Many hackers develop “0day exploits” and can either use them directly or sell them. Sales of 0day exploits are a lucrative business on the black market via the Dark Web. In order to find these holes in security, hackers have to develop a comprehensive profile of the target, including what email systems are used, what operating systems are in play, and what proprietary computer systems are in use. For the Democratic National Committee hack they used a custom computer system created by NGP VAN, a specialist computer company that helps progressive non-profits. Malware samples discussed in the CrowdStrike report on the hack showed that the attackers were custom coding components to be used for that specific attack on that specific software to get a very specific result: Watergate 2.0. [3]
After detecting hacking activity, the victim often helps security companies and government agencies to determine the attacker’s origin or backers. APTs from China tend to focus only on Chinese government interests, which could include activities of its neighbors or, as seen in the past few years, the Chinese buildup in the South China Sea. Some well-documented APTs developed by China include Blue Termite, The Elderwood Platform, Hidden Lynx, Deep Panda, and Putter Panda (APT2). Computer security authorities have identified APT1 as a department of the Chinese People’s Liberation Army (PLA); it also carries the APT name “PLA Unit 61398.” It is well known for its focus on U.S. technology firms.
The Iranians are often labeled under APT names associated with Kittens. Rocket Kitten, for instance, was credited in August of 2016 with cracking the Telegram encryption, constituting a threat to dissidents in or related to Iran. Other groups include Flying Kitten, Magic Kitten, and Clever Kitten, just to name a few.
The Russians, similar to the Chinese, focus on Eastern Europe, NATO forces, the United States, and opposition to Russian interests. These attacks range from hits on a power station in Ukraine to an attack on the World Anti-Doping Agency in August 2016. While many firms do not capriciously attribute attacks directly to nation states, they do reveal the metadata patterns that indicate Russian or Chinese involvement, from the OS the hackers used to compile the malware, to the IP ranges associated with spear-phishing and watering-hole attacks, to the domain names used to spoof the target into clicking on hot links. Unlike Russian cyber criminals, Russian government APTs are focused almost purely on cyber espionage.
Criminal APTs, or CRIMINAL BEARS, like Anunak/Carbanak and BuhTrap clearly focus on banking institutions across the world. First detected in December 2013, Carbanak stole well over $1 billion in strikes against U.S. retailers, including office retailer Staples. They use very similar methods to other APTs, such as spear-phishing campaigns. Spear-phishing is a malicious, fraudulent email that appears to come from a trusted source. It generally contains a hyperlink to a false sign-in page that asks you to enter your passwords, credit card, or other information. It could also be a direct link to a virus.
Like the nation-state actors, the Carbanak method of stealing financial data relies on malware with a backdoor that replicates itself as “svhost.exe” before it connects to a command-and-control server to download more files and begin probing for more vulnerabilities. The APT can then download additional tools to take control of the infected computer, including keylogging, as well as capturing data from screen captures, microphones, and video cameras. Carbanak has even documented their operations in video form to evaluate the process and train others. The data that this group seeks to exfiltrate may go beyond financial information alone, but the primary goal has been to steal funds via fraudulent transactions.
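The “svhost.exe” name above is a near-miss of the legitimate Windows service host, svchost.exe, which is exactly the kind of masquerade a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the book or from the CrowdStrike report; the log format, field names and sample records are constructed for illustration, and the list of known system binaries is a hypothetical minimal allowlist.

```python
"""Flag look-alike process names (e.g. "svhost.exe" vs "svchost.exe") and
known system binaries launched from the wrong directory.

Log records are constructed, Sysmon-style "Image=...|ParentImage=..." lines;
real telemetry would come from Sysmon event 1 or an EDR (assumption).
"""
from typing import Dict, List

# Legitimate Windows binaries and the directory they are expected to run from.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Legitimate names that happen to sit within edit distance 2 of a known binary.
NAME_ALLOWLIST = {"iexplore.exe"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a 1-character drop (svhost vs svchost) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_image(image_path: str) -> str:
    """Return 'ok', 'lookalike_name' or 'wrong_directory' for one process image."""
    directory, _, name = image_path.lower().rpartition("\\")
    if name in KNOWN_SYSTEM_BINARIES:
        return "ok" if directory == KNOWN_SYSTEM_BINARIES[name] else "wrong_directory"
    if name not in NAME_ALLOWLIST and any(
        edit_distance(name, known) <= 2 for known in KNOWN_SYSTEM_BINARIES
    ):
        return "lookalike_name"
    return "ok"

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each record and return a finding for every image that is not 'ok'."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
        verdict = classify_image(fields["Image"])
        if verdict != "ok":
            findings.append({"image": fields["Image"], "verdict": verdict,
                             "parent": fields.get("ParentImage", "")})
    return findings

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe",
    r"Image=C:\Users\alice\AppData\Roaming\svhost.exe|ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE",
    r"Image=C:\Users\alice\AppData\Local\Temp\svchost.exe|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The parent-process field is carried through because a service host spawned by an Office document, as in the second constructed record, is the more telling signal for a spear-phishing delivery.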
From Mechanical Hacks to Cyber Theft
At the height of the Cold War, Russia learned to make the leap from manual intercept of printed media to the computer age well before the internet existed. Between 1978 and 1984 the KGB carried out an audacious electronic intelligence operation that preceded the CYBER BEARS antics. A select group of special technicians had intercepted a shipment of American IBM Selectric II and Selectric III electric typewriters en route to the American embassy in Moscow and the US Consulate in St. Petersburg. The KGB inserted devices called the Selectric Bug into sixteen of the typewriters. [4] The special electrical device was embedded in a hollow aluminum bar that would capture the impact of the rotating print ball as it struck the paper. As a typist struck the keys, the bug would transmit each keystroke to a nearby listening post via a short-distance radio signal. The NSA countered this by deploying a special team to Moscow to inspect all of the Embassy’s computers, encoding machines and typewriters. Code named GUNMAN, the NSA team eventually found the bugs and replaced the typewriters with secure ones in secret. [5] Still, the KGB’s early awareness of the advance in print technology led them to implement one of the very first keystroke detection systems before computers became commonplace. With this corporate knowledge in hand, the KGB was well ahead of the curve in intercept technology, an aptitude they would soon come to command in the computer age.
Cyber intelligence collection operations didn’t start in the 21st century; they preceded the rise of Putin. During the period when Vladimir Putin was just taking the reins from the former KGB under the leadership of Boris Yeltsin, the NSA and the Department of Defense’s Information Operations Response Cell noted a series of sophisticated computer penetrations, accessed through research university servers. The hackers were stealing sensitive information, but what was noteworthy was the seemingly random nature of the hacks and the peculiar nature of the sensitive information. Author Fred Kaplan detailed this hack, called MOONLIGHT MAZE, and numerous others in his brilliant book Dark Territory: The Secret History of Cyber War. The hack was tracked back to Russia after decrypts found that the hacker was using a Cyrillic, Russian-language keyboard. The classified materials stolen about obscure scientific programs perfectly matched discussion topics at recent conferences in the United States attended by Russian scientists. The Russians would attend a conference, realize that it held more secrets, and task the CYBER BEARS to steal the research. The Russian Academy of Sciences in Moscow submitted hack requests and the KGB, now FSB, acquired the 5.5GB of classified materials. [6]
Russia didn’t rest on its laurels after stealing American scientific data. For more than ten years, volunteer militia hackers and cyber criminals carried out limited, and on occasion full-scale, cyber warfare on its neighbors in Europe. There is an arms race in the cyber weapons world as nation-state and freelance hackers seek to push the technology envelope. By 2016 the history of Russia’s attacks showed proficiency at destroying enemies with cyber strikes.
First Steps in Cyber Campaigns
The first step is to establish a target organization or individual. Second would be to find out how and where to compromise the target’s IT systems with the least amount of effort possible and without being detected. This will most often start with examining the publicly posted employee rosters at a company, organization, or government office. Next will be a scour of social media sites like Facebook, LinkedIn, Twitter, Google, or even simply within the agency of the target. [7]
The target or targets are subjected to an email spear-phishing campaign. Spear-phishing is a technique that seeks to fool a target into clicking on links or opening attachments in emails the target would expect to receive. For example, if a State Department official was expected to attend a conference on a UN refugee program, they might receive an email with the title “Schedule for the Refugee Committee” with an attached document or link. If it is a link instead of an attachment, the target might take a look at the link before clicking, but the reasonable-looking link will lead to a spoofed site that quietly returns malware to their computer. Once that malware is installed, it may do a number of things depending on the intent of its coding. The first function it is likely to perform is to breach.