested on behalf of BusinessWeek in February. Malware-sniffing software from several top security firms found "no virus" in the India fighter-jet RFP, the analysis showed.

Over the past two years thousands of highly customized e-mails akin to Stephen Moree's have landed in the laptops and PCs of U.S. government employees and defense contracting executives. According to sources familiar with the matter, the attacks targeted sensitive information on the networks of at least eight agencies—including the departments of Defense, State, Energy, Commerce, Health & Human Services, Agriculture, and Treasury—and also defense contractors Boeing, Lockheed Martin, General Electric, Raytheon, and General Dynamics, say current and former government security experts.

Laura Keehner, a spokeswoman for the Homeland Security Dept., which coordinates protection of government computers, declined to comment on specific intrusions. In written responses to questions from BusinessWeek, Keehner says: "We are aware of and have defended against malicious cyberactivity directed at the U.S. Government over the past few years. We take these threats seriously and continue to remain concerned that this activity is growing more sophisticated, more targeted, and more prevalent." Spokesmen for Lockheed Martin, Boeing, Raytheon, General Dynamics, and General Electric declined to comment. Several cited policies of not discussing security-related matters.

The rash of computer infections is the subject of Byzantine Foothold, the classified operation designed to root out the perpetrators and protect systems in the future, according to three people familiar with the matter. In some cases, the government's own cybersecurity experts are engaged in "hack-backs"—following the malicious code to peer into the hackers' own computer systems. BusinessWeek has learned that a classified document called an intelligence community assessment, or ICA, details the Byzantine intrusions and assigns each a unique Byzantine-related name. The ICA has circulated in recent months among selected officials at U.S. intelligence agencies, the Pentagon, and cybersecurity consultants acting as outside reviewers. Until December the ICA's contents had not even been shared with congressional intelligence committees.

Now, Senate Intelligence Committee Chairman John D. Rockefeller (D-W. Va.) is said to be discreetly informing fellow senators of the Byzantine operation, in part to win their support for needed appropriations, many of which are part of classified "black" budgets kept off official government books. Rockefeller declined to comment. In January a Senate Intelligence Committee staffer urged his boss, Missouri Republican Christopher "Kit" Bond, the committee's vice-chairman, to supplement closed-door testimony and classified documents with a viewing of the movie Die Hard 4 on a flight the senator made to New Zealand. In the film, cyberterrorists breach FBI networks, purloin financial data, and bring car traffic to a halt in Washington. Hollywood, says Bond, doesn't exaggerate as much as people might think. "I can't discuss classified matters," he cautions. "But the movie illustrates the potential impact of a cyberconflict. Except for a few things, let me just tell you: It's credible."

The Government's Response
Key elements of the top-secret Cyber Initiative, signed Jan. 8

Cut Connections: Aims to cut the number of portals between government networks and the Internet from more than 4,000 to fewer than 100.

Passive Intrusion Prevention: Requires a plan to identify when unauthorized users have gained access to computer networks.

Active Intrusion Prevention: Requires a program to trace cyberintrusions back to their source, both countries and people.

Counterintelligence Strategy: Requires a plan to deter and prevent future computer network breaches.

Counterintelligence Tools: Launches a program to develop technology for cyberforensic analysis.

Education: Creates training programs to develop technical skills to improve cybersecurity.

Fusing Operations: Combines computer command posts known as network operations centers of an unknown number of agencies.

Cyber R&D: Launches a plan to develop offensive and defensive cybercapabilities, including those developed by contractors.

Leap-Ahead Technologies: Aims to invent "killer apps" to win the cyber arms race.

Critical Infrastructure Protection: Calls for a plan to work with the private sector, which owns and operates most of the Internet.

Revisit Project Solarium: Like the Eisenhower project to deter nuclear war, aims to prevent a cyberwar.

Improve Federal Acquisitions: Starts a program to ensure government IT products and services are secure.

Data: BusinessWeek

Go Phish

The technique used in the attacks, known as phishing, is a method of stealing information by posing as a trustworthy entity in an online communication. The term started in the mid-1990s when hackers began "fishing" for information (and tweaked the spelling). The e-mail attacks in the government agency and defense contractor intrusions, called "spear-phish" because they target specific individuals, are the Web version of laser-guided missiles. Spear-phish creators gather information about people's jobs and social networks, often from publicly available information and data stolen from other infected computers, and then trick them into opening an e-mail.

Spear-phish tap into a cyberespionage tactic that Internet security experts call "net reconnaissance." In the spear-phish attack on Booz Allen, attackers had a wealth of information about Stephen J. Moree: his full name, title (Northeast Asia Branch Chief), job responsibilities, and e-mail address. Net reconnaissance can be surprisingly simple, often starting with a Google search. (A lookup of the Air Force's Pentagon e-mail address, for instance, generated 8,680 hits for current or former Air Force personnel and departments on Apr. 8.) The information is woven into a fake e-mail, along with a link to an infected Web site, or an attached document. All attackers have to do is hit their send button. Once the e-mail is opened, intruders are automatically ushered inside the walled perimeter of computer networks—and malicious code such as Poison Ivy can take over.

Anatomy of a Spear-Phish
The three stages of a successful spear-phishing attack

Net Reconnaissance: Attackers scour Web sites, studying public documents, chat rooms, and blogs to build digital dossiers about the jobs, responsibilities, and personal networks of targets.

Constructing the Spear-Phish: Attackers build an e-mail with a Web link or attachment on a subject likely to trick the victim into clicking on it. Common spear-phish topics include news events, earnings results, and Word and PowerPoint documents containing [illegible]. The e-mail address is made to look like it comes from a logical sender.

Harvesting the Data: When the victim opens the attachment or clicks on the Web link, malicious code combs document files, steals passwords, and sends the data to a command and control server, often in a foreign country, which collects the data for study.

Photo: Mark Lennihan/AP Photo

By mid-2007 analysts at the National Security Agency began to discern a pattern: personalized e-mails with corrupted attachments such as PowerPoint presentations, Word documents, and Access database files had been turning up on computers connected to the networks of numerous agencies and defense contractors.

A previously undisclosed breach in the autumn of 2005 at the American Enterprise Institute—a conservative think tank whose former officials and corporate executive board members are closely connected to the Bush Administration—proved so nettlesome that the White House shut off aides' access to the Web site for more than six months, says a cybersecurity specialist familiar with the incident. The Defense Dept. shut the door for even longer. Computer security investigators, one of whom spoke with BusinessWeek, identified the culprit: a few lines of Java script buried in AEI's home page, www.aei.org, that activated as soon as someone visited the site. The script secretly redirected the user's computer to another server that attempted to load malware. The malware, in turn, sent information from the visitor's hard drive to a server in China. But the security specialist says cybersleuths couldn't get rid of the intruder. After each deletion, the furtive code would reappear. AEI says that except for a brief accidental recurrence caused by its own network personnel in August, 2007, the devious Java script did not return and was not difficult to eradicate.

The government has yet to disclose the breaches related to Byzantine Foothold. BusinessWeek has learned that intruders managed to wend their way into the State Dept.'s highly sensitive Bureau of Intelligence & Research—an important channel between the work of intelligence agencies and the rest of the government. The intrusion posed a risk to CIA operatives in embassies around the globe, say several network security specialists familiar with the effort to cope with what became regarded as an internal crisis. Teams worked around-the-clock in search of malware, they say, calling the White House regularly with updates.

The attack began in May, 2006, when an unwitting employee in the State Dept.'s East Asia Pacific region clicked on an attachment in a seemingly authentic e-mail. Malicious code embedded in the Word document, a congressional speech, opened a Trojan "back door" for the code's creators to peer inside the State Dept.'s innermost networks. Soon, cybersecurity engineers began spotting more intrusions in State Dept. computers across the globe. The malware took advantage of previously unknown vulnerabilities in the Microsoft operating system. Unable to develop a patch quickly enough, engineers watched helplessly as streams of State Dept. data slipped through the back door and into the Internet ether. Although they were unable to fix the vulnerability, specialists came up with a temporary fix to block further infections. They also yanked connections from the Internet.

One member of the emergency team summoned to the scene recalls that each time cybersecurity professionals thought they had eliminated the source of a "beacon" reporting back to its master, another popped up. He compared the effort to the arcade game Whack-A-Mole. The State Dept. now says it has eradicated the infection, but only after sanitizing scores of infected computers and servers and changing passwords. Microsoft's own patch, meanwhile, was not deployed until August, 2006, three months after the infection. Microsoft declined to comment on the episode.

There is little doubt among senior U.S. officials about where the trail of the recent wave of attacks leads. "The Byzantine series tracks back to China," says Air Force Colonel Heinke. More than a dozen U.S. military, cybersecurity, and intelligence officials interviewed by BusinessWeek say China is the biggest emerging adversary—and not just clubs of rogue or enterprising hackers who happen to be Chinese. O. Sami Saydjari, a former National Security Agency executive and now president of computer security firm Cyber Defense Agency, says the Chinese People's Liberation Army, one of the world's largest military forces, with an annual budget of $57 billion, has "tens of thousands" of trainees launching cyberattacks on U.S. computer networks. Those figures could not be independently confirmed by BusinessWeek. Says Saydjari: "We have to look at this as equivalent to the launch of a Chinese Sputnik."

Hints of the perils perceived within America's corridors of power have been slipping out in recent months. In Feb. 27 testimony before the U.S. Senate Armed Services Committee, National Intelligence Director McConnell echoed the view that the threat comes from China. He told Congress he worries less about another country capturing information than altering it. "If someone has the ability to enter information in systems, they can destroy data. And the destroyed data could be something like money supply, electric power distribution, transportation sequencing, and that sort of thing." His conclusion: "The federal government is not well-protected and the private sector is not well-protected."

Worries about China-sponsored Internet attacks spread last year to Germany, France, and Britain. British domestic intelligence agency MI5 had seen enough evidence of intrusion and the theft of corporate secrets by Chinese hackers by November, 2007, that the agency's director general, Jonathan Evans, sent an unusual letter of warning to 300 corporations, accounting firms, and law firms—along with a list of network security specialists to help block computer intrusions. Some recipients of the MI5 letter hired Peter Yapp, a leading security consultant with London-based Control Risks. "People treat this like it's just another hacker story, and it is almost unbelievable," says Yapp. "There's a James Bond element to it. Too many people think, 'It's not going to happen to me.' But it has."

Identifying the thieves slipping their malware through the digital gates can be a tricky task. But a range of attacks in the past two years on U.S. and foreign government entities, U.S. defense contractors, and corporate networks have been traced to Internet addresses registered through Chinese domain services such as 3322.org, run by Peng Yong. In early March, BusinessWeek interviewed Peng in an apartment on the 14th floor of the gray-tiled residential building that houses the five-person office for 3322.org in Changzhou. Peng says he started 3322.org in 2001 with $14,000 of his own money so the growing ranks of China's Internet surfers could register Web sites and distribute information. "We felt that this business would be very popular, especially as broadband, fiber-optic cables, [data transmission technology] ADSL, these ways of getting on the Internet took off," says Peng (whose Mandarin was translated by BusinessWeek), who wears half-rimmed glasses and drives a black Lexus IS300 bought last year.

His 3322.org has indeed become a hit. Peng says the service has registered more than 1 million domain names, charging $14 per year for top-level names ending in .com, .org, or .net. But cybersecurity experts and the Homeland Security Dept.'s U.S. Computer Emergency Readiness Team (CERT) say that 3322.org is a hit with another group: hackers. That's because 3322.org and five sister sites controlled by Peng are dynamic DNS providers. Like an Internet phone book, dynamic DNS assigns names for the digits that mark a computer's location on the Web. For example, 3322.org is the registrar for the name cybersyndrome.3322.org at Internet address 61.234.4.28, the China-based computer that was contacted by the malicious code in the Booz Allen attack, according to analyses reviewed by BusinessWeek. Hackers started using sites like 3322.org so that the malware phones home to the specific name. The reason? "It is relatively difficult to have [Internet addresses] taken down in China," says Maarten Van Horenbeeck, a Belgium-based cybersleuth for the SANS Internet Storm Center.

Peng's 3322.org and sister sites have become a source of concern to the U.S. government and private firms. Cybersecurity firm Team Cymru sent a confidential report, reviewed by BusinessWeek, to clients on Mar. 7 that illustrates how 3322.org has enabled many recent attacks. In early March, the report says, Team Cymru received a spoofed e-mail message from a U.S. military entity, and the PowerPoint attachment had a malware widget embedded in it. The e-mail was a spear-phish. The computer that controlled the malicious code in the PowerPoint? Cybersyndrome.3322.org—the same China-registered computer in the attack on Booz Allen. Although the cybersyndrome Internet address may not be located in China, the top five computers communicating directly with it were—and four were registered with ChinaNet, a large state-owned Internet service provider, according to the report.
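Because the malware phones home to a fixed name rather than a fixed address, the place a defender can see it is the resolver's query log. The script below is an added example, not code from BusinessWeek or from any firm the article names: it parses constructed query-log lines in an assumed format (not BIND's or any product's), flags lookups that fall under the four dynamic DNS zones the article says the U.S. CERT report listed (3322.org, 8800.org, 9966.org, 8866.org) or that resolve to 61.234.4.28, the address the article gives for cybersyndrome.3322.org, and counts repeated lookups per client, which is the "beacon" pattern the State Dept. responders describe.

```python
"""Flag resolver-log queries that point at dynamic-DNS zones.

Added example, not code from BusinessWeek or any firm the article names.
DDNS_ZONES are the four zones the article says the Nov. 28, 2007 U.S. CERT
report listed; 61.234.4.28 is the address the article gives for
cybersyndrome.3322.org. The log lines and their format are constructed for
this demo (an assumption, not BIND's or any product's real format).
"""
import re
from collections import Counter

DDNS_ZONES = ("3322.org", "8800.org", "9966.org", "8866.org")
KNOWN_C2_ADDRESSES = {"61.234.4.28"}

# Constructed sample: client 10.1.4.22 looks up the beacon name twice,
# my3322.org is a look-alike that must NOT match the 3322.org zone.
SAMPLE_LOG = """\
2007-09-05T08:23:01Z client 10.1.4.22 query: intranet.example.net A answer: 192.0.2.10
2007-09-05T08:23:07Z client 10.1.4.22 query: cybersyndrome.3322.org A answer: 61.234.4.28
2007-09-05T08:24:12Z client 10.1.9.8 query: mail.example.net MX answer: 192.0.2.25
2007-09-05T08:25:40Z client 10.1.4.22 query: cybersyndrome.3322.org A answer: 61.234.4.28
2007-09-05T08:31:03Z client 10.1.7.31 query: update.8800.org A answer: 198.51.100.7
2007-09-05T08:31:55Z client 10.1.7.31 query: my3322.org A answer: 203.0.113.3
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+) "
    r"answer: (?P<answer>\S+)$"
)


def in_ddns_zone(name, zones=DDNS_ZONES):
    """Return the zone `name` falls under, or None. Matching is on label
    boundaries, so my3322.org does not match 3322.org."""
    name = name.rstrip(".").lower()
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def parse_log(text):
    """Turn log lines into dicts; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_beacons(text):
    """Records that name a dynamic-DNS zone or resolve to a known C2 address,
    each annotated with the reasons it was flagged."""
    hits = []
    for rec in parse_log(text):
        reasons = []
        zone = in_ddns_zone(rec["qname"])
        if zone:
            reasons.append("ddns-zone:" + zone)
        if rec["answer"] in KNOWN_C2_ADDRESSES:
            reasons.append("known-c2-address")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def beacon_counts(text):
    """How often each client looked up each flagged name: repeated lookups of
    one name by one host are the beaconing pattern the article describes."""
    return Counter((h["client"], h["qname"]) for h in find_beacons(text))


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(h["ts"], h["client"], h["qname"], "->", h["answer"], ", ".join(h["reasons"]))
    for (client, qname), n in beacon_counts(SAMPLE_LOG).items():
        print(f"{client} looked up {qname} {n} times")
```

In a real deployment the zone list and address set would come from the blocklist the U.S. CERT report told IT staff to load, and the lines from the resolver's own query log; the label-boundary check in `in_ddns_zone` matters because a plain substring match would also flag unrelated names that merely end in the same digits.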
Target: Private Sector

A person familiar with Team Cymru's research says the company has 10,710 distinct malware samples hosted by 3322.org. Other groups that have reported attacks from computers hosted by 3322.org include activist group Students for a Free Tibet, the European Parliament, and U.S. Bancorp, according to security reports. Team Cymru declined to comment. The U.S. government has pinpointed Peng's services as a problem, too. In a Nov. 28, 2007, confidential report from Homeland Security's U.S. CERT obtained by BusinessWeek, titled "Cyber Incidents Suspected of Impacting Private Sector Networks," the federal cyberwatchdog warned U.S. corporate information technology staff to update security software to block Internet traffic from a dozen Web addresses after spear-phishing attacks. "The level of sophistication and scope of these cybersecurity incidents indicate they are coordinated and targeted at private-sector systems," says the report. Among the sites named: Peng's 3322.org, as well as 8800.org, 9966.org, and 8866.org. Homeland Security and U.S. CERT declined to discuss the report.

Peng says he has no idea hackers are using his service to send and control malicious code. "Are there a lot?" he says when asked why so many hackers use 3322.org. He says his business is not responsible for cyberattacks on U.S. computers. "It's like we have paved a road and what sort of car [users] drive on it is their own business," says Peng, who adds that he spends most of his time these days developing Internet telephony for his new software firm, Bitcomm Software Tech Co. Peng says he was not aware that several of his Web sites and Internet addresses registered through them were named in the U.S. CERT report. On Apr. 7, he said he planned to shut the sites down and contact the U.S. agency. Asked by BusinessWeek to check his database for the person who registered the computer at the domain name cybersyndrome.3322.org, Peng says it is registered to Gansu Railway Communications, a regional telecom subsidiary of China's Railways Ministry. He declined to provide the name of the registrant, citing a confidentiality agreement. "You can go through the police to find out the user information," says Peng.

U.S. cybersecurity experts say it's doubtful the Chinese government would allow the high volume of attacks on U.S. entities from China-based computers if it didn't want them to happen. "China has one of the best-controlled Internets in the world. Anything that happens on their Internet requires permission," says Cyber Defense Group's O. Sami Saydjari. A Chinese government spokesman says TK about 3322.org. But Peng says there is little he can do if hackers exploit his goodwill—and there has been little incentive from the Chinese government to get tough. "Normally, we take care of these problems by shutting them down," says Peng. "Because our laws do not have an extremely clear method to handle this problem, sometimes we are helpless to stop their services."

And so, it seems, is the U.S. government.

BusinessWeek TV: For more on this story, including an interview with writer Brian Grow, watch BusinessWeek TV. To see video clips or find your local station and airtime by ZIP Code, go to BusinessWeekTV.com.

BusinessWeek.com: View a video describing the high-stakes cyberwar waged against the U.S., government documents warning of cyber attacks against public and private institutions, and, starting on Apr. 14, our series on cyberespionage.
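The path analysis described in "An E-mail's Journey" (an unknown origin, a relay abroad, a webmail server, then the recipient's in-box) is reconstructed from the message's Received: headers, which every relay prepends as it hands the message on. The script below is an added example, not code from BusinessWeek or from the analysts it cites. The message, host names, addresses (RFC 5737 documentation ranges) and timestamps are constructed placeholders that only mirror the shape of that path, and the check for "our own" servers assumes a hypothetical recipient domain, recipient-corp.example. It shows why such an analysis can end at "an unknown attacker": only the headers written by your own servers are trustworthy, and the earlier hops are whatever the foreign relays chose to record.

```python
"""Reconstruct an e-mail's delivery path from its Received: headers.

Added example, not code from BusinessWeek or the analysts it cites. Every
host, address and timestamp in SAMPLE_MESSAGE is a constructed placeholder
(RFC 5737 documentation address ranges); the path shape mirrors the one the
article describes: origin -> relay abroad -> webmail server -> recipient's
mail gateway. recipient-corp.example is an assumed recipient domain.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from webmail-relay.example.net (webmail-relay.example.net [198.51.100.20])
\tby mx.recipient-corp.example (Postfix) with ESMTP id 4F2A1
\tfor <recipient@recipient-corp.example>; Wed, 05 Sep 2007 08:22:21 -0400
Received: from relay.example.org (relay.example.org [203.0.113.77])
\tby webmail-relay.example.net with SMTP; Wed, 05 Sep 2007 08:21:50 -0400
Received: from unknown (HELO desktop) (192.0.2.45)
\tby relay.example.org with SMTP; Wed, 05 Sep 2007 08:21:12 -0400
From: "Apparent Sender" <apparent.sender@airforce.example>
To: recipient@recipient-corp.example
Subject: India MRCA Request for Proposal
Date: Wed, 05 Sep 2007 08:20:00 -0400

(body omitted)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"     # name the sending relay announced
    r".*?\bby\s+(?P<by_host>\S+)",   # server that wrote this header
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(header):
    """Split one Received: header into the fields the path analysis needs."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    # The sender's address, if the relay recorded one, sits before "by".
    ip_match = IP_RE.search(header[: m.start("by_host")])
    # The timestamp is whatever follows the last ';' in the header.
    timestamp = parsedate_to_datetime(header.rsplit(";", 1)[-1].strip())
    return {
        "from_host": m.group("from_host"),
        "from_ip": ip_match.group(1) if ip_match else None,
        "by_host": m.group("by_host"),
        "timestamp": timestamp,
    }


def delivery_path(raw_message):
    """Hops oldest-first. Relays prepend their Received: header, so the
    headers appear newest-first in the message and are reversed here."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(h) for h in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def trusted_boundary(path, own_domain):
    """Index of the first hop recorded by one of our own servers. Hops before
    it were written by other people's servers and may be forged, so the
    origin they show is only as reliable as those servers are."""
    own_domain = own_domain.lower()
    for i, hop in enumerate(path):
        by = hop["by_host"].lower().rstrip(".")
        if by == own_domain or by.endswith("." + own_domain):
            return i
    return None


def sender_mismatch(raw_message):
    """True when the relay that handed the message to our gateway is outside
    the From: header's domain, the simplest sign of a spoofed sender."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    path = delivery_path(raw_message)
    if not path or not from_domain:
        return True
    last_relay = path[-1]["from_host"].lower().rstrip(".")
    return not (last_relay == from_domain or last_relay.endswith("." + from_domain))


if __name__ == "__main__":
    path = delivery_path(SAMPLE_MESSAGE)
    boundary = trusted_boundary(path, "recipient-corp.example")
    for i, hop in enumerate(path):
        tag = "trusted" if boundary is not None and i >= boundary else "unverified"
        print(f"{hop['timestamp']:%H:%M:%S} {hop['from_host']} ({hop['from_ip']}) "
              f"-> {hop['by_host']} [{tag}]")
    print("sender domain mismatch:", sender_mismatch(SAMPLE_MESSAGE))
```

The two checks are independent: `trusted_boundary` tells the analyst how far back the chain can be believed, and `sender_mismatch` flags that a message claiming to come from one organisation arrived via a webmail relay belonging to another, which is exactly the discrepancy the article's specialists found between the apparent Air Force sender and the Yahoo! server that delivered the message.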