by Misha Glenny
Once you had downloaded Malware Destroyer (for i40), IM would instruct you to remove your existing anti-virus system, such as Norton, and install their product. Once installed, however, it did precisely nothing – it was an empty piece of software, although now of course you were open to infection by any passing virus and you had paid for that dubious privilege.
A researcher for McAfee in Hamburg, Dirk Kolberg, began to monitor this operation. He followed the scareware back to its source in East Asia and found that the administrator of IM’s servers had left some ports wide open, so Kolberg was at liberty to wander into the server and peruse it at will. What he uncovered was quite breathtaking. Innovative Marketing was making so much money that it had established three call centres – one for English speakers, one for German and one for French – to assist baffled customers who were trying to install their non-functioning products. Kolberg worked out from trawling through the receipts he also found on the server that the scareware scam had generated tens of millions of dollars in revenue for the management, in one of the most theatrical examples of Internet crime.
Beyond scareware, there are pump-and-dump schemes, which involve hackers moving into financial sites and digitally inflating share prices, before selling their holdings and then allowing the stock to collapse. There are also payroll schemes, whereby criminals hack into a corporation’s computer and add phantom employees to the personnel database. However, the hackers give these employees real salaries, which are dispatched monthly to so-called ‘money mules’. For a small consideration, these are instructed to pass on the money to a bank far away from where the crime is actually committed.
Just as the Web offers boundless possibilities to the creative mind in the licit world, so criminals can let their fantasies run free on the Internet.
The second major area of malfeasance on the Web is cyber industrial espionage. According to the annual threat report published by the American telecommunications giant, Verizon, this accounts for roughly 34 per cent of criminal activity on the Web and is almost certainly the most lucrative. Communications technology has made the theft of industrial secrets much easier than in the past. Until computers became widespread, stealing material involved physically breaking into a company or, if it were an inside job, finding ways of actually removing and distributing the data being sought.
No such difficulties now: industrial thieves can hack into a corporate system and then sniff around for blueprints, marketing strategies, payrolls or whatever else they are seeking, before downloading it. When Max Vision was not yet the fabled Iceman, he worked across the West Coast as a penetration tester – companies would pay him to attempt a digital break-in. Speaking to me in the orange jumpsuit that is his prison uniform, Vision said, ‘In those years, there was only one company which I failed to break into, and that was a major American pharmaceutical company.’ This is understandable – the value of pharmaceutical companies resides in their research, and the loss of formulae for new treatments can result in the loss of hundreds of millions of dollars and the collapse of share prices.
Vision was absolutely livid that he was unable to crack this one system. ‘Of course, I then launched a phishing attack on them and I was inside within five minutes, but it’s just not the same.’ What he means by that is that he sent infected emails to company email addresses, and it was but a matter of minutes before one of its many thousands of employees had fallen for the trap. So even if you have an unbreachable digital fortress, you have only overcome one of several major security challenges.
Similarly, these days it is much easier to perpetrate an inside job in a company because of the ease with which data can be collected and stored. We know that Bradley Manning, the man accused of having removed the US diplomatic cables that were subsequently published on WikiLeaks’ website, managed to download all the material onto a CD marked as a Lady Gaga album.
We also know that Stuxnet – to date the world’s most sophisticated virus – must have been planted on its apparent target in Iran’s nuclear facilities by somebody (wittingly or otherwise) infecting the computer systems with a memory stick or CD. Iran’s nuclear operating systems are not connected to the Internet. But they are still networks, and their infection by Stuxnet proved that they were within reach of a professional intelligence agency.
Stuxnet represented a significant escalation in the third major threat: cyber warfare. This piece of malware was so complicated that researchers estimated it must have taken in the region of several man-years to develop, which means that a dedicated team of coding engineers must have been working on it for an extended period. Organised crime does not operate in this fashion. The only entity capable of developing Stuxnet was a nation state with a lot of resources to devote to the design and manufacture of both defensive and offensive cyber weapons. Nonetheless, whoever designed Stuxnet borrowed huge amounts of computer code and techniques from the many tens of thousands of blackhat or greyhat hackers out in cyberspace. Criminal hackers are a great driver of creativity in all areas of the Web’s darkside. Military, private-sector, police and intelligence agencies are always quick to adopt the tools that crackers and hackers are developing.
When Stuxnet was successfully infiltrated into the control system of several nuclear facilities in Iran, the authorities admitted that it led to a major breakdown in the operation of a highly sensitive station. It could have resulted in an explosion. Its existence proves that the doomsday scenarios proposed by the so-called cyber warriors are no longer only theoretically possible. Serious though it was at the time, the attack on Estonia was the equivalent of a playful pre-match kick-about, compared to what Stuxnet heralds.
The cyber warriors are also referred to as cyber securocrats – these are the prophets who warn that the sky is about to fall on our heads. Among the most articulate of this breed is Richard Clarke, who describes the following scenario in his book Cyber War:
By the time you get to the Situation Room, the Director of the Defense Information Systems Agency is waiting on the secure phone for you.
FEMA, the Federal Emergency Management Agency, has reported large refinery fires and explosions in Philadelphia and Houston, as well as lethal clouds of chlorine gas being released from several chemical plants in New Jersey and Delaware.
The National Air Traffic Control Center in Herndon, Virginia, has experienced a total collapse of its systems . . .
Most securocrats continue by arguing that the only way we can prevent a digital Pearl Harbor or Cybergeddon is to put money into their think-tanks and companies in order to step up research into the threat.
In fact, this is already happening. The Estonian events accelerated the move towards the militarisation of cyberspace. NATO first agreed to create the majestically titled Cooperative Cyber Defence Centre of Excellence in Tallinn in 2005. Despite an enthusiastic reception for the idea of a cyber-war operational institute, member states proved reluctant to put any money on the table (with the understandable exception of the host country, Estonia). The project wasn’t mothballed, but it struggled to advance much beyond the stage of some attractively designed headed notepaper.
‘As soon as the attack happened, however,’ noted Peeter Lorents, an eminent Estonian mathematician and one of the Centre’s co-founders, ‘the atmosphere changed and we started getting real support from both Brussels and Washington. Indeed, my first reaction on hearing about the attack was to call France and order two cases of Cristal Champagne to be delivered to Mr Putin. By launching this attack, the Russians had surely secured the future of our centre.’
Alarm bells were certainly ringing in Washington. A number of events immediately preceded or followed on from the Estonian incident, and together these convinced the incoming Obama administration in 2009 that cyber defence needed to be strengthened at all costs. In particular, a few months after Estonia, it dawned on America’s huge global surveillance operation, the National Security Agency (NSA), just how serious the loss in April 2001 of an EP-3E Aries reconnaissance pla
ne to the Chinese Air Force really was. Although the pilot had succeeded in destroying the software before it went down, the hardware was intact and, as soon as it fell into Chinese hands, they began to reverse-engineer the state-of-the-art technology that would enable them to monitor and decode encrypted communications. Soon after Obama’s election to the White House the Chinese started testing their new toy, and their new capability at intercepting communications was observed by the NSA. The Chinese, it seems, wanted to indicate to Washington that it had successfully cracked the technology.
The United States government did not stop at putting its weight behind the cyber-defence centre in Tallinn, which, since 2008, has been conducting major research, including complex cyber military exercises. Computing networks had become so critical a part, both of the Defense Department’s infrastructure and of its offensive and defensive operational capability, that Robert Gates, the Secretary of Defense, made the momentous decision to create a new military domain – cyberspace.
This fifth military domain – a sibling to land, sea, air and space – is the first-ever man-made sphere of military operations, and the rules surrounding combat in it are almost entirely opaque. Along with the domain, the Pentagon has set up USCYBERCOMMAND to monitor hostile activity in cyberspace and, if necessary, plan to deploy offensive weapons like Stuxnet. For the moment, the US is the acknowledged leader in the cyber offensive capability.
‘Cyber offensive capability’ should not be mistaken for an ability to deploy conventional weapons that are enhanced by computer systems. The best examples from this latter arsenal are the drones (which the US has regularly deployed in Afghanistan and Pakistan) that can undertake surveillance and fighting missions while being piloted by a computer operator in Nevada.
Cyber weapons are the hacking tools that enable a cyber soldier to penetrate the computer systems of an enemy’s CNI (Critical National Infrastructure), such as their energy and water grids. Once in control of the system, the military doctrine goes, the cyber commander can order their shutdown (or, as we know from Stuxnet, trigger a very damaging explosion) so that within a matter of days the affected society will be reduced to Stone Age technology.
That, at least, is the idea. For the moment, the United States is the acknowledged front-runner as developer of offensive cyber weapons. But the Chinese, the French and the Israelis are snapping at their heels, with the Indians and British not far behind.
The militarisation of cyberspace was foreseeable. Where this is leading us is, by contrast, understood by nobody. Writing in The New Yorker, the ever-perceptive Seymour Hersh teased out the implications of the Chinese having nicked the secrets from the reconnaissance plane’s hard drive:
The EP-3E debacle fuelled a long-standing debate within the military and in the Obama Administration. Many military leaders view the Chinese penetration as a warning about present and future vulnerabilities – about the possibility that China, or some other nation, could use its expanding cyber skills to attack America’s civilian infrastructure and military complex. On the other side are those who argue for a civilian response to the threat, focussed on a wider use of encryption. They fear that an overreliance on the military will have adverse consequence for privacy and civil liberties.
The urge for the military to establish itself as the chief arbiter of cyber security appears widespread. In October 2010 President Obama charged the National Security Agency, which is part of the Pentagon, with assisting the Department of Homeland Security and the private sector in domestic cyber security. In China the People’s Liberation Army is the primary institution governing foreign and domestic cyber security, while in the Middle East the Israeli Defence Force is the inspiration for the extraordinary research into computer warfare, which allows Israel to punch high above its weight in this field.
But what, one may legitimately ask, has any of this to do with cybercrime?
The threats in cyberspace are real and dangerous. Ideally, a democratic state would ensure that this critical technology should benefit, not ruin, the lives of its citizens. Equally, the state should resist the temptation to infringe our rights and privacy. Allowing the military to assume a lead role in defence of civilian networks is most unwise. Yet given that cyber weapons have the potential to cripple a country’s Critical National Infrastructure (and ruin people’s lives in the process), there must be provision for the military to intervene in extreme situations. Those circumstances should be both exceptional and verifiable.
Separate agencies should be responsible for policing the three separate threats – cybercrime, cyber industrial espionage and cyber warfare. Recognised police agencies like the FBI or the US Secret Service should assume responsibility for cybercrime. Corporations and companies should either develop their own network security system or pay a company specialising in cyber security to do it. Civilian government should establish its own network defence, while the military should protect its systems.
On the surface that seems straightforward enough. But in the real world the edges are already blurred, encouraged by the interconnectivity of the Web. Then there is the hitherto insoluble two-part conundrum at the heart of the cyber security: what does a cyber attack look like?
To answer this, a cyber defender requires two vital pieces of knowledge. From where does this attack originate? And what is the attacker’s motive? Faced with a skilled cyber aggressor, not even the best defender can answer these questions. One may only calculate and – acting on a supposition – this can lead to wrong decisions, misunderstandings and, eventually, conflict.
Let us assume that our police agency, the corporate sector and the military dutifully stick to their task of protecting the state against their designated perils. There are still two actors who are ever present across the spectrum of threats: the spook and the hacker. The former seeks to crack the conundrum (although not necessarily to share the resulting knowledge); the latter is actually responsible for formulating the conundrum precisely in such a way as to render it insoluble.
The intelligence agency sniffs around the Web like a black cat against a dark background, never making a sound and socialising only when its team seeks to dissemble, recruit or confuse. This phantom-like behaviour is part of the spook’s DNA, but it is also explained by the intelligence service’s fascination with, and even admiration for, its primary opponent in cyber: the hacker.
Until recently, network defenders were confident that when an attack was under way there was a hacker masterminding it. This has changed in the last five years with the emergence of ‘off-the-shelf’ malware. Many criminal hackers now make their money not by compromising credit cards, bank accounts or similar cunning scams, but simply by selling trojans, viruses and worms that they have developed. They are user-friendly programs that do not require specialist knowledge to deploy them. The most common form is the botnet. Hackers will hire out botnets to be used in DDoS attacks for purposes such as extortion or revenge for a day or two, or maybe for a week or a month. Naturally, hackers selling a botnet or virus have the technical ability to control the length of hire because they can simply programme in its obsolescence, about which their clients – presumably petty jobbing criminals – can do nothing.
Yet the emergence of a secondary market on the Net for ‘off-the-shelf’ malware will not alter the fundamental truth that behind any cyber attack – whether it is criminal, corporate espionage or warfare – lies a gifted hacker. Mounting cyber attacks that are genuinely damaging, rather than merely inconvenient, invariably requires highly specialised and technical skills. This means that even if a hacker is working on behalf of a boss (be it a capo, a CEO or a Commander), he will still need to know a great deal about the intended target if he is to design the right product. Whichever team of hackers designed Stuxnet, for example, had to know not just about the Iranian nuclear facilities that were the presumed targets; they also needed to understand the Siemens PLC network that ran it and the very specific compressor designed by Vachon, a Finnish company (although man
ufactured in China), as well as the Taiwanese company whose RealTek digital certificate was spoofed to fool the Iranian system’s anti-virus program. Anyone smart enough to work on Stuxnet would have been smart enough to work out its intended victim.
In this respect, hackers are the key to cyber security as they hold the solution to the conundrum. Find the hackers and you will have made serious strides towards uncovering the truth.
The overwhelming percentage of funds that governments are now channelling into cyber security are devoted to ‘digital solutions’ – they are fighting the power of gadgets with gadgets. The money going into understanding hackers, their culture, their minds, their intentions and their vulnerabilities is negligible. But how do you find a hacker? And, on the Internet, how do you know if your new-found friend is a hacker, a police spy, an intelligence agent, an Air Force investigator, a prankster, a terrorist or an alien?
Everything revolves around trust. And building trust means being patient and nurturing relationships. Yet time is at a premium in the world of cyber security. Nowhere did the difficulties relating to trust and time become clearer to me than when DarkMarket’s locus shifted away from its origins in Britain, Germany and the United States towards a country whose economic and geo-strategic importance is growing at a rate of knots – Turkey.
Book two
Part I
26
BILAL IN PITTSBURGH
Pittsburgh, Pennsylvania, February 2008
One crisp winter morning in 2008, Inspector Bilal Şen of the Turkish Police stared out of his office window at Pittsburgh’s Hot Metal Bridge. Straddling the Monongahela River a tad east from where it joins the Allegheny to form the majestic Ohio, the bridge used to transport molten metal from the great Eliza furnace on the north side to the rolling mills on the south.
