Black Code: Inside the Battle for Cyberspace (21 page)

•  •  •

Among those governments
using cyber-crime techniques for national military and intelligence purposes Syria may be the most recent, but it is not the first nor the most voracious. That title goes to China, whose adversaries have been the most frequently targeted, and for the longest periods of time. China has used just about all of the latest techniques of the cyber-criminal underworld for strategic intelligence, industrial espionage, and military action. Indeed, it is fair to say that China is
the
template for state-sponsored cyber crime.

During Ghostnet, basic Internet “social engineering” techniques – the art of fooling people into divulging confidential information – first refined by cyber criminals were used to fool recipients of emails at the Office of the Dalai Lama and Tibetan Government in Exile into opening attachments that contained a very simple piece of malicious software. Once infected, the attackers installed a more sophisticated remote administration tool on their computers, a freely available and open-source piece of software known as Ghost RAT (hence the name of the espionage network). During Shadows, the attackers borrowed from the widely deployed
criminal method of splitting up and routing stolen documents from victims’ computers across redundant social networking platforms to ensure resiliency and to disguise the origins of the malicious network in case parts of their infrastructure were reported on and shut down. When members of the Foreign Correspondents’ Club of China were targeted by socially engineered emails containing malicious trojans, the infected computers connected back to Taiwan-based command-and-control servers under the control of the attackers. (The compromised servers were based at Taiwan University and were the very ones used to distribute antivirus software to staff and faculty.) When the European Parliament passed a resolution condemning China’s repression of Tibet, the text was immediately repurposed to contain a malicious piece of software and then distributed to the contact list of an exiled Tibetan whose computer was compromised by Chinese attackers. When Twitter was used as a means to raise awareness by Tibetans about an important anniversary, pro-regime hackers employed several hundred bots – automated programs that generate content – to flood Twitter discussions using the hashtags #Tibet and #Freetibet, making those hashtags unusable, a technique known as “hashtag bot-flooding” originally developed by spammers. Chinese hackers redeployed a common technique, an iFrame injection, or “drive-by” attack, in which the websites of their adversaries are hacked into and loaded with malware that targets visitors using improperly secured browsers. Over the years numerous websites of prominent human rights groups have been exposed in this manner, including Amnesty International U.K. and Human Rights in China.

In each case, many of the primary methods and tools used were not specially designed or custom built; instead, they were simply repurposed from the world of cyber crime, and many observers believe China tacitly condones and supports the vast cyber criminal underworld because it benefits from it. Looking at the evidence, it’s
hard to conclude otherwise. And China is not alone. Many shadowy underground entities employ cyber-criminal methods against human rights and opposition groups in operations that benefit entrenched authorities. Russia, Kyrgyzstan, Belarus, and other states across the former Soviet Union represent good examples.

In February 2005,
during parliamentary elections in Kyrgyzstan, websites belonging to political parties and independent media aligned with the opposition were subjected to unexplained technical failures, glitches, and deliberate hacking. Journalists at independent media organizations had their email accounts flooded with large volumes of spam and phony emails. Several websites were hacked and defaced, and one had its domain name deregistered because the authorities claimed it had no “legal status.” Shortly thereafter, a major DDOS attack, undertaken by a group calling itself Shadow Team, overwhelmed Kyrgyzstan’s leading ISPs. OpenNet Initiative’s Krygyzstan-based researchers obtained the extortion note sent by Shadow Team to the ISPs, which threatened to continue the attacks until specific websites connected to the political opposition were shut down. A separate threatening email was sent to a popular regional news site,
http://www.centralasia.ru
, demanding that it stop publishing any and all information about the situation in Kyrgyzstan. The perpetrator turned out to be a single hacker operating out of Ukraine, but whose attacking computers were physically located in the United States. The same hacker was simultaneously pursued for different reasons by U.S. security researchers, and eventually the botnet was disabled.

Based on ONI’S experiences in Kyrgyzstan, leading up to the
2006 Belarus presidential elections we assembled a group of researchers (both inside and outside the country) to monitor the Internet. Although ONI testing indicated that Belarus, like Kyrgyzstan, had no Internet censorship, the regime of President Alexander Lukashenko was (and still is) widely considered typical
of Soviet-style authoritarianism: prone to silencing dissent and quelling opposition using heavy-handed methods. Indeed only a year before, Ilya Mafter, the program officer from the Open Society Institute (which had funded the ONI project) had been arrested on trumped-up money laundering charges and held in detention for several months. Before and during the presidential election, ONI documented numerous opposition websites coming under denial-of-service attacks, or made inaccessible on the state-owned Beltelecom network. During a day of major demonstrations in the capital city Minsk, when riot police intervened to disperse and arrest protesters, one of the main dial-up services for Internet connectivity in the city went dead, having experienced “technical problems.”

In 2008, two years after the Belarus election, war broke out between Russia and Georgia over the disputed territorial enclave of South Ossetia.
As Russian tanks stormed the territory, ONI researchers inside Georgia and neighbouring countries monitored the information domain, collecting evidence of computer network attacks and filtering. At the war’s height, Georgian government websites and much of its information infrastructure, including banking and emergency services, came under a massive denial-of-service attack, which most people attributed to the Russian government. (A similar assault had been inflicted on Estonia a year earlier, when that country’s leaders made the unpopular decision to relocate the
Bronze Soldier of Tallinn
, an elaborate Soviet-era war memorial, along with the remains of Soviet soldiers.) Desperate to stem the attacks, and hoping to counter Russia’s disinformation campaign, the Georgian government censored access to all Russia-based websites. Accustomed to seeing Russian news online, and unaware of the decision taken by their government, Georgians in the capital city of Tbilisi panicked, fearing that the blackout presaged a massive Russian ground assault. Rumours quickly spread of tanks approaching the outskirts of the city.

Were the DDOS attacks orchestrated by the Russian military, undertaken by sympathizers to the Russian cause, or some combination of the two? No one would or could tell. To illustrate how easy it is for anyone to participate in such attacks, journalist Evgeny Morozov, writing for
Slate
magazine,
downloaded instructions for one of the DDOS tools advertised on Russian forums and, in less than an hour, was a participant in the attacks on Georgian government websites himself.

After the war ground to a halt, Citizen Lab researchers were able to register the domains of the botnets responsible for the DDOS attacks, which the owners had let expire. Doing so gave us a precise sense of the breadth of commandeered computers under the hackers’ control during the Russian–Georgian conflict, as the zombie computers still “checked in” with domains now under our supervision. While most observers talked about Russian-based attacks on Georgian government websites, we found instead a global network of zombie computers used to assault the Georgian infrastructure, the vast majority of which were physically located in the U.S. and Germany. We also determined that the same botnets had been used in numerous recent criminal activities, mostly involving extortion against pornography and gambling websites.

The worldwide distribution of computers linked together to assault Georgia proves how difficult it is to “attack back” those causing mayhem in cyberspace. Indeed, at one moment during the conflict, when the Georgians took up an offer from a Georgian ex-pat based in Atlanta to host their websites in the United States, commandeered U.S.-based computers were overwhelming other U.S.-based computers hosting Georgian government websites!

•  •  •

What ONI researchers have found
in the former Soviet Union has parallels in other parts of the world. In 2009, the Citizen Lab analyzed DDOS and defacement attacks that were
vexing the Burmese opposition and independent media outlets alike. Most observers, including the victimized organizations themselves, blamed the Burmese government, but Nart Villeneuve determined that the attackers had no ties at all to the Burmese government. Instead, the attacks had been launched by a group of Burmese hackers trained as computer programmers at Russian military academies in Rangoon. Overseas Burmese pro-democracy groups had apparently irritated them, and they took it upon themselves to defend the military junta by menacing the groups persistently over the Internet. Part of the hackers’ motivation was to earn bragging rights, and their undoing was that they boasted about their exploits on chat forums that we were monitoring, allowing us to triangulate their usernames with other coincidental pieces of information. Still, why shut down cyber crime in your backyard if it happens to be doing work for you fighting national security threats abroad?

In the wake of the 2009 Green Movement in Iran, a group calling itself the Iranian Cyber Army emerged and began menacing Green Movement sympathizers at home and abroad. Hacking collectives had been active in Iran since the early 2000s, with groups like Ashiyane, Shabgard, and Simorgh cracking into websites for notoriety and, occasionally, profit. Beginning in the summer of 2009, however, politically motivated attacks on websites became increasingly common as a means to counter the Green Movement and create a climate of fear and suspicion. The Iranian Cyber Army hackers successfully defaced Twitter, Voice of America, the Chinese search engine Baidu, and opposition websites such as Radio Zamaneh, often emblazoning pages with their logo and leaving pro-government messages. (Recently, sophisticated attacks on the certificate authority systems that secure Internet traffic moving in
and out of Iran were undertaken by an individual claiming to be a loner sympathetic to the regime, although no one can say for sure if the claim is true.)

The Iranian government has tacitly condoned the activities of the Iranian Cyber Army – even going so far as to applaud its efforts – while keeping itself one step removed from any formal endorsement or incorporation.
When the Iranian Cyber Army launched a cyber attack on Voice of America websites and inserted an anti-American message, an Iranian official spokesman, Ali Saeedi Shahroudi, said that the U.S. could no longer claim that it was the “bellwether of software and cyber technology,” and that the “hacking of a VOA homepage by the Iranian Cyber Army and leaving a message on the site for the U.S. secretary of state shows the power and capability of the [Islamic Revolution Guards] Corps in the cyber arena.” In 2010, the leader of the Iranian Revolutionary Guard’s Ali Ibn abi-Talib Corps, Ebrahim Jabbari, publicly claimed that his organization possessed the world’s second-largest cyber army. Was he referring to the Iranian Cyber Army? In 2011, another Iranian Revolutionary Guard official, Brigadier General Gholamreza Jalali, said, “We welcome the presence of those hackers who are willing to work for the goals of the Islamic Republic with good will and revolutionary activities.”

•  •  •

Quasi-national cyber armies
like these are spreading, and spreading fast, for two fundamental reasons. First, the tools to engage in cyber attacks are now widely available and as simple to acquire as “download, point, and click.” With such easy access, we have entered the age of do-it-yourself information warfare. A second factor, which reinforces and builds upon the first, is the growing pressure on governments and their armed forces to
develop cyber warfare capabilities. While cyber warfare threats are often wildly exaggerated in order to win massive defence contracts, there is an undeniable arms race occurring in cyberspace, and the domain is being rapidly militarized. Governments around the world now see cyber security as an urgent priority. They are standing shoulder-to-shoulder with their armed forces on this issue, and the capacity to fight and win wars in cyberspace is now seen as an absolute necessity by authoritarian regimes and liberal democracies alike.

But not all countries follow the same playbook.

While the United States and other Western countries build cyber commands staffed by professionally trained military personnel, corrupt, autocratic, and authoritarian regimes follow a different path: exploiting the techniques and methods of the cyber-criminal underground, enlisting paramilitary hackers, and taking advantage of the vulnerabilities of the very systems their opponents depend on for mobilization and political action. They also target different adversaries, reflecting their own perception of what constitutes a national security threat: political opposition parties, independent media, bloggers and journalists, and the vast networks of civil society groups pressing for openness, democracy, and accountability.

For many years, global civil society networks saw the Internet and other forms of new media as powerful tools for their causes. They have gradually come to learn that these media can be controlled in ways that limit access to information and freedom of speech for citizens living behind national firewalls. Now, to those concerns must be added another, this time more ominous: cyberspace is becoming a dangerously weaponized and insecure environment. It is now a domain where human rights activists, opposition groups, and independent media can be trapped, harassed, and exploited, as much as they can be empowered. And there’s
another thing. On what basis can the West condemn, for instance, the Syrian Electronic Army or other quasi-state hacker groups for infiltrating the computers of opposition groups when we openly market offensive computer network attack products and services at Las Vegas–style trade shows?