Notas sobre o funcionamento do site

Voltar à disposição inicial da página.

Restaurar

barra login

Operação ‘Shady Rat’: O Assalto do Exército Chinês de Hackers à América

A Vanity Fair, com data de Sertembro 2011, tem a história (quase) toda do assalto à América pelo exército de hackers chineses. Para quem se interessa pela ciberguerra ou quer saber o que isso é e como é, é de leitura imprescindível.

National Security

Exclusive: Operation Shady rat—Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza

For at least five years, a high-level hacking campaign—dubbed Operation Shady rat—has infiltrated the computer systems of national governments, global corporations, nonprofits, and other organizations, with more than 70 victims in 14 countries. Lifted from these highly secure servers, among other sensitive property: countless government secrets, e-mail archives, legal contracts, and design schematics. Here, Vanity Fair’s Michael Joseph Gross breaks the news of Operation Shady rat’s existence—and speaks to the McAfee cyber-security expert who discovered it. Related:Enter the Cyber-dragon”.

 

WEB EXCLUSIVE August 2, 2011

Photographs by Molly Riley/Reuters/Landov (Hillary) and Paul Sakuma/A.P. Images (Google); illustration by Brad Holland (center).

When the history of 2011 is written, it may well be remembered as the Year of the Hack.

Long before the saga of News of the World phone hacking began, stories of computer breaches were breaking almost every week. In recent months, Sony, Fox, the British National Health Service, and the Web sites of PBS, the U.S. Senate, and the C.I.A., among others, have all fallen victim to highly publicized cyber-attacks. Many of the breaches have been attributed to the groups Anonymous and LulzSec. Dmitri Alperovitch, vice president of threat research at the cyber-security firm McAfee, says that for him, “it’s been really hard to watch the news of this Anonymous and LulzSec stuff, because most of what they do, defacing Web sites and running denial-of-service attacks, is not serious. It’s really just nuisance.”

“Just nuisance,” that is, compared with a five-year campaign of hacks that Alperovitch discovered and named Operation Shady rat—a campaign that continues even now, and is being reported for the first time today, by vanityfair.com, and in a lengthier report on the larger problem of industrial cyber-espionage in the September issue of Vanity Fair. Operation Shady rat ranks with Operation Aurora (the attack on Google and many other companies in 2010) as among the most significant and potentially damaging acts of cyber-espionage yet made public. Operation Shady rat has been stealing valuable intellectual property (including government secrets, e-mail archives, legal contracts, negotiation plans for business activities, and design schematics) from more than 70 public- and private-sector organizations in 14 countries. The list of victims, which ranges from national governments to global corporations to tiny nonprofits, demonstrates with unprecedented clarity the universal scope of cyber-espionage and the vulnerability of organizations in almost every category imaginable. In Washington, where policymakers are struggling to chart a strategy for combating cyber-espionage, Operation Shady rat is already drawing attention at high levels. Last week, Alperovitch provided confidential briefings on Shady rat to senior White House officials, executive-branch agencies, and congressional-committee staff. Senator Dianne Feinstein (D-CA), chairman of the Senate Select Committee on Intelligence, reviewed the McAfee report on Shady rat and wrote in an e-mail to Vanity Fair: “This is further evidence that we need a strong cyber-defense system in this country, and that we need to start applying pressure to other countries to make sure they do more to stop cyber hacking emanating from their borders.” McAfee says that victims include government agencies in the United States, Taiwan, South Korea, Vietnam, and Canada, the Olympic committees in three countries, and the International Olympic Committee. Rounding out the list of countries where Shady rat hacked into computer networks: Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India. The vast majority of victims—49—were U.S.-based companies, government agencies, and nonprofits. The category most heavily targeted was defense contractors—13 in all.

In addition to the International Olympic Committee, the only other victims that McAfee has publicly named are the World Anti-doping Agency, the United Nations, and ASEAN, the Association of Southeast Asian Nations (whose members are Indonesia, Malaysia, the Philippines, Singapore, Thailand, Brunei, Burma [Myanmar], Cambodia, Laos, and Vietnam).

In an e-mail to vanityfair.com, I.O.C. communications director Mark Adams wrote, “If proved true, such allegations would be disturbing. However, the IOC is transparent in its operations and has no secrets that would compromise either our operations or our reputation.” WADA spokesman Terence O’Rourke wrote in an e-mail that “WADA is constantly alert to the dangers of cyber hacking and maintains a vigilant security system on all of its computer programs.” He added that “WADA’s Anti-Doping Administration & Management System (ADAMS), which is on a completely different server to WADA’s emails, has never been compromised and remains a highly-secure system for the retention of athlete data.”

A prominent cyber-security expert who was briefed by McAfee on the intrusions says that the Associated Press was also a victim. McAfee declined to comment on that suggestion. Jack Stokes, A.P. media-relations manager, said, “We don’t comment on our network security,” when I asked if it was true that the A.P. was among Shady rat’s victims. Alperovitch believes the hacking was state-sponsored, pointing to Shady rat’s targeting of Olympic committees and political nonprofits as evidence, and contending that “[t]here’s no economic gain” to spying on them. Citing McAfee company policy, he refused to speculate on which country was behind Shady rat.

One leading cyber-espionage expert, however, thinks the likely culprit’s identity is clear. “All the signs point to China,” says James A. Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, adding, “Who else spies on Taiwan?”

Alperovitch first picked up the trail of Shady rat in early 2009, when a McAfee client, a U.S. defense contractor, identified suspicious programs running on its network. Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing e-mail containing a link to a Web page that, when clicked, automatically loaded a malicious program—a remote-access tool, or rat—onto the victim’s computer. The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data. After identifying the command-and-control server, located in a Western country, that operated this piece of malware, McAfee blocked its own clients from connecting to that server. Only this March, however, did Alperovitch finally discover the logs stored on the attackers’ servers. This allowed McAfee to identify the victims by name (using their Internet Protocol [I.P.] addresses) and to track the pattern of infections in detail.

The evolution of Shady rat’s activity provides more circumstantial evidence of Chinese involvement in the hacks. The operation targeted a broad range of public- and private-sector organizations in almost every country in Southeast Asia—but none in China. And most of Shady rat’s targets are known to be of interest to the People’s Republic. In 2006, or perhaps earlier, the intrusions began by targeting eight organizations, including South Korean steel and construction companies, a South Korean government agency, a U.S. Department of Energy laboratory, a U.S. real-estate company, international-trade organizations of Western and Asian nations, and the ASEAN Secretariat. (According to McAfee’s “Operation Shady rat” white paper, “[t]hat last intrusion began in October [2006], a month prior to the organization’s annual summit in Singapore, and continued for another 10 months.”) In 2007, the activity ramped up to hit 29 organizations. In addition to those previously targeted, new victims included a technology company owned by the Vietnamese government, four U.S. defense contractors, a U.S. federal-government agency, U.S. state and county government organizations, a computer-network-security company—and the national Olympic committees of two countries in Asia and one in the West, as well as the I.O.C. The Olympic organizations, strikingly, were targeted in the months leading up to the 2008 Olympic Games in Beijing. Shady rat’s activity continued to build in 2008, when it infiltrated the networks of 36 organizations, including the United Nations—and reached a crest of 38 organizations, including the World Anti-doping Agency, in 2009. Since then, the victim numbers have been dropping, but the activity continues. Shady rat’s command-and-control server is still operating, and some organizations, including the World Anti-doping Agency, were still under attack as of last month. (As of Tuesday, according to a WADA spokesman, the group was unaware of any breach, but “WADA is investigating” McAfee’s discovery.) The longest compromise duration—“on and off for 28 months,” according to McAfee’s report—was one Asian country’s Olympic committee. Many others were compromised for two full years. Nine organizations were compromised for one month or less. All others were compromised for a minimum of one month, potentially allowing for complete access to all data on their servers.

Alperovitch says that McAfee is “working closely with U.S.government agencies, a variety of them, law enforcement and others,” in hopes of eventually shutting down Shady rat’s command-and-control server. (He declined to say whether U.S. intelligence agencies are involved in the investigation.)

Alperovitch’s diagnosis of the problem raised by Shady rat is troubling: “It’s clear from this and other attacks we’ve been witnessing that there is an unprecedented transfer of wealth in the form of trade secrets and I.P., primarily from Western organizations and companies, falling off the truck and disappearing into massive electronic archives. What is happening to this data? Is this being accumulated in a giant, Indiana Jones–type warehouse? Or is it being used to create new products? If it’s the latter, we won’t know for a number of years. But if so, it’s not just a problem for these companies, but also for the governments of the countries where these companies are located, because they’re losing their economic advantage to competitors in other parts of the world overnight. That is a national-security problem, insofar as it leads to loss of jobs and lost economic growth. That’s a serious threat.”

His account of attempting to inform some of Shady rat’s victims may be even more troubling. Some victims seem determined to deny they’ve been attacked, even when offered empirical proof that a smash-and-grab has taken place. Two weeks ago, McAfee sent e-mails to officials at four organizations, informing them that their computer networks had been compromised. To each, Alperovitch wrote, “We would be glad to work with you and provide our assistance … to help you determine the impact of the intrusion … or how to prevent this type of infiltration in the future.” Three of those organizations—including one whose breach is ongoing—made no response to McAfee’s notifications. Even after McAfee’s second attempt to offer information about the breaches to two of the groups, Alperovitch says, they expressed no interest in learning details of the intrusions. The spokesman for one of those organizations, WADA, told me that he considered Alperovitch’s first e-mail to be “spam.” He said, “We are conducting our own investigation of the allegations.” When asked why WADA chose not to accept McAfee’s offer to provide detailed information that could help in that investigation, the spokesman answered, “I am under no obligation to answer your questions about my investigation.” (Later that day, according to McAfee, WADA did request information concerning the attack.)

“We’ve seen this before,” Alperovitch says. “Victims don’t want to know they’re victims. I guess that’s just victim psychology: if you don’t know about it, it’s not really happening.”

National Security: Enter the Cyber-dragon

Hackers have attacked America’s defense establishment, as well as companies from Google to Morgan Stanley to security giant RSA, and fingers point to China as the culprit. The author gets an exclusive look at the raging cyber-war—Operation Aurora! Operation Shady rat!—and learns why Washington has been slow to fight back. Related: Michael Joseph Gross goes inside Operation Shady rat.

 

Illustration by Brad Holland
September 2011


Lying there in the junk-mail folder, in the spammy mess of mortgage offers and erectile-dysfunction drug ads, an e-mail from an associate with a subject line that looked legitimate caught the man’s eye. The subject line said “2011 Recruitment Plan.” It was late winter of 2011. The man clicked on the message, downloaded the attached Excel spreadsheet file, and unwittingly set in motion a chain of events allowing hackers to raid the computer networks of his employer, RSA. RSA is the security division of the high-tech company EMC. Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.

The parent company disclosed the breach on March 17 in a filing with the Securities and Exchange Commission. The hack gravely undermined the reputation of RSA’s popular SecurID security service. As spring gave way to summer, bloggers and computer-security experts found evidence that the attack on RSA had come from China. They also linked the RSA attack to the penetration of computer networks at some of RSA’s most powerful defense-contractor clients—among them, Lockheed Martin, Northrop Grumman, and L-3 Communications. Few details of these episodes have been made public.

The RSA and defense-contractor hacks are among the latest battles in a decade-long spy war. Hackers from many countries have been exfiltrating—that is, stealing—intellectual property from American corporations and the U.S. government on a massive scale, and Chinese hackers are among the main culprits. Because virtual attacks can be routed through computer servers anywhere in the world, it is almost impossible to attribute any hack with total certainty. Dozens of nations have highly developed industrial cyber-espionage programs, including American allies such as France and Israel. And because the People’s Republic of China is such a massive entity, it is impossible to know how much Chinese hacking is done on explicit orders from the government. In some cases, the evidence suggests that government and military groups are executing the attacks themselves. In others, Chinese authorities are merely turning a blind eye to illegal activities that are good for China’s economy and bad for America’s. Last year Google became the first major company to blow the whistle on Chinese hacking when it admitted to a penetration known as Operation Aurora, which also hit Intel, Morgan Stanley, and several dozen other corporations. (The attack was given that name because the word “aurora” appears in the malware that victims downloaded.) Earlier this year, details concerning the most sweeping intrusion since Operation Aurora were discovered by the cyber-security firm McAfee. Dubbed “Operation Shady rat,” the attacks (of which more later) are being reported here for the first time. Most companies have preferred not to talk about or even acknowledge violations of their computer systems, for fear of panicking shareholders and exposing themselves to lawsuits—or for fear of offending the Chinese and jeopardizing their share of that country’s exploding markets. The U.S. government, for its part, has been fecklessly circumspect in calling out the Chinese.

A scattered alliance of government insiders and cyber-security experts are working to bring attention to the threat, but because of the topic’s extreme sensitivity, much of their consciousness-raising activity must be covert. The result in at least one case, according to documents obtained by Vanity Fair, has been a surreal new creation of American bureaucracy: government-directed “hacktivism,” in which an intelligence agency secretly provides information to a group of private-sector hackers so that truths too sensitive for the government to tell will nevertheless come out.

This unusual project began in March, when National Security Agency officials asked a private defense contractor to organize a cadre of elite non-government experts to study the RSA cyber-attacks. The experts constituted a SEAL Team Six of cyber-security and referred to their work as Operation Starlight. “This is the N.S.A. outsourcing the finger-pointing to the private sector,” says one person who was invited to join the group and has been privy to its e-mail logs. The N.S.A. provided Operation Starlight with the data it needed for its forensic analysis.

Operation Starlight’s secret “Working Draft Version 0.2” report, dated April 4, 2011, has a cover page that bears a galactic image resembling a meteor-pockmarked moon. The source who provided Vanity Fair with the document emphasized that the draft is just that—a draft—and said that Starlight’s provisional conclusions are subject to change. (The source also says that Operation Starlight’s analysis will continue for a matter of months, and possibly as long as a year.) As of April, however, the draft report argued that the RSA hacks represent an “organized, concerted campaign on behalf of China.” It also suggested that RSA had been under attack, perhaps by different groups, for months prior to the attack that the company acknowledged in March. In July, in the lengthiest interview that RSA officials have given since their troubles began, executive chairman Art Coviello and EMC chief security officer Dave Martin resisted those suggestions. Coviello admitted that the SecurID hack was preceded in March by “pretty heavy-duty reconnaissance.” He refused to say specifically when the attack began or ended, but described the duration as “a matter of days, not weeks.” He agreed that the evidence suggested that the SecurID attack had come from a nation-state, but declined to accuse a specific country.

“The Adversary”

If you were designing a new jetfighter for Lockheed Martin, sooner or later you would have to travel to an air-force base to talk to military personnel about what they want the new jetfighter to do. Meetings over, you’d go back to your hotel room, fire up your laptop, and log on to Lockheed’s remote network to get some work done. In order to log on, you’d have to glance down at an inch-long red-white-blue-and-gray plastic key-chain fob, shaped vaguely like a key, on which a little L.E.D. screen displays strings of six to eight digits that change every minute or so. Adding those numbers to the basic password that you’d memorized, you would type the whole hybrid string of characters into the Lockheed-network log-in box—and then you would be in. That key fob, called a SecurID token, is RSA’s best-known product. The strings of numbers on its screen are generated by a microchip using the SecurID algorithm and a unique cryptographic seed.

Each numeric string is called a “one-time password,” and, when entered in combination with your own chosen password, it bumps up your network’s security by means of “two-factor authentication.” As of March 2011, RSA commanded 70 percent of the market for this form of security. More than 25 million of these tokens are in circulation, and for years they have been used by most U.S. intelligence and military officers, defense contractors, White House officials, and Fortune 500 executives.

So it was of great concern to many of the world’s most powerful people when, on the same day the company alerted the S.E.C., executive chairman Coviello posted an open letter to customers on RSA’s Web site, announcing that the company’s security system had identified “an extremely sophisticated cyber attack in progress,” an attack that “resulted in certain information being exported from RSA’s systems,” some of which was “specifically related to RSA’s SecurID two-factor authentication products.”

The letter was so vague and judiciously bland that many readers assumed what the later Lockheed hack seemed to suggest: that SecurID’s seed-key algorithm and some, if not all, of its seed-key database may have been stolen. RSA executives have consistently refused to say precisely what the company lost. Coviello did say in an interview that “the information taken, in and of itself, would not allow a direct attack.” An attacker, he went on, “would have had to get other information that only the customer had in their possession.” To weaponize the stolen SecurID information would require a strategy of coordinated intrusions, involving attacks not just on RSA but also preliminary attacks on every other target company—something that seemed so complicated as to be almost impossible. Yet within two months, the impossible had come to pass. Attackers, whom security experts often refer to in the satanic singular as “the Adversary,” had broken into Lockheed Martin’s network using SecurID information stolen from RSA.

Access to source code makes it relatively easy to discover new vulnerabilities in a Web application. For malware writers, these vulnerabilities are the keys to the kingdom, the open windows in the house that let them get inside to steal the furniture—or, depending on their goals, to move the furniture around, by altering the code and therefore potentially changing the functions of the company’s product.

It was eventually revealed that intruders had made off with source code for a Google password-management program called Gaia. The company’s losses are widely rumored to have been much greater, however. New information from security experts who were personally briefed by Google’s security chief, Heather Adkins, while Operation Aurora unfolded, offers a far more comprehensive picture of the attack than Google publicly told.

Three people who visited Google’s Mountain View, California, headquarters while the attacks were in progress describe dramatic scenes of a company under siege. Google “built a physically separate area for the security team,” one of them says. Sergey Brin, one of the company’s co-founders, was deeply involved in the cyber-defense. “He moved his desk to go sit with the Aurora responders every day. Because he grew up in the Soviet Union, he personally has a real hard-on for the Chinese now. He is pissed.” Caught unawares and shorthanded, the company made a list of the world’s top security professionals, and Brin personally called to offer them jobs—with $100,000 signing bonuses for some, according to one person who received such an offer—and quickly built Google’s small, pre-Aurora security operation into a group of more than 200.

Meanwhile, representatives of other companies hit by Aurora were invited to the Googleplex for private meetings with Adkins. She told two of the visitors that the attackers had made a beeline for Google’s “legal-discovery portals,” the system the company uses to evaluate requests for information from law-enforcement agencies and foreign governments. “The activity on those portals is closely monitored,” one visitor says. “Someone noticed that a bunch of Chinese names were queried on one woman’s computer [in the legal-discovery department] and asked her, ‘Why did you query all these people?’ She said, ‘I didn’t.’ ”

Security took her laptop to analyze it, and “that was the string they started pulling” that unraveled the Aurora attack.

Much more significant, however—and previously unreported—is that the intruders used Google’s internal search engine to look for words related to the company’s signing certificates: virtual credentials that verify the identity of the source of any software before it can be downloaded to a computer. This part of the attack was foiled because Google keeps its signing certificates offline, in an “air-gapped” network—a network that is not connected to the Internet.

The search for signing certificates is a disturbing new piece of information about Operation Aurora’s intentions. It also suggests a link to the SecurID theft. In both Operation Aurora and the RSA hack, not only did the attackers seek to steal proprietary information, they sought to steal the digital identities that would allow them to impersonate the companies.

Google’s initial announcement of Operation Aurora stated that “at least twenty other large companies from a wide range of businesses—including the Internet, finance, technology, media and chemical sectors”—had been affected, and early news reports named Yahoo and Symantec as among the other victims. As the year wore on, the body count grew: Adobe, Juniper Networks, and Rackspace admitted that they’d been attacked, then Intel. Before long a cache of e-mails written by analysts at the security firm HBGary and its sister company HBGary Federal were made public, after the companies were caught in the crosshairs of the hacktivist group Anonymous, a loose coalition of individuals who perform coordinated cyber-attacks, sometimes with the stated goal of advancing Internet freedom. The e-mails revealed that Aurora or similar attacks had also hit Baker Hughes, ExxonMobil, Royal Dutch Shell, BP, Conoco Phillips, Marathon Oil, Lockheed, Northrop Grumman, Symantec, Juniper, Disney, Sony, Johnson & Johnson, General Electric, General Dynamics, the law firm King & Spalding, and DuPont. DuPont was hit so intensely that, one HBGary analyst wrote, “their hair is on fire.”

Not only did the HBGary e-mails provide new details about Aurora, they also described similar attacks that had been going on for much longer than the public knew. “Many of the leading defense contractors … all had … aurora-type attacks as far back as 2005,” one analyst wrote. “So a search engine makes a big media stink about one intrusion, and that leads to a bunch of hype? I think the discussion needs to be on why it’s taken 5+ years for the rest of the industry to catch on.”

Pointing Fingers

From the start, Google openly asserted its view that the attack originated in China, and Hillary Clinton, after being “briefed by Google on these allegations,” issued a statement that pointedly said, “We look to the Chinese government for an explanation.” A report by Verisign iDefense, a security-intelligence service based in Dulles, Virginia, went further, stating that Aurora was directed by “agents of the Chinese state or proxies thereof.” The Chinese government made no official, public response to Clinton’s statement. But shortly thereafter, a spokesman for China’s Ministry of Industry and Information Technology told Xinhua, the official news agency, about the allegations regarding Google, that the “accusation that the Chinese government participated in [any] cyber attack, either in an explicit or inexplicit way, is groundless and aims to denigrate China.”

Yet, in the case of Aurora, there is evidence of involvement. After researchers found similarities between the tools used in the Aurora attacks and malware tools that were posted on open Chinese hacker forums, many analysts speculated that Beijing had employed civilian hackers as proxies to launch the attacks. A leading security-intelligence analyst says he received several dozen tips from sources in China suggesting that, “in point of fact, it was the P.R.C. government taking or demanding access to some of the research that the hackers had been doing, and then using it themselves.” The analyst goes on: “The Chinese government has employed this same tactic in numerous intrusions. Because their internal police and military have such a respected or feared voice among the hacking community, they can make use of the hackers’ research with their knowledge and still keep the hackers tight-lipped about it. The hackers know that if they step out of line they will find themselves quickly in a very unpleasant prison in western China, turning large rocks into smaller rocks.” In an undated cable made public by WikiLeaks, one American diplomat in Beijing reported to Washington that Aurora was an act of revenge ordered by a Chinese politburo member who had Googled himself and found a raft of unflattering articles.

The SecurID hack used the same basic technique as Operation Aurora and many other recent intrusions, though it made use of different specific tools. The technique, called “spear-phishing,” begins with reconnaissance to find personal information about a company’s employees. The Adversary may troll social-networking sites, including Facebook and Twitter, or may research e-mail archives exfiltrated in previous attacks to diagram its victims’ social situations. Then the Adversary writes e-mails or sends instant messages individually tailored to the recipients and sends them, with malicious attachments, from identities that the victim is likely to trust. If the recipient clicks on the attachment, the malware, called a remote-access tool, or “rat,” hooks itself into the user’s Windows operating system inside the company’s firewall. The rat is manually operated by the Adversary—an actual person, sitting at a computer, waiting to take over the victim’s machine. “The initial machine is just a beachhead,” explains McAfee’s Dmitri Alperovitch. “From that point, the Adversary will move into document repositories, e-mail archive servers, proceed to take the data and ship it out of the company through another mechanism, typically by setting up a second, command-and-control server that they will exfiltrate data to. From the moment you’ve clicked on the malware, there is another individual on the other end adapting to your network eco-system, your security system, and trying various things until they succeed in getting what they want. It’s like a Predator drone in Pakistan that’s being controlled by a joystick in Nevada.”

Some of the types of tools that the RSA hackers used—the rat, the command-and-control-server infrastructure, and the remote domains—had previously been employed in a persistent series of attacks on the Department of Defense and other U.S.-government systems. These attacks were originally code-named Titan Rain. After Titan Rain was made public, it was re-christened with the code name Byzantine Hades, and after that name, too, was made public, Byzantine Hades was re-dubbed with at least three more new classified code names, according to a former N.S.A. analyst. Some top intrusion specialists attribute this series of attacks to a group in China called the Red Hacker Alliance, which has suspected ties to the People’s Liberation Army. (The particular malware and command-and-control servers used in the SecurID hack, however, were unique, and had not been used in previous attacks.)

Act of War?

On May 21, the computer systems of America’s largest military contractor, Lockheed Martin, detected an intruder. A week later, Lockheed acknowledged the breach in a statement. The company called the attack “significant and tenacious” but also said that it had been detected “almost immediately,” at which point the company took “aggressive” actions to stop it. “Our systems remain secure; no customer, program or employee personal data has been compromised,” the statement said—leaving open the questions of how an intrusion could be both “tenacious” and detected “almost immediately,” and how it could be “significant” without compromising any data. The event was noteworthy enough that President Obama was briefed on the situation. An unnamed Lockheed executive told The New York Times that investigators “cannot rule out” a connection to the RSA breach. RSA said that it was “premature to speculate” on the cause of the attack.

On May 31, news broke that L-3 Communications, which provides intelligence, surveillance, and reconnaissance technology to the U.S. government, had also been attacked, according to an e-mail to L-3 employees dated April 6. The e-mail said that L-3 had been “actively targeted with penetration attacks leveraging the compromised information” from the RSA breach. When asked whether intruders had gained the ability to clone SecurID key fobs, an RSA spokeswoman said, “That’s not something we had commented on and probably never will.”

The next day, June 1, Fox News reported that Northrop Grumman had cut off remote access to its network without warning, resetting domain names and passwords, and causing “chaos” across the company, according to an unnamed Northrop executive. The company’s official response to Fox’s questions on the matter was, verbatim, the same as its response to my questions about previous reported hacks, going back several years: “We do not comment on whether or not Northrop Grumman is or has been a target for cyber intrusions.”

That same day, Google made its first allegation of Chinese hacking since Operation Aurora, announcing that it had thwarted an attempt from China to steal the Gmail passwords of senior U.S. government officials. The next week, on June 7, RSA’s Art Coviello gave a mea culpa interview to The Wall Street Journal, admitting that the entire SecurID system was compromised, offering to replace practically all of the millions of tokens on the market—and infuriating many of its customers, some of whom were reported to be sundering their relationship with RSA and hiring new security companies. Coviello says that he made the replacement offer because, “post-Lockheed, customers had a lower tolerance for risk,” and he says that “less than 10 percent of our customers have requested replacement tokens.”

This onslaught of revelations was all the more extraordinary because American industry has so few incentives to come clean about its losses, and so many incentives to cover them up. Was it a coincidence that, only hours before Northrop’s and Google’s alleged hacks became public, the Pentagon provided an element of its forthcoming cyber-war strategy to The Wall Street Journal, declaring that the U.S. will consider some cyber-attacks to be the equivalent of physical acts of war?

Like so many Rip Van Winkles, most of Washington has been asleep while cyber-attacks proliferated. But a few voices have been trying to wake the town up. One belongs to Scott Borg, director and chief economist of the U.S. Cyber-Consequences Unit, whose research indicates that China, to sustain economic growth, “is relying increasingly on large-scale information theft. This means that cyber attacks are now a basic part of China’s national development strategy.” Another voice is that of James A. Lewis, a former diplomat who now leads the Technology and Public Policy Program at the Center for Strategic and International Studies. He says, “The thing we have to work through is, how do we want to work with the Chinese on this issue? This administration has decided they want to cooperate, not have a confrontation.” A senior State Department official elaborates: “One of the core things we’re trying to do diplomatically is to build a consensus internationally to build norms of behavior, rules of the road,” as described in the president’s “International Strategy for Cyberspace.” (The norms include “Upholding Fundamental Freedoms,” “Respect for Property,” and “Right of Self-Defense.”) James A. Lewis goes on: “This is what we did on missile proliferation. Our allies showed up and we all said, ‘Here are the norms.’ But how do we get a flow of countries to show up and say, ‘You’re crossing a line. Back off, or there will be consequences’? What is the cost to the Chinese right now? Until there is some cost, they’re not going to stop.”

Another White House document, the “Comprehensive National CyberSecurity Initiative,” as well as several bills in Congress, propose ways of protecting critical infrastructure, such as electrical grids, from cyber-intrusions. China has so thoroughly probed and mapped our power system that former director of national intelligence Dennis Blair once publicly admitted that “a number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.”

Still others are trying to address the economic impact of cyber-espionage. On May 11, Senator Jay Rockefeller and several of his colleagues sent a letter to Mary Schapiro, chair of the U.S. Securities and Exchange Commission, asking the S.E.C. to issue interpretive guidance for companies about disclosing material risk due to cyber-breaches. The morning Rockefeller sent his letter, Tom Kellermann, a former cyber-security specialist at the World Bank, told me that the S.E.C. would force companies to make significant disclosures. “The dragon lady’s gonna rain down fire,” he said.

The dragon lady has her work cut out for her. One industrial-control-systems security specialist recalls a conversation with a chief financial officer and a chief information officer of a major corporation after finding 65 vulnerabilities in the company’s networks, which would have required a huge investment to fix. “What’s the worst that can happen if we don’t fix any of these?” the C.F.O. asked.

“We have large exposure,” answered the C.I.O. “We could potentially be attacked—”

“No, no, no. What is the financial impact if we don’t do any of these?”

“We’re not regulated or audited, so there won’t be any fines.”

The C.F.O. answered, “You get no budget,” and the topic was closed.

The persistent culture of secrecy surrounding all things cyber compounds the difficulty of taking practical steps against Chinese hacking. Much, perhaps most, information about cyber-conflict of all types is classified, which creates tremendous practical problems of communication. Sometimes, when the F.B.I. learns of an intrusion through classified channels, the Bureau has to find other, unclassified evidence of the intrusion in order to be able to tell the victim what is happening. “If it’s a defense contractor being hacked, then the victim company includes people with clearances, so communication is easy. But if you’re talking about a company where no one has clearances, that presents a significant problem”—and can create a significant time delay between the discovery of a hack and the victim’s awareness of exposure, according to one cyber-security analyst.

Playing the Fool

Yet the deeper I delved into the Chinese hacking problem, the more I discovered a network of individuals in government and the private sector who are serving as a semi-official Resistance in this secret war. A handful of influential congressional staffers who shape Hill debate on these matters put me in touch with top intrusion specialists who are former hackers, military personnel, or National Security Agency officials. These analysts are the civilian, cyber-equivalent of special-ops forces. When my phone rang very late one night this spring, I was surprised to see the name of one of these analysts on the screen. In the mood to talk, he spent most of an hour describing his work to me, naming names and counting losses with shocking precision, though forbidding me to repeat the details of his disclosures.

In this conversation—the first of several that took place over the following months—the man said that he had started his career protecting government networks against foreign attacks. On that job, he became so preoccupied with the scale of Chinese hacking that a senior military officer told him to stop talking about it, with the gruff explanation that “the reason this is still going on is that the Chinese government now owns us.” Frustrated, the analyst eventually left government service for the private sector.

The problem may be reaching a boil that will take significant willpower to ignore. In mid-July, the security firm McAfee shared exclusively with Vanity Fair the results of its latest cyber-espionage investigation. McAfee reports that, over a period of five years, a single Adversary penetrated more than 70 organizations, from giant multi-national corporations to tiny nonprofits, representing more than 30 industries around the world, and exfiltrated intellectual property—including e-mail archives, legal contracts, negotiation plans for business activities, design schematics, and government secrets—as soon as its spear-phishing victims clicked on a link to a Web page. One country’s Olympic committee was compromised for a full 28 months; many other organizations were compromised for two whole years. McAfee has given the name Operation Shady rat to this set of intrusions. Dmitri Alperovitch, who discovered Operation Shady rat, draws a stark lesson: “There are only two types of companies—those that know they’ve been compromised, and those that don’t know. If you have anything that may be valuable to a competitor, you will be targeted, and almost certainly compromised.”

The full list of Operation Shady rat’s victims includes government agencies and corporations worldwide. The vast majority of victims—more than two-thirds of the total—are in the U.S. Among the other countries targeted are Taiwan, South Korea, Japan, Hong Kong, Singapore, India, Germany, and the U.K. In 2007, the year before the Beijing Olympics, one international athletics organization and the Olympic committees of three different countries were breached by this intruder. Alperovitch believes the targeting of the Olympic committees and of American political nonprofits suggests the intrusions were state-sponsored, explaining, “There’s no economic gain to compromising them.” When asked if the People’s Republic of China was conceivably behind Shady rat—given that China was not itself attacked—Alperovitch noted that McAfee’s policy was not to comment on attribution. He added, “If others want to draw that conclusion, I certainly wouldn’t discourage them.”

Another security researcher who was on the front lines during Operation Aurora says, “Those of us who are hands-on-keyboard want this story to be told, because we feel like the top corporate managers—following the advice of their lawyers—are reflexively keeping breach information secret from other companies that are trying to defend themselves. In the big picture, a little bit of short-term embarrassment is worth it, to get the American people to understand that there’s a low-level Cold War going on.” Despite—and also because of—the extreme secrecy surrounding industrial cyber-espionage, this phenomenon is gradually effecting a fundamental re-arrangement of the relationship between state and corporate power.

Michael Hayden was the director of the N.S.A. and then the C.I.A. during the period when the problem of Chinese cyber-espionage developed. In a conversation with him about Operation Aurora, I asked what he believed to be the most significant fact about those intrusions.

He answered, “You see Google acting in some ways as nation-states used to act, exercising to the best of their ability some attributes traditionally associated with sovereign states. ‘We’re going to break relationship’—cease doing business there, you know. It’s something I dwell on a lot. The cyberworld is so new that the old structures, you know—state, non-state, public, private—they all break down … The last time we had such a powerful discontinuity is probably the European discovery of the Western Hemisphere. At that point, we had some big, multi-national corporations—East India Company and Hudson’s Bay—that acted as states. And I see elements of that with the big Microsofts and Googles of the world. Because of their size, they actually are making decisions that have the impact of the kinds of decisions made in the halls of government. Google is not a state. But what constitutes Google’s inherent right of self-defense in this new environment against this kind of attack? I’m not accusing anyone of doing anything wrong. These situations are just so different. What do we believe would be legitimate for Google to do in response to this? Now, I don’t have answers. I really don’t know, but it’s a really good question.”

Operation Starlight has an old-fashioned answer to that question: Find the culprits and put them to shame. Its draft report declares: “The attacker’s name, telephone number records, and other pertinent information should be divulged to the public in order to support attacker attribution and assist in tracking back to the source.”

But no one believes that this tactic by itself will solve the problem—or that corporations will embrace their long-term best interest anytime soon. Rather, so long as executives and politicians are guided by short-term self-interest, they will continue to play the fool to the country that would be king. “You need to consider: What are the subconscious assumptions that companies bring to the issue of foreign cyber-attacks on their networks?,” a senior Senate staffer who works on cyber-issues asked me. “They assume that if something bad happens government will take care of the losses. They act like they don’t really believe that a bank could get completely taken out, or that a tech giant could get its whole lunch eaten, because it sounds as fictional as 9/11 would have sounded before it happened. But terrorism is not the best analogy here. Who could have imagined that people would have flown airplanes into buildings? The difference with cyber is there are people trying to fly planes into buildings every day now. And everybody just looks the other way.”

correction: The online version of this story reflects two developments that came to light since the magazine went to press. The number of athletics organizations breached in 2007 by the Shady rat intruder was one, not two. Additionally, American defense contractors were not among those whose systems were compromised for two whole years.

Related Posts Plugin for WordPress, Blogger...

Posts relacionados:

Deixe um Comentário

 


Compression Plugin made by Web Hosting