October 6, 2013: The international hacker community is becoming less mysterious. Over the last decade Internet security firms (especially Kaspersky Labs and Symantec) have been increasingly successful at identifying the hacker organizations responsible for some of the large-scale hacker attacks on business and government networks. These commercial security outfits often cooperate with intelligence agencies to share their findings and get a better sense of who and what the threat is. Many of these hacker groups don’t really have a name, and are often groups of hackers put together for a specific campaign and that particular effort is given a name by the security experts who uncover and publicize it. Such is the case with Icefog, which was notable for going on for a long time. Operations like Icefog are also called APTs (Advanced Persistent Threats) because they are well crafted enough to remain undetected for a long time and d0 serious damage.
Icefog was directed at South Korean and Japanese military organizations, defense industries and mass media. Icefog kept its operation going via large scale targeting of specific individuals within these organizations. This sort of thing involves an official (or just convincing) looking email, with a file attached, sent to specific people at a specific military, government or commercial organization. It is usually an email they weren’t expecting but from someone or about something they recognize. This is known in the trade as “spear fishing” (or “phishing”), which is a Cyber War technique that has become much more popular as automated Internet defenses become more formidable, especially at the organizations Icefog targeted.
Technically, spear fishing is a combination of a social engineering attack (where someone, not software, is deceived into helping get the hacker in) and a pure hack (the email attachment which, if opened, secretly installs a program that sends files and information from the email recipient’s PC to the spear fisher’s computer). In the last decade an increasing number of organizations have been hacked into via these emails with a PDF document attached and asking for prompt attention.
Icefog was notable for the use of lots of phishing campaigns that ran for a short time and then shut down. This technique was used to avoid Icefog from being detected since it began in 2011. It also made it clear that Icefog has a lot of intel support to keep the lists of names and specific subjects (for the emails) coming. The sponsor of this campaign was probably a government, most likely China. The researchers (from Kaspersky Labs) recognized some of the programmers behind Icefog and it is believed the organization was a temporary one, organized just for the Icefog campaign but kept going for so long because of their ability to remain undetected. This is typical of China, which has a large number of criminal hackers who are allowed to operate without being arrested or extradited as long as they do not attack targets inside China and cooperate with government Cyber War activities.
Sometimes long-term hacker organizations are formed for projects like Icefog. Earlier this year such a Chinese group was identified and called Hidden Lynx. This group appears to contain 50-100 hackers (as identified by their coding style) and is believed to be largely responsible for a large scale espionage campaign (“Operation Aurora) in 2010 and is still active.
The security firms also identify and describe major malware (software created by hackers for penetrating and stealing from target systems). Earlier this year Kaspersky Labs discovered a stealthy espionage program called NetTraveler. This bit of malware had been secretly planted in PCs used by diplomats and government officials in over 40 countries. Also hit were oil companies and political activists opposed to China. NetTraveler apparently had little success in in Israel where it seems to have been prevented from stealing anything. Dissection of NetTraveler indicated it was created by about fifty different people, most of them Chinese speakers who knew how to program in English.
Kaspersky also discovered a similar bit of malware in late 2012 called Red October, because it appeared to have been created by Russian speaking programmers. Red October was a very elaborate and versatile malware system. Hundreds of different modules have been discovered and Red October had been customized for a larger number of specific targets. Red October was found to be in the PCs and smart phones of key military personnel in Eastern Europe, Central Asia, and dozens of other nations (U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan, and the UAE). The Red October Internet campaign has been going on since at least 2008 and has been seeking military and diplomatic secrets. As a result of this discovery Internet operators worldwide shut down the addresses Red October depended on.
Red October does not appear to be the product of some government intelligence agency and may be from one of several shadowy private hacker groups that specialize in seeking out military secrets and then selling them to the highest bidder. The buyers of this stuff prefer to remain quiet about obtaining secrets this way. In response to this publicity, the operators of Red October apparently shut down the network. The Russian government ordered the security services to find out if Russians were involved with Red October and, if so, to arrest and prosecute them. Russia has long been a sanctuary for Internet criminals, largely because of poor policing and corruption. It may well turn out that the Red October crew is in Russia and had paid off a lot of Russian cops in order to avoid detection and prosecution. To date, the operators of Red October have not been found.
South Korea has been subjected to a growing number of Cyber War attacks over the last few years, some of them quite damaging. After nearly a year of effort South Korean security researchers concluded in 2013 that nearly all these attacks were the work of one group of 10-50 people called DarkSeoul. Given the extent of the attacks, the amount of work required to carry them out, and the lack of an economic component (no money was being stolen) it appeared to be the work of a national government. That coincides with earlier conclusions that North Korean, not Chinese, hackers were definitely responsible for several attacks on South Korean networks. The most compelling bit of evidence came from an incident where a North Korean hacker’s error briefly made it possible to trace back to where he was operating from. The location was in the North Korean capital at an IP address belonging to the North Korean government. Actually, very few North Korean IP addresses belong to private individuals and fewer still have access to anything outside North Korea.
Like many other such discoveries, details of DarkSeoul were uncovered using pattern analysis of the hacker code left behind in damaged networks. This is a common technique for discovering who is behind an attack. There were patterns indicating the work of individual programmers and indications that there was only one organization involved in nearly all the attacks conducted since 2009. There was a lot of work involved in building all the software and assembling the resources (hacked South Korean PCs as well as hardware and network time required by the DarkSeoul team), and all this had to be paid for by someone. The likely culprit was North Korea, which has threatened Cyber War attacks but not taken credit for them. This is typical of most North Korean attacks, both conventional and now over the Internet.
What most of these large scale attacks have in common is the use of social engineering (exploitation of human weakness or error). Case in point is the continued success of attacks via Internet against specific civilian, military, and government individuals using psychology, rather than just technology. This makes spear fishing one of the most popular hacker tools. That may continue for some time because of the difficulty of getting everyone in an organization to avoid opening the suspicious attachments. Security is being improved to weaken the impact of spear fishing, mainly by putting more monitoring on user activity. This is pattern analysis again as individuals have a distinctive pattern to their work and new security systems set off an alarm if any users “breaks pattern.”
China has been a major user of spear fishing and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spear fishing payloads. The methods, and source, of many spear fishing attacks have been traced back to China. For example, in 2010 Internet security researchers discovered a China-based espionage group, called the Shadow Network, which had hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. Examination of the viruses and related bits of computer code indicated that most of this stuff was created by Chinese speaking programmers and all movement of command and stolen data led back to servers in China. Since China is an ally of the Syrian Assad government, the pro-Assad SEA (Syrian Electronic Army) has access to the best spear fishing tools. The Shadow Network had also hacked into PCs used by military and civilian personnel working for the Indian armed forces and made off with huge quantities of data. This was done via Internet based attacks against specific military and government officials via “spear fishing” (or “phishing”).
China’s Cyber War hackers have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical bits of code (the human readable text that programmers create and then turn into smaller binary code for computers to use) and techniques for using it in hacking software used against Tibetan independence groups and commercial software sold by some firms in China and known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this.
For Chinese hackers that behave (don’t do cybercrimes against Chinese targets) the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can’t handle. This was seen recently when a group of hackers were caught trying to get into a high-security network in the White House (the one dealing with emergency communications with the military and nuclear forces). These amateurs are often caught and prosecuted. But the pros tend to leave nothing behind but hints that can be teased out of heavy use of data mining and pattern analysis.