scenarios

User Generated

iraxlaryyhev

Computer Science

Description

Review the scenarios 1 and 2 in chapter 3. For each of these scenarios choose only 1 option from the list. Explain why you chose that option and describe if the actions you've taken are currently legal. This should be a 2 to 3 page paper written in APA format. Make sure you adhere to the grading rubric.

Writing Requirements

  • 2-3 pages in length (excluding cover page, abstract, and reference list)
  • Include at least two peer reviewed sources that are properly cited
  • APA format, Use the APA template located in the Student Resource Center to complete the assignment.
  • Please use the Case Study Guide as a reference point for writing your case study.

Unformatted Attachment Preview

Inside Cyber Warfare Inside Cyber Warfare Jeffrey Carr foreword by Lewis Shepherd Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo Inside Cyber Warfare by Jeffrey Carr Copyright © 2010 Jeffrey Carr. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://my.safaribooksonline.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com. Editor: Mike Loukides Production Editor: Loranah Dimant Copyeditor: Genevieve d’Entremont Proofreader: Loranah Dimant Indexer: John Bickelhaupt Cover Designer: Karen Montgomery Interior Designer: David Futato Illustrator: Robert Romano Printing History: December 2009: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Inside Cyber Warfare, the image of light cavalry, and related trade dress are trademarks of O’Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. TM This book uses RepKover™, a durable and flexible lay-flat binding. ISBN: 978-0-596-80215-8 [M] 1259961702 Table of Contents Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii 1. Assessing the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 The Complex Domain of Cyberspace Cyber Warfare in the 20th and 21st Centuries Cyber Espionage Cyber Crime Future Threats Increasing Awareness Critical Infrastructure The Conficker Worm: The Cyber Equivalent of an Extinction Event? Africa: The Future Home of the World’s Largest Botnet? The Way Forward 1 2 4 5 6 7 8 12 13 14 2. The Rise of the Non-State Hacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 The StopGeorgia.ru Project Forum Counter-Surveillance Measures in Place The Russian Information War The Foundation for Effective Politics’ War on the Net (Day One) The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead Impact Overview of Perpetrators Hackers’ Profiles Methods of Attack Israeli Retaliation Control the Voice of the Opposition by Controlling the Content in Cyberspace: Nigeria Are Non-State Hackers a Protected Asset? 15 16 16 17 19 19 21 22 26 28 28 29 v 3. The Legal Status of Cyber Warfare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Nuclear Nonproliferation Treaties The Antarctic Treaty System and Space Law UNCLOS MALT U.S. Versus Russian Federation: Two Different Approaches The Law of Armed Conflict Is This an Act of Cyber Warfare? South Korea Iran Tatarstan United States Kyrgyzstan Israel and the Palestinian National Authority Zimbabwe Myanmar Cyber: The Chaotic Domain 32 33 34 34 34 35 37 37 37 37 37 38 38 38 39 39 4. Responding to International Cyber Attacks As Acts of War . . . . . . . . . . . . . . . . . . . . 45 Introduction by Jeffrey Carr Introduction The Legal Dilemma The Road Ahead: A Proposal to Use Active Defenses The Law of War General Prohibition on the Use of Force The First Exception: UN Security Council Actions The Second Exception: Self-Defense A Subset of Self-Defense: Anticipatory Self-Defense An Alternate Basis for Using Active Defenses: Reprisals Non-State Actors and the Law of War Armed Attacks by Non-State Actors Duties Between States Imputing State Responsibility for Acts by Non-State Actors Cross-Border Operations Analyzing Cyber Attacks Under Jus ad Bellum Cyber Attacks As Armed Attacks Establishing State Responsibility for Cyber Attacks The Duty to Prevent Cyber Attacks Support from International Conventions Support from State Practice Support from the General Principles of Law Support from Judicial Opinions Fully Defining a State’s Duty to Prevent Cyber Attacks vi | Table of Contents 45 45 47 48 48 49 49 50 51 52 52 53 54 55 56 57 58 61 62 63 64 66 67 67 Sanctuary States and the Practices That Lead to State Responsibility The Choice to Use Active Defenses Technological Limitations and Jus ad Bellum Analysis Jus in Bello Issues Related to the Use of Active Defenses Conclusion 68 68 69 71 74 5. The Intelligence Component to Cyber Warfare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 The Korean DDoS Attacks (July 2009) The Botnet Versus the Malware The DPRK’s Capabilities in Cyberspace One Year After the RU-GE War, Social Networking Sites Fall to DDoS Attack Ingushetia Conflict, August 2009 The Predictive Role of Intelligence 78 80 81 83 85 86 6. Non-State Hackers and the Social Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Russia China The Middle East Pakistani Hackers and Facebook The Dark Side of Social Networks The Cognitive Shield TwitterGate: A Real-World Example of a Social Engineering Attack with Dire Consequences Automating the Process Catching More Spies with Robots 89 90 91 92 93 94 97 99 99 7. Follow the Money . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 False Identities Components of a Bulletproof Network ICANN The Accredited Registrar The Hosting Company The Bulletproof Network of StopGeorgia.ru StopGeorgia.ru NAUNET.RU SteadyHost.ru Innovation IT Solutions Corp Mirhosting.com SoftLayer Technologies SORM-2 The Kremlin and the Russian Internet Nashi 103 105 105 106 106 106 106 107 108 110 112 112 114 115 115 Table of Contents | vii The Kremlin Spy for Hire Program Sergei Markov, Estonia, and Nashi A Three-Tier Model of Command and Control 117 118 119 8. Organized Crime in Cyberspace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 A Subtle Threat Atrivo/Intercage ESTDomains McColo: Bulletproof Hosting for the World’s Largest Botnets Russian Organized Crime and the Kremlin 125 125 126 127 129 9. Investigating Attribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Using Open Source Internet Data Background What Is an Autonomous System Network? Team Cymru and Its Darknet Report Using WHOIS Caveats to Using WHOIS 131 132 134 137 138 140 10. Weaponizing Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 A New Threat Landscape StopGeorgia.ru Malware Discussions Twitter As DDoS Command Post Against Iran Social Engineering Channel Consolidation An Adversary’s Look at LinkedIn BIOS-Based Rootkit Attack Malware for Hire Anti-Virus Software Cannot Protect You Targeted Attacks Against Military Brass and Government Executives 141 141 144 146 148 149 150 151 151 152 11. The Role of Cyber in Military Doctrine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 The Russian Federation The Foundation for Effective Politics (FEP) “Wars of the Future Will Be Information Wars” “RF Military Policy in International Information Security” The Art of Misdirection China Military Doctrine Anti-Access Strategies The 36 Stratagems U.S. Military Doctrine viii | Table of Contents 161 163 165 166 169 171 174 174 176 12. A Cyber Early Warning Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Introduction by Jeffrey Carr The Challenge We Face Cyber Early Warning Networks Building an Analytical Framework for Cyber Early Warning Cases Studies of Previous Cyber Attacks Lessons Learned Defense Readiness Condition for Cyberspace 179 179 180 180 183 187 188 13. Advice for Policy Makers from the Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 When It Comes to Cyber Warfare: Shoot the Hostage The United States Should Use Active Defenses to Defend Its Critical Information Systems Scenarios and Options to Responding to Cyber Attacks Scenario 1 Scenario 2 Scenario 3 Scenario 4 In Summary Whole-of-Nation Cyber Security 191 194 196 196 197 198 198 198 199 Afterword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Table of Contents | ix Foreword During his campaign for reelection in 1996, the Internet-savvy President Bill Clinton used the slogan “Building a Bridge to the 21st Century.” It turns out that the bridge is operated and maintained in cyber form, and that malevolent actors can practice their black arts to disrupt or destroy the bridge, its cyber traffic, and all who rely upon it. And although it is disturbingly clear that the bridge to the 21st century can be taken out, it is even more clear that we don’t always know by whom or why. Jeffrey Carr’s Inside Cyber Warfare explores the factual background of why that is so, who the actors are (and their motivations) and the likely future course of cyber warfare in all its manifestations. In part, this book’s value is the comprehensiveness of its coverage, across the spectrum of militarized or warlike computer network operations (CNO). New students of the field—and there are many, in academia, government, and private industry—will benefit from the clear explication of the divisions between computer network defense, computer network exploitation, and computer network attack. Examples abound of each, described in dispassionate, factual prose more helpful than the sometimes frightening headline media coverage of isolated events. Experts in the field of cyber warfare and CNO will find that these pages are required reading, for Jeffrey Carr has applied an evidentiary analytical framework to understanding the intricacies that distinguish state and non-state actors and hackers, and the varying but discoverable mosaic of political, economic, and social motivations that incentivize cyber warfare. I first became aware of Jeffrey Carr and his expertise while serving in the intelligence community, where like others, I relied on his much-read-within-the-Beltway blog Intelfusion. For this book, Carr’s background is ideal: an early career at the world’s leading software and technology company (Microsoft), his entrepreneurial founding of the highly regarded Project Grey Goose (which I have advised), and the activities of his GreyLogic organization. He now adds to that list the title of “authority,” with its imprimatur stamped by virtue of the pages in this book. xi Military analysts, pundits, and warfighters alike have known for centuries the Latin adage attributed to “the Roman Sun Tzu,” Publius Flavius Vegetius Renatus, famous for his “art-of-war” classic from 390 BC, De Re Militari: “Si vis pacem, para bellum”; if you wish peace, prepare for war. Inside Cyber Warfare is the necessary handbook for a new 21st century in which all who hope for the new world of cyber-powered peaceful interactions must prepare for cyber war. —Lewis Shepherd Chief Technology Officer and Senior Fellow, Microsoft Institute for Advanced Technology in Governments Senior Technology Officer, Defense Intelligence Agency (2004–2007) xii | Foreword Preface I was recently invited to participate in a cyber security dinner discussion by a few members of a well-known Washington D.C. think tank. The idea was that we could enjoy a fine wine and a delicious meal while allowing our hosts to pick our brains about this “cyber warfare stuff.” It seems that the new threatscape emerging in cyberspace has caught them unprepared and they were hoping we could help them grasp some of the essentials in a couple of hours. By the time we had finished dinner and two bottles of a wonderful 2003 red, one of the Fellows in attendance was holding his head in his hands, and it wasn’t because of the wine. International acts of cyber conflict (commonly but inaccurately referred to as cyber warfare) are intricately enmeshed with cyber crime, cyber security, cyber terrorism, and cyber espionage. That web of interconnections complicates finding solutions because governments have assigned different areas of responsibility to different agencies which historically do not play well with others. Then there is the matter of political will. When I signed the contract to write this book, President Obama had committed to make cyber security a top priority in his administration. Seven months later, as I write this introduction, cyber security has been pushed down the priority ladder behind the economy and health care, and the position of cyber coordinator, who originally was going to report directly to the President, must now answer to multiple bosses with their own agendas. A lot of highly qualified candidates have simply walked away from a position that has become a shadow of its former self. Consequently, we all find ourselves holding our heads in our hands more often than not. Cyberspace as a warfighting domain is a very challenging concept. The temptation to classify it as just another domain, like air, land, sea, and space, is frequently the first mistake that’s made by our military and political leaders and policy makers. I think that a more accurate analogy can be found in the realm of science fiction’s parallel universes–—mysterious, invisible realms existing in parallel to the physical world, but able to influence it in countless ways. Although that’s more metaphor than reality, we need to change the habit of thinking about cyberspace as if it’s the same thing as “meat” space. xiii After all, the term “cyberspace” was first coined by a science fiction writer. My own childhood love affair with science fiction predated William Gibson’s 1984 novel Neuromancer, going all the way back to The New Tom Swift Jr. Adventures series, which was the follow-up to the original series of the early 1900s. By some quirk of fate, the first Tom Swift Jr. book was published in 1954 (the year that I was born) and ceased publication in 1971 (the year that I left home for college). Although the young inventor didn’t have cyberspace to contend with, he did have the “Atomic Earth Blaster” and the “Diving Sea Copter.” In an otherwise awful childhood, the adventures of Tom Swift Jr. kept me feeling sane, safe, and excited about the future until I was old enough to leave home and embark on my own adventures. Now, 38 years later, I find myself investigating a realm that remains a sci-fi mystery to many leaders and policy makers of my generation, while younger people who have grown up with computers, virtual reality, and online interactions of all kinds are perfectly comfortable with it. For this reason, I predict that the warfighting domain of cyberspace won’t truly find its own for another five to eight years, when military officers who have grown up with a foot in both worlds rise to senior leadership roles within the Department of Defense. How This Book Came to Be This book exists because of an open source intelligence (OSINT) experiment that I launched on August 22, 2008, named Project Grey Goose (Figure P-1). On August 8, 2008, while the world was tuning in to the Beijing Olympics, elements of the Russian Federation (RF) Armed Forces invaded the nation of Georgia in a purported self-defense action against Georgian aggression. What made this interesting to me was the fact that a cyber component preceded the invasion by a few weeks, and then a second, much larger wave of cyber attacks was launched against Georgian government websites within 24 hours of the invasion date. These cyber attacks gave the appearance of being entirely spontaneous, an act of support by Russian “hacktivists” who were not part of the RF military. Other bloggers and press reports supported that view, and pointed to the Estonian cyber attacks in 2007 as an example. In fact, that was not only untrue, but it demonstrated such shallow historical analysis of comparable events that I found myself becoming more and more intrigued by the pattern that was emerging. There were at least four other examples of cyber attacks timed with RF military actions dating back to 2002. Why wasn’t anyone exploring that, I wondered? I began posting what I discovered to my blog IntelFusion.net, and eventually it caught the attention of a forward deployed intelligence analyst working at one of the threeletter agencies. By “forward deployed” I refer to those analysts who are under contract to private firms but working inside the agencies. In this case, his employer was Palantir Technologies. “Adam” (not his real name) had been a long-time subscriber to my blog and was as interested in the goings-on in Georgia as I was. He offered me the free use of the Palantir analytic platform for my analysis. xiv | Preface Figure P-1. The official logo of Project Grey Goose After several emails and a bunch of questions on my part, along with my growing frustration at the overall coverage of what was being played out in real time in the North Caucasus, I flashed on a solution. What would happen if I could engage some of the best people inside and outside of government to work on this issue without any restrictions, department politics, or bureaucratic red tape? Provide some basic guidance, a collaborate work space, and an analytic platform, and let experienced professionals do what they do best? I loved the idea. Adam loved it. His boss loved it. On August 22, 2008, I announced via my blog and Twitter an open call for volunteers for an OSINT experiment that I had named Project Grey Goose. Prospective volunteers were asked to show their interest by following a temporary Twitter alias that I had created just for this enrollment. Within 24 hours, I had almost 100 respondents consisting of college students, software engineers, active duty military officers, intelligence analysts, members of law enforcement, hackers, and a small percentage of Internetcreated personas who seemed to have been invented just to see if they could get in (they didn’t). It was an astounding display of interest, and it took a week for a few colleagues and I to make the selections. We settled on 15 people, Palantir provided us with some training on their platform, and the project was underway. Our Phase I report was produced about 45 days later. A follow-up report was produced in April 2009. This book pulls from some of the data that we collected and reported on, plus it contains quite a bit of new data that has not been published before. A lot has happened between April 2009 and September 2009, when the bulk of my writing for this book was done. As more and more data is moved to the Cloud and the popularity of social networks continues to grow, the accompanying risks of espionage and adversary targeting grow as well. While our increasingly connected world does manage to break down barriers and increase cross border friendships and new understandings, the same geopolitical politics and national self interests that breed conflicts and wars remain. Conflict continues to be an extension of political will, and now Preface | xv conflict has a new domain upon which its many forms can engage (espionage, terrorism, attacks, extortion, disruption). This book attempts to cover a very broad topic with sufficient depth to be informative and interesting without becoming too technically challenging. In fact, there is no shortage of technical books written about hackers, Internet architecture, website vulnerabilities, traffic routing, etc. My goal with this book is to demonstrate how much more there is to know about a cyber attack than simply what comprises its payload. Welcome to the new world of cyber warfare. Conventions Used in This Book The following typographical conventions are used in this book: Italic Indicates new terms, URLs, email addresses, filenames, and file extensions. Constant width Used for queries. Constant width italic Shows text that should be replaced with user-supplied values or by values determined by context. This icon signifies a tip, suggestion, or general note. Using Code Examples This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission. We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Inside Cyber Warfare, by Jeffrey Carr. Copyright 2010 Jeffrey Carr, 978-0-596-80215-8.” If you feel your use of code examples falls outside fair use or the permission given here, feel free to contact us at permissions@oreilly.com. xvi | Preface How to Contact Us Please address comments and questions concerning this book to the publisher: O’Reilly Media, Inc. 1005 Gravenstein Highway North Sebastopol, CA 95472 800-998-9938 (in the United States or Canada) 707-829-0515 (international or local) 707-829-0104 (fax) We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at: http://oreilly.com/catalog/9780596802158/ To comment or ask technical questions about this book, send email to the following, quoting the book’s ISBN number (9780596802158): bookquestions@oreilly.com To contact the author and obtain information about GreyLogic and Project Grey Goose, visit the website at: http://greylogic.us For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our website at: http://oreilly.com Safari® Books Online Safari Books Online is an on-demand digital library that lets you easily search over 7,500 technology and creative reference books and videos to find the answers you need quickly. With a subscription, you can read any page and watch any video from our library online. Read books on your cell phone and mobile devices. Access new titles before they are available for print, and get exclusive access to manuscripts in development and post feedback for the authors. Copy and paste code samples, organize your favorites, download chapters, bookmark key sections, create notes, print out pages, and benefit from tons of other time-saving features. O’Reilly Media has uploaded this book to the Safari Books Online service. To have full digital access to this book and others on similar topics from O’Reilly and other publishers, sign up for free at http://my.safaribooksonline.com. Preface | xvii Acknowledgments Many people have contributed to moving this book from the idea stage to a finished product and I cannot possibly identify and thank all of them individually so I’d like to take this opportunity to thank all of my colleagues at Project Grey Goose (including Alex, Shyam, Shreyas, and Will at Palantir Technologies), as well as the wonderful production and editing team at O’Reilly Media. A few individuals have extended themselves beyond the call of duty and deserve special mention: Mike Loukides, Nitesh Dhanjani, Billy Rios, Lt. Col. Mark Coffin (USA), Lt. Cdr. Matt Sklerov (USN), and Lewis Shepherd. Also in this group are a few individuals who prefer to work without acknowledgment and as much as I’d love to thank you publicly, I respect your wishes in this matter. Finally and most importantly, I want to thank my beautiful and talented wife, Lilly, whose love and support has kept me sane, focused, and happy during the writing of this book and the greater adventure of launching a new consultancy (Greylogic). xviii | Preface CHAPTER 1 Assessing the Problem “You can’t say that civilization don’t advance, however, for in every war they kill you in a new way.” —Will Rogers, the New York Times, December 23, 1929 Whenever someone asks if anyone ever died in a cyber war, Magomed Yevloev springs to mind. On August 31, 2008, in the North Caucasus Republic of Ingushetia, Yevloev was arrested by Nazran police, ostensibly for questioning regarding his anti-Kremlin website Ingusheta.ru. As he was being transported to police headquarters, one of the officers in the car “accidentally” discharged his weapon into the head of Magomed Yevloev. The U.S. Department of State called for an investigation. Vladimir Putin reportedly said that there would be an investigation. To date, nothing has been done. Ingushetia.ru (now Ingushetia.org) and the Chechen website kavkazcenter.com are some of the earliest examples of politically motivated Russian cyber attacks dating as far back as 2002. In other words, in addition to Russian military operations in Chechnya, there were cyber attacks launched against opposition websites as well. The Russia Georgia War of August 2008 is the latest example, occurring just a few weeks before Magomed Yevloev’s killing. If anyone would qualify as a casualty of cyber warfare, it might just be this man. The Complex Domain of Cyberspace The focus of this book is cyber warfare, and therein lies the first complexity that must be addressed. As of this writing, there is no international agreement on what constitutes an act of cyber war, yet according to McAfee’s 2008 Virtual Criminology Report, there are over 120 nations “leveraging the Internet for political, military, and economic espionage activities.” 1 The U.S. Department of Defense (DOD) has prepared a formal definition of this new warfighting domain, which is discussed in Chapter 11, but inspired by the writings of Sun Tzu, I offer this definition instead: Cyber Warfare is the art and science of fighting without fighting; of defeating an opponent without spilling their blood. To that end, what follows are some examples of the disparate ways in which governments have attempted to force their wills against their adversaries and find victory without bloodshed in the cyber domain. Cyber Warfare in the 20th and 21st Centuries China The emergence of the People’s Republic of China’s (PRC) hacker community was instigated by a sense of national outrage at anti-Chinese riots taking place in Indonesia in May 1998. An estimated 3,000 hackers self-organized into a group called the China Hacker Emergency Meeting Center, according to Dahong Min’s 2005 blog entry entitled “Say goodbye to Chinese hackers’ passionate era: Writing on the dissolving moment of ‘Honker Union of China.’” The hackers launched attacks against Indonesian government websites in protest. About one year later on May 7, 1999, a NATO jet accidentally bombed the Chinese embassy in Belgrade, Yugoslavia. Less than 12 hours later, the Chinese Red Hacker Alliance was formed and began a series of attacks against several hundred U.S. government websites. The next event occurred in 2001 when a Chinese fighter jet collided with a U.S. military aircraft over the South China Sea. This time over 80,000 hackers became engaged in launching a “self-defense” cyber war for what they deemed to be an act of U.S. aggression. The New York Times referred to it as “World Wide Web War I.” Since then, most of the PRC’s focus has been on cyber espionage activities in accordance with its military strategy to focus on mitigating the technological superiority of the U.S. military. Israel In late December 2008, Israel launched Operation Cast Lead against Palestine. A corresponding cyber war quickly erupted between Israeli and Arabic hackers, which has been the norm of late when two nation states are at war. The unique aspect of this case is that at least part of the cyber war was engaged in by state hackers rather than the more common non-state hackers. Members of the Israeli Defense Forces hacked into the Hamas TV station Al-Aqsa to broadcast an animated cartoon showing the deaths of Hamas’ leadership with the tag line “Time is running out” (in Arabic). 2 | Chapter 1: Assessing the Problem In contrast, during the Chechnya, Estonia, and Georgia conflicts, nationalistic nonstate hackers acted in concert but were not in the employ of any nation state. That is the second complication: attribution. And lack of attribution is one of the benefits for states who rely on or otherwise engage non-state hackers to conduct their cyber campaigns. In other words, states gain plausible deniability. Russia The Second Russian-Chechen War (1997–2001). During this conflict, in which the Russian military invaded the breakaway region of Chechnya to reinstall a Moscow-friendly regime, both sides used cyberspace to engage in Information Operations to control and shape public perception. Even after the war officially ended, the Russian Federal Security Service (FSB) was reportedly responsible for knocking out two key Chechen websites at the same time that Russian Spetsnaz troops engaged Chechen terrorists who were holding Russian civilians hostage in a Moscow theatre on October 26, 2002. The Estonian cyber war (2007). Although there is no hard evidence linking the Russian government to the cyber attacks launched against Estonian government websites during the week of April 27, 2007, at least one prominent Russian Nashi youth leader, Konstantin Goloskokov, has admitted his involvement along with some associates. Goloskokov turned out to be the assistant to State Duma Deputy Sergei Markov of the pro-Kremlin Unified Russia party. The activating incident was Estonia’s relocation of the statue “The Bronze Soldier of Tallinn,” dedicated to soldiers of the former Soviet Union who had died in battle. The resulting massive distributed denial of service (DDoS) attacks took down Estonian websites belonging to banks, parliament, ministries, and communication outlets. The Russia-Georgia War (2008). This is the first example of a cyber-based attack that coincided directly with a land, sea, and air invasion by one state against another. Russia invaded Georgia in response to Georgia’s attack against separatists in South Ossetia. The highly coordinated cyber campaign utilized vetted target lists of Georgian government websites as well as other strategically valuable sites, including the U.S. And British embassies. Each site was vetted in terms of whether it could be attacked from Russian or Lithuanian IP addresses. Attack vectors included DDoS, SQL injection, and crosssite scripting (XSS). Iran The Iranian Presidential elections of 2009 spawned a massive public protest against election fraud that was fueled in large part by the availability of social media such as Twitter and Facebook as outlets for public protest. The Iranian government responded by instituting a harsh police action against protesters and shutting down media channels as well as Internet access inside the country. Some members of the opposition The Complex Domain of Cyberspace | 3 movement resorted to launching DDoS attacks against Iranian government websites. Twitter was used to recruit additional cyber warriors to their cause, and links to automated DDoS software made it easy for anyone to participate. North Korea Over the July 4th weekend of 2009, a few dozen U.S. websites, including the White House and other U.S. government sites, came under a mild DDoS attack. A few days later the target list grew to include South Korean government and civilian websites. The Democratic People’s Republic of Korea (DPRK) was the primary suspect, but as of this writing there is no evidence to support that theory. Nevertheless, South Korean media and government officials have pressed the case against the North, and U.S. Rep. Pete Hoekstra (R-MI) has called for the U.S. military to launch a cyber attack against the DPRK to send them a “strong signal.” Cyber Espionage Acts of cyber espionage are far more pervasive than acts of cyber warfare, and the leading nation that is conducting cyber espionage campaigns on a global scale is the People’s Republic of China. In December 2007, Jonathan Evans, the director-general of MI5, informed 300 British companies that they were “under attack by Chinese organizations,” including the People’s Liberation Army. Titan Rain “Titan Rain” is the informal code name for ongoing acts of Chinese cyber espionage directed against the U.S. Department of Defense since 2002. According to Lieutenant General William Lord, the Air Force’s Chief of Warfighting Integration and Chief Information Officer, “China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD’s Non-Classified IP Router Network).” This stolen data came from such agencies as the U.S. Army Information Systems Engineering Command, The Naval Ocean Systems Center, the Missile Defense Agency, and Sandia National Laboratories. According to testimony by Timothy L. Thomas (Lt. Col., USA Retired) of the Foreign Military Studies Office, Joint Reserve Intelligence Office, Ft. Leavenworth, Kansas, before the U.S.-China Economic and Security Review Commission in 2008, DOD computers experienced a 31% increase in malicious activity over the previous year, amounting to 43,880 incidents. In 2006, Department of Defense officials claimed that the Pentagon network backbone, known as the Global Information Grid, was the recipient of 3 million daily scans, and that China and the U.S. were the top two sources. Acts of cyber espionage are not only directed at U.S. Government websites but also at private companies that do classified work on government contracts. According to Allen 4 | Chapter 1: Assessing the Problem Paller of the SANS Institute, Raytheon, Lockheed Martin, Boeing, Northrup Grumman, and other large government contractors experienced data breaches in 2007. In January 2009, SRA, a company that specializes in providing computer security services to the U.S. government, reported that personal information on its employees and customers was at risk when it discovered malware on one of its servers. Cyber Crime At this time it is unknown if the attacks originated from the North Korean Army, a lonely South Korean Student, or the Japanse-Korean Mafia. Indeed, all of these entities could have been involved in the attacks at the same time. This is because the differentiation between Cyber Crime, Cyber Warfare and Cyber Terror can be a misleading one—in reality, Cyber Terror is often Cyber Warfare utilizing Cyber Crime. —Alexander Klimburg, Cyber-Attacken als Warnung (DiePresse.com, July 15, 2009) Most of the sources on cyber warfare that are publicly available do not address the problem of cyber crime. The reasoning goes that one is a military problem, whereas the other is a law enforcement problem; hence these two threats are dealt with by different agencies that rarely speak with one another. Unfortunately, this approach is not only counterproductive, but it also creates serious information gaps in intelligence gathering and analysis. My experience as Principal Investigator of the open source intelligence effort Project Grey Goose provides ample evidence that many of the non-state hackers who participated in the Georgian and Gaza cyber wars were also involved in cyber crime. It was, in effect, their “day job.” Additionally, cyber crime is the laboratory where the malicious payloads and exploits used in cyber warfare are developed, tested, and refined. The reason why it is such an effective lab environment is because cracking a secure system, whether it’s Heartland Payment Systems or the Global Information Grid, is valuable training, and it’s happening every day inside the cyber underground. The chart in Figure 1-1, prepared by independent security researcher Jart Armin, demonstrates the rapid rise in volume and sophistication of attacks in just the last 10 years. A 2009 report by Gartner Research states that financial fraud was up by 47% in 2008 from 2007, with 687 data breaches reported. What does that translate to in dollars? No one seems to know, although Chris Hoofnagle, Senior Fellow with the Berkeley Center for Law and Technology, says in an article that he wrote for the Fall 2007 issue of the Harvard Journal of Law and Technology that it’s probably in the tens of billions: Currently we don’t know the scope of the problem…. We do know that it is a big problem and that the losses are estimated in the tens of billions. Without reporting, we cannot tell whether the market is addressing the problem. Reporting will elucidate the scope of the problem and its trends, and as explained below, create a real market for identity theft prevention. Cyber Crime | 5 Figure 1-1. Evolution of cyber attacks In January 2009, Heartland Payment Systems revealed that it was the victim of the largest data breach in history, involving more than 130 million accounts. No one really knows for sure because hackers had five months of uninterrupted access to Heartland’s secure network before the breach was discovered. Organized crime syndicates from Russia, Japan, Hong Kong, and the U.S. are consolidating their influence in the underground world of cyber crime because the risk-reward ratio is so good. Although law enforcement agencies are making sustained progress in cyber crime detection and enforcement—such as Operation DarkMarket, an FBI sting that resulted in the arrest of 56 individuals worldwide, more than $70 million in potential economic loss prevented, and recovery of 100,000 compromised credit cards— cyberspace is still a crime syndicate’s dream environment for making a lot of money with little to no risk. Future Threats The assessment of future threats is an important part of assessing the priority for increased cyber security measures, not to mention building out the capabilities of a military cyber command. 6 | Chapter 1: Assessing the Problem A recent report by the European Commission predicts: There is a 10% to 20% probability that telecom networks will be hit by a major breakdown in the next 10 years, with a potential global economic cost of around €193 billion ($250 billion). This could be caused by natural disasters, hardware failures, rupture of submarine cables (there were 50 incidents recorded in the Atlantic Ocean in 2007 alone), as well as from human actions such as terrorism or cyber attacks, which are becoming more and more sophisticated. The commission goes on to recommend an increased focus in key areas to counter future threats in cyberspace. These include: Preparedness and prevention Fostering cooperation of information and transfer of good policy practices between member states via a European Forum Establishing a European Public-Private Partnership for Resilience, which will help businesses share experience and information with public authorities. Detection and response Supporting the development of a European information-sharing and alert system. Mitigation and recovery Stimulating stronger cooperation between member states via national and multinational contingency plans and regular exercises for large-scale network security incident response and disaster recovery. International cooperation Driving a Europe-wide debate to set EU priorities for the long-term resilience and stability of the Internet with a view to proposing principles and guidelines to be promoted internationally. Establish criteria for European critical infrastructure in the Information and Communication Technologies (ICT) sector The criteria and approaches currently vary across member states. Increasing Awareness The potential impact of attacks delivered in cyberspace has not always been as appreciated as it is today. As early as February 18, 2003, in an interview with PBS’s Frontline: Cyberwar!, noted expert James Lewis, director of the Center for Strategic and International Studies, said: Some people actually believe that this stuff here that they’re playing with is equal, if not a bigger threat, than a dirty bomb…. Nobody argues—or at least no sane person argues— that a cyber attack could lead to mass casualties. It’s not in any way comparable to weapons of mass destruction. In fact, what a lot of people call them is “weapons of mass annoyance.” If your power goes out for a couple hours, if somebody draws a mustache on Attorney General Ashcroft’s face on his website, it’s annoying. It’s irritating. But it’s not a weapon of mass destruction. The same is true for this. Future Threats | 7 Now contrast that statement with the following excerpt from “Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency” (issued December 2008), for which Mr. Lewis was the project director: The Commission’s three major findings are: (1) cybersecurity is now a major national security problem for the United States; (2) decisions and actions must respect privacy and civil liberties; and (3) only a comprehensive national security strategy that embraces both the national and international aspects of cybersecurity will make us more secure. That shows a significant difference of opinion on the part of Mr. Lewis in a relatively short period of time. Part of the reason for various respected individuals such as James Lewis to downplay the potential impact of cyber war is that past examples have not demonstrated any significant harm. Website defacements and extended downtime of a small country’s Internet access, while burdensome, have not resulted in human injuries. Even in 2009, when there is little doubt remaining about the critical need to address cyber vulnerabilities, there are still voices of dissent such as Jim Harper, director of information policy studies at the CATO Institute, who said in an interview with Russia Today on July 31, 2009 that “Both cyber terrorism and cyber warfare are concepts that are gross exaggerations of what’s possible through Internet attacks.” Although acts of cyber espionage such as Titan Rain or incidents of cyber crime resulting in major data losses such as Heartland Payment Systems are gravely serious in their own right, stove-piped thinking that excludes cyber crime from cyber war means that the potential for a threat case doesn’t cross over in the mind of the military strategist. Critical Infrastructure There is a growing awareness of the vulnerability of a nation’s critical infrastructure to network attack. Transportation, banking, telecommunications, and energy are among the most vulnerable systems and may be subject to the following modes of attack: • Insider threats • Anonymous access to protected networks via the Internet and Supervisory Control and Data Acquisition (SCADA) • Counterfeit hardware • Employee abuse of security guidelines leading to malware propagation inside the firewall The following future threat scenario is modeled after the ones created for the latest National Intelligence Council (NIC) report “Global Trends 2025.” While containing many scenarios on a variety of national security issues, the NIC did not include a largescale cyber event. The authors did, however, have this to say: 8 | Chapter 1: Assessing the Problem Cyber and sabotage attacks on critical US economic, energy, and transportation infrastructures might be viewed by some adversaries as a way to circumvent US strengths on the battlefield and attack directly US interests at home. What follows is my offering to stimulate discussion and raise awareness within the National Security community of what is possible in the cyber realm. The question of whether a nuclear catastrophe could be initiated by a hacker attack was explored through multiple scenarios in a paper commissioned by the International Commission on Nuclear Nonproliferation and Disarmament entitled “Hacking Nuclear Command and Control” by Jason Fritz, et al. Future Scenario Involving Critical Infrastructure October 19, 20** Chairperson House Permanent Select Committee on Intelligence Washington, D.C. RE: Establishment of North American Urgent Radiological Information Exchange Madame Chairperson: While we do not believe that this is a matter that rightfully falls under the province of your Committee, in the interest of cooperation, this letter will address the events leading up to the establishment of the North American Urgent Radiological Information Exchange (NAURIE). As you know, on the nth year anniversary of 9/11, all of our nation’s nuclear power plants were targeted in a massive distributed denial of service attack orchestrated by the Conficker D botnet, which had grown to a heretofore unheard of 30,000,000+ infected hosts. While US CERT teams as well as regional DOE cyber security personnel were focused on combating this external threat, each plant’s internal firewall separating the Command and Safety System Networks from the Site Local Area Network was breached from the inside due to the use of pirated hardware with malicious embedded code that passed server control to external users. Future Threats | 9 Of even more concern is the fact that all of these plants were targets of a carefully planned, long-term social engineering attack that relied on human error and the broadbased appeal of social network sites. As DOE employees broke protocol and downloaded phony social software apps, malicious code worked its way into secure networks and lay dormant until activated by the attacking force. This led to a number of consecutive failures in our safety mechanisms resulting in partial to complete core meltdowns at 70% of our plants. When these plants went offline, the nation’s power requirements couldn’t be met. Grids were overwhelmed and blackouts began occurring in our most heavily populated urban areas. Once criminal gangs realized that overburdened police departments were unable to respond to every 911 call, looting of businesses began in earnest as did home invasions in the wealthier neighborhoods. One year later, we still do not have a final count on the number of deaths and casualties but most responsible estimates place them in the tens of thousands. If we extrapolate out for the as yet unknown future effects of radiation poisoning on the victims, the count goes into six figures. While this is clearly a tragedy on every level, I feel I must point out that the NNSA, as late as 2009, in a letter to the Los Alamos National Laboratory, did its part in improving security by determining that the loss of 83 LANL laptops should no longer be considered just a “property management” issue, but a cyber security issue as well. Also, our G3 physical security model (Gates, Guards, Guns) was not compromised, and cyber security compliance has never been a mandatory policy; instead it is an ongoing negotiation among various other considerations. v/r, Director, National Nuclear Security Agency This scenario is perfectly plausible given what we know today about software exploits driven by social engineering; the availability of counterfeit hardware such as routers, switches, Gigabit Interface Converters, and WAN interface cards; and Conficker-type botnets that consist of millions of infected PCs. Combine those threats with a motivated, patient, and well-financed hacker crew and any number of doomsday scenarios become possible. If this scenario sounds far-fetched or seems to overstate the risk, the following news stories represent a sampling of actual cyber security events that have occurred at nuclear power plants since 2003: “NNSA wants more funding for cyber security” (Federal Computer Week, February 6, 2008) “Numerous cybersecurity problems at the department have come to light over the past few months. A recently released report by the department’s inspector general report said Energy had 132 serious security breaches in fiscal 2006.” 10 | Chapter 1: Assessing the Problem “Slammer worm crashed Ohio nuke power plant” (SecurityFocus, August, 19, 2003) “The Slammer worm penetrated a private computer network at Ohio’s Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall, SecurityFocus has learned.” “Cyber Incident Blamed for Nuclear Power Plant Shutdown” (The Washington Post, June 5, 2008) “A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.” “Fed aims to tighten nuclear cyber security” (SecurityFocus, January 25, 2005) “The U.S. Nuclear Regulatory Commission (NRC) quietly launched a public comment period late last month on a proposed 15-page update to its regulatory guide ‘Criteria for Use of Computers in Safety Systems of Nuclear Power Plants.’ The current version, written in 1996, is three pages long and makes no mention of security. Adherence to the new guidelines would be strictly voluntary for operators of the 103 nuclear reactors already running in the U.S.—a detail that irks some security experts. In filed comments, Joe Weiss, a control systems cyber security consultant at KEMA, Inc., argued the regulatory guide shouldn’t be limited to plant safety systems, and that existing plants should be required to comply. “There have been numerous cases of control system cyber security impacts including several in commercial nuclear plants,” Weiss wrote. “Many nuclear plants have connected their plant networks to corporate networks making them potentially vulnerable to cyber intrusions.” “Congressmen Want Explanation on Possible Nuclear Power Plant Cyber Security Incident” (SC Magazine, May 21, 2007) “U.S. Rep. Bennie G. Thompson, D-Miss., chairman of the House Committee on Homeland Security, and Rep. James R. Langevin, D-R.I., chairman of the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, have asked Dale E. Klein, chairman of the U.S. Nuclear Regulatory Commission (NRC), to investigate the nation’s nuclear cybersecurity infrastructure. They said a cybersecurity ‘incident’ resembling a DoS attack on Aug. 19, 2006 left the Browns Ferry Unit 3 nuclear power facility in northern Alabama at risk.” Besides the risks posed by various malicious attacks, both real and projected, a further complication that must be considered is the significant age of most of our nuclear power plants and how difficult it will be to rid a legacy network of a virus. Future Threats | 11 In a speech at the 2006 American Nuclear Society Winter Meeting, Nuclear Regulatory Committee Commissioner Peter B. Lyons recounted how, as he visited many of the U.S. Nuclear power plants, he was struck by the number that still use “very old analog instrumentation.” Keep in mind that this was just a few years ago. Now imagine the complexity involved in returning an infected machine back to a trustworthy state. If there’s a known good source available, a reinstall should work; however, do these antiquated systems even have a known good source? How does a nuclear power plant take all of its critical systems offline? Much of the software used in critical infrastructures in the U.S. were custom-made one-off versions. After infection occurs, the likelihood of a kernel-level rootkit remaining on the machine is worrisome at best, and catastrophic at worst. The Conficker Worm: The Cyber Equivalent of an Extinction Event? Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm. Among the long history of malware epidemics, very few can claim sustained worldwide infiltration of multiple millions of infected drones. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself. —Phillip Porras, Hassen Saidi, and Vinod Yegneswaran “An Analysis of Conficker’s Logic and Rendezvous Points,” SRI International report updated March 18, 2009 There are at least two sustained mysteries surrounding the Conficker worm: who is behind it, and what do they plan to do with it? Regarding the former, researchers who have studied the code contained in the worm as well as its A, B, and C variants can say with some certainty that the authors are skilled programmers with knowledge about the latest developments in cryptography along with an in-depth knowledge of Windows internals and security. They are also adept at code obfuscation and code packing, and they are closely monitoring and adapting to attempts to thwart Conficker’s operation. Perhaps more importantly, the Conficker authors have shown that they are innovative, agile, and quick to implement improvements in their worm. Quoting from the SRI report: They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next. 12 | Chapter 1: Assessing the Problem There has been an unprecedented amount of collaboration in the software community to overcome the threat posed by Conficker. Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of Conficker’s authors. Although the idea of a bounty is interesting, the amount offered is ridiculously low. There are carders (cyber criminals who engage in illegal credit card transactions) who earn that much in one month. The software giant has also established a “Conficker Cabal” in the hope that collaboration will yield more results than one company’s efforts alone. Members of the cabal include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence. As of this writing, no progress has been made on discovery or mitigation of this threat, and the Conficker worm continues to propagate. Africa: The Future Home of the World’s Largest Botnet? African IT experts estimate an 80% infection rate on all PCs continent-wide, including government computers. It is the cyber equivalent of a pandemic. Few can afford to pay for anti-virus software, and for those who can, the download time on a dial-up connection makes the update out of date by the time the download is complete. Now, with the arrival of broadband service delivered via undersea cables such as Seacom’s on July 23, 2009, Teams cable (September 2009), and the East African Submarine Cable System (mid-year 2010), there will be a massive, target-rich environment of almost 100 million computers available for botnet herders to add infected hosts to their computer armies (Figure 1-2). One botnet of one million hosts could conservatively generate enough traffic to take most Fortune 500 companies collectively offline. A botnet of 10 million hosts (like Conficker) could paralyze the network infrastructure of a major Western nation. As of today, there is no unified front to combat botnets of this size. However, since these botnets are Windows-based, a switch to the Linux operating system is a feasible alternative being floated to address the African crisis. Another would be for anti-virus (AV) companies to provide free subscriptions to African residents. A third would require that Microsoft radically modify its policy about pirated versions of Windows and make its security patches available to all who request them, regardless of whether they have genuine software loaded on their boxes. The participation of the software industry is crucial as governments and the private sector face both criminal and geopolitical adversaries in a domain that has been in existence only since the birth of the World Wide Web in 1990, a domain that millions of individuals are impacting, shaping, and transforming on a daily, even hourly, basis. Africa: The Future Home of the World’s Largest Botnet? | 13 Figure 1-2. Broadband undersea cable service for Africa The Way Forward If I were asked what I hoped to accomplish with this collection of facts, opinions, and assessments about cyber warfare and its various permutations, my answer would be to expand senior leadership and policy makers’ limited thinking that surrounds the subject and instigate a broader and deeper conversation in the public sphere. This book will probably feel more like a collection of essays or an anthology by different authors than a cohesive story with a clean development arc. In part, that’s because of the nature of the beast. When it comes to how attacks orchestrated by a myriad of parties across globally connected networks are impacting national security for the U.S. and other nation states, we’re all like blind men describing an elephant. The big picture sort of eludes us. My hope for this book is that it will inform and engage the reader; inform through the recounting of incidents and actors stretching across multiple nations over a period of 10 years up to almost the present day (Thanksgiving 2009) and engage by firing the reader’s enthusiasm to get involved in the debate on every level—local, state, and national. If it raises almost as many questions as my contributors and I have attempted to answer, I’ll feel like the book accomplished its mission. 14 | Chapter 1: Assessing the Problem CHAPTER 2 The Rise of the Non-State Hacker Список первоочередных целей для атак опубликован на сайте: http://www.stopgeorgia.ru/ ?pg=tar По многим ресурсам в данный момент ведутся DDoS- атаки. Все кто может помочь отписываем. Свои предложения по данному списку просьба оставлять в этом топике. List of first goals for attacks is published on this site: [link]. DDoS attacks are being carried for most of the sites/resources at the moment. All who can help—we enlist. Please leave your suggestions for that list in that topic.” —Administrator, StopGeorgia.ru forum post, August 09, 2008, 2:47 p.m. The StopGeorgia.ru Project Forum On August 8, 2008, the Russian Federation launched a military assault against Georgia. One day later, the StopGeorgia.ru Project forum was up and running at http://www .stopgeorgia.ru with 30 members, eventually topping out at over 200 members by September 15, 2008. Not only did it launch with a core group of experienced hackers, the forum also featured a list with 37 high-value targets, each one vetted by whether it could be accessed from Russian or Lithuanian IP addresses. This was done because the Georgian government began blocking Russian IPs the month prior when the President of Georgia’s website was knocked offline by a DDoS attack on July 21, 2008. In addition to the target list, it provided members with downloadable DDoS kits, as well as advice on how to launch more sophisticated attacks, such as SQL injection. StopGeorgia.ru was not the only forum engaged in organized nationalistic hacking, but it serves as a good example of how this recent extension of state warfare operates in 15 cyberspace. In addition to this forum, an IRC channel was created on irc.dalnet.ru, called #stopgeorgia. At StopGeorgia.ru, there was a distinct forum hierarchy wherein forum leaders provided the necessary tools, pinpointed application vulnerabilities, and provided general target lists for other less-knowledgeable forum members to act upon. Those forum members who pinpointed application-level vulnerabilities and published target lists seemed to have moderate/high technical skill sets, whereas those carrying out the actual attacks appeared to have low/medium technical sophistication. Forum leaders analyzed the DoS tools and found them to be simple yet effective. Some forum members had difficulty using the tools, reinforcing that many of the forum members showed low/medium technical sophistication, but were able to carry out attacks with the aid of tools and pinpointed vulnerability analysis. Counter-Surveillance Measures in Place Forum administrators at both the well-known Russian hacker portal XAKEP.ru and StopGeorgia.ru were monitoring who visited their respective sites and kept an eye on what was being posted. During one week of intensive collection activity at the XAKEP.ru forum, Project Grey Goose analysts experienced two incidents that demonstrated that operational security (OPSEC) measures were in effect. Within hours after this author discovered a post on XAKEP.ru that pointed to a password-protected forum named ARMY (http://www.stopgeorgia.ru), that link was removed by the forum administrator. After about a half-dozen Grey Goose analysts spent one week probing the XAKEP.ru forum for relevant posts, all U.S. IP addresses were blocked from further forum access (a 403 error was returned). This lasted for about 10 days before the block was lifted. The StopGeorgia.ru forum also had to fend off attacks from Georgian hackers who had temporarily taken down their forum and a “project site” from August 14–18, both of which were hosted on a U.S. server owned by SoftLayer Technologies. According to one conversation between two members of the StopGeorgia forum (Alexander and CatcherMax), one Georgian hacker forum had over 10,000 members and blocked access to it from all Russian IP addresses. For that reason, members frequently discussed the use of various proxy servers, such as FreeCap.ru. The Russian Information War The following document helps paint a picture of how Russian military and political officials viewed the cyber component of the Russia-Georgia conflict of 2008. 16 | Chapter 2: The Rise of the Non-State Hacker Anatoly Tsyganok is a retired officer who’s now the director for the Center of Military Forecasting at the Moscow Institute of Political and Military Analysis. His essay “In formational Warfare—a Geopolitical Reality”(http://en.fondsk.ru/article.php?id= 1714) was just published by the Strategic Culture Foundation. It’s an interesting look at how the July and August cyber war between Russia and Georgia was viewed by an influential Russian military expert. The full article discusses information warfare, but this portion focuses on the cyber exchange: Georgia was also the first to launch an attack in cyberspace. When Tskhinvali was shelled on August 8 the majority of the South Ossetian sites were also knocked out. Later Russian media including Russia Today also came under cyberspace attacks. The response followed shortly as the sites of the Georgian President, parliament, government, and foreign ministry suffered malicious hacks. The site of Georgian President Saakashvili was simultaneously attacked from 500 IP-addresses. When the initially used addresses were blocked, the attacks resumed from others. The purpose was to render the Georgia sites completely inoperable. D.D.O.S. attacks overload and effectively shut own Internet servers. The addresses from which the requests meant to overload sites were sent were blocked by specialists from the Tulip Systems, but attacks from new 500 addresses began in just minutes. Cleaning up after a cyberspace attack took an average of 2 hours. Part of what’s so interesting about this excerpt is Tsyganok’s choice of words. He clearly states that Georgia launched a cyber attack against Russia first. This presents the attack as a state action rather than a civilian one. He then carefully states the Russian response, i.e., “the response followed shortly.” Since the subject of this exchange is two states warring, “the response followed shortly” implies a state response rather than a spontaneous grassroots action of so-called hactivists. Tsyganok’s depiction of events manages to underscore the Russian government’s practice of distancing itself from the nationalistic hacker community, thus gaining deniability while passively supporting and enjoying the strategic benefits of their actions. The Foundation for Effective Politics’ War on the Net (Day One) Pravada.ru printed an article by Maksim Zharov of the Foundation for Effective Politics (FEP) entitled “Russia Versus Georgia: War on the Net—Day One” on August 9, 2008. Zharov is also one of the authors of the book Chronicles of Information Warfare and used to work for Nikita Ivanov, then deputy chief of the Administration for Interregional and Cultural Ties With Foreign Countries of the President’s Staff and supervisor of the pro-Kremlin youth movements (i.e., Nashi). (Zharov earlier published (through Yevropa) an instruction manual for bloggers who want to “fight the enemies of Russia” in the blogosphere.) The Foundation for Effective Politics is a Kremlin-friendly organization created by Gleb Pavlovsky, one of the earliest adopters of the Russian Internet for state propaganda purposes. You can read more on Pavlovsky and the FEP in Chapter 11. The Russian Information War | 17 Zharov comments on the use of the Russian youth movements to wage warfare on the Net. This was repeated by the administrator of the StopGeorgia.ru forum in the following announcement to its membership on August 9, 2008, at 3:08 p.m.: Let me remind you that on August 8, leaders of several Russian youth movements have signed the statement which calls for supporters to wage information war against the President of Georgia Michael Saakashvili on all Internet resources. Zharov elaborates on this fact by referring to an event in the city of Krasnoyarsk where a joint statement by the leaders of Russian youth movements announced: We declare information war on the Saakashvili regime. The Internet should oppose American-Georgian propaganda which is based on double standards. He names Nashi as one such organization whose leaders have close ties with the Kremlin and whose members have been involved in these Internet wars, both in Estonia and Georgia. Internet warfare, according to Zharov, was started by Georgian hackers attacking South Ossettian websites on August 7, one day before the Russian invasion. The South Ossetian site http://cominf.org reported in the afternoon of August 7 that because of a DDoS attack, the Ossetian sites were often inaccessible for long periods. In order to relieve them, an additional site, tskhinval.ru, had to be set up. In addition, a fake site of the Osinform news agency, http://www.os-inform.com, created by Georgia, appeared. Zharov’s personal preference for information about the Georgian war was LiveJournal, known in Russian as ZhZh (Zhivoy Zhurnal), particularly the georgia_war community. It contained, in Zharov’s words, “a fairly objective indicator of the state of affairs on the Internet front, in which the most diverse opinions are published.” One of the more interesting things that Zharov wrote in “Russia Versus Georgia: War on the Net. Day Three,” published in Moscow Pravda.ru in Russian August 11, 2008, was his conjecture about which nation had the capability to launch a DDoS attack of the size seen during the five-day war: In general, many people are forming the impression that these attacks are certainly not the work of Georgian hackers. And to be honest, I do not believe that the Russian military have a special service that swamped all of the Georgian websites even more quickly on the very day of the unexpected attacks by the Georgians. However, in the United States, such sub-units of cyber troops were created many years ago (emphasis added). So Zharov acknowledges their involvement in organizing an “information war” against Georgia, but he completely ignores their involvement in the cyber war, and he instead speculates that the only military force that has the capability of “swamping all of Georgian websites” so quickly is that of the United States. This serves as another example of the Kremlin strategy in making the cyber war debate about military capabilities rather 18 | Chapter 2: The Rise of the Non-State Hacker than their use of Russian hackers and, of course, to paint the United States as the aggressor whenever possible. The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead Attacking Israeli websites has been a popular way for Palestinians and their supporters to voice their protests and hurt their adversaries. Arab and Muslim hackers mobilized to attack Danish and Dutch websites in 2006 during the Prophet cartoon controversy. A small-scale “cyber war” also erupted between Shiite and Sunni Muslims in the fall of 2008, as predominantly Arab Sunni Muslims and Iranian Shiite Muslims worked to deface or disrupt websites associated with one another’s sects. The latest example of this occurred when Israel began a military assault on Hamas’s infrastructure in Gaza on December 27, 2008, called Operation Cast Lead. After almost a month into the operation, Palestinian officials declared the death toll had topped 1,000, and media reports carried images of massive property destruction and civilian casualties. This provoked outrage in the Arab and Muslim communities, which manifested itself in a spike of anti-Semitic incidents around the world, calls for violent attacks on Jewish interests worldwide, and cyber attacks on Israeli websites. The exact number of Israeli or other websites that have been disrupted by hackers is unknown, but the number is well into the thousands. According to one estimate, the number reached 10,000 by the first week of January 2009 alone. Most attacks are simple website defacements, whereby hackers infiltrate the site, leaving behind their own graffiti throughout the site or on the home page. The hackers’ graffiti usually contains messages of protest against the violence in Gaza, as well as information about the hackers, such as their handles and country of origin. The majority of cyber attacks launched in protest of Operation Cast Lead were website defacements. There is no data to indicate more sophisticated or dangerous kinds of cyber attacks, such as those that could cause physical harm or injury to people. Impact While media coverage focuses on the most high-profile hacks or defacements, this current cyber campaign is a “war of a thousand cuts,” with the cumulative impact on thousands of small businesses, vanity websites, and individual websites likely outweighing the impact of more publicized, larger exploits. However, successfully compromising higher-profile websites not only brings more public attention, it also compels businesses all over Israel to preventively tighten security, which costs money. For that reason the financial impact of infiltrating a few larger corporate websites may be as important as disrupting thousands of smaller sites. The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead | 19 High-profile attacks or defacements between December 27, 2008, and February 15, 2009, include: Ynetnews.com The English language portal of one of Israel’s largest newspapers. The Moroccobased “Team Evil” accessed a domain registrar called DomainTheNet in New York and redirected traffic from Ynetnews and other Israeli websites. Traffic was redirected to a site with a protest message in jumbled English. Ynetnews.com emphasized that its site had not actually been “hacked,” but that Team Evil obtained a password allowing them to access a server. The Team then changed the IP addresses for different domain names, sending users attempting to access Ynet news.com to a domain containing their message. Discount Bank, one of the three largest banks in Israel, also had its website was also registered with DomainTheNet, and Team Evil switched its IP address just as they did with Ynetnews. Israel’s Cargo Airlines Ltd. An Israeli airline defaced by hackers. Kadima.org.il The website of Israel’s Kadima party was defaced twice during this period. DZ team, based in Algeria, was responsible for the first defacement, in which they adorned the Kadima’s home page with photos of IDF soldiers’ funerals, accompanied by messages in Arabic and Hebrew promising that more Israelis would die. The second time occurred on February 13, 2009, three days after close parliamentary elections in which Kadima and Likud both claimed victory and hackers could expect a spike in traffic to the Kadima website. Gaza Hacker Team claimed responsibility for the second defacement. Ehudbarak.org.il (This URL is no longer active.) Israeli Defense Minister and Deputy Prime Minister Ehud Barak’s website was defaced by Iranian hackers who call themselves Ashianeh Security Team. The group left a message in English reading “ISRAEL, You killed more than 800 innocent civil people in gaza. Do you think that you won’t pay for this? Stop War. If you don’t we will continue hacking your important sites.” http://www.102fm.co.il/ Hackers left images from Gaza, a graphic of burning U.S. and Israeli flags, and a message calling for Israel to be destroyed on this Radio Tel Aviv website. Defacements of Israeli portals associated with the following multinational companies or product lines were also defaced: Skype, Mazda, McDonald’s, Burger King, Pepsi, Fujifilm, Volkswagen, Sprite, Gillette, Fanta, Daihatsu, and Kia. 20 | Chapter 2: The Rise of the Non-State Hacker Overview of Perpetrators Judging from the graffiti left behind on defaced websites, the most active hackers are Moroccan, Algerian, Saudi Arabian, Turkish, and Palestinian, although they may be physically located in other countries. Applicure Technologies, Ltd., an Israel information security company, claims that some of the hackers are affiliated with Iranian organizations, as well as the terrorist group Hezbollah. So far, however, neither the messages left behind on defaced sites nor conversations among hackers on their own websites explicitly indicates membership in Hezbollah or other Islamist groups. The hackers involved do not have any unifying body organizing their activities, although some of them congregate in certain specialized hacker forums. Many active hackers during the current Gaza crisis are experienced. Some of them were involved in the Sunni-Shiite cyber conflict that intensified in the fall of 2008. Others have numerous apolitical hacks under their belts. Their participation in the current, politically motivated hacking of Israel websites is a reflection of their personal political feelings and/or recognition of the increased attention that they can attract with Gazarelated hacks. The majority of the graffiti left behind on Israel websites contains images of the victims and destruction in Gaza and exhortations to Israel and/or the United States to stop the violence. The most common motivation of the hackers appears to be to draw attention to the plight of the Palestinians in the Gaza Strip and to register their protest against Israeli actions there. In the words of two hackers interviewed by a Turkish newspaper, “Our goal is to protest what is being done to the innocent people in Gaza and show our reaction. The reason we chose this method was our bid to make our voices louder.” Motivations The imagery and text left on defaced websites suggests the importance the hackers place on sending messages to Israeli or Western audiences through their attacks. The owner of a Palestinian graphic design company designed images for hackers to use in their defacements. A hacker forum even held a competition to see who could come up with the best designs to leave on Israeli websites, with monetary rewards for the winners. Investigations into the hackers’ motivations have revealed the following: Inflicting financial damage to Israeli businesses, government, and individuals A message on the Arabic hackers’ site Soqor.net exhorted hackers to “Disrupt and destroy Zionist government and banking sites to cost the enemy not thousands but millions of dollars....” Delivering threats of physical violence to an Israeli audience One Moroccan hacker’s team posted symbols associated with violent Jihadist movements and an image of an explosion, along with a threatening message for Israelis. The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead | 21 Using cyber attacks as leverage to stop Operation Cast Lead Many of the defacements contained messages indicating that attacks on Israeli sites and servers would stop only when Israel stopped its violence in Gaza. Fulfilling the religious obligation of Jihad Some hackers couched their activities in religious terms, insisting that cyber attacks were tantamount to fighting Jihad against Islam’s enemies. One hacker wrote, “Use [the hacking skills] God has given you as bullets in the face of the Jewish Zionists. We cannot fight them with our bodies, but we can fight them with our minds and hands…. By God, this is Jihad.” Achieving enhanced personal status among the community of hackers or improving one’s personal position in rivalries or competitions with other hackers Two of the hackers’ websites held contests to encourage productive competition in hacking Israeli sites. Although there is much mutual encouragement and assistance on hackers’ websites, there are also signs of rivalry, with hackers defacing each other’s websites and leaving critical or taunting messages. Hackers’ Profiles The following are brief profiles of some of the hackers involved. They were identified by press reports or by the content of hacker websites as being the most active or highprofile hackers in the anti-Israel campaign. Team Evil Team Evil gained widespread notoriety for defacing thousands of websites in 2006 in protest of Israel’s military activities in the Gaza Strip and Lebanon. The group defaced more than 8,000 websites between June and November 2006. In addition to Israeli and Western sites, this tally also included websites associated with the governments of China, Saudi Arabia, and Indonesia. In all, Team Evil defaced 171 significant websites, according to records on Zone h, a website that serves as an archive of hacker exploits. The team often left anti-Israel or anti-Semitic messages on their defacements, regardless of the country of origin of the website. Israel’s Ynetnews reported that Team Evil was responsible for the majority of damage to Israeli websites in the first half of 2006, including sites belonging to banks, hospitals, major companies, NGOs, and political parties. When Ynetnews contacted the group, its members told the paper that they were Moroccan hackers who “hack into sites as part of the resistance in the war with Israel.” The group has resurfaced to take part in the current campaign against Israeli websites, but it is not as active as it was in 2006. Its greatest recent accomplishment was to reroute traffic from Ynetnews, Discount Bank, and other Israeli websites to a page with an antiIsrael message. 22 | Chapter 2: The Rise of the Non-State Hacker The Israeli IT security company Beyond Security released an extensive case study of Team Evil’s 2006 attacks. Its report concluded that Team Evil demonstrated a higher degree of technical skill than typically seen in similar groups. Given the skill and commitment it has previously demonstrated, it is unclear why Team Evil has not participated in the current campaign to a greater extent. It is possible the group is planning something for the future. Cold Zero (aka Cold Z3ro aka Roma Burner) Cold Zero first gained notoriety for an attack on the Likud Party website in August 2008. He has since claimed responsibility for 5,000 website defacements, according to Gary Warner, an expert in computer forensics. He has a profile on the Arabic Mirror website, which lists 2,485 of these defacements. According to the Arabic Mirror site, 779 of these are related to the Gaza crisis. Cold Zero is a member of Team Hell (discussed in the next section). Whereas most members of Team Hell are Saudi, Cold Zero is a Palestinian and is proficient in Hebrew. He runs a website at http://www.hackteach.net/. Cold Zero is engaged in rivalries with other anti-Israeli hackers. He has hacked both al3sifa.com and soqor.net, leaving messages criticizing their administrators. His own website was also attacked by DNS Team, which we’ll discuss later. According to a French language news source published on January 9, 2009, Cold Zero was arrested by Israeli authorities. The news source identified him as a 17-year-old Israeli Arab and reported that he appeared on January 6 before the Federal Court of Haifa, where the Israeli Justice Department alleged that he attacked commercial and political sites, mentioning the Likud Party website hack, as well as an attack on the website of the Tel Aviv Maccabis basketball team. According to the same source, he worked with accomplices in Turkey, Lebanon, Saudi Arabia, and elsewhere. He was caught in a “honey pot” set up by authorities. Authorities also uncovered his identity from a database stolen from Turkish hackers. The information from this news report has not yet been corroborated by other sources. The last hack for Cold Zero listed on the Arabic Mirror website was recorded on January 2, 2009, after a period of high activity, suggesting an abrupt interruption to his hacking campaign. Zone-h records hundreds of websites hacked by Cold Zero in late December, followed by a lull for one month. On January 29, 2009, Cold Zero returned with a defacement of rival hackers DNS Team’s website. Cold Zero has committed no Israeli or other website defacements after late December on Zone-h, lending credibility to the report of his arrest. Team Hell (aka Team H3ll and Team Heil) The graffiti from many websites hacked by Cold Zero name him as a member of Team Hell. Team Hell self-identifies as a Saudi-based hackers group, usually consisting of Kaspersky, Jeddawi, Dr. Killer, BlackShell, RedHat, Ambt, and Cold Zero. The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead | 23 Team Hell’s politically oriented hacks include more than just Israeli sites. In April 2007, Team Hell hacked Al-Nusra, a Palestinian-focused Jihadist website. They left a message indicating they associated al-Nusra with religious deviancy. On websites they have defaced, Cold Zero and Team Hell have expressed support for the secular, nationalist Fatah party. This would explain why Team Hell would hack Al-Nusra, a SalafistJihadist website, even though it is also anti-Israel. The group has also defaced the website of the Syrian parliament. Agd_Scorp/Peace Crew (aka Agd_Scorp/Terrorist Crew) Agd Scorp/Peace Crew are Turkish hackers who defaced NATO and U.S. military websites in response to Operation Cast Lead. On three subdomains of the U.S. Army Military District of Washington website and on the NATO parliament site http://www .nato-pa.int, the group posted a message reading: “Stop attacks u israel and usa! you cursed nations! one day muslims will clean the world from you!” The group also used an SQL injection attack to deface the website of the Joint Force Headquarters of the National Capital Region. Previously, the group has hacked websites belonging to a number of high-profile organizations, including the United Nations, Harvard University, Microsoft, Royal Dutch Shell, and the National Basketball Association. They also attacked U.S. military websites earlier in 2008. Jurm Team Jurm Team is a Moroccan group that has partnered with both Agd_Scorp and Team Evil. They have recently defaced the Israeli portals for major companies and products, including Kia, Sprite, Fanta, and Daihatsu. Their members call themselves Jurm, Sql_Master, CyberTerrorist, Dr. Noursoft, Dr. Win, J3ibi9a, Scriptpx //Fatna, and Bant Hmida. C-H Team (aka H-C Team) C-H Team consists of two hackers or hacker teams: Cmos_Clr and hard_hackerz. C-H Team targets Dutch and Israeli websites, leaving threatening messages in Hebrew on the latter. Both team members are Algerian. Besides defacing sites, Cmos_Clr claims to have used a variant of the Bifrost Trojan horse to break into Israeli computers, infiltrating 18 individual machines. Hackers Pal Hackers Pal is the administrator of the Hackers Hawks website and has claimed 285 defacements of Israeli websites. He is a supporter of the secular Fatah party. 24 | Chapter 2: The Rise of the Non-State Hacker Gaza Hacker Team Gaza Hacker Team runs the website of the same name. It is responsible for defacing the Kadima party website on February 13, 2009. The team consists of six members: Lito, Le0n, Claw, Virus, Zero code, and Zero Killer. DNS Team DNS Team is an active Arab hackers team focused primarily on apolitical hacking. However, it occasionally exhibits politically motivated attacks—targeting websites in Denmark and the Netherlands during the fall of 2008 in retaliation for the cartoon controversy, and it participated in recent anti-Israeli hacks. DNS Team maintains a hacking and security forum at http://www.v4-team.com/cc/. !TeAm RaBaT-SaLe! (aka Team Rabat-Sale aka Team Rabat-Sala) Team Rabat-Sale (named after the two Moroccan cities of Rabat and Sale) is unique because it has participated in this campaign and garnered press coverage without actually targeting Israeli websites. Instead, the group targets a variety of websites (probably opportunistic hacks; the group seems to specialize in websites using Linux) and then leaves startling messages and Jihadist imagery. It may reason that if the whole Western world is against the citizens of Gaza, any English-language website is a conduit for their message. They have recorded 380 such defacements on the Arabic Mirror site and 196 on Zone-h. Their members go by the aliases Mr. Tariklam, Mr. Sabirano, XDiablo, Mr. Konan, and Virus T. Team Rabat-Sale’s graffiti features the message, “For the Kids of Gaza…This Hack iS To DeFend Islam That Has Been Harrased by Denmark and USA and Israel.” The defacement includes an image of a sword piercing a skull with a Star of David on it, surrounded by skulls with the U.S., UK, and Danish flags superimposed on them. On another Team Rabat-Sale defacement, a Jihadist anthem commonly used as the soundtrack to insurgent videos plays in the background. It also features a picture of Osama Bin Laden, as well as a Team Rabat-Sale group logo depicting a Kalashnikov and crossed swords against a globe, with a Salafist flag waving from the barrel of the weapon. It includes an image that may imply a threat against a tractor-trailer truck. The photograph of the masked man with a laptop and a handgun by his side suggests physical violence in addition to cyber mischief. DZ Team DZ Team consists of Algerian and Egyptian hackers who use the aliases AOxideA, Maxi32, Skins, The Legend, Cyb3r-Devil, and The Moorish. It first made headlines in April 2008 when it hacked the Bank of Israel website over Passover weekend. DZ Team defaced several Israeli websites during Operation Cast Lead, including the Israeli portals of Volkswagen, Burger King, and Pepsi, the website of Israeli defense contractor The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead | 25 BVR systems, the Kadima party website, and the Hillel Yaffe hospital website. Videos of the group’s successful defacements were posted to YouTube. In an interview following its hack of the Bank of Israel site, members of the group reached by the press claimed they were religiously motivated: “We do everything in the name of Allah,” said one of them. Although one member of DZ team expressed support for suicide bombers in the interview, another stressed that the group members were not terrorists themselves. According to the interview, one member of the team specializes in creating Trojan horses, and another, a Hebrew-speaking Egyptian, specializes in locating security breaches. Ashianeh Security Group The Iranian Fars News Agency reported that the Ashianeh Security Group hacked 400 Israeli websites, including the websites of the Mossad and Israeli Defense Minister Ehud Barak. The group does not seem to participate in online hacker forums. It is possibly state-supported. Nimr al-Iraq (“The Tiger of Iraq”) and XX_Hacker_XX Nimr al-Iraq provides advice and links to download tools on hacker forums, especially the soqor.net forum. He is credited with updating the al-Durrah distributed denial of service tool for use during Operation Cast Lead (see the next section, “Methods of Attack”). He also provided links to download a remote access tool (RAT) program called hackattack, which permits hackers to gain remote control of another person’s computer. According to his profile on soqor.net, Nimr al-Iraq is a 22-year-old Iraqi named Mohammed Sattar al-Shamari and is listed as a former moderator on that site. XX_Hacker_XX is a moderator on soqor.net, and like Nimr al-Iraq, he provides advice and links to download tools, such as RAT programs. He is the moderator of the “hacking programs” section of the soqor.net website. His profile describes him as an 18-yearold from Kuwait. Methods of Attack Analysis of discussions on Arabic hacker forums and general pro-Jihad forums indicates that anti-Israeli hackers would like to carry out serious cyber attacks against Israeli targets. However, they do not have a demonstrated capability to carry out such attacks, and their actions have been limited to small- to mid-scale denial of service attacks and mass website defacement attacks. They may also have attempted to compromise individual computers via Trojans, particularly the Bifroze Trojan, a variant of which was developed by members of the 3asfh hacker forum. Additionally, they talk of the desire to use viruses against Israeli computers, although the kind of viruses under discussion are relatively old and many computers would already have been updated with protections against them. 26 | Chapter 2: The Rise of the Non-State Hacker Distributed denial of service (DDoS) capability Muslim hackers are using both indigenously developed and borrowed DDoS tools and making them available for download on hacker forums. One tool, named after Mohammed al-Durra, a Palestinian child allegedly shot and killed by Israeli soldiers in 2000, was first developed in 2006. An updated version has been provided by Nimr alIraq for use in the current conflict. With the al-Durra program, a user voluntarily downloads the program and then checks to see which target websites are on Arabic hacker forums. He then plugs in the target and the program will repeatedly send requests to it. When a sufficient number of people utilize the al-Durra program against a site, they can overwhelm it and bring it down. Other DDoS tools developed by hackers outside this community, such as hack tek, are also being used. Such tools do not require sophisticated technical skills or training. This makes them useful in a political dispute such as the Gaza crisis, when there is a very large global community willing to assist in cyber attacks against Israel but not necessarily skilled enough for more sophisticated attacks. Website defacements The hackers download vulnerability scanners from hacker forums to find websites with exploitable vulnerabilities. On the Arabic language forums, they have discussed using a few different methods, including SQL injection, cross-site scripting (XSS), and other web server software vulnerabilities. In most cases, they are reusing previously released exploit code to attack known vulnerabilities that the scanners identify. This is somewhat more difficult than the denial of service attacks, but it is still not considered sophisticated within the larger spectrum of hacking activities. The vulnerabilities being exploited by these hackers have already been identified, and patches and updates have been released to fix them. The only websites that are still susceptible are those whose administrators have been lax in updating their software and downloading patches. There is no evidence that this community is locating “zero day” vulnerabilities—those that have not yet been discovered—at this time. Viruses and Trojans Hacker forums reveal a desire to use viruses against Israeli targets, but there is no evidence of success thus far. A couple of hackers have boasted of successfully using Trojans and RATs to gain wide access to individual Israeli computers. This could give them the ability to capture passwords and other important data, facilitating financial crime and harassment. However, there is not yet much evidence that they have been successful with these tools. The Gaza Cyber War Between Israeli and Arabic Hackers During Operation Cast Lead | 27 Israeli Retaliation Israel and its supporters have also participated in this cyber conflict in a couple of ways. The Israeli government is behind an effort to recruit supporters who speak languages other than Hebrew—mostly new immigrants—to flood blogs with pro-Israel opinions. The Israel Defense Forces has hacked a television station belonging to Hamas. Supporters of Israel have also been hacking pro-Palestinian Facebook groups, using fake login pages and phishing emails to collect the login details of group members. According to the administrators of Gaza Hacker Team, pro-Israel activists are also pressuring hosting companies to cut off service to hacker websites. After the Gaza Hacker Team defaced the Kadima party website, they reported that their U.S. hosting company denied them service after being subjected to “Jewish” pressure. Perhaps the most creative tactic employed by Israel’s supporters is the development of a voluntary botnet. Developed by a group of Israeli hacktivists known as Help Israel Win, the distributed denial of service tool called Patriot is designed to attack anti-Israel websites. Once installed and executed, Patriot opens a connection to a server hosted by Defenderhosting.com. It runs in the background of a PC and does not have a configurable user interface that would allow the user to control which sites to attack. Rather, the server at Defenderhosting.com likely updates the client with the IP addresses to target. Help Israel Win describes itself as “a group of students who are tired of sitting around doing nothing while the citizens of Sderot and the cities around the Gaza Strip are suffering….” Their stated goal is to create “a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy’s efforts to destroy the state of Israel.” The Help Israel Win website is registered to Ron Shalit of Haifa, Israel. Control the Voice of the Opposition by Controlling the Content in Cyberspace: Nigeria Cyber wars are not always fought between states or between non-state actors; sometimes they are fought between a government and its political opponents. This is precisely the case in Nigeria where the Information Minister Dora Akunyili, with the support of Nigeria’s President Umaru Yar’adua, has launched a $5 million dollar campaign to support and create government-friendly websites. The objective, according to a June 16, 2009, news report filed by Saharareporters, is “to do everything to ensure that websites like yours (saharareporters.com) and others are stopped from taking root in Nigeria.” 28 | Chapter 2: The Rise of the Non-State Hacker Additionally, the plan calls for paying forum administrators to create discussion threads about topics created by Akunyili that will serve to cast the administration in the most favorable light. A third plank of the plan accelerates the arrest and detention of opposition bloggers at airports or other entry points into Nigeria. Civil actions against negative posters could include the filing of a libel lawsuit against them by the government. Are Non-State Hackers a Protected Asset? It would seem so. Instances of prosecution of Russian or Chinese hackers involved in foreign website attacks are so few as to be statistically insignificant. A news article written by Xinhua News Agency writers Zhou Zhou and Yuan Ye entitled “Experts: Web Security a pressing challenge in China” for China View (August 8, 2009) relates the pervasive security challenges China’s online population, which numbers almost 340 million, faces. The only illegal acts prosecuted by the PRC are online attacks causing financial harm to China; for example, two men from Yanbian County in Jilin Province were recently arrested and prosecuted for breaking into online banking systems and stealing 2.36 million yuan ($345,269 U.S.). All other types of attacks, according to Li Xiaodong, deputy director of the China Internet Network Information Center (CNNIC), fall into a “grey area.” Similarly, in the Russian Federation, the police are interested only in arresting hackers for financial crimes against Russian companies. Hacking attacks cloaked in nationalism are not only not prosecuted by Russian authorities, but they are encouraged through their proxies, the Russian youth associations, and the Foundation for Effective Policy. Are Non-State Hackers a Protected Asset? | 29 CHAPTER 3 The Legal Status of Cyber Warfare Although cyber warfare has been around for a decade or so, it still has not been well defined. As of this writing, there is no international treaty in place that establishes a legal definition for an act of cyber aggression. In fact, the entire field of international cyber law is still murky. The NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) published a paper on the subject in November 2008 entitled “Cyber Attacks Against Georgia: Legal Lessons Identified.” In it, the authors discuss possible applicability of the Law of Armed Conflict (...
Purchase answer to see full attachment
Tags: a b
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer


Anonymous
Really useful study material!

Studypool
4.7
Trustpilot
4.5
Sitejabber
4.4

Similar Content

Related Tags